With several of the largest banks experiencing ethical scandals in recent years, Bank Director digital magazine set out to interview Terry Strange, the audit and compliance committee chair at BBVA Compass Bancshares, the $86.7 billion institution based in Houston. As a former vice chair and managing partner of the U.S. audit practice to KPMG, LLP, he is uniquely qualified to talk about how bank board members can assess the culture of their organization and look for red flags.
He discusses with Naomi Snyder, editor of Bank Director digital magazine:
The importance of integrity.
Red flags that you have an ethical problem.
What he would have asked Wells Fargo & Co. management.
Leaving is an inevitable part of life. Everybody ages and, whether by choice or by circumstance, we won’t forever be doing what we are doing today. This law is true for your bank as much as it is for yourself. It is essential to take steps now to prepare for the inevitable transitions that are in the future. As individuals, we are constantly questioning whether we are prepared for the next stage of life. “Have I saved enough for retirement?” “Is my estate in order?” As directors, we need to be making similar plans for our bank’s future.
Succession planning can be broken down into three areas: management succession, board succession and ownership succession.
Management Succession
When succession planning is first addressed by a bank, typically management succession is what comes to mind. This naturally includes the chief executive officer’s position, but should also include other vital roles in the bank such as chief financial officer, chief operating officer and your bank’s senior lending officers.
Some banks are challenged when trying to start a formal succession plan: “Who should you include and how should you start?” Banks should start with the most predictable event possible, the eventual retirement of current executives. Not all current executives will necessarily know the exact date they plan to retire, but an age range of 65 to 67 is a good start. As far as whom to include in the plan, it is important to remember that it is not necessary to name a successor now. Identifying a small pool of potential successors is often sufficient. But what banks need to remember is that part of a successful succession plan is ensuring that the people in your plan are still at the bank when you need them. Many banks are incorporating executive benefit/BOLI plans that have golden handcuffs in order to retain all potential successors in the succession plan.
Knowing what you should plan for is always beneficial, but when designing a formal succession plan, banks need to address other contingencies besides the eventual retirement of the current management team. Death, disability and other unexpected events may create a critical situation for those banks that don’t have an emergency succession plan in addition to their long-term succession plan. Depending on the readiness of those involved, the person who takes over running the bank in case of an emergency may very well not be the same person who is the identified successor in the long-term plan.
Board Succession
One of the most challenging aspects of succession planning is board succession. Many banks have mandatory retirement ages typically ranging from age 70 to 75. If your bank does not currently have a mandatory retirement age, you can use nonqualified benefit plans to provide a benefit to those who you may require to retire at a specific age. This can facilitate their retirement from the board in a respectful and dignified way. You may also consider grandfathering the existing board members from a new policy you wish to implement. If that step is taken, the bank still needs to recruit young directors in preparation for the succession of the aging board. In the current regulatory environment, the role of the director is much more involved than in previous years. Often, the most successful banks have diversity on their boards, including various ages and backgrounds, to bring different perspectives regarding the strategic direction of the bank. One concept that seems to be successful for many of our clients is creating an advisory board made up of younger, successful, local business men and women to assist the bank in spreading its marketing footprint. They also typically provide great insight into the needs of the younger generation of bank customers. And many of them bring potentially profitable customers to the bank. As directors reach the mandatory retirement age, the board may recruit full-time directors from the advisory board, which makes for a much smoother transition.
Ownership Succession
Though many owners do not share their ownership succession plan with the rest of the board or key members of management, it is helpful to know how to plan for the succession of the bank. Utilizing nonqualified benefit plans for key management is beneficial in keeping the management team in place during the ownership succession of the bank. Open communication is a key factor when considering all forms of succession planning. The more people are aware of the planning that banks are doing, the more comfortable both employees and customers will be during any portion of a transition of succession.
Issues like cybersecurity, digital transformation and future business models now require the attention of not just management teams, but also bank boards. As directors engage more deeply in these issues, Bill Fisher of Diligent explains how they can enhance the effectiveness of the board to be a true strategic asset to the bank.
Investment in fraud detection can be a competitive advantage, especially as real-time payments initiatives create new opportunities—and threats—for financial institutions. Luis Rojas of Bottomline Technologies explains where and how to address gaps in fraud detection, and how bank boards should examine the true costs of fraud.
