Bank Director Releases 2022 Risk Survey Results

BRENTWOOD, TENN., Mar. 29, 2022 – Bank Director, the leading information resource for directors and officers of financial institutions nationwide, today released its 2022 Risk Survey, sponsored by Moss Adams LLP. The findings reveal a high level of anxiety about interest rate risk as well as a lack of awareness in the environmental, social and governance (ESG) space.

The 2022 Risk Survey finds that the majority of responding directors, CEOs, chief risk officers and other senior bank executives are more concerned about interest rate risk compared to the previous year. Why? While interest rate increases — kicked off with a quarter-point hike announced by the Federal Reserve earlier this month — would ease pressures on bank net interest margins, they could also dampen loan demand and slow economic growth. When asked about the ideal scenario for their institution, almost three-quarters of survey respondents say they’d like to see a moderate rise in rates in 2022, by no more than one point. That’s significantly less than the 1.9% expected from the Fed by the end of the year.

“Finding the balance between an increase in rates without a decrease in the volume of lending can be an art form,” says Craig Sanders, partner at Moss Adams. “Banks with more diverse loan portfolios and those that made the right bets regarding loan terms will be better positioned to adapt to the new, ever-changing environment.”

Findings also reveal that more than half of the respondents’ banks don’t yet focus on ESG issues in a comprehensive manner, and just 6% describe their ESG program as mature enough to publish a disclosure of their progress. 

“While we see a handful of primarily larger, public banks focused on ESG, it’s a broad issue that touches on several areas important to community banking, including community and employee engagement, risk management and data privacy, and corporate governance,” says Emily McCormick, vice president of research at Bank Director. “The survey finds banks setting goals in these distinct spheres when it comes to ESG, despite a lack of formal programs or initiatives.”

Key Findings Also Include: 

Top Risks
Respondents also reveal increased anxiety about cybersecurity, with 93% saying that their concerns have increased somewhat or significantly over the past year. Along with interest rate risk, regulatory risk (72%) and compliance (65%) round out the top risks. One responding CRO expresses specific concern about “heightened regulatory expectations” around overdraft fees, fair lending and redlining, as well as rulemaking from the Consumer Financial Protection Bureau around the collection of small business lending data. 

Enhancing Cybersecurity Oversight
Most indicate that their bank conducted a cybersecurity assessment over the past year, with 61% using the Cybersecurity Assessment Tool offered by the Federal Financial Institutions Examination Council (FFIEC) in combination with other methodologies. While 83% report that their program is more mature compared to their previous assessment, there’s still room to improve, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents report a median budget of $200,000 for cybersecurity expenses in fiscal year 2022, matching last year’s survey.

Setting ESG Goals
While most banks lack a comprehensive ESG program, more than half say their bank set goals and objectives in several discrete areas: employee development (68%), community needs, investment and/or volunteerism (63%), risk management processes and risk governance (61%), employee engagement (59%), and data privacy and information security (56%).

Protecting Staff
More than 80% of respondents say at least some employees work remotely for at least a portion of their work week, an indicator of how business continuity plans have evolved: 44% identify formalizing remote work procedures and policies as a gap in their business continuity planning, down significantly compared to last year’s survey (77%). Further, banks continue to take a carrot approach to vaccinations and boosters, with most encouraging rather than requiring their use. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.

Climate Change Gaps
Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey. While 60% indicate that their board and senior leadership team understand the physical risks to their bank as a result of more frequent severe weather events, less than half understand the transition risks tied to shifts in preferences or reduced demand for products and services as the economy adapts.

The survey includes the views of 222 directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets. Full survey results are now available online at

About Bank Director
Bank Director reaches the leaders of the institutions that comprise America’s banking industry. Since 1991, Bank Director has provided board-level research, peer-insights and in-depth executive and board services. Built for banks, Bank Director extends into and beyond the boardroom by providing timely and relevant information through Bank Director magazine, board training services and the financial industry’s premier event, Acquire or Be Acquired. For more information, please visit

About Moss Adams LLP
With more than 3,800 professionals across 30-plus locations, Moss Adams provides the world’s most innovative companies with specialized accounting, tax, and consulting services to help them embrace emerging opportunity. We serve over 400 banks and other financial institutions in all stages of the growth cycle helping our clients navigate an evolving regulatory environment, maintain profitability, and manage risk throughout each phase of their business’s growth. Discover how Moss Adams is bringing more West to business. For more information visit

For more information, please contact Bank Director’s Director of Marketing, Deahna Welcher, at [email protected].

