Seven Cybersecurity Best Practices that Boards Should Adopt

Protecting their bank against cyberattacks is a core risk governance responsibility of every bank board of directors. But what are the best ways to implement a risk management process to focus specifically on the growing and costly issue of cybersecurity? Sai Huda of FIS discusses the seven best practices which boards should adopt to prevent a cyber disaster.

Challenges and Opportunities: Mutual Banks

Mutual savings banks have had a tough time the last several decades. Their ranks have been reduced by roughly one-third during the last 10 years, mostly due to stock conversions or failures. What started as a philanthropic endeavor in the early part of the 19th century grew to considerable prominence in the banking industry, but mutual savings banks now are fewer in number, have multiple challenges and are little understood. But they also have advantages that continue to draw proponents to this day.

Mutuals do not have stockholders. Instead, the owners of the mutual are its depositors. Because of limitations of the mutual charter, mutuals can do little to raise capital, aside from generating earnings or converting from a mutual into a stock corporation. This can put them in a precarious situation, but it also means they tend to be better capitalized, more conservative and with better asset quality than other banks and thrifts because they are extra careful to protect capital. Just like stock-based thrifts, mutual thrifts have loan portfolios with heavy concentrations in residential one-to-four family mortgages. Federally chartered mutual banks are regulated by the Office of the Comptroller of the Currency (OCC) and mutual holding companies are regulated by the Federal Reserve Board, after the Dodd-Frank Act disbanded their previous regulator, the Office of Thrift Supervision, in 2011. Mutuals that are state chartered have the OCC as their secondary regulator.

There are fewer than 500 mutual banks left today, many of them in New England, and in particular, Massachusetts, which has a total of 46, according to industry consultant RP Financial in Arlington, Virginia. Mutuals have deep historic roots in New England, which explains why the region has such a high concentration. During the early 1800s, philanthropists started mutuals by donating the capital and appointing themselves trustees of the organization to help the working class become savers at a time when commercial banks had little interest in them. Mutuals were extremely popular throughout much of their history. The average mutual had $3.7 million in assets in 1900, compared to $700,000 for the average commercial bank at that time, according to the Federal Deposit Insurance Corp. (FDIC). Today, about 90 percent of mutual banks have assets of less than $500 million.

Many mutuals failed in the 1980s as interest rates rose, and they struggled to compete for depositors while contending with a lot of fixed-rate assets on their balance sheets. A law meant to strengthen the banking industry, the Financial Institutions Reform, Recovery and Enforcement Act of 1989, eliminated certain forms of regulatory capital that had benefited mutuals. As a result, even more mutuals disappeared in the 1990s.

Regulators have struggled with what to do with a mutual bank that needs capital and doesn’t have the earnings growth to get stronger.

Capital and Regulatory Issues
Mutuals have the same regulatory capital requirements as banks and other thrifts. To raise capital, they can use unique forms such as pledge deposits, but these are not FDIC-insured and depositors can’t make a withdrawal without regulatory approval, so this form of capital is rarely used.

Mutuals can also raise capital through stock conversions, but that essentially converts a mutual into a stock company. Some mutuals have converted in stages, with a first step conversion selling less than half the subsidiary bank’s stock to the public and retaining the rest in the mutual holding company. The second step can fully convert the mutual holding company down the road. This lets the mutual raise capital in stages while maintaining majority control. Investors Bancorp., the holding company for New Jersey-based Investors Bank, did so this year, raising $2.2 billion in a second-step stock offering. Hudson City Bancorp, one of the largest mutuals, did so in 2005 and raised $3.93 billion.

Because of the lack of stock, mutuals tend to be highly capitalized and are not so interested in risky investments or risky growth. The average mutual in the $250-million to $750-million asset range had a Tier 1 leverage ratio of 11 percent as of December, 2013, compared to 9.8 percent for other institutions in that size range, according to an analysis by RP Financial.

As a result of capital constraints, the OCC considers capital planning “critical” for mutuals, as described in an OCC bulletin from July 2014. To do so, the board needs to stress profitability and moderate the company’s growth so it doesn’t outgrow its capital base, says Ron Riggins, president and managing director of RP Financial. From a risk management perspective, mutuals need to position the balance sheet with lower risk than competitors might typically take on. For instance, mutuals tend not to do much in the way of consumer or commercial lending, which can be higher risk, and they purchase more government-issued securities than their non-mutual competitors.