Changing your bank’s core technology provider is one of the most important decisions that a bank board and management team can make, and even when things go smoothly it can be the source of great disruption. The undertaking can be particularly challenging for small banks that are already resource constrained since the conversion requires that all of the bank’s data be transferred from one vendor’s system to another’s, and even for a small institution that can add up to a lot of bits and bytes. Also, changing to another vendor’s core technology platform typically means adopting several of its ancillary products like branch teller and online and mobile banking systems, which further complicates the conversion process.
“It isn’t something to be taken lightly,” Quintin Sykes, a managing director at Scottsdale, Arizona-based consulting firm Cornerstone Advisors, says of the decision to switch core providers. “It is not something that should be driven by a single executive or the IT team or the operations team. Everybody has got to be on board as to why that change is occurring and what the benefits are…”
The Bank of Bennington, a $400 million asset mutual bank located in Bennington, Vermont, recently switched its core technology platform from Fiserv to Fidelity National Information Services, or FIS. President and Chief Executive Officer James Brown says that even successful conversions put an enormous strain on a bank’s staff.
“It’s not fun,” says Brown. “I have the advantage of having gone through two previous conversions in my career, one that was horrendous and one that was just horrible. [The core providers have] gotten better at it, but there’s no way to avoid the pain. There are going to be hiccups, things that no matter how you prepare are going to impact customers. There’s this turmoil, if you will, once you flip the switch, where everybody is trying to figure out how to do things and put out fires, but I will say [the conversion to FIS], in terms of how bad it could have been, was not bad at all.”
But even that conversion, while it went more smoothly than Brown’s previous experiences, put a lot of stress on the bank’s 60 employees. “There was a lot of overtime and a lot of management working different jobs to make sure our customers were taken care of,” he says.
Banks typically change their core providers for a couple of different reasons. If the bank has been executing an aggressive growth strategy, either organically or through an acquisition plan, it may simply have outgrown its current system. A lot of core providers can handle growth, particularly in the retail side of the bank, so that’s not usually the problem, Sykes says. Instead, the growth issue often comes down to the breadth of the bank’s product line and whether staying with its current core provider will allow it to expand its product set. When banks embark on a growth strategy, they don’t always consider whether their core data system can expand accordingly. “Usually they’re unable or just haven’t looked far enough ahead to realize they need it before they do,” Sykes explains. “The pain has set in by the time they reach a decision that they need to explore [switching to a new] core.”
Banks will also switch their core providers over price, especially if they have been with the same vendor through consecutive contracts and didn’t negotiate a lower price at renewal. “If any banker says price doesn’t have an impact on their decision, they’re not being honest,” says Stephen Heckard, a senior consultant at Louisville, Kentucky-based ProBank Austin.
Although the major core providers would no doubt argue differently, Heckard—who sold core systems for Fiserv for 12 years before becoming a consultant—says that each vendor has a platform that should meet any institution’s needs, and the deciding factor can be the difference in their respective cultures. And this speaks to a third common reason why banks will leave their core provider: unresolved service issues that leave the bank’s management team frustrated, angry and wanting to make a change.
“The smaller the bank, the more important the relationship is,” says Heckard. “When I talk about relationships, I’m also talking about emotions. They get played up in this. For a community bank of $500 million in assets, quite often if the vendor has stopped performing, there’s an emotional impact on the staff. And if the vendor is not servicing the customer’s needs in a holistic manner, and the relationship begins to degrade, then I do feel that eventually the technology that’s in place, while it may be solid, begins to break.”
Heckard says that core providers should understand their clients’ strategic objectives and business plans and be able to provide them with a roadmap on how their products and services can support their needs. “I don’t see that happening near enough,” he says. And if the service issues go unresolved long enough, the client may begin pulling back from the provider, almost like a disillusioned spouse in a failing marriage. “They may not be as actively attending user groups, national conferences and so forth,” Heckard says. “They don’t take advantage of all the training that’s available, so they become part of the problem too.”
