The Right Questions for 2024: Cross the Bridge or Walk the Plank?

As the 2024 budgeting process commences, directors may observe results that give them pause as earnings growth misses desired targets. Before reacting, they would serve their banks well by asking a few questions and listening to the responses. Exploring the right questions can help directors shape a view that 2024 is a “bridge year” to the next rate cycle and sunnier days ahead. But if left unexplored, that bridge may turn out to be a precarious plank off an otherwise seaworthy ship in a changing tide.

Question 1: What is normal anymore?
The coronavirus pandemic led to a 30%-plus increase in the money supply via economic relief programs. Paycheck Protection Program lending created a windfall for many community banks in 2020 and 2021. The Federal Open Market Committee shifted to a rate-tightening policy that caused short-term rates to rise at a pace and extent not witnessed since the early 1980s. As intended, the restrictive policy drained liquidity from the financial system, causing deposit costs to rise more quickly than the asset side of the balance sheet could offset.

And here we are, three years later, wondering what “normal” is. Word of advice: Benchmarking budget expectations to the last few years could lead to short-sighted decisions with meaningful longer-term and adverse consequences. View your 2024 budget with situational awareness and realism.

Question 2: What if the predictive average is reality?
The most difficult variable to pin down is the expectation for funding costs. Many banks enjoyed a lag in deposit pricing through 2022, but that lag broke in early 2023. DCG’s predictive deposit model, using an aggregate of all 275 institutions tracked, suggests that if current market rate levels hold, a nonmaturity deposit base’s average cost may increase by 20% over the next year, while balances may erode by 10%. Consider this baseline analysis as an effective challenge when reviewing your institution’s budget forecasts. The budget should tell you the reality you need to hear, not the fiction you may want to hear.

Question 3: What is the full asset cash flow picture?
Based on a sample of fourth quarter 2023 client model results, the typical bank may see average loan yields improve 15% to 20% over the next year if current market rate levels persist. Much of this loan cash flow will likely be redeployed at rates that are 2% higher than the roll-off rate. The same phenomenon exists for bond cash flows.

Undoubtedly, term funding rollover costs will eat into some of that asset yield improvement for the typical bank — but margin improvement should still be achievable until you consider the potential lag in nonmaturity deposit costs and changes in deposit mix. Having a realistic view of that variable will illustrate the growth the bank needs to achieve to meet reasonable profitability targets, as well as whether it should take other measures.

Question 4: Is now the time to push the earnings envelope?
All of this is unfolding at a time when the life cycle of an inverted yield curve may be ending. Historically, inverted yield curves persisted for 12 to 18 months; the current inversion has lasted for 14 months. The Fed’s concern about inflation has caused short-term interest rates to rise well over longer-term rates.

Curve normalization often begins with the Fed easing and lowering rates as the restrictive policy accomplishes its mission, or the market capitulates and buys into the mindset of “higher rates for longer.” We are seeing that now.

But what drove the recessions that followed the inverted curves of the late ’80s, early 2000s and 2008? In each instance, there was a triggering event: the Gulf War, 9/11 and the failure of Lehman Brothers and trouble at Fannie Mae and Freddie Mac. That event may be unfolding now with the devastating situation in the Middle East.

Should your bank lock up longer-term funding to save 100 to 200 basis points now, likely giving it back in years to come? Should it sell bonds at a loss and reposition into higher yields, in hopes of earning it back before loan quality issues potentially reduce regulatory capital levels? Should the bank ease on credit standards, despite evident cracks in asset quality?

Question 5: Bridge year or plank?
There are many reasons for a director to be concerned about 2024 and beyond. How much the board presses management for 2024, if not realistic and careful, could have longer-range implications when no reset button exists. This year is very different — the tide seems to be shifting for rates and asset quality. It may be better to observe this from the safety of a bridge, rather than the end of an unstable plank.

Closing the Gap on Succession Planning

Many boards are confident in their ability to handle the sudden departure of the CEO or a key executive, but they’re less secure when it comes to planning for the long-term future of the organization’s leadership. 

Bank Director’s 2023 Compensation Survey, sponsored by Chartwell Partners, revealed gaps in the effectiveness of long-term succession planning for the CEO. Overall, 82% of responding directors and chairs expressed confidence in the succession plan if a CEO or other key executive were to leave suddenly. Only 63% said the same of the long-term succession plan for the CEO; another 28% said they have no long-term CEO succession plan. Respondents from banks below $500 million in assets were more likely to indicate that their bank lacked a long-term plan for CEO succession.   

Succession planning can be a daunting task that involves hard conversations about retirement and ultimately giving up control of something the CEO has been deeply invested in. Yet, it’s also one of the board’s key responsibilities — and an area where many boards fall short. 

“CEO succession is the No. 1 responsibility of the board of directors,” says Alan Kaplan, founder and CEO of the search firm Kaplan Partners. “It doesn’t matter if it’s public, private or family owned. The charter doesn’t matter. It’s the single most important responsibility as a director, and you better get it right — because if you don’t, you compromise the future of the institution.”

To put together an effective long-term succession plan, directors should ask thoughtful questions about the skills needed, the timeline, whether the board will search internally and externally, and the role of compensation in ensuring a smooth transition. 

The bank’s big picture strategy should inform the profile of the board’s ideal CEO candidate, Kaplan says. Consider whether the bank could enter into new geographies or lines of business, and how much larger or more complex it may become in five years’ time. What skills would be needed of the new CEO on day 1, and what skills could that chief executive develop over time?     

“A lot of our board members will just say, ‘Clone our CEO, they’re great.’ But what got you here doesn’t necessarily get you from where you are today to double or triple that size,” Kaplan says. “In many cases, you need a different set of skills.” 

While the current CEO’s input could be beneficial, the board also shouldn’t leave the job to the chief executive, especially if it feels it’s in the best interests of the bank’s shareholders and community to continue operating. 

“I’ve seen it time and time again: They leave it up to the CEO, the CEO pays lip service to it and all of a sudden, 18 months down the road, you don’t have an heir apparent,” says Laura Hay, lead consultant at Meridian Compensation Partners. 

The board should query the current chief executive about his or her timeline for retirement and potential successors who may already be on the management team. Evaluating the existing bench of talent will give the board a good sense for the organization’s prospects over the next few years. 