Because of the lower risk profile, mutuals tend to have slightly better asset quality than other types of banks and thrifts. The average non-performing asset ratio for mutuals in the $250 million to $750 million assets range was 1.4 percent, compared to 1.5 percent for all non-mutuals.

The conservative nature of mutuals and the higher cost of regulation given their small size tends to make them less profitable than other institutions. The average return on average assets was .5 percent for mutuals above $250 million in assets and .9 percent for similar sized non-mutuals and commercial banks as of December 2013.

The OCC has spent the last couple of years trying to better understand the traits of mutuals and how to regulate them effectively. Mutuals have been lobbying to be compared only with other mutuals, which has been proposed by Comptroller Tom Curry. Exceptions occur when there are no similar mutuals for comparison, as when the mutual is very large. In such instances, examiners will make adjustments. For example, when comparing net income between a stock bank and a mutual, the OCC will subtract dividends of stock banks to make a better comparison with the net income of mutuals.

“I think the OCC has worked really hard to understand our cultures better,’’ says Paul Mackin, the president and chief executive officer of $1.5-billion asset Think Mutual Bank in Rochester, Minn. Mackin is on the OCC’s advisory committee for mutuals. “Most [mutuals] would say the examination process today has advanced because of that work and the work they continue to do.”

Early on during the transition from the OTS, mutuals had to learn that exams would be tougher and the OCC had a different way of looking at risk, which was much more forward focused, he says.

Riggins says there was little change for mutuals that were state chartered, but for those with federal charters, the OCC had a different view of the adequacy of loan loss provisions and the sufficiency of capital to manage risk than the OTS did.

Mergers and Acquisitions
The unique structure of a mutual also leads to challenges in mergers and acquisitions. There is no stock to exchange, unless the mutual institution has at least gone through a first stage conversion. This is an expensive and time consuming proposition. Mackin doesn’t see M&A as much of an obstacle for a well capitalized mutual, which in most cases can afford to pay cash. For mutuals wary of paying cash, an alternative strategy could be a merger of equals. Since no premiums are paid, management of the target can be rewarded with enough compensation to attract a merger partner, Riggins says.

Growth through acquisitions might benefit a mutual in terms of dealing with increased regulatory costs, the increased costs of technology and cybersecurity, as well as the need to compete with growing credit unions and other banks.

Compensation and Working for a Mutual
Like other non-stock companies, mutuals can’t pay employees or executives in stock, but Mackin hasn’t found that to be much of an issue for his employees. He finds he can attract employees from the bigger banks because his bank focuses on customer needs instead of investors’ needs. The web site for the mutual declares: “We believe fair prices are more important than increased profits.”

“As an industry, we lost a lot of trust with customers because of what happened in the late 2000s,’’ Mackin says. “I think [Think Mutual has] really strong brand appeal because we are owned by our customers. In this day and age, when banks are not as widely trusted as they once were, we have a strong appeal to the marketplace.”

That brand promise is a powerful recruitment and retention tool. Mutuals tend to have less of a focus on short-term profitability than publicly traded banks, and might win over employees who are interested in institutions that can make long-term investments and provide job stability because of reduced earnings pressure. Think Mutual does not offer cash bonuses or a stock incentive plan but does pay higher salaries than banks that do, Mackin says. He believes this is consistent with the mutual’s customer-ownership culture.

“Paying higher salaries means we expect top performance from every employee and our managers have to be very active coaches,’’ he says. “Still, earnings remain important to build longer term capabilities and we do offer profit sharing to all employees when we exceed our net profit goals.” The plan pays out a percentage of their salaries based on the company’s level of excess earnings and is distributed shortly after fiscal year end.