Brown says that when Bank of Bennington’s service contract was coming up on its expiration date, his management team started working with Heckard to evaluate possible alternatives. “We needed to implement some technology upgrades,” he says. “We felt we were behind the curve. Something as simple as mobile banking, we didn’t have yet.” The management team ultimately chose FIS, with Brown citing customer service and cybersecurity as principal factors in the decision. The decision was less clear cut when it came to the actual technology, since each of the systems under consideration had their strengths and weaknesses. “I’m sure [the vendors] wouldn’t like to hear this but in a lot of ways a core is a core,” Brown says.
Heckard, who managed the request for proposal (RFP) process for Bennington, says that bank management teams should ask themselves three questions when choosing a new core provider. “The first one would be, have you exhausted every opportunity to remain with the present vendor?” he says. As a general rule, Heckard always includes the incumbent provider in the RFP process, and sometimes having the contract put out to bid can help resolve long-standing customer service issues. The second question would be, why was the new vendor selected? And the third question would be, how will the conversion restrict our activities over the next 18 months? For example, if the bank is considering an acquisition, or is pursuing an organic growth strategy, to what extent will the conversion interfere with those initiatives?
Heckard also covers the conversion process in every RFP “so that by the time the bank’s selection committee reads that document they know what’s ahead of them, they know the training requirements…they understand the impact on the bank.”
And sometimes a bank will decide at the 11th hour that a core conversion would place too much strain on its staff, and it ends up staying with its incumbent provider. Heckard recalls that one bank he worked with recently decided at the last moment not to switch, even though another vendor had put a very attractive financial offer on the table. “The president of the holding company told me, ‘Steve, we can’t do it. It’s just too much of an impact on our bank. We’ve got a main office remodel going on,’ and he went through about four other items,” Heckard says. “I thought, all of these were present before you started this. But sometimes they don’t realize that until they get involved in the process and understand the impact on their staff.”
Well-documented stories of speculators using derivative structures to gamble and lose their firms’ capital, along with Warren Buffett tagging them as “financial weapons of mass destruction” have made interest rate swaps a non-starter for many community banks. It seems that the preponderance of evidence against derivatives has led many community bank boards to view the issue as an open and shut case, rather than carefully considering all of the facts before passing judgment on these instruments. But questioning the four most common objections to swaps uncovers some overlooked truths that may motivate your board to take a fresh look at derivatives.
1. I know someone who lost money on a swap…but why?
Putting aside situations where derivatives were sold inappropriately, the claim, “I know a customer who got burned using a swap,” is simply the banker stating that the borrower utilized an interest rate swap to lock in borrowing costs. A borrower who chose the certainty offered by a swap over uncertain variable interest payments ultimately paid more because interest rates went down instead of up, and then stayed low. In reality, the borrower was burned by the falling rate environment while the interest rate swap performed exactly as advertised, providing known debt service, albeit higher than the prevailing rates. It looked like a bad deal only with 20-20 hindsight.
With the Federal Reserve now moving short-term rates higher while market yields remain close to historic lows, the odds begin to favor the borrower who uses a swap to hedge against rising rates. Whether or not the swap pays off, the certainty that it delivers becomes more attractive as rates become volatile and their future path remains uncertain.
2. Regulators don’t want community banks using swaps…or do they?
When looking at the topic of interest rate risk, regulators began sounding alarm bells for banks in the years following the crisis on the premise that there was nowhere to go but up for rates. In a 2013 letter to constituents, the Federal Deposit Insurance Corp. (FDIC) re-emphasized the importance of prudent interest rate risk oversight and issued this warning:
“Boards of directors and management are strongly encouraged to analyze exposure to interest rate volatility and take action as necessary to mitigate potential financial risk.”
When it came to outlining mitigation strategies in this letter, rather than banning derivatives as intrinsically risky, the FDIC specifically mentioned hedging as a viable option. They did, however, sound a note of caution:
“…institutions should not undertake derivative-based hedging unless the board of directors and senior management fully understand these instruments and their potential risks [emphasis our own].”
Compared with other risk management tactics, derivatives offer superior agility and capital efficiency along with new avenues to reduce funding costs. Accordingly, it may behoove banks to heed the FDIC’s exhortation and implement derivatives education for directors and senior management.