As a general rule, the board should begin the succession planning conversation about three years out from the CEO’s expected retirement if they plan to search externally, but two years should suffice if the bank plans to fill the position internally, says Scott Petty, managing partner of the financial services practice at Chartwell. He recommends that boards ask the CEO to report on talent two levels down the organizational chart from his or her own position. The board should review that information annually. 

“There [are] a lot of CEOs that rebuff that, but a board should have a CEO that’s glad to report on the state of the talent base and go down to [level] three in their depth chart, so that the board gets a true sense of what the talent base here looks like,” Petty says. 

A deeper grasp of the bank’s internal talent bench can also aid boards in understanding the cascading effects of succession planning. If an internal candidate is tapped to be the next chief executive, then that candidate would eventually need to be replaced as well.  

For internal candidates, give some thought to what kinds of skills the board wants to see already demonstrated in a potential successor, versus what that person can learn, says Sean O’Neal, a partner with Chartwell. He adds that true leadership skills are often overlooked in favor of candidates who have a history of loan growth. 

“One [quality] that is perhaps not often enough viewed as a must-have, but really should be, is true leadership — the ability to attract and develop a senior leadership team that’s going to be really effective,” he says. “Who can cast a vision, be strategic, and really see around corners and help bring people along? Sometimes that’s not the person you just happen to know really well.”   

The board could also consider the role of compensation in ensuring a successful transition. Hay has seen boards successfully utilize transition bonuses to entice an outgoing executive to stay and help get the incoming executive up to speed. In cases where the board is choosing between two internal candidates, a vesting incentive could encourage an executive who doesn’t ultimately get the chief executive gig to stay on a little longer. 

“Sometimes, emotions run high if you don’t get the job,” Hay says. “Those kinds of awards can be beneficial for slowing people down. They may leave anyway, but at least you get them to pause a little bit and think about it in a way that’s more practical, rather than emotional.”

Clear and consistent communication is critical to the succession planning process. Directors may want to avoid these uncomfortable conversations, but not having a long-term plan in place ultimately threatens the organization’s very existence. 

“As an institution, if you don’t have a succession plan, that limits your options,” Petty says. “Sometimes there are forced sales. Sometimes you get to a place where you have an aged management team and all of a sudden, you hit a market like we’re in now, and you may not be able to set up the bank at a reasonable price for another four or five years. So, you end up cratering the value of your institution.”

O’Neal adds, “It’s just like any business without real leadership: Poor decisions are made, additional key talent will be lost, earnings will suffer. In a variety of ways, businesses can just kind of wither away and no longer be relevant.” 

The board should also hold the chief executive to their timeline for retirement as much as possible. Would-be successors who are left hanging on for a seemingly indefinite period are ripe targets for executive search firms. 

“There are some CEOs that have a successor, and they don’t clearly communicate to the successor about the timeline … and they linger,” Petty says. “Then their successor gets frustrated and starts listening for phone calls.” 

Resources
Bank Director’s 2023 Compensation Survey, sponsored by Chartwell Partners, surveyed 289 independent directors, CEOs, human resources officers and other executives of U.S. banks below $100 billion in assets to understand how they’re addressing talent challenges, succession planning and CEO performance. Compensation data for directors, non-executive chairs and CEOs for fiscal year 2022 was also collected from the proxy statements of 102 public banks. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in March and April 2023.

Bank Director’s Online Training Series includes units on CEO and executive succession planning.

More Banks Use Retention Bonuses to Keep Key Staff

As baby boomers continue to retire from the workforce, bank leaders are increasingly looking to retention bonuses as a means to bridge the gap when key executives ponder retirement.

Almost a third of the board members, CEOs, human resources officers and other executives responding to Bank Director’s 2023 Compensation Survey in March and April say their bank has offered retention bonuses to key staff as an incentive to delay retirement. That represented an increase from 21% who said as much in last year’s survey. Privately held and mutual banks were also significantly more likely to leverage this type of incentive.

Boards can use a retention bonus as a tool to extend the succession planning process. For example, a board might design a package to entice a chief executive to stay four more years, instead of three, to buy a little more time in choosing and preparing that person’s successor.

“It’s usually a good tool for those banks that know they have somebody retiring, they’ve had those conversations, and they don’t want to risk them leaving early,” says Scott Petty, managing partner of the financial institutions practice at Chartwell Partners, which sponsored the Compensation Survey. “They want them to delay to give [the board] enough time. It can take up to six months to figure that out, or maybe even a year.”

There’s not necessarily one right way to design a retention bonus, but there are some best practices for using these tools. And their use should also prompt discussions in the boardroom about the succession planning process.

First, a retention bonus should be significant enough to make it worth that person’s while, says Sean O’Neal, a partner with Chartwell Partners. A good starting point would be half of the executive’s total compensation package. He adds that the bank could pay out that retention bonus in stages — half now and half at retirement, for example.

“Staging it out is an option that needs to be considered versus one lump sum, because all of a sudden, they can just gear their retirement around that one date,” he says.

Publicly held companies, accountable to proxy advisory firms and investors, might consider tying a retention grant to the firm’s financial performance in some way, says Shaun Bisman, principal at Compensation Advisory Partners. This year, the proxy advisory firms Glass Lewis & Co. and Institutional Shareholder Services issued guidance recommending that shareholders vote against executive compensation packages when retention grants were not tied to performance metrics.

“When you make these retention awards, it’s really important to evaluate the impact,” Bisman says. “If you make these awards, are people staying? Are they leaving? Are we achieving the desired outcomes?”

Further down the ranks, some bankers say they have had success using other tools besides retention bonuses. Amy Roberts, chief human resources officer of PeoplesBank in Holyoke, Massachusetts, starts with a conversation with the prospective retiree to understand what that individual really wants. Sometimes, she finds that the employee wants more free time or flexibility, and in some cases, they don’t want to have to wait until full retirement to travel, for instance.

In those instances, Roberts says the $3.8 billion banking subsidiary of PeoplesBancorp, MHC has had some success working out alternative scheduling arrangements for key staff who are nearing retirement. PeoplesBank has also retained some staff as consultants, particularly when there’s a project involved that would benefit from that staffer’s continued expertise.