Governance Issues
Being owned by depositor-members who don’t own stock also brings up its own governance issues. Members have many rights, for example, the right to vote on board members, inspect corporate records, amend the charter and request special meetings, but in practice many give voting rights by proxy to the board or a special committee of the board. Getting a quorum is always an issue at an annual meeting to re-elect directors, so in some cases as little as one member is needed to make quorum, and there is no requirement to mail out proxies to member homes in advance of the meeting. The bylaws of the mutual will dictate rules and procedures, and will be governed by state law or by the OCC’s rules. Regulators understand that in effect, mutuals have a tough time getting participation from depositors when those depositors may feel like they have no financial stake in the vote.

The special governance structure could lead to weaker governance practices, such as a lack of accountability to depositor-members on the part of the board. Mackin suggests that every mutual should develop its own corporate governance policies for directors, expectations for the board and a rigorous evaluation process. At Think Mutual, directors are individually evaluated every other year. The board then assesses its overall performance during the off-years. The individual assessment calls for each director to complete a self-evaluation and do the same for the other directors. The executive management team also participates in the process. The process is complete once the chairman and vice-chairman of the board have met with each director about their performance and that includes recommending continuing education as needed.

Think Mutual also addresses board tenure with age limits and mandatory resignations. The age limit is 72 years old. Also, directors must submit their resignation letter should a material career change occur, including retirement. This provides the board with a decision point so it can evaluate if the director will have the same capacity to perform their duties, says Mackin.

With the loss of mutual banks in this country, it could easily seem as if they were becoming a poorly understood minority in the financial marketplace. “They don’t have the lobbying power they once had,’’ Riggins says.

In an age where credit unions are growing in size and mutual banks are declining in number, who will advocate for their health, and role in society? Who will make sure their voice is heard at the regulatory table, and that they don’t go the way of the passenger pigeon?

Mutuals tend to attract impassioned advocates, and their survival may hinge on the strength of those passionate managers and board members who cleave to the form.

Part I: Best Practices of Bank Boards

Today’s banking industry is constantly being buffeted by waves of financial, regulatory and operational challenges. The increased regulatory burden and related costs impact every financial institution in both the approach to doing business and the expense of doing business. The industry is in transition, with no clear path forward. As a result, there has never been a greater need for well functioning, informed and courageous boards of directors of banks and bank holding companies. There has also never been a more important time for board members to keep in mind that their responsibilities can be boiled down into one simple goal: the creation of sustainable long-term value for shareholders.

Achieving long-term value for shareholders may seem an elusive goal in the current environment. On more than one occasion, bank board members have commented to me that they feel they are now working for the benefit of the regulators. However, as with any time of turmoil and change, the challenges we now face will pass. As bank boards look for ways to strengthen their institutions, they should not overlook the opportunity to strengthen themselves as a group. One way of doing that is to adopt the practices of the most effective boards of directors.

Over the past several decades my partners and I have attended hundreds of bank board meetings, for institutions ranging in size from under $100 million in assets to well over $10 billion. Regardless of the size of the entity, we have noticed a number of common characteristics and practices of the most effective boards of directors. This is the first in a series of articles which will describe the 10 best practices we have observed among highly effective boards of directors. In this article I focus on two fundamental best practices – selecting good board members and adopting a meaningful agenda for the board meetings.

Best Practice No. 1 – Select Good Board Members

Some of the most challenging and distracting issues a board can face are those related to its own members. These issues typically arise in connection with conflicts of interest between board members and the banks they serve, or when board members experience financial stress. They can also arise when there are personality clashes in the boardroom or when one or more board members seek to dominate the conversation. The best time to avoid such issues is during the selection process for new directors. Compromise and wishful thinking in the selection of directors will almost always dilute the effectiveness of the board as a whole. Key characteristics of good directors include:

  • Independence – being free of conflicts.
  • Time to devote to the job – including time to gain knowledge of the industry, to prepare for board meetings and to participate in committees.
  • Attention – being fully engaged and proactive as a board member.
  • Courage – having a willingness to deal with tough issues.
  • Curiosity – possessing an intellectual curiosity about the bank, the financial services industry and the trends impacting both.

A group of good, solid and dependable board members is, in my experience, preferable to a big-hitter, all-star line-up of directors. A board is most effective when it acts as a group, with a culture in which all members can voice their opinions, and in which probing, and sometimes difficult questions can be asked. Dominant personalities and board cultures in which constructive debate never occurs have contributed to the demise of many banks in the current downturn. Careful selection of new board members, keeping in mind the strengths and weaknesses of the other members of the board, is well worth the time and effort involved.