Combating Complacency Through Strategic and Operational Planning

For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.

These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.

1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.

Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”

2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.

Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.

Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant with the prospect of rising interest rates.

3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused in this area as risks increase; the instances of public attacks across all industries reflect a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is the wave of Russian state-sponsored cyber threats. As banks gather and maintain more and more data, it’s paramount to have experienced talent and protocols for the protection of customer data.

Bank management teams should be able to show evidence of their institution’s capability to respond to and recover from destructive cyberattacks, which are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk, and should incorporate any processes or controls that may have changed as a result of a new strategic or operational plan.

4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, Community Reinvestment Act and overall prioritization of compliance management are not shifting.

Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.

5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board to provide a strong foundation to strategic planning.

We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

How Innovative Banks Keep Up With Compliance Changes

Bankers and directors are increasingly worried about compliance risk.

More than half of executives and directors at banks with more than $10 billion in assets said their concerns about compliance risk increased in 2018, according to Bank Director’s 2019 Risk Survey. At banks of all sizes, 39 percent of respondents expressed increasing concern about their ability to comply with changing regulations.

They’re right to be worried. In 2018, U.S. banks saw the largest amount of rule changes since 2012, according to Pamela Perdue, chief regulatory officer for Continuity. This may have surprised bankers who assumed that deregulation would translate to less work.

“The reality is that that is not the case,” she says. “[I]t takes just as much operational effort to unwind a regulatory implementation as it does to ramp it up in the first place.”

Many banks still rely on compliance officers manually monitoring websites and using Google alerts to stay abreast of law and policy changes. That “hunt-and-peck” approach to compliance may not be broad enough; Perdue said bankers risk missing or misinterpreting regulatory updates.

This potential liability could also mean missed opportunities for new business as rules change. To handle these challenges, some banks use regulatory change management (RCM) technology to aggregate law and policy changes and stay ahead of the curve.

RCM technology offerings are evolving. Current offerings are often included in broader governance, risk and compliance solutions, though these tools often use the same manual methods for collecting and processing content that banks use.

Some versions of RCM technology link into data feeds from regulatory bodies and use scripts to crawl the web to capture information. This is less likely to miss a change but creates a mountain of alerts for a bank to sort through. Some providers pair this offering with expert analysis, and make recommendations for whether and how banks should respond.

But some of the most innovative banks are leveraging artificial intelligence (AI) to manage regulatory change. Bank Director’s 2019 Risk Survey revealed that 29 percent of bank respondents are exploring AI, and another 8 percent are already using it to enhance the compliance function. Companies like San Francisco-based use AI to extract regulatory changes, classify them and summarize their key holdings in minutes.

While AI works exponentially faster than human compliance officers, there are concerns about its accuracy and reliability.

“I think organizations need to be pragmatic about this,” says chief executive officer and co-founder Kayvan Alikhani. “[T]here has to exist a healthy level of skepticism about solutions that use artificial intelligence and machine learning to replace what a $700 to $800 an hour lawyer was doing before this solution was used.” uses an “Expert in The Loop” system to verify that the classifications and summaries the AI produced are accurate. This nuanced version of supervised learning helps train the model, which only confirms a finding if it has higher than 95 percent confidence in the decision.

Bankers may find it challenging to test their regulatory technology systems for accuracy and validity, according to Jo Ann Barefoot, chief executive officer of Washington-based Barefoot Innovation Group and Hummingbird Regtech.

“A lot of banks are running simultaneously on the new software and the old process, and trying to see whether they get the same results or even better results with the new technology,” she says.

Alikhani encourages banks to do proofs of concept and test new solutions alongside their current methodologies, comparing the results over time.

Trust and reliability don’t seem to be key factors in bankers’ pursuit of AI-based compliance technology. In Bank Director’s 2019 Risk Survey, only 11 percent of banks said their bank leadership teams’ hesitation was a barrier to adoption. Instead, 47 percent cited the inability to identify the right solution and 37 percent cited a lack of viable solutions in the marketplace as the biggest deterrents.

Bankers who are adopting RCM are motivated by expense savings, creating a more robust compliance program and even finding a competitive edge, according to Barefoot.

“If your competitors are using these kinds of tools and you’re not that’s going to hurt you,” she says.