It’s unclear whether more banks will decide to employ retention bonuses in the year ahead. The murky economic forecast, as well as pressure by shareholders, could mean that larger, publicly traded companies think twice about awarding retention bonuses, as they have done this year, Bisman says.

On the other hand, the U.S. workforce is graying more broadly, as baby boomers — a generation that spans roughly 20 years — continue to retire. Petty and O’Neal have both seen more chief executives notify their boards of their intent to retire earlier than 65; these CEOs have enough money to retire earlier than anticipated, and some simply don’t want to stick around for the next downturn.

Some key roles could also be more affected by coming retirements than others, depending on the skill set required of the job, says O’Neal, particularly for the CFO or technical leadership roles in compliance and information technology.

In a perfect world, the board would never be caught off guard when a valued executive signals their intent to retire by a certain date, and they would generally have one or two candidates in line for the position. While the board may be only responsible for hiring the CEO, Petty says boards should also confer with the CEO about the rest of the executive team and what their timeline for retirement could look like.

Ultimately, if an employee really wants to leave, there may not be much the bank can do to persuade them to stay. A bonus only has so much allure if retirement is what an individual ultimately wants.

“I definitely don’t want to be in a position where I’m not ready [with a next-in-line candidate], so I’m trying to force this person to stick around,” Roberts says. “That’s not fair to them.”

Talent issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.

Assessing Risk Management Readiness

As recent events have shown, even large, sophisticated banks can fail. These failures have been the result of risks which generally are managed within bank treasury groups: market and liquidity risks. For these banks, decreased market values of high-quality assets, paired with excessive levels of uninsured deposits, was a fatal combination.

There are a number of proactive tangible steps that boards and management teams can take to evaluate and enhance their institutions’ current market and liquidity risk management practices, beyond first-tier risk management.

Let’s start with measurement. Virtually all banks calculate base case balance sheet interest rate and liquidity risks. They need to measure the short-term effects on net interest income, along with the effect on market values in both rising and falling rate scenarios. They should particularly scrutinize portfolios that require behavioral assumptions for cash flows: non-maturity deposits, loan commitment facilities and mortgage-based assets.

This is where banks frequently fall short: They do not create sufficiently stressed scenarios. They view extremely stressed scenarios as implausible — but implausible scenarios do occur, as demonstrated by the pandemic-driven economic shutdown. And yet, considering every possible extreme scenario will lead to scenario exhaustion and balance sheet immobilization.

What to do? One approach is to reverse the process and ask, “Where are potential exposures that could hurt us in an adverse scenario?” Use large, rapid movements up and down in interest rates, changes in yield curve shape like inversion or bowing, customer actions that drain liquidity, and market situations which affect hedge market liquidity and valuations. These scenarios create stresses based on known relationships between market events and balance sheet responses along with the effects of uncertain customer behavioral responses in these environments.

From these scenarios, the bank would know the market value and net interest income effects on investments, loans and known maturity liabilities. On non-maturity deposits and undrawn amounts in committed loan facilities, the bank must rely on assumptions of how these items would behave in various scenarios. One starting place for setting these assumptions is the outflow rates provided in the liquidity coverage ratio rules, which can be used for base assumptions, followed by scenarios with variations around these starting levels of outflow.

Measurement may be the most straightforward element of managing balance sheet risks. Once the bank puts measurements in place, it must communicate, acknowledge and act on them. Each of these elements presents an opportunity for breakdown that executives should evaluate.

Effective communication is the responsibility of both treasury and risk management teams. In normal operating times, treasury develops information and risk management challenges this information. Risk management must then interpret the results for executives and the board. This interpretation role is useful in normal operating environments, but critical in stressed environments; risk management amplifies treasury’s message to ensure timely and appropriate actions.

Effective balance sheet risk communication must be accurate and timely. These communications include two critical components:

  • They are layered. The first layer shows the status of compliance with policy limits. The second layer provides a narrative of the current balance sheet situation, operating environment, projected earnings and range of potential risks. Unfortunately, the second layer often is presented as a compendium of everything that has been calculated and analyzed — but this compendium of information should occur in a third reference layer.
  • They are designed for the intended audience. Asset/liability committee, executive management and the board each should be receiving a different form of communication that aligns with their decision-making role.

Acknowledgement and action both must occur outside of the treasury group. Executive management and the board must absorb the risk situation and act accordingly. There is one word that captures the likelihood that a bank will effectively acknowledge and act on a risk situation: culture. An effective risk culture is one where all parties strive to optimize returns within agreed risk parameters while looking to eliminate or mitigate risks where possible.

There are signposts of effective risk management that a bank can evaluate and act on now. Management teams and the board should be looking at their current risk management practices and determine:

  • Are the measurements correct?
  • Is the information on risks communicated in ways that are digestible by each intended audience?
  • Are policy limits comprehensive and aligned with risk levels required to support business activities?
  • Do risk management groups have unfettered access to all information, as well as regular interactions with key board members?
  • Is everyone working collaboratively towards optimizing long-term risk adjusted returns?

If the answers to all these questions are “yes,” then the risk management function seems to be effective. If not “yes,” use the markers described above as starting guidance on moving toward effective risk management.

Curious About Cannabis

As the smoke clears around banking the marijuana industry, more banks are exploring its potential to drive deposits and revenue, according to Bank Director’s 2023 Risk Survey.

While few banks actively count marijuana businesses as customers, 43% of the bank executives and board members responding to Bank Director’s survey in January indicated their bank had discussed working with those businesses. That interest represents an uptick compared to the survey in 2021, when 34% said their bank’s leadership had discussed potential opportunities or risks. 

Though it is still illegal on a federal level, marijuana has been legalized for recreational and medical use in 22 states and Washington, D.C. and approved for medical use only in 16 states, according to an analysis by CNN. In Bank Director’s survey, 36% said their bank was headquartered in a state where marijuana was fully legal; another 35% said marijuana was approved for medicinal use only. 

Expanding legalization plays a hand in banks’ growing interest in providing financial services to this industry, as does its growth outlook. The cannabis data firm BDSA projects legal cannabis sales in the U.S. to grow at a compound annual growth rate of roughly 11%, increasing from $26.2 billion in 2022 to $44.6 billion in 2027. 