Best Practice No. 2 – Adopt a Meaningful Agenda

Take the time to review, revise and update your board agenda. I’m aware of several banks that are using the same approach to board meetings and the same agenda as 30 years ago. The absence of any objection from board members may only mean that they are drifting off to sleep during the half-hour-long financial presentation. Board members greatly appreciate a shift to a more efficient and effective agenda, with a focus on committee reports and presentation of only meaningful information about the condition and operations of the bank. This can free up substantial time for the board to focus on the overall direction and progress of the bank.

Most directors only visit the bank once or twice a month, which makes a full understanding of the bank’s plans and status very difficult. There needs to be an educational element in board meetings. Most directors have an ongoing need, and desire, for growth and development in their understanding of the banking industry. With such education, directors can become more effective in their recognition and understanding of the risks to be monitored, as well as the factors that most influence a bank’s strength and performance.

Board packages should be delivered well in advance of each meeting in order to provide the directors with adequate time to prepare. Committee chairs should be prepared to give concise but informative reports at the meeting. Financial and operational presentations by management should focus on telling the board members what time it is, not how the watch was built. This approach can result in more interesting and informative board meetings and will likely result in greater interaction and contribution by the board members.


Originally published on October 25, 2011.

Part 4: Best Practices for Bank Boards

I frequently speak to groups of bank CEOs and directors at state and national conferences.  One of my favorite topics is “best practices for bank boards.”  The audience reaction always confirms my belief that bank boards of directors all face the same fundamental challenges, regardless of the size or geographic location of the bank and the shareholder base which they serve.  Boards of directors are groups of people, and every group of people develops its own set of shared expectations and priorities.  It can be helpful for a bank board to occasionally take the time to reflect on its approach to self governance and decision making, especially when this is done by examining the experience and success of other boards of directors in the industry.

This is the fourth and final article in a series on best practices for bank boards. This series of articles describes ten of those best practices.  In this article, I will discuss the last two best practices—developing real board leadership and making use of special purpose board meetings.

Best Practice No. 9 – Develop Real Board Leadership

Every board should periodically evaluate whether it has effective leadership.  Just as no director has a “right” to sit on a board, which gives rise to the need for director assessments and evaluations, leadership positions also are not tenured.  To be effective, a leader must be engaged, prepared for meetings, willing to take on difficult issues, and, in my view, willing to lead by example.  Burnout and growing complacency can be expected in all leadership roles.  It is in the best interest of the board, the bank and its shareholders for the board to have the ability and willingness to recognize and address these issues when they arise, and not delay action.

If the CEO is also chairman of the board, is that arrangement working for the board?  A test for whether such an arrangement is working is for the non-management independent directors to consider whether the board is truly making its own decisions.  If not, then reconsider the existing leadership structure and, at a minimum, appoint a lead director to bring more balance to the board’s decision making process and better ensure a flow of important information to the board.

Also, consider rotating committee leadership on a regular basis, particularly among the most important committees such as the audit, asset-liability and loan committees.  Fresh leadership perspective can be an effective risk management tool.

Best Practice No. 10 – Make Use of Special Purpose Board Meetings

Have at least two meetings a year dedicated to focusing on the bank’s strategy and why it works (or should work) and its strengths and challenges.  Include in one such meeting a discussion of “Buy, Sell or Hold,” since management needs to know the direction of the board on this fundamental issue in order to effectively run the bank and position it for the future.

Consider scheduling a special meeting to address any questions or concerns that directors may have but won’t express in a regular board meeting.  For example, in this time of increased regulatory burden and more aggressive regulatory enforcement, many directors are interested in knowing what their personal liability exposure is and what protections exist, whether they ask or not.  Directors also are very interested these days in hearing a more complete description of the impact of the Dodd-Frank Act and the scope of authority and impact of the Consumer Financial Protection Bureau.

