It will come as no surprise to anyone working in the banking industry that fraudsters are getting smarter, moving faster and acting bolder every day.
But to understand just how much fraud has escalated over the past 12 months, Alloy polled more than 250 compliance, fraud and risk decision-makers at U.S. financial institutions ranging from start-up fintech companies to enterprise banks to uncover how much fraud they are actually seeing, the impact fraud has on their organizations and how banks and fintech companies are fighting back against fraudsters. Here are the five biggest takeaways from Alloy’s inaugural “State of Fraud Benchmark Report”:
1. 91% of respondents said fraud increased year-over-year since 2021.
Over the past few years, pandemic relief programs saw an enormous increase in fraud, which unfortunately demonstrated how easily fraudsters can exploit such programs. The threat from organized groups, well-funded and with a clear agenda to defraud both people and organizations, is ongoing. In 2022, the industry saw data breaches, an increase in checks stolen from the mail and sophisticated approaches to victimizing clients through email, phone and text. Based on what financial institutions experienced in 2022, attack rates show no signs of slowing down.
2. First-party fraud is perceived as the most prevalent type of attack.
This perception could be influenced by the current state of the economy, but it may also reflect how organizations classify their fraud cases. If a fraudster opens a new account with a stolen identity and then commits fraud, the financial institution may not realize the identity is stolen and may classify the case as first-party fraud when it is actually second- or third-party fraud.
3. 99% of respondents made changes to their policies and controls for fraud prevention in light of the evolving fraud landscape.
Financial institutions recognized that policies which may have worked historically might not be sufficient to respond to the current fraud landscape. To keep closing the gap on fraud, executives at banks and other organizations will need to evolve their policies and controls along with the ecosystem and commit to a cadence of ongoing review.
4. 71% of respondents have increased their spending on fraud prevention year-over-year.
This response is a direct reflection of the increase in fraud year-over-year. Financial institution executives recognize the need to continue investing in fraud prevention. Investments should include layering multiple levels of defense while also keeping abreast of where the fraud is shifting, so financial institutions can make the appropriate adjustments.
5. 59% of companies are looking into, or are already using, an identity decisioning platform (IDP).
Not only are companies revisiting their policies and controls related to identity decisioning, they are also increasingly investing in a dedicated platform for it. An IDP can provide a holistic view of an identity for both fraud prevention and know-your-customer compliance, helping the financial institution meet its regulatory obligations. Implementing an IDP also gives banks an opportunity to reevaluate the solutions and workflows they currently have in production and determine whether they are still best in class. Firms can then establish a plan that increases efficiency through automated decisions and a multi-pronged approach providing multiple layers of defense.
Fraud rates continue to remain elevated in the financial services space; in response, organizations are appropriately investing in technology and tools to help them move at the pace of fraud so that they can prevent fraud as they grow without taking on additional risk.
The challenging last three years have done nothing but reinforce our belief that the best-performing community banks, over the long run, anchor their balance sheet management in a set of principles — not in divining the future.
They organize their principles into a coherent decision-making methodology that evaluates all capital allocation alternatives across multiple scenarios, over time, on a level playing field. Unfortunately, however, far too many community bankers rely on forecasts of interest rates and economic conditions, which are then engraved into budgets, compensation programs and guidance provided to stock analysts and asset-liability providers.
If we’ve learned anything recently, it’s that nobody can predict rates — not even the members of the Federal Open Market Committee. A year ago, its median forecast for fed funds today was approximately 0.80%; the reality of 4.50% is 370 basis points above this “prediction.”
Even slight differences between predicted and actual rates can result in significant variances from a bank’s budget, which can pressure management towards reactive strategies based on near-term accounting income, liquidity or capital. We’ve long argued that this approach will usually accumulate less reward, and more risk, than proponents ever expect.
Community banking is challenging, but it needn’t be bewildering. The following decision-making principles can clarify your path and energize your execution:
Know where you are. Net interest income and economic value simulations in isolation present incomplete and often conflicting portrayals of a bank’s risk and reward profile. To know where your bank is, hold yourself accountable to all cash flows across multiple rate scenarios over time, incorporating both dividends paid to a horizon and the economic value of the bank at that horizon. This framework produces a multi-scenario view of returns to shareholders across a range of possible futures. Making capital allocation decisions in the context of this profile is everything; developing and consulting it is far more inspiring and leverageable than a mere asset-liability exercise.
Refuse to speculate on rates. Plenty of wealth has been lost looking through the wrong end of the kaleidoscope. Nobody can predict rates with any utility — not economists, not even the FOMC. Make each marginal capital allocation in the context of your shareholder return profile, avoiding unacceptable risk in any scenario while seeking asymmetric reward in others. The idea is to stack the deck in the bank’s favor, not to guess the next card.
For example, imagine your institution is poised to create more shareholder wealth in rates down scenarios than up, a common reality in the current environment. Should you consider trading some of this for outsized benefits in the opposite direction, or not? Assess potential approaches across multiple scenarios: compare short assets versus long liabilities, test combinations or turn the dial through simple derivative strategies to asymmetrically adjust returns or create functional liquidity.
Price options appropriately. Banks sell options continually, but seldom consider their compensation. They often price loans to win the business, rather than in comparison to wholesale alternatives, and they often forgo enforceable prepayment penalties. Less forgivably, many banks sell options too cheaply in their securities portfolios, in obtaining wholesale funding or in setting servicing rates. Know who owns each option the bank is short, and determine whether it is priced appropriately by comparing it to possible alternatives and measuring the impact on the bank’s forward-looking return profile.
Evaluate risk and regulatory positions. To make capital allocation decisions prospectively, principle-based decision-makers assess their risk and regulatory positions prospectively as well. The bank’s enterprise risk management platform should offer an objective assessment of its current capital, asset quality, liquidity and sensitivity to market risk positions, and simulate these on a prospective basis also. The only way to determine if a strategy aligns with management’s specific risk tolerance is to have clarity and confidence in its pro forma impact on risk and regulatory positions. For many, establishing secured borrowing lines and reviewing contingency funding plans in 2023 will be prudent steps.
These principles are timeless — only the conclusions they lead to will vary over time. Those institutions that have already woven them into their organizational fabric are facing 2023 and beyond with confidence; those adopting them now for the first time can soon experience the same.
The current expected credit loss (CECL) adoption deadline of Jan. 1, 2023 has many financial institutions evaluating various models and assumptions. Many financial institutions haven’t had sufficient time to evaluate their CECL model performance under various stress scenarios that could provide a more forward-looking view, taking the model beyond just a compliance or accounting exercise.
One critical element of CECL adoption is model validation. The process of validating a model is not only an expectation of bank regulators as part of the CECL process — it can also yield advantages for institutions by providing crucial insights into how their credit risk profile would be impacted by uncertain conditions.
In the current economic environment, financial institutions need to thoroughly understand what an economic downturn, no matter how mild or severe, could do to their organization. While these outcomes really depend on what assumptions they are using, modeling out different scenarios using more severe assumptions will help these institutions see how prepared they may or may not be.
Vendors often have hundreds of clients and apply the same general economic assumptions to all of them. Validation gives management a deeper look at the assumptions specific to their institution, creating an opportunity to assess their relevance to its own facts and circumstances. A validation rests on three main pillars: data and assumptions, modeling and stress testing.
Data and assumptions: Using your own clean and correct data is a fundamental part of CECL. Bank-specific data is key, as opposed to using industry data that might not be applicable to your bank. Validation allows for back-testing of what assumptions the bank is using for its specific data in order to confirm that those assumptions are accurate or identify other data fields or sources that may be better applied.
Modeling (black box): When you put data into a model, it does some evaluating and gives you an answer. That evaluation step is often referred to as the “black box.” Data and assumptions go into the model, and it returns a CECL estimate as the output. These models are becoming more sophisticated and complex, requiring many years of historical data and future economic projections to determine the CECL estimate. Because of these complexities, we believe financial institutions should perform a full replication of their CECL model. Following this best practice when conducting a validation will assure the management team and the board that the model the bank has chosen is producing its CECL estimate accurately, while also providing further insight into its credit risk profile. By stripping the model and its assumptions down and rebuilding them, we can uncover potential risks and model limitations that may otherwise be unknown to the user.
Validations should give financial institutions confidence in how their model works and what is happening. Being familiar with the annual validation process for CECL compliance will better prepare an institution to answer all types of questions from regulators, auditors and other parties. Furthermore, it’s a valuable tool for management to be able to predict future information that will help them plan for how their institution will react to stressful situations, while also aiding them in future capital and budgeting discussions.
Stress testing: In the current climate of huge capital market swings, dislocations and interest rate increases, stress testing is vital. No one knows exactly where the economy is going. Once the model has been validated, the next step is for banks to understand how the model will behave in a worst-case scenario. It is important to run a severe stress test to uncover where the institution will be affected by those assumptions most. Management can use the information from this exercise to see the connections between changes and the expected impact to the bank, and how the bank could react. From here, management can gain a clearer picture of how changes in the major assumptions impact its CECL estimate, so there are no surprises in the future.
There’s been an increasingly common refrain from bank executives as the United States moves into the second half of 2022: Risk and uncertainty are increasing.
For now, things are good: Credit quality is strong, consumer spending is robust and loan pipelines are healthy. But all that could change.
The president and chief operating officer of The Goldman Sachs Group, John Waldron, called it “among — if not the most —complex, dynamic environments” he’s seen in his career. And Jamie Dimon, chair and CEO of JPMorgan Chase & Co., changed his economic forecast from “big storm clouds” on the horizon to “a hurricane” in remarks he gave on June 1. While he doesn’t know if the impact will be a “minor one or Superstorm Sandy,” the bank is “bracing” itself and planning to be “very conservative” with its balance sheet.
Bankers are also pulling forward their expectations of when the next recession will come, according to a sentiment survey conducted at the end of May by the investment bank Hovde Group. In the first survey, conducted at the end of March, about 9% of executives expected a recession by the end of 2022 and 26.6% expected a recession by the end of June 2023. Sixty days later, nearly 23% expect a recession by the end of 2022 and almost 51% expect one by the end of June 2023.
“More than 75% of the [regional and community bank management teams] we surveyed [believe] we will be in a recession in the next 12 months,” wrote lead analyst Brett Rabatin.
“[B]anks face downside risks from inflation or slower-than-expected economic growth,” the Federal Deposit Insurance Corp. wrote in its 2022 Risk Review. Higher inflation could squeeze borrowers and compromise credit quality; it could also increase interest rate risk in bank security portfolios.
Risk is everywhere, and it is rising. This only adds to the urgency surrounding the topics that we’ll discuss at Bank Director’s Bank Audit & Risk Committees Conference, taking place June 13 through 15 at the Marriott Magnificent Mile in Chicago. We’ll explore issues such as the top risks facing banks over the next 18 months, how institutions can take advantage of opportunities while leveraging an environmental, social and governance framework, and how executives can balance loan growth and credit quality. We’ll also look at strategic and operational risk and opportunities for boards.
In that way, the uncertainty we are experiencing now is really a gift of foresight. Already, there are signs that executives are responding to the darkening outlook. Despite improved credit quality across the industry, provision expenses in the first quarter of 2022 swung more than $19.7 billion year over year, from a negative $14.5 billion during last year’s first quarter to a positive $5.2 billion this quarter, according to the Federal Deposit Insurance Corp.’s quarterly banking profile. It is impossible to know if, and when, the economy will tip into a recession, but it is possible to prepare for a bad outcome by increasing provisions and allowances.
“It’s the opposite of ‘blissfully unaware,’” writes Morgan Housel, a partner at the investment firm The Collaborative Fund, in a May 25 essay. “Uncertainty hasn’t gone up this year; complacency has come down. People are more aware that the future could go [in any direction], that what’s prosperous today can evaporate tomorrow, and that predictions that seemed assured a few months ago can look crazy today. That’s always been the case. But now we’re keenly aware of it.”
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, finds most bank executives and board members (65%) report that at least one vendor experienced a data breach or ransomware attack in 2020-21. While most weren’t directly affected by these incidents, 60% of respondents whose vendor experienced an attack took the opportunity to update third-party management policies, processes and/or risk oversight in response.
Cyberattacks on U.S. financial institutions are rarely impactful, according to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) “Navigating Cyber 2022” report. However, the cyber-focused industry consortium added that “several high-profile third-party incidents have impacted the security and availability of products and services used by many financial firms.” Banks have responded by devoting resources to assessing exposure, patching and mitigating, as well as increasing compliance mandates for third-party operational resilience.
Regulators are taking note of the threat. An interagency rule approved by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. in November 2021 requires banks to notify their primary regulator of a cyber incident within 36 hours; the rule took effect on April 1, 2022. Service providers must notify affected bank clients “as soon as possible” when they determine that a cyber incident has caused or will cause a “material service disruption or degradation” for four hours or more. From there, banks must assess whether the incident will have a material impact on the organization and its customers, and whether that triggers a notification by the bank to its regulator.
In March 2022, the Securities and Exchange Commission proposed new rules around cybersecurity disclosure that would include how companies select and monitor third-party providers. And guidance is still pending from the primary financial regulators around risks related to third-party relationships. That guidance would include an assessment of the vendor’s information security program, including if the vendor has “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.”
Bank boards and leadership teams will need to be proactive — rather than reactive — as regulators get even more serious about this issue. “Know where you stand and what [vendors are] doing to address any of your concerns, and that starts with having a defined criteria of what you require,” says Cody Harrell, managing director at Strategic Resource Management (SRM), a Memphis, Tennessee-based consulting firm.
Broadly, bank executives and boards need to understand the risks inherent with all of the bank’s vendors, including existing ones, says Harrell. “Who are the most critical vendors to our business? Who are the ones that house sensitive data? Where’s our biggest risk? And not only from a liability standpoint, but from an operational standpoint.” If a vendor falls victim to a cyberattack, will the bank still be able to serve customers? “You need to have a vendor due diligence checklist for each vendor, regardless of whether there’s a problem or not,” he adds. “[Make] sure that everyone that’s within the ecosystem is in compliance with your requirements.”
All vendors also need to comply with regulatory guidelines. The November 2021 notification rule specifies that service providers must comply even if the contract states otherwise. But bank boards are ultimately responsible for ensuring compliance. “If the bank doesn’t have a program of regularly conducting annual vendor diligence and sending renewed questionnaires and identifying gaps, then you’re not conducting ongoing diligence,” says Steve Cosentino, a partner at the law firm Stinson LLP who regularly negotiates agreements between banks and their service providers.
Here are four considerations for bank boards seeking to enhance their third-party oversight.
Understand how vendors will respond to a cyber incident. This should be uncovered during due diligence.
When a breach occurs, “how much you did in the vendor diligence area [will impact] how quickly you’re able to respond to an incident,” says Cosentino. “If you have a quality vendor diligence program [with] extensive diligence and ongoing monitoring, those will all be helpful facts if you’re subject to a potential litigation claim or class action, which has been more and more common.”
In line with the regulatory rule around security notifications, banks need to know when they’ll be notified of an incident, and whether the vendor or the bank will communicate with affected customers. And even if individuals weren’t affected, that doesn’t absolve the vendor from notifying the bank, says Cosentino. “It’s evidence of a flaw in [the vendor’s] systems and security processes that next time could potentially affect the bank, and the bank needs to be apprised of what they’re doing to remedy that.” He adds that these obligations could differ in a security breach, where confidential data may have been accessed, versus a security incident, which may not involve the theft of personal information.
Banks should also know if the service provider will engage an outside cyber forensics firm to investigate a breach, and whether that company is on retainer and can respond quickly. “Taking a day or two out to review different forensic investigators and getting a contract in place and all that, that’s time that’s lost,” says Cosentino. Regulators will ask, “Why did it take so long between the time that the breach occurred and [when] the notices went out?”
The bank should also know what the vendor won’t do. “What are the things that my critical vendor, my third-party provider, is requiring me to take care of, that they’re not?” says Moss Adams Partner Craig Sanders. That could include password resets, network design or educating administrators.
Don’t overlook fourth parties. Vendors have their own vendors, from smaller fintechs that may provide ancillary services to big cloud platforms like Amazon Web Services or Microsoft Corp.’s Azure, and those can pose their own risks. Effective diligence on fourth parties can be difficult, says Cosentino, but banks can take a few steps. Questionnaires sent to third-party vendors should address their own due diligence with subcontractors, and banks should access SOC (System and Organization Controls) reports on those fourth parties. In addition, “Put in your agreement some language that says that the service provider may use subcontractors, [but] they always have to be responsible for [their vendors’] actions and omissions,” he says. “But they can only do so after completion of a third-party risk management vendor diligence review consistent with the FFIEC IT examination handbook and interagency guidance on third-party relationships.”
Don’t silo due diligence. The due diligence exercise shouldn’t be limited to the bank’s technology team.
“The IT group doesn’t always have an understanding of all of the software and systems that process personal information or nonpublic personal information. And that slips through the cracks a lot,” says Cosentino. He recommends a data mapping exercise that includes multiple areas so the bank knows where all of its information is housed. “Conduct that review with your IT group, obviously, but also with the marketing team, your sales team, your operations team, your legal team, because you will find when you do that, there are a number of engagements with third-party service providers where nonpublic personal information is involved, and they’re not picked up in the vendor diligence process,” says Cosentino. Involving multiple teams in the bank will ensure everyone’s on the same page before a breach occurs. “If you do have a data security incident, you have to know where all that information is stored, and how to address, analyze and review [where the] personal information is and what actions you need to take with respect to notifications and remediations and all that,” he says.
While multiple teams within the bank should be included along the way, centralizing vendor management — ensuring an individual has responsibility or using a vendor management platform, or both — can help banks stay on track. “A lot of the financial institutions that we see, various departments control a contract or a decision or a vendor evaluation, and they’re not necessarily speaking to the other departments and having a defined criteria that everyone should comply with,” says Harrell. Vendor diligence requires a lot of documentation, and that needs to be tracked. “Make this a systematic approach.”
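As an added example, not tooling from the article or from the consultants quoted in it, the following Python sketches how a bank might turn the due-diligence checklist, fourth-party coverage and data-mapping exercise described above into a repeatable check over a centralized vendor register. The register, vendor names, departments and dates are constructed for illustration; the 365-day window stands in for the annual diligence cadence Cosentino describes, and the specific criteria (a current SOC report for anyone holding nonpublic personal information, an incident-notification clause for critical vendors) are assumptions about what a bank’s own requirements might look like.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vendor:
    """One row of the bank's vendor register: a third party or one of its subcontractors."""
    name: str
    owner_dept: str                 # business unit that owns the contract
    critical: bool                  # an outage would stop the bank from serving customers
    handles_npi: bool               # stores or processes nonpublic personal information
    last_diligence: date | None     # most recent completed due-diligence review
    soc_report_date: date | None    # period-end date of the latest SOC report on file
    incident_notice_clause: bool    # contract obliges the vendor to notify the bank of incidents
    subcontractors: list[Vendor] = field(default_factory=list)  # fourth parties


def review_gaps(vendor: Vendor, as_of: date, max_age_days: int = 365,
                via: str | None = None) -> list[str]:
    """Return one finding per control gap for this vendor and, recursively, its subcontractors."""
    label = vendor.name if via is None else f"{vendor.name} (fourth party via {via})"
    gaps: list[str] = []

    # Ongoing diligence: a missing or stale review means monitoring is not actually happening.
    if vendor.last_diligence is None:
        gaps.append(f"{label}: no due-diligence review on file")
    else:
        age = (as_of - vendor.last_diligence).days
        if age > max_age_days:
            gaps.append(f"{label}: due diligence is {age} days old")

    # Assumed criterion: anyone holding NPI must have a SOC report no older than the window.
    if vendor.handles_npi:
        if vendor.soc_report_date is None:
            gaps.append(f"{label}: handles NPI but no SOC report on file")
        elif (as_of - vendor.soc_report_date).days > max_age_days:
            gaps.append(f"{label}: SOC report is older than {max_age_days} days")

    # Assumed criterion: a critical provider must be contractually bound to report incidents.
    if vendor.critical and not vendor.incident_notice_clause:
        gaps.append(f"{label}: critical vendor without an incident-notification clause")

    # Fourth parties inherit the same checks and are labelled with the third party they sit behind.
    for sub in vendor.subcontractors:
        gaps.extend(review_gaps(sub, as_of, max_age_days, via=vendor.name))
    return gaps


def review_register(vendors: list[Vendor], as_of: date, max_age_days: int = 365) -> list[str]:
    """Run review_gaps over the whole register and flatten the findings."""
    findings: list[str] = []
    for v in vendors:
        findings.extend(review_gaps(v, as_of, max_age_days))
    return findings


def npi_data_map(vendors: list[Vendor]) -> dict[str, list[str]]:
    """Data-mapping view: for each owning department, every vendor or subcontractor holding NPI."""
    data_map: dict[str, list[str]] = {}

    def walk(v: Vendor, dept: str) -> None:
        if v.handles_npi:
            data_map.setdefault(dept, []).append(v.name)
        for sub in v.subcontractors:
            walk(sub, dept)

    for v in vendors:
        walk(v, v.owner_dept)
    return data_map


# Constructed sample register; names and dates are illustrative, not real vendors.
AS_OF = date(2022, 6, 1)
REGISTER = [
    Vendor("CoreLedger", "IT", True, True, date(2022, 2, 1), date(2021, 12, 31), True,
           subcontractors=[Vendor("CloudHostCo", "IT", True, True, None, date(2022, 3, 31), True)]),
    Vendor("MailCampaigner", "Marketing", False, True, date(2020, 11, 15), None, False),
    Vendor("BranchSignage", "Operations", False, False, date(2022, 1, 10), None, False),
]

if __name__ == "__main__":
    for finding in review_register(REGISTER, AS_OF):
        print(finding)
    print(npi_data_map(REGISTER))
```

Run against the sample register, the review surfaces the marketing team’s mail vendor (stale diligence, holds NPI, no SOC report) and the core provider’s cloud subcontractor (never reviewed), while the data map shows that IT’s NPI exposure extends to the fourth party as well as the third. The point of keeping the register in one structure is that every department’s contracts pass through the same criteria rather than each unit tracking its own.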
Set the tone at the top. In a 2019 letter, the FDIC reminded financial institutions that “boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.”
Unfortunately, boards often lack the skill sets to understand cybersecurity, says Sanders. “They’ve got to have that knowledge and expertise at the governance level to really understand what should be going on.” He recommends that boards hear from the bank’s chief information security officer at least quarterly, and that they seek the best technology providers for the bank’s strategic needs rather than selecting a solution because it is the cheapest option. The bank may find it gets what it pays for.
“Be honest with yourself about where the risk is and what the involvement from the institution is that should take place at the governance level,” says Sanders. “From the top down, give the support to management and compliance to go out and do what they need to do.”
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. Bank Services members have exclusive access to the complete results of the survey, which was conducted in January 2022.
Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.
Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings.
Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.”
The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.
To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments.
“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.”
The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.
Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.
Understanding Carbon Emissions
Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.
Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities.
Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.
The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios.
Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks.
Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.
Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.
Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades.
A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.”
While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario.
“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.”
What’s keeping board members, CEOs, risk officers and other key executives up at night?
With a number of evolving risks facing the industry, bank leaders have a lot on their plate. They weigh in on these key risks — from cybersecurity to rising interest rates and more — in Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP. While it’s not surprising to find respondents almost universally more worried about cybersecurity — a perennial point of anxiety in the survey — they also reveal increased concerns in a number of areas.
Almost three-quarters say they’re more worried about regulatory risk, with one respondent citing specific concerns about overdraft fees, fair lending and redlining, and rulemaking from the Consumer Financial Protection Bureau.
Given expected rate hikes from the Federal Reserve, 71% say they’re worried about interest rate risk. Three-quarters hope to see a moderate rise in rates by the end of the year, though uncertainty around inflationary pressures, exacerbated by the conflict in Ukraine, could yield surprises.
Findings also include:
Most bank executives and board members report that their cybersecurity programs have matured, but respondents still identify key gaps in their programs, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents also reveal how the board oversees this critical threat.
In an indicator of how business continuity plans have evolved through the pandemic, more than 80% say at least some employees work remotely for at least a portion of their work week. When it comes to vaccinations, banks continue to take a carrot approach, with most encouraging rather than requiring Covid-19 vaccinations and boosters. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.
Environmental, social and governance disclosures may be getting a lot of buzz, but more than half of the survey participants don’t yet focus on environmental, social and governance issues in a comprehensive manner, though the majority set goals in several discrete areas related to ESG.
Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey.
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. The survey was conducted in January 2022.
Despite geopolitical turmoil following Russia’s invasion of Ukraine, the Federal Reserve opted to raise interest rates 25 basis points in March — its first increase in more than three years — in an attempt to fight off a high rate of inflation that saw consumer prices rising by 7.9% over the preceding year, according to the Bureau of Labor Statistics.
“Inflation remains elevated, reflecting supply and demand imbalances related to the pandemic, higher energy prices, and broader price pressures,” the central bank said in a statement. The Federal Open Market Committee (FOMC) is the policymaking body within the Fed that sets rates, and Fed Chairman Jerome Powell remarked further that the FOMC will continue to act to restore price stability.
“We are attentive to the risks of further upward pressure on inflation and inflation expectations,” Powell said, adding that the FOMC anticipates a median inflation rate of 4.3% for 2022. He believes a recession is unlikely, however. “The U.S. economy is very strong and well-positioned to handle tighter monetary policy.”
Six more rate hikes are expected in 2022, which overshoots the aspirations of the directors, CEOs, chief risk officers and other senior executives responding to Bank Director’s 2022 Risk Survey, conducted in January. Respondents reveal a high level of anxiety about interest rate risk, with 71% indicating increased concern. When asked about the ideal scenario for their institution, almost three-quarters say they’d like to see a moderate rise in rates in 2022, by no more than one point — significantly less than the 1.9% anticipated by the end of the year.
Moss Adams LLP sponsors Bank Director’s annual Risk Survey, which also focuses on cybersecurity, credit risk, business continuity and emerging issues, including banks’ progress on environmental, social and governance (ESG) programs. More than half of the respondents say their bank doesn’t yet focus on ESG issues in a comprehensive manner, and just 6% describe their ESG program as mature enough to publish a disclosure of their progress.
Developments in this area could be important to watch: The term ESG covers a number of key risks, including climate change, cybersecurity, regulatory compliance with laws such as the Community Reinvestment Act and operational risks like talent.
“Finding employees is becoming much harder and has us [looking] at outsourcing (increased risk) or remote workers (increased risk),” writes one survey respondent. Workers want to work for ethical companies that care about their employees and communities, according to research from Gallup. Could a focus on ESG become a competitive strength in such an environment?
Top Risks
Respondents also reveal increased anxiety about cybersecurity, with 93% saying that their concerns have increased somewhat or significantly over the past year. Along with interest rate risk, regulatory risk (72%) and compliance (65%) round out the top risks. One respondent, the CRO of a Southeastern bank between $1 billion and $5 billion in assets, expresses specific concern about “heightened regulatory expectations” around overdraft fees, fair lending and redlining, as well as rulemaking from the Consumer Financial Protection Bureau around the collection of small business lending data.
Enhancing Cybersecurity Oversight
Most indicate that their bank conducted a cybersecurity assessment over the past year, with 61% using the Cybersecurity Assessment Tool offered by the Federal Financial Institutions Examination Council (FFIEC) in combination with other methodologies. While 83% report that their program is more mature compared to their previous assessment, there’s still room to improve, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents report a median budget of $200,000 for cybersecurity expenses in fiscal year 2022, matching last year’s survey.
Setting ESG Goals
While most banks lack a comprehensive ESG program, more than half say their bank set goals and objectives in several discrete areas: employee development (68%), community needs, investment and/or volunteerism (63%), risk management processes and risk governance (61%), employee engagement (59%), and data privacy and information security (56%).
Protecting Staff
More than 80% of respondents say at least some employees work remotely for at least a portion of their work week, an indicator of how business continuity plans have evolved: 44% identify formalizing remote work procedures and policies as a gap in their business continuity planning, down significantly compared to last year’s survey (77%). Further, banks continue to take a carrot approach to vaccinations and boosters, with most encouraging rather than requiring their use. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.
Climate Change Gaps
Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey. While 60% indicate that their board and senior leadership team understand the physical risks to their bank as a result of more frequent severe weather events, less than half understand the transition risks tied to shifts in preferences or reduced demand for products and services as the economy adapts.
For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.
These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.
1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.
Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”
2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.
Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.
Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant with the prospect of rising interest rates.
3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused in this area as risks increase; the instances of public attacks across all industries reflect a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is Russian state-sponsored cyber threats. As banks gather and maintain more and more data, it’s paramount to have experienced talent and protocols for protection of customer data.
Bank management teams should be able to show evidence of their institution’s capability to respond to or recover from destructive cyberattacks that are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk, and should incorporate any processes or controls that may have changed as a result of a new strategic or operational plan.
4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, the Community Reinvestment Act and the overall prioritization of compliance management is not shifting.
Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.
5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board to provide a strong foundation to strategic planning.
We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.
The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.
Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.
Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.
Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.
Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.
Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.
Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.
Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.
The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.
So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.