“You look at a typical community bank board, and you have lots of entrepreneurs and real estate developers,” says Tony Repanich, CEO of Shield Compliance, a compliance platform focused on helping financial institutions bank cannabis. “They are seeing what’s going on in the industry, and they’re asking management, ‘Should we be considering this?’” 

As the cannabis industry matures and regulatory expectations become more clear, best practices have evolved around working with those and other high-risk businesses. Banks will need to invest more in staffing, expertise and technology, and enhance existing policies and procedures, says Joseph Silvia, an attorney at Dickinson Wright.  

“A lot of the risk that banks are looking at is much less about cannabis and more about the fundamental compliance, BSA [Bank Secrecy Act] or risk management components,” Silvia says. “It’s less that cannabis is high risk and more that we need to have these systems, reporting, compliance staff expertise, and so forth. It doesn’t really matter whether it’s cannabis or money services businesses, money transmitters or virtual currency.” 

In 2014, the Financial Crimes Enforcement Network (FinCEN) issued guidance intended to clarify customer due diligence and reporting requirements for banks interested in serving marijuana-related businesses. But as more financial institutions have begun banking cannabis businesses and successfully passing regulatory examination cycles, that’s provided an added level of assurance that bankers who are meeting all of their reporting requirements are not going to get dinged simply for banking a high-risk business, says Paul Dunford, cofounder and vice president of knowledge at Green Check Verified, a technology provider focused on the cannabis sector.  

“In the world that we live in, cannabis banking is based on precedent,” Dunford says. “Every year you see more and more financial institutions willing to express an interest because it’s been happening for a while. We hear stories about people banking cannabis, and people are not getting their charters revoked. The horror stories are not coming true.” 

Broadly speaking, banks serving the cannabis industry tend to stick to offering deposit products to those customers. Far fewer have gotten comfortable actually lending to cannabis businesses, in large part because the industry lacks accepted underwriting standards and banks cannot collateralize a controlled substance, Dunford says. But those banks that do lend to cannabis businesses can usually command higher interest rates on the loans.  

“We see good fee income associated with these accounts,” Repanich says, noting that mortgage income has declined as interest rates have increased, and non-sufficient funds and overdraft fees are under pressure by regulators like the Consumer Financial Protection Bureau. “Some of our banks are providing loan facilities to the industry, and they’re usually getting a better than average yield.”

Directors and executives contemplating whether cannabis might complement their bank’s business model should weigh the risks and benefits, and clearly define the geographic area they’re willing to serve, Silvia says. They should also consider exactly what services their bank will and will not provide; some banks are not comfortable offering wire services, for example. It’s also important to get buy-in from the compliance staff who would be handling the day-to-day operations associated with those accounts.  

“It’s very difficult to dip your toe in one of these higher risk areas,” says Silvia. “You either jump in head first, or you stay out because the cost of putting together the risk management is not insubstantial.”  

Does Your Board Need More Cyber Expertise?

Despite continued and growing anxiety around cybersecurity, boards have long struggled to understand the intricacies of the bank’s security efforts. Instead, they have often left it to the technology and security experts within the institution. But with increased scrutiny from regulators, a shift toward proactive oversight at the board level may be in the works.

According to Bank Director’s 2023 Risk Survey, 89% of bank executives and board members reported in January that their institution conducted a cybersecurity assessment in 2021-22. In response to that assessment, 46% said that the board had increased or planned to increase its oversight of cybersecurity moving forward.

Ideally, that could have the board taking an active oversight role by asking pointed questions about the threats facing the organization and how it would respond in various scenarios. In order to do that, boards could look to add cybersecurity experts to their membership.

For public banks, a requirement to make known the cybersecurity expertise on the board is expected to go into effect soon. The Securities and Exchange Commission announced last year that public companies would need to disclose which board members have cybersecurity expertise, with details about the director’s prior work experience and relevant background information, such as certifications or other experience. The SEC adds that cyber expertise on the board doesn’t decrease the responsibilities or liabilities of the remaining directors. The proposed rules, which also include expectations around disclosing cyber incidents, were first expected to go into effect in April 2023.

The demand for cyber expertise in the boardroom “will eventually trickle down to all community banks,” predicts Joe Oleksak, a partner focused on cybersecurity at the business advisory firm Plante Moran. “Very few [people] have that very specific cybersecurity experience,” he continues. “It’s often confused with technology experience.”

Last year, Bank Director’s 2022 Governance Best Practices Survey found 72% of directors and CEOs indicating a need for more board-level training about cybersecurity. The previous year, 45% reported that at least one board member had cyber expertise.

Often, bank boards seek cyber expertise by adding new directors with that particular skill set; other times, a board member may take ownership over the space and learn how to oversee it. Both approaches come with significant hurdles. An existing board member may not have the extra time required to become the board’s de facto cyber expert. An in-demand outsider may not be willing to financially commit to the bank; board members are typically subject to ownership requirements.

Boards rely on information from the bank’s executives as part of the deliberation process. It’s common for directors to trust the chief technology officer, chief security officer or the chief information security officer to provide updates on cyber threats and tactics. But understanding the incentives and expertise of the executive would ensure that directors understand the value of the information they receive, says Craig Sanders, a partner of the accounting firm Moss Adams, which sponsored the Risk Survey.

Boards leaning on their CSO, for instance, need to understand that these officers solely focus on broad defense of the institution, which includes both physical and digital protection of the bank. The CISO, on the other hand, homes in on securing data. Meanwhile, the CTO should have a broad understanding of cybersecurity, but likely will not be able to dig into the weeds as they’re primarily focused on the bank’s technology.

A third party can help fill in the gaps for the board.

“If you have someone coming in that has seen hundreds of institutions, then you get a better lens,” says Sanders. An outside advisor can educate directors about common security threats based on what’s happening at other institutions. A third party can also provide an external point of view.

Some, however, hesitate in suggesting that a board should seek to add a cyber expert to its membership. “It’s going to taint your board or what the purpose of your board is,” says Joshua Sitta, co-founder and CISO at the cybersecurity advisor Sittadel. “I think you’re going to have a voice driving [the board] toward risk management.”