Potential Technology Partners


Combines regulatory data feeds with consultative advice about how to implement changes.

Pairs an “Expert in the Loop” system to verify the accuracy of AI summaries and categorization

OneSumX Regulatory Change Management from Wolters Kluwer

Includes workflows and tasks that help banks manage the implementation of new rules and changes


Provides impact ratings that show which parts of the bank will be impacted by a rule and the degree of impact

Predict360 from 360factors

Governance risk and compliance solution that provides banks with access to the Code of Federal Regulations and administrative codes for each state

Learn more about each of the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

Don’t Forget Your Umbrella: How to Protect Your Bank From Financial Crimes

With banks of all sizes facing significant challenges in the management of financial crime risk, senior management and bank board members need an unambiguous understanding of the strengths and weaknesses of their organizations’ financial crime compliance strategy.

The escalation of mobile banking, the burgeoning role of fintech in banking and the spread of cybercrime are only a few of the key reasons for banks to establish a process that views financial crime risks in the aggregate—under one umbrella. Further, in our view, directors must have a firm grasp of how the program has been designed and implemented.

An integrated view of financial crime compliance risk can give board members a sense of confidence that management has a robust financial crime compliance program in place. A view of issues in the aggregate provides management the ability to understand the entirety of the financial crimes landscape at their firm.

At their core, these programs require a dynamic and agile mindset at the board level. Directors must possess a level of confidence that management has established a strategic, well considered approach to detecting, preventing and reporting financial crime. A carefully managed, well designed, and integrated plan can also create considerable governance benefits across internal silos.

For banks currently without an integrated plan, the creation of such a plan requires:

  • A strategic vision of a future program that engages senior management in the first line of defense (lines of businesses and operations) in the design of the vision—and has buy-in by the entire board.
  • The integration of teams that in the past have approached such risks in a separate manner, such as compliance programs for anti-money laundering, anti-bribery and corruption, and Office of Foreign Assets Control (OFAC) sanctions.
  • A vision for how to change or enhance the bank’s information technology (IT) infrastructure.
  • The designation of an individual as the bank’s financial crimes compliance officer.

Building an integrated financial crimes program under an umbrella structure presents opportunities for collaboration, improved data aggregation and analytics capabilities, heightened board awareness of the bank’s control environment, and the possibility of cost savings and enhanced regulatory compliance.

The establishment of a centralized financial crimes compliance unit, however, requires a multi-faceted approach. Employee roles and responsibilities will likely shift, policies and procedures may need to be consolidated to reflect the new approach, and compliance reporting mechanisms and IT responsibilities will be altered.

Recognizing that the landscape will shift, we offer a roadmap to an integrated financial crimes compliance program. Here’s a synopsis of our five-step plan for your board’s consideration:

  1. Compliance leaders recognize the importance of cultivating partnerships with business-unit leaders across the bank—as well as their internal audit teams. Thus, building a cross-functional working team is a must across the bank’s “three lines of defense”: the front office and lines of business, the support functions such as compliance and, finally, audit. These members should consider perceived benefits, anticipated costs and potential obstacles. Dialogue and trust are essential.
  2. The team should strive to gain a clear view of the bank’s current risk management efforts and assess the underlying financial crimes risks. Too many institutions stumble at this stage by adopting models that may work for larger or more-regulated institutions, or conversely for smaller institutions with a different product mix or jurisdictional presence.
  3. The cross-functional team should draft a working plan for the centralized compliance unit, and the team should provide the draft plan, which would include the recommended step-by-step approach to establishing the unit, to board members and executive leadership for review. The plan would identify the individuals who will design and roll out the changes, the governance and oversight structure of the transformation program, and the unit’s staffing model.
  4. Perhaps as much as any of these steps, clear and frequent communication to bank personnel about the program’s intentions, benefits and impacts is vital. Board members should be satisfied that management has established a plan for the timing and cadence of communications, has identified which audience will be targeted at each step, and has created specific messages to the bank staff regarding why the establishment of the unit is necessary and how it will benefit the organization.
  5. Once the bank has embedded its Financial Crimes Compliance Program, management must be certain that monitoring and testing mechanisms are working continuously, and that the firm is equipped to deal with changes as regulations change or are introduced.

A final reminder is worth noting: The journey is never over. Financial crime compliance risk, as a board agenda item, should be a constant.