3. My peers don’t use swaps…why should I?
If you are not hedging with swaps and your total assets are between $500 million and $1 billion then you are in good company; seven out of eight banks your size have also avoided their use. But if your growth plans anticipate crossing the $1 billion asset level, more than one in four of your new peers will be using swaps. Once you cross the $2 billion mark more than half of your peers will be managing interest rate risk with derivatives, while institutions not using swaps become a shrinking minority. For the many institutions serving small communities and not expecting to cross the $500 million asset level in the foreseeable future, derivatives are not typically a viable solution. But if your growth will soon push you into a new group of peers with more than $2 billion in assets on the balance sheet, then having interest rate swaps in the risk management tool kit will become the norm among your competitors.
4. Our board doesn’t need derivatives education…or do we?
After digging below the surface we learn that most of the instances where derivatives left a bad aftertaste were caused by an unexpected drop in rates rather than a product flaw. We also learn that in urging banks to take action to mitigate interest rate risk, the regulators are not anti-derivative per se; they simply lay out the reasonable expectation that the board and senior management must fully understand the strategy before executing. Taking the time to educate your board on the true risks as well as the many benefits provided by interest rate hedging products may help to distinguish them as powerful tools rather than dangerous weapons.
Commercial banking is a core business for most regional and community banks. It is a key driver of profitability as well as organizational growth, and frequently serves as the entry point to many of the bank’s other businesses, such as wealth management, treasury services and deposit gathering. The competition for talent and growth within commercial lending has never been higher, and as a result, commercial lenders continue to be among the most highly paid and highly incentivized individuals in the bank. It is of critical importance therefore to think carefully about maximizing your bank’s return on its lender compensation by thoroughly evaluating your incentive programs for this group. Do the plans motivate the right behaviors, properly consider risk elements and successfully align compensation with performance?
Incentive Goals
The first step in evaluating the effectiveness of the incentive plan for the commercial lending group is evaluating the business priorities of the lending group.
What is the preferred balance between profit and growth for each of the commercial businesses?
How should your business segmentation impact your plan design? For example, does the bank need multiple incentive plans to align with segmentation between C&I and commercial real estate, or one incentive plan covering multiple loan types?
What are the cross-selling or referral expectations for lenders?
What products and behaviors should your lenders pursue in order to encourage sticky relationships with your commercial clients?
What is the performance culture of the commercial lending group, and how can the incentive plan reinforce it?
What are the bank’s goals for specific types of commercial business in terms of client type, industry and loan size? For example, if the bank prioritizes C&I loans due to their typically higher level of fee income and associated deposits, rather than larger CRE loans, the incentive plan should reflect that priority.
These are just a few examples of the types of questions that bank board members and executives should be asking right now as they evaluate their commercial lender incentive programs. In order to properly contribute to the bank’s overall success, the incentive plan design and performance goals must reflect the bank’s priorities for the commercial lending group.
The exhibit below highlights some of the most common productivity goals used for commercial lenders at regional and community banks. Data is taken from a flash survey of regional and community banks that was conducted by McLagan earlier this year and that covered a variety of commercial lending topics.
Aligning Pay With Performance
In addition to identifying plan goals vis-à-vis departmental priorities, it is important to evaluate the alignment of incentive awards with the performance necessary to earn those awards. In short, what is the bank’s return on its incentive payments to lenders? If performance and awards are not appropriately aligned, the bank may be overpaying for mediocre performance or not appropriately rewarding its high performers, either of which can have a negative impact on long-term corporate performance.
Robust performance and payout modeling is particularly important when a new or revised incentive program is implemented—changes to plan payout methodologies may necessitate changing performance expectations for lenders. For example, if incentive payout targets are increased in order to remain externally competitive, do performance targets need to increase as well in order to provide an appropriate return to the bottom line?
Risk Considerations
While lender productivity generally has the biggest impact on plan awards, incentive plans cannot ignore risk considerations. The actions of commercial lenders today can have a significant impact on the bank’s credit quality and profitability in future years, and incentive plans should be designed to mitigate any behaviors that are not in line with the bank’s risk policies. In some cases, risk factors may be included as specific objectives under the incentive plan. More frequently, mechanisms outside of the core plan are used to safeguard against risky behaviors or poor risk outcomes. Common plan mechanisms include credit quality payout triggers, clawbacks that seek to recapture pay that has already been awarded, and deferrals that pay out based on long-term risk outcomes, among others.