Finally, consider setting aside most or all of a board meeting to have the directors hear directly from the key senior staff of the bank.  This can be helpful for the board to gain confidence in the bank’s overall management team, and it can also be a source of insight into the strength of the institution.  Good banking is fundamentally about good people, and in-person communication is the best way for the board to take the measure of the bank’s people.

I wish you and your board great success. The other articles in this series are below:

Part 3: Best Practices for Bank Boards

Over the past several years we have seen the regulatory agencies become much more focused on board oversight and performance.  This is a natural point of focus for regulators in a time of crisis in the banking industry.  The fiduciary and oversight obligations of members of boards of directors are well established, and there is a road map in the corporate records for following the actions and deliberations of a board.  I would suggest, however, that a board could receive a gold star for the quality of its minutes and its adherence to the established principles of corporate governance, and yet fall well short of being an effective working group.

This is the third in a series of articles of best practices for bank boards.  Over the past several decades my partners and I have worked with hundreds of bank boards.  Regardless of the size of the entity we have noticed a number of common characteristics and practices of the most effective boards of directors.  In this article, I will discuss three additional best practices—meeting in executive session, making use of a nominating committee and director assessments and participating in the examination process.

Best Practice No. 6 – Meet in Executive Session

It is not uncommon for the most passionate and meaningful discussions among board members to occur in the parking lot of the bank following a board meeting.  Much more time is spent in these parking lot sessions discussing a possible sale of the bank and the compensation and performance of the bank CEO than ever takes place in the board room.  The most effective boards of directors move these conversations to the board room by means of executive sessions.  Whether monthly or quarterly, the independent (i.e., non-management) directors meet in executive session and set their own agenda for those meetings.

I have found that CEOs who welcome and facilitate such executive sessions never regret doing so.  Executive sessions provide a structured forum for the independent directors to meet as a group and speak freely regarding matters of interest and concern to them.  Many positive ideas and discussions can result from these sessions.  If the CEO is also chairman of the board, a “lead director” can chair the executive sessions.  A best practice is for the chairman or lead director to meet with the CEO following an executive session and report on the substance of the matters discussed.

Best Practice No. 7 – Make Use of a Nominating Committee and Director Assessments

No director has a “right” to sit on a board.  Members of the most effective boards of directors have an active desire to serve the bank, which is evidenced by a high level of engagement, preparation and participation.  There should be a transition from the typical practice of automatically re-nominating existing board members to a process of conducting annual director assessments coupled with a nominating committee for director elections.

The CEO should not be involved with either director assessments or the nominating committee—these are board functions and should be managed by the board under the direction of the chairman or the lead director.  Annual director assessments could initially be done by means of self-assessments, coupled with a one-on-one meeting between each director and the chairman.  These one-on-one meetings can serve as the basis for discussion of the director’s enthusiasm for and participation in the activities of the board.

The process of implementing an active nominating committee and annual director evaluation process is also about risk management going forward.  In these times of continued economic uncertainty and increased regulatory scrutiny, it is important that banks have active and engaged directors.

Best Practice No. 8 – Actively Participate in the Examination Process

Members of the board should be involved in the regulatory examination process.  The regulators really do want and expect the board to be involved in and understand the issues which the regulators believe may be facing the bank.  Involvement of the entire board or key members of the board from the first management meeting with the examiners to the exit meeting is tangible evidence that the board is actively engaged in oversight of the bank.  It can also be beneficial for members of the board to hear the concerns of the regulators directly, and to observe management’s interaction with the examiners.

I recently attended an exit meeting with bank management following conclusion of an exam.  Several of the bank’s directors were present because they wanted to get a preview of the exam findings on asset quality.  During the exit meeting the lead examiner raised concern about a risk management issue of potentially significant magnitude.  The issue clearly took the bank’s CEO by surprise, but the presence at the meeting of the board’s chairman had a calming effect.  The chairman looked across the table at the lead examiner and said in a convincing tone, “We will fix this immediately.”  The issue was then quickly resolved, and the final examination report commented favorably on that action.  The end result may well have been the same without the presence of board members at the exit meeting, but I believe their presence was very helpful and reflected well on the bank.