Bank Regulatory Update: Three Things to Think About for 2017

Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts in smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and truth-in-lending integrated disclosures (TRID).

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.

Credit, Compliance or Operations: What is the Biggest Risk?

Historically, credit has often been the number one risk banks faced. But with an increasing amount of regulation and new technology opening up the gateway of attacks on bank infrastructure, other sorts of risks are gaining increasing attention these days. In advance of Bank Director’s seventh annual Bank Audit Committee Conference in Chicago June 6 through June 7, we asked speakers to describe the risk concerns of their clients. We asked:

“What risks do you see financial institutions most concerned about: Operational, regulatory or credit?”

Operational and regulatory risks are more interrelated than ever before. Banks still seem extremely mindful of credit risk, but management teams have “gotten used to” those risks, and have been living with the new reality for many years. Now we are seeing a lot of activity relating to regulatory changes and how those changes affect operations. Over the next few years, it will be critical for management teams to stay on top of the regulatory changes and make sure that they are comfortable that their entity’s operations are able to respond to the ongoing regulatory changes. This includes conducting a thorough internal review of internal and external compliance functions to ensure that they are appropriately staffed and receiving adequate guidance.

— Rob Fleetwood, partner, Barack Ferrazzano Kirschbaum & Nagelberg LLP

Operational. Since the vast majority of bank management today has operated in the gradually declining interest rate environment since the early 1980s, operating their institutions in a future that virtually guarantees rising interest rates presents a new challenge. Managing earnings without exposing their banks to the same interest rate risk pressures that nearly destroyed the thrift industry in the decade of the 80s will require dedication to sound asset-liability management processes.

— Doug Fitzgerald, partner, Wipfli LLP

Credit Risk. The credit crisis magnified credit risks distinguishing good lenders from poor ones, and banks that survived strengthened internal controls to avoid a repeat scenario. While many banks have cleaned up their loan portfolios, credit risks will remain at the forefront of bankers’ minds across the country for many years to come.

— Steve Hovde, president & chief executive officer, Hovde Financial Inc.

Regulatory. A strong enterprise risk management program covering all aspects of the risk spectrum is essential to managing regulatory risk today. Risk must be managed from the top down, with all members of the board of directors and senior management agreeing on the risk appetite of the organization, what level of tolerance they are willing to accept and what metrics will be utilized to monitor the risks.

— Brian Blaha, partner, Wipfli LLP

Whether one looks at the lost or disrupted business caused by recent cyber-attacks, or the massive regulatory settlements in diverse areas involving Libor rigging, AML (anti-money laundering) non-compliance, or failure to supervise third-party vendors offering misleading credit products, it becomes clear that financial institutions need to take operational and regulatory risks at least as seriously as they take credit risk.

Risk and compliance managers need to be more creative about uncovering the next problem rather than just establishing controls to prevent the last problem from recurring.

— Ray Strecker, special advisor, Promontory Financial Group LLC

I believe the biggest risk to financial institutions today is in the regulatory arena. It seems there is something new every day with which banks must comply. It can make your head spin! Having a solid regulatory monitoring function is critical to managing this risk.

— Kendra Decker, partner, National Professional Standards Group, Grant Thornton LLP

Regulatory risks are the primary concern; however, it’s not unusual for there to be elements of operational risk and/or credit risk within the regulatory risk as well.

Risks continue to evolve and the regulatory environment is very dynamic. The program that effectively managed regulatory risk last year needs to continue to evolve to be effective going forward. Regulatory risk that is managed within business as usual processes is generally more effective than processes that are added simply to assist in complying with evolving regulatory requirements.

— Mike Percy, partner, Crowe Horwath LLP

Operational. There are two fronts. Given margin compression, banks are looking at cost containment. This includes reviewing the process for efficiencies and re-evaluating their delivery network. We are seeing banks take a hard look at their branch network. The second item relates to technology—both from a standpoint of delivery and risk mitigation. If we really understood the regulatory burden in our future, then it would be worth the concern. At this point, it is too nebulous which makes it impossible to address.

— Sal Inserra, partner, Crowe Horwath LLP

In today’s banking environment, where these types of risks are so very interrelated, it seems more difficult than ever to untie operational, credit and regulatory risk from one another and identify one as being more critical than another. From an audit committee standpoint as it relates to BOLI (Bank-Owned Life Insurance), the justification for the asset purchase, the product structure and the ongoing review of the credit of various carriers creates regulatory and credit risk challenges. Add to that additional challenges from Basel III and Dodd-Frank, along with a tepid economic recovery coming out of the great recession, and a complete, more thorough understanding of the BOLI asset will be critical in the future.