In summary, commercial lenders can have a significant impact on your bank’s organizational success, and your commercial incentive plan can have a significant impact on the business and behaviors that your lenders pursue. As you begin to plan for 2018, take time now to evaluate the alignment between goals and business needs, payouts and performance, and plan features and risk policies. Doing so will help your bank maximize the potential organizational impact of its commercial incentive dollars.
It’s not a matter of if your bank will be hacked, but when—and your bank should be prepared when the inevitable occurs. A cyberattack or data breach is costly, and can result in reputational damage if customer data is stolen and possible enforcement action if the regulator concludes that cybersecurity controls were lax. In this video, Raj Chaudhary of Crowe Horwath LLP addresses the board’s role in cybersecurity, the importance of an incident response plan and the need to train both board and staff to better protect the bank.
The Elements of an Incident Response Plan
Training Considerations for the Board and Bank Employees
About the Presenter: Raj Chaudhary is a principal in Crowe Risk Consulting and leads the Cybersecurity Risk Consulting group. He also serves as senior vice president of CHAN Healthcare, a subsidiary of Crowe Horwath LLP.
Raj has more than 30 years of experience specializing in enterprisewide information systems consulting for financial services, utilities, healthcare, and public sector organizations.
With banks of all sizes facing significant challenges in the management of financial crime risk, senior management and bank board members need an unambiguous understanding of the strengths and weaknesses of their organizations’ financial crime compliance strategy.
The escalation of mobile banking, the burgeoning role of fintech in banking and the spread of cybercrime are only a few of the key reasons for banks to establish a process that views financial crime risks in the aggregate—under one umbrella. Further, in our view, directors must have a firm grasp with respect to how the program has been designed and implemented.
An integrated view of financial crime compliance risk can give board members a sense of confidence that management has a robust financial crime compliance program in place. A view of issues in the aggregate provides management the ability to understand the entirety of the financial crimes landscape at their firm.
At their core, these programs require a dynamic and agile mindset at the board level. Directors must possess a level of confidence that management has established a strategic, well considered approach to detecting, preventing and reporting financial crime. A carefully managed, well designed, and integrated plan can also create considerable governance benefits across internal silos.
For banks currently without an integrated plan, the creation of such a plan requires:
A strategic vision of a future program that engages senior management in the first line of defense (lines of businesses and operations) in the design of the vision—and has buy-in by the entire board.
The integration of teams that in the past have approached such risks in a separate manner, such as compliance programs for anti-money laundering, anti-bribery and corruption, and Office of Foreign Assets Controls.
A vision for how to change or enhance the bank’s information technology (IT) infrastructure.
The designation of an individual as the bank’s financial crimes compliance officer.
Building an integrated financial crimes program under an umbrella structure presents opportunities for collaboration, improved data aggregation and analytics capabilities, heightened board awareness of the bank’s control environment, and the possibility of cost savings and enhanced regulatory compliance.
The establishment of a centralized financial crimes compliance unit, however, requires a multi-faceted approach. Employee roles and responsibilities will likely shift, policies and procedures may need to be consolidated to reflect the new approach, and compliance reporting mechanisms and IT responsibilities will be altered.
Recognizing that the landscape will shift, we offer a roadmap to an integrated financial crimes compliance program. Here’s a synopsis of our five-step plan for your board’s consideration:
Compliance leaders recognize the importance of cultivating partnerships with business-unit leaders across the bank—as well as their internal audit teams. Thus, building a cross-functional working team is a must across the bank’s “three lines of defense”: the front office and lines of business, the support functions such as compliance and finally, audit. These members should consider perceived benefits, anticipated costs and potential obstacles. Dialogue and trust are essential.
The team should strive to gain a clear view of the bank’s current risk management efforts and assess the underlying financial crimes risks. Too many institutions stumble at this stage by adopting models that may work for larger or more-regulated institutions, or conversely for smaller institutions with a different product mix or jurisdictional presence.