Sitta explains that those focused on cybersecurity will push for more security. But a board’s role is oversight, governance and providing a sounding board to executive management to keep the bank safe, sound and growing. Having cyber talent at the board level could discourage growth opportunities for fear that any new initiative could pressure security efforts.

Banks should ensure they’re protected against large breaches of critical data, says Sitta, but should avoid complete protection that has them investing to prevent every breach or fraud alert, no matter how insignificant. Understanding what’s a reasonable concern is important for the board to grasp. But cybersecurity experts within the company or advising the board should simply “inform” the board, according to Sitta. With that information, the board can then assess whether the bank has the risk appetite to add a debated service or investment.

Many boards, though, might not have a full awareness of the level of attacks the bank faces. In Bank Director’s 2022 Risk Survey, conducted last year, board members and executives were asked if their bank experienced a data breach or ransomware attack in 2020-21, with 93% noting that they had not. This could indicate that board members and top executives aren’t fully aware of the threats their bank faces on a daily basis, or that they could weather a threat soon.

“They get into a false sense [of security],” says Sanders. “Everyone is going to have some kind of disclosure. Assessing the program and making changes once a year probably isn’t sufficient.”

While 71% of respondents in last year’s Risk Survey said their board was apprised of deficiencies in the bank’s cybersecurity risk program, less than half — 42% — reported that their board reviewed detailed metrics or scorecards that outlined cyber incidents, and 35% used data and relevant metrics to facilitate strategic decisions and monitor cyber risk.

The lack of awareness of a threat or breach could give the board a sense of ease. But this could hold the bank back from making the shifts needed to protect from the largest attacks. Further, a board that remains unaware of the true rates of incidents could underestimate the imperative to build or adjust a cyber response.

Another factor that boards must consider is how they have long prioritized cybersecurity.

“A lot of smaller organizations view cybersecurity as a cost center,” says Oleksak. The 2023 Risk Survey found that banks budget a median $250,000 for cybersecurity, ranging from $125,000 reported for the smallest institutions to $3 million for banks above $10 billion in assets. “It’s like insurance. You understand that it’s not a revenue generation center, [but] ignoring it can significantly affect the organization.”

Resources
Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, surveyed 212 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including interest rate risk, credit and cybersecurity. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in January 2023.

Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner, surveyed 234 independent directors and CEOs of U.S. banks below $100 billion in assets to explore governance practices, board culture, committee structure and ESG oversight. The survey was conducted in February and March 2022.

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago, June 12-14, 2023.

Boardroom Battle

The following feature appeared in the second quarter 2023 edition of Bank Director magazine. It and other stories are available to magazine subscribers and members of Bank Director’s Bank Services Membership Program.

Few banks can tout a success story as enviable as Cherry Hill, New Jersey-based Commerce Bancorp.

Anyone who invested in Commerce back in 1973, when Vernon Hill II founded the bank, saw their investment grow 470 times by 2007, when the bank sold to TD Bank Financial Group, he says. “The 34-year annual return to our shareholders was 23% a year. … If you look at the growth numbers of Commerce, there was nobody even close to it.” The bank went from a single location with just nine employees to almost $50 billion in assets, more than 12,000 employees and 470 branches — or stores, as Hill calls them.

It accomplished this by focusing on growth, at a rate of $18 million in deposits annually, according to Hill. A “Philadelphia” magazine article from 2006, titled “Vernon the Barbarian,” described Hill rallying his troops — the thousands of bank employees attending the company’s “Wow” awards, which gave out honors such as “Best Teller.” With employees cheering him on, he told the crowd, “Most of you know that each year, we go and save another part of America that’s not served by Commerce.” A Lehman Brothers analyst covering the bank at the time likened its expansion to “the Mongolian horde coming across the plains, threatening the Roman Empire.”

Commerce won so many customer accounts because it focused on taking a retail approach to banking, offering a high level of service. Billed as “America’s Most Convenient Bank,” Commerce branches were open seven days a week. They welcomed dogs in branches and gave out dog biscuits. And Hill isn’t a cost-cutter — he likes his branches to be well designed, in the best locations and stocked with free pens that advertise the bank. Hill boasts that Commerce gave away 28 million pens a month to anyone who came in the branch.

But the years since have been fraught with trouble. Described as the “greatest retail banker of our lifetime,” Hill has been embroiled in lawsuits, a boardroom battle, regulatory actions and activist campaigns. Hill hasn’t been able to create the same magic since, and shareholders have suffered.

In 2007, Hill lost his job at Commerce under pressure from the Office of the Comptroller of the Currency, according to a Securities and Exchange Commission filing. Hill had used a real estate firm he owned with family members to scout locations for Commerce branches; his wife’s design firm, InterArch, was contracted for the company’s design and branding. The OCC placed restrictions on related-party transactions that would have prolonged the branch application process.

Months later, TD announced that it would acquire Commerce in an $8.5 billion transaction. The deal was an important step in the Canadian bank’s own growth in the U.S., doubling its U.S. footprint. TD kept the “America’s Most Convenient Bank” slogan, which it uses to this day.

As an investor with more than 6 million Commerce shares, Hill had done well for himself. But after more than three decades running a bank, he suddenly had nothing to do. “I couldn’t work for somebody else,” he tells me. So in 2008, Hill invested in sleepy little Republic First Bancorp, a small competitor to Commerce that at the time had less than $1 billion in assets and a handful of branches primarily centered around its headquarters in Philadelphia. He began acting as an advisor to the bank’s leaders, including then-CEO and founder Harry Madonna. Then two years later, in 2010, he crossed the pond to found Metro Bank in the U.K., leveraging the same model that made Commerce a success.

At Metro Bank, the stock saw steady growth from its 2016 IPO before going into a free fall in the latter half of 2018; it hasn’t recovered. Republic’s stock has also been beleaguered. Back in the Commerce days, Hill’s customer-friendly, growth-focused approach was revolutionary. His friend, longtime bank investor Tom Brown, is the one who describes him as the “greatest retail banker of our lifetime.” But even he admits Hill can have a difficult personality.

David Slackman, a former Commerce executive, believes Hill is often misunderstood. “Vernon is extremely confident in the model and extremely confident in his ability to be successful with it, and can therefore sometimes come across as seeming inflexible,” he says. He describes Hill as an exact but supportive and loyal boss who ended conversations with his top officers by saying, “Don’t do anything stupid.” That was a warning not to stray away from the Commerce model, Slackman recalls.