— Becky A. Pressgrove, senior vice president and chief operating officer, Equias Alliance LLC

Part III: Remediation – Compliance Lessons from the Construction Industry

Finding A Problem Is One Thing, Fixing It Is Another

Not long ago, I visited an institution we’ll call “Flub Financial.” Flub’s compliance team was knowledgeable and experienced. Their well-executed audit program employed savvy auditors whose comprehensive coverage allowed Flub to easily detect problems. So why did Flub find itself in a multi-million dollar enforcement action? The reason: Flub kept applying the same practices that had created the problems in the first place.

Management did little to correct the underlying issues. Worse, Flub’s directors exercised even less oversight because they assumed management took care of problems after the board was informed of deficiencies. Simply put, Flub failed to apply our third lesson from the construction industry: Maintenance and repairs are essential to preserving value.

Just as contractors are responsible for a well-built house, directors are accountable for ensuring the compliance program’s sound foundation, and overseeing its ability to detect deficiencies. Moreover, directors must ensure corrective actions are taken when weaknesses occur. Similar to preserving a house, an institution’s success depends on whether corrective actions are taken immediately.

Examiners, much like building inspectors, want to see things working properly. Has prompt action been taken to correct weaknesses noted in routine monitoring as well as during examinations? Do records show how problems were addressed with evidence of corrections made? Good answers to these questions are crucial, because without a proven methodology, deficiencies may turn into large cracks.

There are three main aspects to successfully implementing corrective action:

1. Specifying and assigning corrective steps,

2. Confirming the correction occurred, and

3. Following up at appropriate intervals to ensure the correction’s effectiveness.

Specifying the Steps

To identify and assign corrective steps, the board must determine who, what and how. Who will ensure correction happens? What oversight and work steps are needed and what is the deadline for the correction? How will the assignee apprise the board of their results and how will the board monitor whether the correction worked, or if problems still persist?

It’s essential for the board to assign corrective actions to executives who have the necessary accountability and proper authority, rather than to a department. For example, listing the lending department as responsible leaves it unclear who is accountable for doing the work and confirming it was completed. Avoid this mistake by listing specific job titles or individuals. The institution must be able to recreate the chain of events so the board can validate the process, and examiners can confirm that proper repairs were made.

Confirming the Correction

The responsible party should report to the board when the correction is complete. The board should have a regular and predictable interval for these reports with standard formatting. It’s a best practice to require that managers provide evidence of the correction—in other words—trust, but verify. The implementing manager should conduct preliminary validation of the correction, and demonstrate through actions and evidence that the problem is fixed. This action assures directors that management has resolved the issue, not just given it the appropriate lip service.

Follow-up Reviews

Follow-up reviews should be conducted by compliance personnel at the proper time after corrective measures are implemented. Reviews shouldn’t happen too soon, because the board won’t be able to tell if the fix stuck. Often, a corrective measure validated within days after its application will seem to work beautifully. This is either because it worked, or because the change is fresh in the minds of staff and they haven’t had time to backslide into old ways.

A minimum interval of 90 days before verifying corrections allows enough time to gather trend and analytical information, and to see whether corrections withstood the test of time. Beware, however, of waiting too long. Problems may persist if the fix wasn’t properly applied at the outset. Imagine waiting a year before reviewing your fix, only to find that the wrong corrective actions were taken.

To recap, avoid these red flags of poor corrective action:

  • Failure to set specific correction standards
  • Failure to designate a single party ultimately responsible
  • Failure to confirm issues are resolved
  • Failure to keep records so when examiners ask how and why certain things were done, the action can be reconstructed and proved

Bottom line, it is simply not enough to have strong policies and procedures, even with a strong audit program that detects weaknesses. It’s crucial to have an equally strong protocol for swift and precise corrective actions. Just like preventive maintenance protects your home, a strong compliance program protects your institution’s value for the long term.

Top Issues for Audit Committees in 2012 and Beyond

We asked audit committee chairmen (and women) what their committees are grappling with in the year ahead. With the passage of the Dodd-Frank Act in 2010, it’s obvious from their responses that compliance with government regulations has become a huge concern. But so is monitoring the organization’s risks, including IT risks, and figuring out how to make a profit in an environment of low interest rates.