Part 2: Best Practices for Bank Boards

Over the past several years I have attended dozens of meetings of boards of directors of banks in troubled condition.  The vast majority of these boards were well functioning and had dedicated and hard working directors.  Geographic location has been the predominant factor in determining winners and losers among banks in this challenging economy.  However, there have been several situations in which it appeared to me that the composition of a board, and the interpersonal dynamics among its members, had magnified the impact of the economic downturn.  A bank board is like any other working group in that the direction and decisions of a board can be heavily influenced by members who dominate the conversation, or by members who actively discourage discussion or dissent.

This is the second in a series of articles on best practices for bank boards.  During the past several decades, my partners and I have worked with hundreds of bank boards, for institutions ranging in size from under $100 million in assets to well over $10 billion in assets.  Regardless of the size of the entity, we have noticed a number of common characteristics and practices of the most effective boards of directors.  This series of articles describes ten of those best practices.  In the first article in the series, I focused on two fundamental best practices—selecting good board members and adopting a meaningful agenda for the board meetings.  In this article I will discuss three additional best practices—providing the board with meaningful information, encouraging board member participation and making the committees work.

Best Practice No. 3 – Provide the Board with Information, Not Data

Change the monthly financial report to something meaningful.  Most boards need to know only about 20 to 30 key data points and ratios and how those numbers compare to budget, peer banks and prior year results to have a good handle on the condition of the bank.  By contrast, the typical financial report at a bank board meeting is encompassed in a 25 to 30 page document that blurs into a very detailed, and often meaningless, recitation of data that is difficult to follow.

Providing meaningful information in an understandable format is essential for the board members to identify and manage risk.  Less is often more in effective board presentations. 

Best Practice No. 4 – Encourage Board Participation

No board should be burdened with a devil’s advocate who has to speak in opposition to everything, but there should be an atmosphere in the board room which allows for dissenting views and occasional no votes.  Far too many meaningful questions go unasked in the board room.  Board members need to feel empowered to ask challenging questions, and also to say that they don’t understand a proposal or a presentation.

In my experience, a very powerful question is the question: Why?  A sense of momentum and inevitability can develop during the discussion of a proposal in a board room, particularly when the discussion is dominated by one or more directors who are persuasive or who feel strongly about a position. 

I know several bank boards that greatly benefitted from a few independent thinking directors in the years running up to the current economic downturn.  Those directors had the insight and the courage to question generally held beliefs in a boom real estate market.  More importantly, the culture of the boards on which they served allowed for real discussion of concerns expressed by directors.

Best Practice No. 5 – Make the Committees Work

The best functioning bank boards almost always have an active and involved committee system.  There is effective leadership of their committees, and the committee members take the time to read and analyze management reports and related materials in advance of meetings.  If you ever need to provide motivation for committee members to be more focused and attentive, give them a copy of one of the complaints filed in litigation by the FDIC against directors of a failed institution.  Almost all of the FDIC lawsuits assert a lack of adequate attention and focus by directors, and particularly by loan committees.

Directors should not become micro-managers, but management of the bank should feel that board members are holding them to a certain level of performance and accountability.  “Noses in and fingers out” is a good maxim for directors to follow, whether in the committee setting or on the board as a whole.

A strong committee system also helps build real expertise on the board, which can help support management.  Future board leaders can be identified through their work on committees.  We recommend that committee chair positions, particularly among the two or three most active committees of the board, be rotated every few years.  This allows for broader exposure of directors to leadership positions, and can heighten their overall understanding of the bank’s business.  It also brings a fresh perspective and approach to the committees.  Leadership ability and the commitment of time and energy should be the main criteria for selecting committee chairs.

Internet Banking: what it means for your institution

The way we bank is changing. What used to happen at a branch now happens just about anywhere. Internet banking services have fast become a banking reality. And in today’s changing technology landscape, financial institutions must keep up with customer demands. So what does this mean for your institution? First Data created a white paper to help you understand the consumer technology expectations and trends in banking. We outline what a complete internet banking solution should look like, how to choose the right one, and best practices for a successful conversion program. We’ll cover topics such as:

  • Features and capabilities that an internet banking solution should have
  • A mini case study of a bank that utilized First Data’s Internet Banking Suite
  • Nine best practices for a successful conversion process