“My personality is strong,” Hill says. Commerce was frequently compared to Apple back in the day, which was run by another passionate business leader, Steve Jobs. It’s clear — from talking to Hill, reading his books and digging into his banks — that he’s committed to his approach to banking.

But relationships devolved at Republic over the years. Madonna says Hill — who eventually became CEO before resigning 18 months later — held his bank hostage due to a perfect split in the boardroom: three directors backing Hill, and four backing Madonna. Madonna says Hill operated without effective board oversight due to the division in the boardroom.

But in a lawsuit filed against Republic and Madonna’s faction of directors, Hill and former director Barry Spevak contend that it was Madonna’s group that had the board deadlocked, with Hill’s directors “intentionally and systematically prevented” from participating in board deliberations.

Back before that became an issue, in 2008, Republic needed capital, and it needed a new direction. Like many banks in the financial crisis, Republic had experienced losses in its loan portfolio, says Frank Schiraldi, a managing director and senior research analyst at Piper Sandler & Co. “Vernon came along as really a savior,” he explains. Hill says he invested $6 million. “With [Hill] now being a large owner, he had the opportunity to push his old Commerce strategy as sort of a reboot. And initially, it was very well received.” Madonna describes Republic in those days as a “garden-variety community bank.” He says Hill persuaded him to turn Republic into a “deposit-driven organization” with an expanded branch footprint. Hill’s ownership gained him the right to designate a board member, Theodore Flocco Jr. — a former senior audit partner at Ernst & Young who had advised Commerce, and someone Hill considered a friend.

“When I invested in Republic, they were a broken bank, troubled. They needed capital, they needed [our] model, they needed people,” says Hill. “I came in and invested on the terms that I would install — with their approval — what we call ‘The Power of Red.’” Hill’s branding campaign eventually included a big red ‘R’ for Republic; Commerce had a similar big red ‘C.’

“It was an opportunity for me to invest and use the Commerce model to expand Republic and serve the same markets we had served at Commerce,” he says. But, “it’s harder to convert something than it is to build it from scratch.”

Meanwhile, Madonna was still running Republic while Hill was in London recreating the old Commerce model from the ground up at Metro Bank. And he was doing that with Shirley Hill, his wife and “branding queen” who owned the firm InterArch, responsible for branding, marketing and design at Hill’s banks — Commerce, Republic and Metro.

Hill describes his wife’s involvement as a whole package adding value, similar to the way Apple designs its products and experience. “She does architecture, construction, marketing and branding. And the value of that is not one branch. It’s all united together,” explains Hill. Metro paid InterArch over £20 million over the five-year period preceding the Hills’ departure in 2019, according to the bank’s annual reports.

“Everybody knows we have to get third-party reviews on the pricing,” Hill says of the InterArch relationship, something that occurred at both banks.

Hill stresses that InterArch was worth every penny and just as important to his banking model as his dog, Sir Duffield II, or Duffy — a Yorkshire terrier who has featured heavily in promotions for Republic and Metro. “My dog’s more well known than me,” Hill jokes. At Metro, Duffy joined the Hills in welcoming customers — and their dogs — at the bank’s grand openings. A Duffy float made its way through London parades. The Yorkie even had a column in the bank’s newsletter, and a Twitter account featuring him visiting bank branches and dining with Ann Coulter. “Everybody knows Duffy; he goes everywhere,” says Hill. The dog-friendly branches also appealed to customers, he says. “The customers take that to mean, ‘If you love my dog, you must love me.’”

It was the original Sir Duffield, visiting a competing bank’s branch with Shirley Hill in 2001, who inspired Vernon Hill’s dog-friendly approach. She was stopped at the front door and told that her pup wasn’t allowed. Hill decided being open to dogs was another way to disrupt banking and set his banks apart.

Despite the known issues around related-party transactions, Republic offered Hill the chair role in 2016, ramping up his involvement with the bank. “We were very aware of his relationship,” says Madonna. “Consultants were brought in to look at the contracts, to make sure they were fair market value, and that things were done in accordance with laws and regulations, and that they were in the best interest of the bank.” InterArch billed Republic $2.2 million for marketing, design and similar services from 2019 through 2021, according to an SEC filing.

Charles Elson, founding director of the Weinberg Center for Corporate Governance at the University of Delaware, sees a huge conflict for any public company doing business with a spouse or family member of a CEO or director — even if all parties appear satisfied with the arrangement. “You’re going to face all kinds of accusations of unfair dealing,” he says. “I can’t imagine a board being counseled that it was OK to do that. That’s strange.”

But while Hill was chairman, he was still spending most of his time in Europe building Metro Bank, according to Madonna. That changed in 2019, with Hill’s resignation from the U.K. bank after Metro disclosed that it had misclassified commercial loans, leading to a £900 million increase in risk-weighted assets. Put simply, Metro classified those loans as less risky than regulators thought they were; riskier loans require more capital.

Metro Bank shares dropped precipitously when the bank disclosed the issues in January and continued to fall through the year. The stock peaked at more than £40 in March 2018; it was valued at less than £1.50 as of Feb. 28, 2023, on the heels of Brexit and the Covid-19 pandemic. Shareholders began calling for Hill’s resignation; he stepped down as Metro’s chairman in October 2019, and resigned from the board by the end of the year — along with Metro CEO Craig Donaldson, who’d run the bank by Hill’s side since its founding in 2010. “It was a misinterpretation of the rules,” Donaldson told Bloomberg at the time, calling it an “isolated incident” that the bank was seeking to rectify.

Issues with the bank’s regulators took years to resolve, and included a £5.4 million penalty to the Prudential Regulation Authority and a £10 million fine to the Financial Conduct Authority.

“What happened in London really didn’t involve me,” Hill says. “Their capital system [in the U.K.] is way different than ours; there was nothing about our model.”

Following his departure from Metro, Hill became increasingly involved in day-to-day operations and decision-making at Republic. “He really was trying even harder to prove that what he was doing [at] Metro Bank was right and not wrong, and he doubled down on pushing for more and more deposits that we couldn’t put to use,” Madonna says. “That’s when it turned hostile.”