What do you believe are the top issues facing audit committee members in 2012 and into 2013?

Stress Testing

We need to focus on developing the appropriate stress tests for our institutions to determine, monitor and support our capital adequacy; focus on liquidity risk as macro-economic conditions improve and many of our institutions face a run-off of deposits to higher earning assets; and institutionalize the lessons learned during this credit cycle.

– Robert F. Coleman, audit committee chairman, PrivateBancorp, Inc., Chicago, IL

Growing Profitability

I think the top issues are sustaining a risk-based focus with executive leadership, adapting risk oversight at the board level to new Dodd-Frank and Fed requirements and figuring out how to make money in a flat interest rate environment for the next two years.

– Ingrid S. Stafford, audit committee chairman, Wintrust Financial Corporation, Lake Forest, IL

IT & Security Risks

I agree that compliance, particularly trying to understand what is coming with Dodd-Frank, is growing in importance. IT risk is also taking a bigger share of our time. Everything from privacy and security (including cyber-security), to emerging technologies like the cloud, social and mobile are going to be a focus for us.

– David L. Copeland, audit committee chairman, First Financial Bankshares, Abilene, TX

Compliance Issues

Compliance continues to be one of the top issues. More and more internal resources are being directed to the ever growing compliance requirements. Disclosure is another struggle. I suspect that eventually, the 10-Qs and 10-Ks will become so lengthy that no one will read them with footnotes that now span multiple pages and are seemingly redundant to matters covered in other sections of the submissions. Risk is a concern. Each of us hopes that we do not overlook the obvious.

– Gordon Budke, audit committee chairman, Banner Corporation, Walla Walla, WA

Expanding Responsibilities

The exponential acceleration of regulations will become an increasing challenge for audit committees of all banks, regardless of size. The compliance area alone, where banks are being required to implement government policy initiatives, is a prime example of this challenge. In addition, regulators are requiring extensive documentation of all actions taken and not taken in a culture where risk is to be reduced to zero. Therefore, the audit committee’s role is changing rapidly and must constantly be reassessed with these increasing responsibilities.

– John E. Seward, Jr., audit committee chairman, Bank of Tennessee, Kingsport, TN and Carter County Bank, Elizabethton, TN

Risk Monitoring

I believe the top issues confronting audit committees this year and next are developing, implementing and monitoring audit plans, including internal audit. These plans are focused on the identification and weighting of risk elements arising out of the transition of the banking industry from the defensive/capital conservation strategies of the past three years to the growth/capital deployment strategies to be implemented over the next several years. The economy and the need for bank financing will expand together with the regulatory risks presented by the Dodd-Frank legislation.

– Timothy B. Matz, audit committee chairman, PacWest Bancorp, San Diego, CA

The Down and Dirty of Compensation Risk

Recent federal guidance on bank incentive compensation practices, combined with the landmark Dodd-Frank Act, is requiring bank compensation committees and their audit or risk committee counterparts to take a collaborative approach to determining whether their plans pose a material financial risk to the institution. This and other topics were covered at a roundtable discussion on compensation risk that brought together directors and human resources professionals at large, publicly traded banks, representatives of the McLagan consulting firm and the law firm Kilpatrick, Townsend & Stockton. The half-day event was held in late September at the University Club in Washington, DC.

Released in June 2010, the new rules mandate that banks must review all of their incentive compensation programs annually to make sure they have an appropriate balance of risk and reward, and that the board of directors is providing an adequate level of governance oversight.

Al Moschner, who is chairman of the compensation committee at $13.9 billion-asset Wintrust Financial Corp. in Lake Forest, Illinois, said the compensation committee sponsored a meeting with the chairmen of the other board committees, the chief executive officer, the chief financial officer and the chief risk officer to review the risk profile of the bank in the current environment. The head of the bank’s human resources department also described the various levels of compensation that are being contemplated for the coming year. “And then there was a robust discussion about whether that makes sense from a risk perspective,” Moschner says.

Wintrust also emphasizes an integrative approach to managing compensation risk by having some directors serve on both its compensation and audit committees. “We try to make sure we have some cross-pollination between the two committees,” Moschner explains.

