The Opposite of Blissfully Unaware

There’s been an increasingly common refrain from bank executives as the United States moves into the second half of 2022: Risk and uncertainty are increasing.

For now, things are good: Credit quality is strong, consumer spending is robust and loan pipelines are healthy. But all that could change.

The president and chief operating officer of The Goldman Sachs Group, John Waldron, called it “among — if not the most — complex, dynamic environments” he’s seen in his career. And Jamie Dimon, chair and CEO of JPMorgan Chase & Co., changed his economic forecast from “big storm clouds” on the horizon to “a hurricane” in remarks he gave on June 1. While he doesn’t know if the impact will be a “minor one or Superstorm Sandy,” the bank is “bracing” itself and planning to be “very conservative” with its balance sheet.

Bankers are also pulling forward their expectations of when the next recession will come, according to a sentiment survey conducted at the end of May by the investment bank Hovde Group. In the first survey, conducted at the end of March, about 9% of executives expected a recession by the end of 2022 and 26.6% expected a recession by the end of June 2023. Sixty days later, nearly 23% expect a recession by the end of 2022 and almost 51% expect one by the end of June 2023.

“More than 75% of the [regional and community bank management teams] we surveyed [believe] we will be in a recession in the next 12 months,” wrote lead analyst Brett Rabatin.

“[B]anks face downside risks from inflation or slower-than-expected economic growth,” the Federal Deposit Insurance Corp. wrote in its 2022 Risk Review. Higher inflation could squeeze borrowers and compromise credit quality; it could also increase interest rate risk in bank security portfolios.

Risk is everywhere, and it is rising. This only adds to the urgency surrounding the topics that we’ll discuss at Bank Director’s Bank Audit & Risk Committees Conference, taking place June 13 through 15 at the Marriott Magnificent Mile in Chicago. We’ll explore issues such as the top risks facing banks over the next 18 months, how institutions can take advantage of opportunities while leveraging an environmental, social and governance framework, and how executives can balance loan growth and credit quality. We’ll also look at strategic and operational risk and opportunities for boards.

In that way, the uncertainty we are experiencing now is really a gift of foresight. Already, there are signs that executives are responding to the darkening outlook. Despite improved credit quality across the industry, provision expenses in the first quarter of 2022 swung more than $19.7 billion year over year, from a negative $14.5 billion during last year’s first quarter to a positive $5.2 billion this quarter, according to the Federal Deposit Insurance Corp.’s quarterly banking profile. It is impossible to know if, and when, the economy will tip into a recession, but it is possible to prepare for a bad outcome by increasing provisions and allowances.

“It’s the opposite of ‘blissfully unaware,’” writes Morgan Housel, a partner at the investment firm The Collaborative Fund, in a May 25 essay. “Uncertainty hasn’t gone up this year; complacency has come down. People are more aware that the future could go [in any direction], that what’s prosperous today can evaporate tomorrow, and that predictions that seemed assured a few months ago can look crazy today. That’s always been the case. But now we’re keenly aware of it.”

Getting Proactive About Third-Party Cyber Risk

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, finds most bank executives and board members (65%) report that at least one vendor experienced a data breach or ransomware attack in 2020-21. While most weren’t directly affected by these incidents, 60% of respondents whose vendor experienced an attack took the opportunity to update third-party management policies, processes and/or risk oversight in response.

Cyberattacks on U.S. financial institutions are rarely impactful, according to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) “Navigating Cyber 2022” report. However, the cyber-focused industry consortium added that “several high-profile third-party incidents have impacted the security and availability of products and services used by many financial firms.” Banks have responded by devoting resources to assessing exposure, patching and mitigating, as well as increasing compliance mandates for third-party operational resilience.

Regulators are taking note of the threat. An interagency rule approved by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. in November 2021 mandates that banks must notify their primary regulator of a cyber incident within 36 hours; this rule went into effect on April 1, 2022. Service providers must notify affected bank clients “as soon as possible” when they determine that a cyber incident has or will cause a “material service disruption or degradation” for four hours or more. From there, banks must assess whether the incident will have a material impact on the organization and its customers, and whether that will trigger a notification by the bank to its regulator.

In March 2022, the Securities and Exchange Commission proposed new rules around cybersecurity disclosure that would include how companies select and monitor third-party providers. And guidance is still pending from the primary financial regulators around risks related to third-party relationships. That guidance would include an assessment of the vendor’s information security program, including if the vendor has “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.”

Bank boards and leadership teams will need to be proactive — rather than reactive — as regulators get even more serious about this issue. “Know where you stand and what [vendors are] doing to address any of your concerns, and that starts with having a defined criteria of what you require,” says Cody Harrell, managing director at Strategic Resource Management (SRM), a Memphis, Tennessee-based consulting firm.

Broadly, bank executives and boards need to understand the risks inherent in all of the bank’s vendors, including existing ones, says Harrell. “Who are the most critical vendors to our business? Who are the ones that house sensitive data? Where’s our biggest risk? And not only from a liability standpoint, but from an operational standpoint.” If a vendor falls victim to a cyberattack, will the bank still be able to serve customers? “You need to have a vendor due diligence checklist for each vendor, regardless of whether there’s a problem or not,” he adds. “[Make] sure that everyone that’s within the ecosystem is in compliance with your requirements.”

All vendors also need to comply with regulatory guidelines. The November 2021 notification rule specifies that service providers must comply even if the contract states otherwise. But bank boards are ultimately responsible for ensuring compliance. “If the bank doesn’t have a program of regularly conducting annual vendor diligence and sending renewed questionnaires and identifying gaps, then you’re not conducting ongoing diligence,” says Steve Cosentino, a partner at the law firm Stinson LLP who regularly negotiates agreements between banks and their service providers.

Here are four considerations for bank boards seeking to enhance their third-party oversight.

Understand how vendors will respond to a cyber incident. This should be uncovered during due diligence.

When a breach occurs, “how much you did in the vendor diligence area [will impact] how quickly you’re able to respond to an incident,” says Cosentino. “If you have a quality vendor diligence program [with] extensive diligence and ongoing monitoring, those will all be helpful facts if you’re subject to a potential litigation claim or class action, which has been more and more common.”

In line with the regulatory rule around security notifications, banks need to know when they’ll be notified of an incident, and whether the vendor or the bank will communicate with affected customers. And even if individuals weren’t affected, that doesn’t absolve the vendor from notifying the bank, says Cosentino. “It’s evidence of a flaw in [the vendor’s] systems and security processes that next time could potentially affect the bank, and the bank needs to be apprised of what they’re doing to remedy that.” He adds that these obligations could differ in a security breach, where confidential data may have been accessed, versus a security incident, which may not involve the theft of personal information.

Banks should also know if the service provider will engage an outside cyber forensics firm to investigate a breach, and whether that company is on retainer and can respond quickly. “Taking a day or two out to review different forensic investigators and getting a contract in place and all that, that’s time that’s lost,” says Cosentino. Regulators will ask, “Why did it take so long between the time that the breach occurred and [when] the notices went out?”

The bank should also know what the vendor won’t do. “What are the things that my critical vendor, my third-party provider, is requiring me to take care of, that they’re not?” says Moss Adams Partner Craig Sanders. That could include password resets, network design or educating administrators.

Don’t overlook fourth parties. Vendors have their own vendors, from smaller fintechs that may provide ancillary services to big cloud platforms like Amazon Web Services or Microsoft Corp.’s Azure, and those can pose their own risks. Effective diligence on fourth parties can be difficult, says Cosentino, but banks can take a few steps. Questionnaires sent to third-party vendors should address their own due diligence with subcontractors, and banks should access SOC (System and Organization Controls) reports on those fourth parties. In addition, “Put in your agreement some language that says that the service provider may use subcontractors, [but] they always have to be responsible for [their vendors’] actions and omissions,” he says. “But they can only do so after completion of a third-party risk management vendor diligence review consistent with the FFIEC IT examination handbook and interagency guidance on third-party relationships.”

Don’t silo due diligence. The due diligence exercise shouldn’t be limited to the bank’s technology team.

“The IT group doesn’t always have an understanding of all of the software and systems that process personal information or nonpublic personal information. And that slips through the cracks a lot,” says Cosentino. He recommends a data mapping exercise that includes multiple areas so the bank knows where all of its information is housed. “Conduct that review with your IT group, obviously, but also with the marketing team, your sales team, your operations team, your legal team, because you will find when you do that, there are a number of engagements with third-party service providers where nonpublic personal information is involved, and they’re not picked up in the vendor diligence process,” says Cosentino. Involving multiple teams in the bank will ensure everyone’s on the same page before a breach occurs. “If you do have a data security incident, you have to know where all that information is stored, and how to address, analyze and review [where the] personal information is and what actions you need to take with respect to notifications and remediations and all that,” he says.

While multiple teams within the bank should be included along the way, centralizing vendor management — ensuring an individual has responsibility or using a vendor management platform, or both — can help banks stay on track. “A lot of the financial institutions that we see, various departments control a contract or a decision or a vendor evaluation, and they’re not necessarily speaking to the other departments and having a defined criteria that everyone should comply with,” says Harrell. Vendor diligence requires a lot of documentation, and that needs to be tracked. “Make this a systematic approach.”

Set the tone at the top. In a 2019 letter, the FDIC reminded financial institutions that “boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.”

Unfortunately, boards often lack the skill sets to understand cybersecurity, says Sanders. “They’ve got to have that knowledge and expertise at the governance level to really understand what should be going on.” He recommends that boards hear from the bank’s chief information security officer at least quarterly and seek the best technology providers that meet the bank’s strategic needs, rather than selecting a solution because it’s the cheapest option. The bank may find it gets what it pays for.

“Be honest with yourself about where the risk is and what the involvement from the institution is that should take place at the governance level,” says Sanders. “From the top down, give the support to management and compliance to go out and do what they need to do.”

For more information on vendor risk management, you can view “Avoiding Gaps in Vendor Risk Management” and “Vendor Management: What the Board Needs to Know,” both part of Bank Director’s Online Training Series. For advice on tightening up your bank’s cybersecurity practices amid today’s geopolitical tensions, consider reading “From Russia With ‘Love.’” This issue is also addressed in “Ransomware Attacks Heat Up,” the cover story in the fourth quarter 2021 issue of Bank Director magazine.

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. Bank Services members have exclusive access to the complete results of the survey, which was conducted in January 2022.

What New Climate Disclosure Means for Banks

Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.   

Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings. 

Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.” 

The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.

To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments. 

“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.” 

The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.  

Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.  

Understanding Carbon Emissions

Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.

Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities. 

Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.

The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios. 

Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks. 

Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.  

Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.

Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades. 

A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.” 

While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario. 

“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.” 

2022 Risk Survey: Complete Results

What’s keeping board members, CEOs, risk officers and other key executives up at night? 

With a number of evolving risks facing the industry, bank leaders have a lot on their plate. They weigh in on these key risks — from cybersecurity to rising interest rates and more — in Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP. While it’s not surprising to find respondents almost universally more worried about cybersecurity — a perennial point of anxiety in the survey — they also reveal increased concerns in a number of areas. 

Almost three-quarters say they’re more worried about regulatory risk, with one respondent citing specific concerns about overdraft fees, fair lending and redlining, and rulemaking from the Consumer Financial Protection Bureau.  

Given expected rate hikes from the Federal Reserve, 71% say they’re worried about interest rate risk. Three-quarters hope to see a moderate rise in rates by the end of the year, though uncertainty around inflationary pressures, exacerbated by the conflict in Ukraine, could yield surprises.  

Members of the Bank Services program now have exclusive access to the full results of the survey, including breakouts by asset category.

Findings also include:

  • Most bank executives and board members report that their cybersecurity programs have matured, but respondents still identify key gaps in their programs, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents also reveal how the board oversees this critical threat.
  • In an indicator of how business continuity plans have evolved through the pandemic, more than 80% say at least some employees work remotely for at least a portion of their work week. When it comes to vaccinations, banks continue to take a carrot approach, with most encouraging rather than requiring Covid-19 vaccinations and boosters. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.
  • Environmental, social and governance disclosures may be getting a lot of buzz, but more than half of the survey participants don’t yet focus on environmental, social and governance issues in a comprehensive manner, though the majority set goals in several discrete areas related to ESG.
  • Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey. 

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. The survey was conducted in January 2022.

2022 Risk Survey Results: Walking a Tightrope

Despite geopolitical turmoil following Russia’s invasion of Ukraine, the Federal Reserve opted to raise interest rates 25 basis points in March — its first increase in more than three years — in an attempt to fight off a high rate of inflation that saw consumer prices rising by 7.9% over the preceding year, according to the Bureau of Labor Statistics.

“Inflation remains elevated, reflecting supply and demand imbalances related to the pandemic, higher energy prices, and broader price pressures,” the central bank said in a statement. The Federal Open Market Committee (FOMC) is the policymaking body within the Fed that sets rates, and Fed Chairman Jerome Powell remarked further that the FOMC will continue to act to restore price stability.

“We are attentive to the risks of further upward pressure on inflation and inflation expectations,” Powell said, adding that the FOMC anticipates a median inflation rate of 4.3% for 2022. He believes a recession is unlikely, however. “The U.S. economy is very strong and well-positioned to handle tighter monetary policy.”

Six more rate hikes are expected in 2022, which overshoots the aspirations of the directors, CEOs, chief risk officers and other senior executives responding to Bank Director’s 2022 Risk Survey, conducted in January. Respondents reveal a high level of anxiety about interest rate risk, with 71% indicating increased concern. When asked about the ideal scenario for their institution, almost three-quarters say they’d like to see a moderate rise in rates in 2022, by no more than one point — significantly less than the 1.9% anticipated by the end of the year.

Moss Adams LLP sponsors Bank Director’s annual Risk Survey, which also focuses on cybersecurity, credit risk, business continuity and emerging issues, including banks’ progress on environmental, social and governance (ESG) programs. More than half of the respondents say their bank doesn’t yet focus on ESG issues in a comprehensive manner, and just 6% describe their ESG program as mature enough to publish a disclosure of their progress.

Developments in this area could be important to watch: The term ESG covers a number of key risks, including climate change, cybersecurity, regulatory compliance with laws such as the Community Reinvestment Act and operational risks like talent.

“Finding employees is becoming much harder and has us [looking] at outsourcing (increased risk) or remote workers (increased risk),” writes one survey respondent. Workers want to work for ethical companies that care about their employees and communities, according to research from Gallup. Could a focus on ESG become a competitive strength in such an environment?

Key Findings

Top Risks
Respondents also reveal increased anxiety about cybersecurity, with 93% saying that their concerns have increased somewhat or significantly over the past year. Along with interest rate risk, regulatory risk (72%) and compliance (65%) round out the top risks. One respondent, the CRO of a Southeastern bank between $1 billion and $5 billion in assets, expresses specific concern about “heightened regulatory expectations” around overdraft fees, fair lending and redlining, as well as rulemaking from the Consumer Financial Protection Bureau around the collection of small business lending data.

Enhancing Cybersecurity Oversight
Most indicate that their bank conducted a cybersecurity assessment over the past year, with 61% using the Cybersecurity Assessment Tool offered by the Federal Financial Institutions Examination Council (FFIEC) in combination with other methodologies. While 83% report that their program is more mature compared to their previous assessment, there’s still room to improve, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents report a median budget of $200,000 for cybersecurity expenses in fiscal year 2022, matching last year’s survey.

Setting ESG Goals
While most banks lack a comprehensive ESG program, more than half say their bank set goals and objectives in several discrete areas: employee development (68%), community needs, investment and/or volunteerism (63%), risk management processes and risk governance (61%), employee engagement (59%), and data privacy and information security (56%).

Protecting Staff
More than 80% of respondents say at least some employees work remotely for at least a portion of their work week, an indicator of how business continuity plans have evolved: 44% identify formalizing remote work procedures and policies as a gap in their business continuity planning, down significantly compared to last year’s survey (77%). Further, banks continue to take a carrot approach to vaccinations and boosters, with most encouraging rather than requiring their use. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.

Climate Change Gaps
Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey. While 60% indicate that their board and senior leadership team understand the physical risks to their bank as a result of more frequent severe weather events, less than half understand the transition risks tied to shifts in preferences or reduced demand for products and services as the economy adapts.

Bank Services members can access a deeper exploration of the survey results, broken out by asset category and other relevant attributes. If you want to find out how your bank can gain access to this exclusive report, contact bankservices@bankdirector.com.

Combating Complacency Through Strategic and Operational Planning

For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.

These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.

1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.

Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”

2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.

Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.

Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant with the prospect of rising interest rates.

3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused on this area as risks increase; the steady stream of publicly reported attacks across all industries reflects a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is the threat of Russian state-sponsored cyberattacks. As banks gather and maintain more and more data, it is paramount to have experienced talent and protocols in place to protect customer data.

Bank management teams should be able to show evidence of their institution’s capability to respond to and recover from destructive cyberattacks, which are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk and should incorporate any processes or controls that have changed as a result of a new strategic or operational plan.

4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, Community Reinvestment Act and overall prioritization of compliance management are not shifting.

Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.

5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board to provide a strong foundation to strategic planning.

We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

The Most Important Aspect of Third-Party Risk Management

Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.

Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.

Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.

Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.

Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.

Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.

Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.

The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.

So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each stage of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.

Disney’s Lesson for Banks

When Robert Iger became The Walt Disney Co. CEO in 2005, the company’s storied history of animation had floundered for a decade.

So Iger turned to a competitor whose animation outpaced Disney’s own and proposed a deal.

The relationship between Pixar Animation Studios and Disney had been strained, and Iger was nervous when he called Pixar’s CEO at the time, Steve Jobs. The two sat down in front of a white board at Pixar’s headquarters and began listing the pros and cons of the deal. The pros had three items. The cons had 20, as the now-retired Iger tells it in his Masterclass online.

“I said, ‘This probably isn’t going to happen,’” Iger remembers. “He said, ‘Why do you say that?’”

Jobs could see that the pros had greater weight to them, despite the long list of the cons. Ultimately, Disney did buy Pixar for more than $7 billion in 2006, improving its standing, animation and financial success. In the end, Iger says he “didn’t think it was anything but a risk worth taking.”

I read Iger’s memoir, “The Ride of a Lifetime,” in 2021, just as I began planning the agenda for our annual Acquire or Be Acquired Conference in Phoenix, which is widely regarded as the premier M&A conference for financial industry CEOs, boards and leadership teams.

His story resonated, and not just because of the Disney/Pixar transaction.

I thought about risks worth taking, and was reminded of the leadership traits Iger prizes, specifically optimism, courage and curiosity. Moreover, many of this year’s registered attendees wrestle with the same issues Iger confronted at Disney: They represent important brands in their markets that must respond to the monumental changes in customer expectations. They must attract and retain talent and grow in the face of challenges.

While some look to 2022 with a sense of apprehension — thanks to Covid variant uncertainty, inflation, supply chain bottlenecks and potential regulatory changes — I feel quite the pep in my step this January. I celebrate the opportunity with our team to return, in-person, to the JW Marriott Desert Ridge. With over 1,350 registered to join us Jan. 30 through Feb. 1, I know I am not alone in my excitement to be again with people in real life.

So what’s in store for those joining us? We will have conversations about:

  • Examining capital allocation.
  • Balancing short-term profitability versus long term value creation.
  • Managing excess liquidity and shrinking margins.
  • Re-thinking hiring models and succession planning.
  • Becoming more competitive and efficient.

Naturally, we discuss the various growth opportunities available to participants. We talk about recent merger transactions, market reactions and integration hurdles. We hear about the importance of marrying bank strategy with technology investment. We explore what’s going on in Washington with respect to regulation and we acknowledge the pressure to grow earnings and the need to diversify the business.

As the convergence of traditional banking and fintech continues to accelerate, we again offer FinXTech sessions dedicated to delivering growth. We unpack concepts like banking as a service, stablecoins, Web3, embedded finance and open banking.

Acquire or Be Acquired has long been a meeting ground for those that take the creation of franchise value very seriously — a topic even more nuanced in today’s increasingly digital world. The risk takers will be there.

“There’s no way you can achieve great gains without taking great chances,” Iger says. “Success is boundless.”

Reconsidering Pay Strategy in the Wake of Inflation

Say goodbye to the Goldilocks economy, where moderate growth and low inflation sustained us for years. Our global economy and social norms have careened from crisis to crisis over the last 24 months. The world has faced down a pandemic, unprecedented restriction of interpersonal interactions, and disruption of worldwide supply chains. And yet the world economy is booming.

Opinions vary about the reality, root cause, and associated solutions for inflation and low unemployment. But what’s critical is that the growing expectation of future inflation is a self-fulfilling prophecy, and that it stresses the systems for retaining and motivating employees.

Inflation simply is another type of disruption, albeit one that impacts companies and employees at nearly every level. Higher input costs lead to lower corporate margins. Higher costs of goods lead to lower individual savings rates (i.e., margins).

People costs are rising, too. Thinking about people cost as an investment allows a strategic discussion about maximizing return. The good thing about people investments relative to, say, commodity costs is that the cost levers are largely in corporate control and the tradeoffs can be managed. We view it as an imperative to consider changing pay strategy to reflect the reality of a world where the dollar does not go as far.

Companies and boards should think about how well pay strategy addresses four needs:

Need 1: Is our pay/reward strategy about more than dollars and cents?
Employees have far more choices for employment at this time and can command dollars from multiple places and roles. It is worthwhile to think hard about culture — what makes your culture unique, what people value in their roles, and what might be missing — and then build incentives and reward systems that support those activities in balance with financial performance.

Need 2: Does the pay strategy create the right balance of stability and risk?
Adapting pay programs to be more “risk-off” in the face of a highly uncertain external environment may be appropriate. Think about employees as managing to a “total risk” equation. When the expectation was that corporate growth was close to a given, then the risk meter could accommodate taking more risks to earn potentially more money.

Need 3: Are we making the best possible bets on our top talent?
Paradoxically, it might be a time to take more talent risk by digging deep to find your best people and providing them with differentiated rewards, visibility and responsibility. This is the heart of performance management, and it can always improve. The increased risk comes from investing more in fewer people. What if the assessment turns out to be incorrect or if someone leaves? Managing this risk versus avoiding it is the path to success.

Need 4: How do we ensure that performance in the face of a more volatile outside world is being rewarded?
This is the most “structural” of the needs. Elements to consider would include:

  • Higher merit budgets
  • More modest annual incentive upside and downside
  • Incorporation of relative measurement into incentive programs
  • Rationalization of equity participation and limitations to a smaller group as needed
  • Designation of equity awards based on overall dilution or shares awarded versus dollar amounts

Each of these needs has material tactical considerations that require much discussion about implementing, communicating and managing change. But unlike other major costs, rising people costs present an investment opportunity for increased returns rather than just a hit to the bottom line.

Embracing Fraud Protection as a Differentiator

Community banks are under pressure from the latest apps or start-ups that attempt to lure customers away with features that they may lack: cutting edge technology, international capabilities and a digital-first approach.

However, much less attention is focused on where established banks thrive: compliance. It might not be as flashy as the latest app, but being able to offer customers a sense of protection is more valuable than many would believe. Main Street banks have long been integral parts of their communities, serving both local businesses and families through their people-first approach. These institutions are well known for reinvesting in their communities, making them intertwined with their neighborhoods. This approach is unique and has solidified the reputation of these institutions as personable, a sentiment that remains today, even as tech giants grow within the financial sector. Established institutions have an edge because their long histories and reputations are deemed by consumers to be more trustworthy than fintechs.

Public trust is a valuable asset, especially after high-profile data breaches in recent years and coronavirus scams. Payment scams suffered by banks and companies are typically front-page news and can cause significant damage to the business with costly fines and reputation harm. More than 75% of customers say security is a top consideration when choosing a financial institution. Interestingly, even if the organization is not directly at fault, consumers still consider them culpable. In fact, 63% say a company is always responsible for their data — even if the scam resulted from their direct actions, including falling for an email scheme.

$1 Billion Threat
The realization that banking customers hold their banks accountable for all types of fraud and scams may be surprising to some financial leaders. It underscores the importance of banks taking an active role in educating users, as well as protecting their own security behind the scenes.

One of the most common schemes is business email compromise: a cyber crime in which an attacker, posing as a legitimate payee, sends fraudulent banking information to a business or individual, who unknowingly sends funds to an account the attacker controls. The fraud grew during the coronavirus pandemic as many businesses worked remotely for the first time and relied on email in place of phone calls or in-person interactions to confirm payment details. The FBI reported $26 billion in losses in just a three-year period.
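The change-of-bank-details request described above is the point where a BEC attempt can be caught before funds move. The following is an added example, not code from the original article or from any bank or vendor it mentions: a screening routine that compares an incoming payment-detail change against the vendor record on file and flags lookalike sender domains, a mismatched reply-to address, a changed beneficiary account and pressure language. It goes slightly beyond the text in one respect: it holds every account change for out-of-band confirmation even when the email passes the domain checks, because the attacker may be sending from a genuinely compromised vendor mailbox. The vendor record, the request, the edit-distance threshold and the pressure-word list are all constructed assumptions.

```python
"""Screen a supplier bank-detail change request for business email
compromise (BEC) indicators. Added illustrative example; every record,
threshold and word list below is a constructed assumption."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VendorRecord:
    name: str
    email_domain: str   # domain the vendor has always written from
    account_on_file: str  # beneficiary account confirmed out of band
    phone_on_file: str  # number used to confirm changes, never a number from the email


@dataclass
class ChangeRequest:
    from_address: str
    reply_to: str
    new_account: str
    body: str


# Words that pressure the recipient into skipping verification (assumed list).
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential", "do not call")
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold for "looks like our vendor's domain"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot registered lookalike domains (e.g. rn for m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(vendor: VendorRecord, req: ChangeRequest) -> List[str]:
    """Return a list of human-readable warning flags for the request."""
    flags = []
    sender = _domain(req.from_address)
    if sender != vendor.email_domain:
        dist = levenshtein(sender, vendor.email_domain)
        if dist <= LOOKALIKE_MAX_DISTANCE:
            flags.append(f"lookalike sender domain {sender} (distance {dist} from {vendor.email_domain})")
        else:
            flags.append(f"unknown sender domain {sender}")
    if _domain(req.reply_to) != sender:
        flags.append("reply-to domain differs from sender domain")
    if req.new_account.replace(" ", "") != vendor.account_on_file.replace(" ", ""):
        flags.append("beneficiary account differs from account on file")
    hits = [w for w in PRESSURE_WORDS if w in req.body.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


def screen(vendor: VendorRecord, req: ChangeRequest) -> Tuple[List[str], str]:
    """Decide HOLD / REVIEW / OK. Any account change is held until someone
    confirms it by calling vendor.phone_on_file, regardless of how clean the
    email looks, because a real vendor mailbox may itself be compromised."""
    flags = bec_indicators(vendor, req)
    if any(f.startswith("beneficiary account differs") for f in flags):
        return flags, "HOLD"
    return flags, ("REVIEW" if flags else "OK")


# Constructed sample data (not real vendors, accounts or addresses).
SAMPLE_VENDOR = VendorRecord("Acme Supply", "acmesupply.com",
                             "GB29NWBK60161331926819", "+44 20 7946 0000")
SAMPLE_ATTACK = ChangeRequest(
    from_address="ap@acrnesupply.com",           # "rn" in place of "m"
    reply_to="accounts.acmesupply@mail-example.net",
    new_account="GB33BUKB20201555555555",
    body="URGENT: please update our bank details and pay today's invoice "
         "to the new account. Keep this confidential.")
SAMPLE_INVOICE = ChangeRequest(
    from_address="ap@acmesupply.com", reply_to="ap@acmesupply.com",
    new_account="GB29 NWBK 6016 1331 9268 19", body="Please find attached invoice 1042.")

if __name__ == "__main__":
    for req in (SAMPLE_ATTACK, SAMPLE_INVOICE):
        flags, verdict = screen(SAMPLE_VENDOR, req)
        print(verdict, flags)
```

The verdict for the lookalike request is HOLD with four flags; the ordinary invoice from the real domain and unchanged account is OK. Because the account-change rule fires on its own, a request from the vendor's true domain that changes the account also lands on HOLD, which is the behaviour you want when the vendor's mailbox has been taken over.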

Such numbers should concern financial institutions, especially since these funds can be difficult to recover once sent. These incidents are also likely underreported, so the real figures are probably much larger.

Three Immediate Actions
Today’s challenging environment for financial institutions means that little focus is placed on non-revenue generating activities, especially with the emergence of new fintechs and start-ups. However, helping to ensure that customer funds are protected and providing them with preventative advice could become a huge value-add for banks.

  1. Though some banks do make information available on their websites or in-branches, this is often an afterthought. Showcasing your institution as an authority on these matters will emphasize your desire to put customers first — and they will take notice.
  2. Many customers ignore the threat of fraud because they do not see themselves or their business as a potential victim. Taking the time to explain how a scam targets each customer segment will demonstrate your institution’s ability to identify and mitigate risks to each person.
  3. Monitoring fraud is particularly difficult for many institutions because threats are constantly evolving. Working with larger partners can be an asset, as bigger organizations are more likely to invest both funds and personnel in monitoring and combatting scams.

Many misconceptions regarding fraud still exist, and customers may not realize they are at risk before it’s too late. Transforming your institution into their financial protector could be a low-cost — yet valuable — way to stand out.