The cross-functional team should draft a working plan for the centralized compliance unit, and the team should provide the draft plan, which would include the recommended step-by-step approach to establishing the unit, to board members and executive leadership for review. The plan would identify the individuals who will design and roll out the changes, the governance and oversight structure of the transformation program, and the unit’s staffing model.
Perhaps as much as any of these steps, clear and frequent communication to bank personnel about the program’s intentions, benefits and impacts is vital. Board members should be satisfied that management has established a plan for the timing and cadence of communications, has identified which audience will be targeted at each step, and has created specific messages to the bank staff regarding why the establishment of the unit is necessary and how it will benefit the organization.
Once the bank has embedded its Financial Crimes Compliance Program, management must be certain that monitoring and testing mechanisms are working continuously, and that the firm is equipped to deal with changes as regulations change or are introduced.
A final reminder is worth noting: The journey is never over. Financial crime compliance risk, as a board agenda item, should be a constant.
It’s not surprising that in the wake of the financial crisis, risk has become a much more important topic on bank boards. What’s more surprising is that it is still front and center, even as credit and economic conditions have remarkably improved.
As Bank Director hosts its Bank Audit & Risk Committees Conference in Chicago this week, risk still is top of mind for attendees and speakers. There are a few notable changes, though, during the past few years.
Five or six years ago, much of the talk for community bank boards was about starting an enterprise risk management system. Regulators were talking about it. Bank officers were talking about it. Boards were trying to figure out how to manage the bank’s various risks in a more integrated, comprehensive manner.
Now, enterprise risk management has plateaued at many banks, says Tim Kosiek, a certified public accountant and partner at Baker Tilly, an accounting and advisory firm. Fewer people are talking about it, or starting new programs. Many banks have already established ERM programs, especially those above $1 billion in assets.
“Bankers are not finding this showing up in the regulatory exams to the degree it was five or six years ago,” says Kosiek, mostly because credit conditions have improved.
ERM still has no set framework. There are no set guidelines from regulators that will tell you exactly how to set one up, or what the perfect ERM program looks like.
But as part of it, compared to four or five years ago, many more banks do have a risk appetite statement, and boards are discussing their risk tolerances for various types of risk, such as credit and compliance.
Challenges still remain. For example, it’s still tough for banks to ensure that their various divisions are sticking to the risk tolerances that have been established, Kosiek says. Also, not all banks have a comprehensive enterprise risk management program in place. The people in charge of risk in the organization don’t necessarily have their compensation clearly tied to their performance as risk officers, for example.
Still, despite those challenges, there are some areas where banks have made significant progress as a whole. In general, bank boards are much more likely to discuss cybersecurity risk. They want to learn about it, they want regular updates from bank management and they want to ensure their organizations have good defenses.
In Bank Director’s 2014 Risk Practices Survey, 51 percent of bank directors said cybersecurity was a top concern. In 2017, 85 percent did.
It’s no secret why they are worried. The reality that pretty much every bank is vulnerable has set in. Twenty-six percent of respondents to Bank Director’s 2017 Risk Practices Survey said their bank has experienced a data breach in the last two years.
It’s not just the risk but the difficulty getting a handle on the risk that is so vexing. Cyberattacks, with their constantly changing bad actors and tactics, are difficult to prepare for.
“[Bankers] have spent so much time on credit risk, which they can have an influence on,” Kosiek says. “In the cyber side, they just don’t have all the information.”
The topic is so high up on the board’s agenda, Bank Director digital magazine devoted an entire issue to cybersecurity.
While bank boards fretted over cybersecurity concerns during the last few years, they also had to get ready for one of the biggest accounting changes in decades, CECL, which stands for current expected credit loss standard. Basically, banks must start estimating losses for loans and other assets as soon as they acquire them for the life of the asset. CECL goes into effect for public banks’ fiscal years after Dec. 15, 2019 and for nonpublic banks a year later. Audit committees are overseeing the process.
All these changes are one reason the job of serving on an audit or risk committee is certainly one of the toughest on a bank board. Even as banks have watched their profitability and credit metrics improve in the last few years, the focus on risk coming out of the financial crisis has not gone away. It has only shifted.