“The compensation committee needs to work collaboratively with the bank’s risk committee,” says Todd Leone, a principal at McLagan. “The risk committee needs to review the goals that drive the bank’s incentive plans. They have to ensure what is being motivated doesn’t have unintended consequences. The compensation committee drives plan design; the audit/risk committee ensures it is within the bank’s overall risk tolerance.”

Compensation committees today also face the challenge of developing an appropriate set of performance metrics for long-term incentive plans.

Part of the problem is that federal regulators are now focusing greater attention on compensation risk generally, but fundamental changes that have affected the entire industry add to the challenge. “How banks make money is now very different and that makes it harder to develop incentive compensation plans,” says Clifford J. Isroff, the lead independent director at $14 billion-asset FirstMerit Corp. in Akron, Ohio, and a member of both the compensation and risk committees.

Wintrust’s long-term incentive plan used to be based on a single metric—annual earnings growth—but the current operating environment has led the bank to build multiple performance metrics into its plan, including return on assets and growth in tangible net assets.

Another controversial issue that compensation committees are being forced to deal with is the clawback provision in the Dodd-Frank Act. The act requires the Securities and Exchange Commission to direct the national securities exchanges like NYSE Euronext and NASDAQ OMX to prohibit companies from listing their stocks if they have not adopted clawback policies that would allow them to recover incentive compensation that has already been paid to former or current executives if it was based on incorrect data.

Gayle Applebaum, a principal director at McLagan, said many of her bank clients are finding some resistance from their senior managers to the very notion of clawbacks, as well as deferrals that are now being built into many incentive plans. “Oftentimes managers don’t want these things for their people,” Applebaum says. “They are worried about their ability to retain talent.”

One point that most of the participants agreed on was the importance of having a strong risk culture throughout the organization. Although it will still be necessary to vet the bank’s incentive compensation plans annually to satisfy the new federal requirements, a strong risk culture is every bank’s first line of defense.

“If you manage the risk, I’m not worried about the compensation plan,” said Frank Farnesi, who is chairman of the compensation committee at Beneficial Mutual Bancorp Inc., a $4.7 billion-asset mutual holding company in Philadelphia.

New Media Compliance Issues: Is Social Media Right for Your Institution?

At the heart of social media – blogs, social networks and other multimedia endeavors – is a real-time, open and public dialogue accessible by anyone with Internet access. By the time your legal and compliance department has vetted a 140-character tweet, the conversation has changed. The reality of instantaneous engaged marketing with your customers can excite production staff and perplex compliance personnel. It doesn’t help that many of the rules that apply to the use of social media were created long before blogs and social networking consumed our lives. Perhaps this is one reason why the banking industry has lagged behind in the social media movement. But in the new reality, to ignore the movement is to be left behind. That is why financial institutions, regulators and attorneys are starting to get on board. The landscape may be unsettled, but it’s not entirely unmanageable.

Businesses, including financial institutions, are starting to see the vast potential for social media use. Companies are connecting with their customers almost instantaneously and are receiving the kind of immediate feedback that once would have been obtainable only via costly and time-consuming surveys. Many companies are using social media as a customer service platform to create an online community of connected customers. The bottom line is maximization of advertising dollars. Businesses can reach any number of plugged-in consumers through the click of a button. Unlike television or radio ads, an online advertisement can be accessed any time, day or night, and gives the business the ability to change the course of the marketing communication mid-stream to create a fluid message in tune with current trends. With all of these benefits, why has the financial industry been so slow to adopt social media? Blame it on the disconnect between static regulations and innovative technology.

Compliance Issues In Social Media

The rules of compliance haven’t directly changed due to the advent of social media. However, the facts have changed, impacting the application of the rules. The underlying risk to your institution stems from the nature of how social media impacts the delivery and retention of information in addition to the ever-present privacy concerns.

Information Delivery

Deceptive Advertisements: The Federal Trade Commission (FTC) has long been the guardian of the consumer in the advertising arena. The rules are seemingly simple – advertisements have to be truthful and not deceptive. Easy enough, right? What if I told you that an employee blog that you may or may not know about could be considered an endorsement under the FTC Act if the employee is touting one of your institution’s products or services? In this instance, the blog post in question would have to be entirely truthful and the employee would be required to disclose his or her relationship with your institution regardless of whether your institution is aware of, or has authorized, the message. (See the FTC’s Revised Guidelines concerning the use of endorsements and testimonials in advertising.) This is just one among countless examples of these types of rules, present at the state and federal level.