The Paycheck Protection Program — in many ways a boon to community banks in 2020 — revealed divides in the Republic boardroom. Madonna says he and some of the other directors wanted to use the influx in deposits from PPP loan customers to return expensive government funding, reducing the bank’s costs and improving its loan-to-deposit ratio. “Instead, [Hill] went out and purchased a lot of long-term, mortgage-backed securities” at low interest rates, Madonna says. Loans were already a low percentage of the bank’s assets compared to peer institutions, due to Hill’s preference to leverage securities.

Much like institutions with long-term, low rate bonds and securities on the books, Republic First was negatively affected when the Federal Reserve began its series of inflation-fighting interest rate increases in early 2022. Republic’s accumulated other comprehensive income, influenced by bond prices, amounted to a negative $148 million as of Dec. 31, 2022, according to S&P Global Market Intelligence; securities accounted for 43% of the bank’s assets.

“When you have a lot of low-cost deposits, you look at ways to invest it. Sometimes you make loans; sometimes you buy bonds,” says Hill. The bank couldn’t safely grow loans as fast as it could grow deposits; he favored government mortgage-backed securities as an alternative to loan generation. “When you have excess funding, what do you do with it? In the current environment, buying government mortgage-backed securities is the best way,” Hill says.

The AOCI effects plaguing many banks are more pronounced at Republic due to its model, says Schiraldi.

Beyond the bank’s securities portfolio, Hill wanted to build expensive, $7 million branches, according to Madonna — significantly more expensive than the average branch cost of $1.8 million, per a 2019 survey by the consulting firm Bancography.

But Hill has a different view. “The retailers that win in life are the ones that have the highest sales per store,” Hill says, adding that deposits per branch at Republic were “extremely high.” Deposits were growing, he adds, by around $30 million a year per branch. In its 2021 annual report, Republic reported deposit growth over the prior three years at an average 30% annually.

But profitability metrics had been abysmally low for years and didn’t appear to be improving. In Bank Director’s annual performance rankings dating back to 2015 — the year before Hill became chairman — Republic has appeared toward the bottom of its peer group year after year.

Up until 2020, Madonna says the board was collegial. But some directors, including Madonna, were beginning to believe that Hill’s strategy wasn’t working. “It was our fiduciary obligation to periodically look at what the strategic alternatives were for the bank,” Madonna says. Hill alleges that the group wanted to sell the bank, something he vehemently opposed. Madonna says while this option wasn’t off the table, they weren’t seeking a buyer. But Madonna’s group of board members was growing skeptical of what he calls “extremely optimistic” forecasts put forth by Hill. “It was just growth, growth, growth,” says Madonna. “He had three directors that no matter what he said, they put their hands up and said, ‘Yes.’”

“The board meetings became poisonous,” he adds. Madonna describes deliberations as “personal and hostile.”

Directors felt they couldn’t ask questions, he says, claiming that Hill would leave the meeting or refuse to answer. “[H]e wasn’t a person who knew how to discuss things in a reasonable manner. He had his model, and everything had to fit his model.” Directors received the agenda the day before meetings, Madonna alleges.

Hill sees things differently, telling me that directors were prepared and involved. “We were active in moving our business plan along; we had multi-year plans,” he says. Directors may have debated and even disagreed on matters, but Hill characterizes meetings as “generally OK.”

But Madonna says that by February 2021, he had had enough — so, he stepped down as CEO and handed the reins to Hill.

Why make Hill CEO? Madonna says he was fed up with management receiving two sets of instructions, one from Hill and the other from Madonna. “You can’t run a bank that way,” says Madonna. “I said, ‘Hey, you want to run it, you run it.’” Madonna remained president and chairman emeritus of the holding company board.

Investors had noted Republic’s woes. Driver Management Co. — no stranger to running activist campaigns at community banks — had started purchasing the stock in October 2021. “We focus on banks where there is value that needs to be unlocked,” says Abbott Cooper, Driver’s founder and managing member.

Through 2022, the bank’s total shareholder return from 2016 — when Hill was elected chair — was down 50.3%, according to Schiraldi. Driver was soon joined by another investor group intent on pushing Hill out, led by George Norcross III, Gregory Braca and Philip Norcross. Both George Norcross and Braca worked under Hill back in the Commerce days. George led the bank’s insurance brokerage and served on the company’s board. Braca stayed with TD following the acquisition, eventually becoming CEO of TD’s U.S. operations.

Braca and the Norcross brothers — both influential in New Jersey politics — saw a struggling bank in a familiar footprint: Pennsylvania, New Jersey and New York. “With the right leadership, the right oversight and governance, the right strategy, this could be a winning organization,” says Braca. Like Driver, the Norcross brothers and Braca wanted Hill out — but they wanted Braca in as CEO.

As the Norcrosses and Braca escalated their campaign, the division in the boardroom became public. Madonna — with fellow board members Andrew Cohen, Lisa Jacobs and Harris Wildstein — issued a press release in March 2022, stating their concerns about “potential harmful actions” by the other half of the board. They asked that several proposals be tabled until after the 2022 annual shareholder meeting, including agreements around services provided by Shirley Hill’s firm, InterArch; the opening and renovation of new branches; and augmented severance payments connected to Hill’s service on the board and as CEO.

In the defamation lawsuit filed against Republic and Madonna’s faction, Hill and Spevak called the accusations levied by that group “knowingly false and defamatory,” noting that the board had approved the contract for InterArch year after year and that the opening of two new branches had been authorized years earlier.

As Elson points out, it’s hard for a board to get anything done when it’s split evenly between two factions.

Republic’s annual meeting, last held in April 2021, had been postponed. But the stalemate broke on May 11, 2022, with the death of Flocco, the board member and Hill’s longtime friend. Just two days later, the Madonna majority appointed Madonna as interim chairman; Hill remained CEO and a member of the board. The battle wasn’t over — litigation followed, with the directors suing each other — but Flocco’s death spelled the beginning of the end for Vernon Hill’s tenure at Republic. Legal issues that stalled Madonna’s re-appointment as chairman were resolved in late June, favoring the Madonna faction. Hill stepped down as CEO, and the directors who had voted with Hill left the board.