Advertising Disclosures: What about microblogging (i.e., the 140-character tweet)? If an interest rate for a consumer loan product is quoted, how can all of the accompanying disclosures required under state and federal law possibly fit? Crafting the message in light of the limitations of the medium is a critical factor in an institution’s ability to comply with the rules.

Federal Securities Laws and Blue-Sky Laws: For publicly-traded companies, regulators have begun to address social media in the context of securities laws. Forward-looking statements regarding company performance are a delicate issue, even after thorough vetting by legal counsel. Employers will be liable for the statements of their employees, authorized or not.

Information Retention

Your institution already employs some level of technology to assist you in the collection and retention of certain types of information. This may be in the context of advertising retention rules per state law or e-discovery rules under the Federal Rules of Civil Procedure. Additional retention and reporting requirements come into play under the Sarbanes-Oxley Act, USA PATRIOT Act and other related laws. By its nature, social media is harder to capture and catalogue for later recall. However, technology providers have emerged that focus specifically on this type of media.

Privacy and Security

Some companies use social media sites for customer support. This use requires special attention, especially in an industry as heavily regulated as banking. Institutions must ensure that any use of social media avoids conflict with existing privacy laws and internal security policies. In addition, regulators are growing increasingly concerned about information technology risks and have adopted compliance guidance.

Suggestions for Conquering Your Institution’s Social Media Fears

Demonstrating that you are cognizant of the risks associated with social media and addressing those risks with thoughtful and effective policies and procedures is just as important as the end-result. Here are a few suggestions:

Dedicate significant time and resources to developing current policies and procedures regarding social media. A number of stakeholders will be critical to this process, and they should start by analyzing known risks. The results are highly dependent on your institution’s risk profile, and the process should be thoroughly documented. Show your work. Regulators will want to know that you take these policies seriously and have acted with a sufficient amount of diligence and caution. Make sure your social media policies and procedures are effectively communicated to your employees. Address violations of social media policy swiftly and decisively.

Monitor for compliance and protect your institution’s brand. The social aspect of social media creates the possibility that some users will have less than stellar things to say about your institution. Treat those situations as a customer service teaching moment and a way to gain feedback about your institution. In addition, to the extent that you have protected trademarks or servicemarks, develop guidelines for employees with communication privileges so that they can adequately protect those marks in the public arena.

Consider using third parties to assist you. There are a number of technology companies available to assist you in message search and monitoring, access management and archival solutions. Reach out to those companies. At the very least, you may get some ideas on areas of focus for your policies and procedures. At best, you’ll find a competent vendor partner to automate what would otherwise be a laborious process.

Go slow. Total institutional immersion into social media doesn’t have to happen overnight. Take the time to create a culture that embraces the effective use of social media and the related compliance components. Consider slowly adding mediums and employees into the fold after adequate training and guidance.

Vendor Management

In a recent interview, Donald Saxinger, senior examination specialist at the FDIC, suggested that social media providers would have to be treated as vendors for purposes of the FDIC’s Guidance for Managing Third-Party Risk (FIL 44-2008). In addition, he suggested that social networking sites could be considered to be the type of vendors that banks must report to the FDIC under the Bank Service Company Act (BSCA) within 30 days after the relationship begins (12 U.S.C. § 1867(c)).

The basic premise of third-party risk management is that the board of directors and senior management are ultimately responsible for the activities conducted by third parties on behalf of the bank to the same extent that they would be if the activity were handled within the institution. The majority of the guidance from the FDIC pertains to “significant third-party relationships”; however, institutions should consider following this guidance for all social media vendors. Until there is more guidance available pertaining specifically to social media vendors, those companies should be treated as any other vendor would be. This means completing a risk assessment on the outsourced activity, due diligence in selecting a third party, contract structuring and review, and continuing relationship oversight.

The BSCA requires institutions to use the FDIC form titled Notification of Performance of Bank Services to report all vendors performing “Bank Services” as defined in 12 U.S.C. § 1863. Institutions should consult with their legal counsel as to what social media vendors fall under this category for reporting purposes. This question could be difficult until further formal guidance is issued.

Two things are certain with social media – it’s inevitable and ever-changing. Some of these same discussions took place with the adoption of email usage. Just read the disclaimers at the bottom of your last email exchange. Caution and innovation don’t often mix, but your institution can make the best of both worlds with a little time and effort.