Tom Geisel, the former CEO of Sun Bancorp and executive at Webster Financial Corp., was named CEO by the end of the year. Madonna says the company now aims to slow the growth, restructure the balance sheet and rein in costs.

But things remain unsettled at Republic. Driver resolved its activist campaign with the appointment of former Texas Capital Bancshares executive Peter Bartholow to the now seven-member Republic board. Late in 2022, Hill sued Republic over the continued use of the branding elements developed by InterArch for the bank, some of which featured Hill and Duffy. Madonna tells me Republic has moved away from Hill’s marketing style — though the big red ‘R’ remains.

And the Norcrosses and Braca still want a seat at the table. As of Feb. 27, 2023, the group proposed purchasing $100 million in stock, with board seats commensurate with its stake in the bank. But they’re willing to wait and see how Geisel performs as CEO. “You can’t just blame Vernon … at least he had a growth strategy,” says Braca. “Before [Hill], this was a sleepy little bank that had basically no growth.” He blames the legacy board, and questions whether Geisel will be empowered to effectively raise capital and turn the bank around, citing the lingering issues with Republic’s bond portfolio. “It’s a troubled situation, and it’s exactly why another bank can’t buy this place, because of the mark-to-market issues on that bond portfolio,” he says. “This was a board that oversaw a strategy that said, ‘We’re going to increase our costs and expenses, [and] raise deposits at a premium to what everyone else was paying at the time, which was nearly nothing.’ This was a board that oversaw all this.”

The bank still hadn’t held an annual meeting when this issue went to press, and it’s playing catch-up on its quarterly filings. Nasdaq has threatened to delist the stock as a result. On March 10, Republic announced a $125 million investment from a group that includes Castle Creek Capital; the asset manager will have the right to appoint a director.

And the board division has taken its toll on investors. Those include Hill, who owned almost 10% of the stock in March, and Madonna, but they also include smaller owners who truly believed in Hill’s vision. In the bank’s first quarter 2021 earnings call, a shareholder recalled a personal connection with Commerce. “Vernon, from the beginning, my mother used to work for you … I’ve been in the bank a long time. I’ve lost a lot of money.”

Why the Duty of Cybersecurity is the Next Evolution for Fiduciary Duties

Bank directors know they can be personally liable for breaches of their fiduciary duties.

Through cases like In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), Stone v. Ritter, 911 A.2d 362 (Del. 2006), and Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), Delaware courts have held boards responsible for failing to implement systems to monitor, oversee and ensure compliance with the law.

Recently, the Delaware Court of Chancery formally expanded those rules in In re McDonald’s Corporation Stockholder Derivative Litigation, Del. Ch. C.A. No. 2021-0324-JTL. The ruling established that the fiduciary duties of the officers of a Delaware corporation include a duty of oversight that is comparable to the responsibility of directors. These cases make clear that when the duty of oversight meets with the immense cybersecurity responsibilities of financial institutions, a duty of cybersecurity is added to the fiduciary responsibilities of directors and officers.

The lawsuit by 25 former McDonald’s employees alleged that corporate executives failed to address systemic harassment, leading to a hostile work environment. Because the court allowed claims of failure to oversee and monitor to go forward against the officers in that case, all corporate executives are now forced to take a leadership role in monitoring and addressing company-wide issues.

Given prior rulings in Delaware courts concerning the duty of oversight and officer fiduciary duties, the McDonald’s decision reiterates the importance of implementing robust compliance programs. It also clarifies that officers and directors must actively address compliance.

Cybersecurity is paramount among the myriad compliance issues that all corporate officers and directors must address. For example, in 2019, in In re Google Inc. Shareholder Derivative Litigation, the proceedings against Google’s parent company involved claims that the company’s board of directors and officers failed to discharge their oversight duties related to the 2018 Google+ security vulnerability. That suit settled for $7.5 million and the company agreed to implement significant governance reforms to address data privacy issues. Similarly, in In re Yahoo! Inc. Shareholder Derivative Litigation, multiple cybersecurity breaches between 2013 and 2016 led to a shareholder derivative lawsuit, which settled for $29 million in 2019.

And, in the past year, multiple financial institutions, including Wells Fargo & Co., JPMorgan Chase & Co., and Bank of America Corp., faced lawsuits also seeking to hold their officers and directors personally liable for, amongst other things, failing to:

1. Protect customer data adequately.
2. Oversee the bank’s cybersecurity practices.
3. Prevent data breaches that exposed customer personal information.

In these cases, and many others, cybersecurity and data breaches have caused reputational damage for officers and directors and damaged the corporation’s relationships with customers and partners. In addition, these corporate leaders risk:

• Breach of fiduciary duty claims. If directors or officers do not take reasonable steps to protect the corporation from a data breach, they risk breaching their fiduciary duties and could be held personally liable for the damages caused by the breach.
• Accusations of negligence. Directors and officers can be accused of negligence for failing to implement appropriate security measures, train employees on cybersecurity best practices and respond to a breach in a timely and effective manner.
• Criminal prosecution. If directors and officers intentionally or recklessly cause a breach or fail to report it to the authorities, they may face criminal prosecution.
• Regulatory penalties. Government or financial regulators can impose significant fines for cybersecurity failures.

And, just as the risks for directors and officers explode, they face an insurance whipsaw. First, directors’ and officers’ (D&O) insurance policies may include specific exclusions for cyber-related claims or require separate cyber insurance to cover these risks. Next, increased personal exposure for officers and directors will increase the likelihood of facing lawsuits, increasing the premiums for D&O insurance. To protect themselves, directors and officers should insist on increased corporate governance protection, including:

• The prioritization by boards of cybersecurity and data privacy as crucial risk management areas, including putting proper reporting and monitoring systems into place.
• Requiring directors and officers to actively understand the evolving landscape of cybersecurity and data privacy risks and regulations.
• Corporate investment in appropriate cybersecurity measures and employee training to minimize the risk of data breaches as well as the associated legal and reputational risks.

To mitigate their risk of personal liability, corporate officers and directors must understand, implement and monitor the cybersecurity safeguards their financial institutions need. And, the courts have sent a clear message to bank directors and officers: To discharge your duty of cybersecurity, you must actively oversee and monitor institutional cybersecurity and data privacy programs.