The Strategic Side of Cybersecurity Governance


cybersecurity-8-7-19.pngWithout a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. It proactively undertakes initiatives because it’s the right thing to do, versus an auditor instructing a company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel that is focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned to the cyber risk governance. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the company’s institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks that the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that its cyber risks are being addressed.

Addressing the Top Three Risk Trends for Banks in 2019



As banks continue to become more reliant on technology, the risks and concerns around cybersecurity and compliance continue to grow. Bank Director’s 2019 Risk Survey, sponsored by Moss Adams LLP, compiled the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about the current risk landscape. Respondents identified cybersecurity as the greatest concern, continuing the trend from the previous five versions of this report and indicating an industry-wide struggle to fully manage this risk.

Other top trends included the use of technology to enhance compliance and the potential effect of rising interest rates. Here’s what banks need to know as they assess the risks they’ll face in the coming year.

Cybersecurity
Regulatory oversight and scrutiny around cybersecurity for banks seems to be increasing. Agencies including the Securities and Exchange Commission are focused on the cybersecurity reporting practices of publicly traded institutions, as well as their ability to detect intruders. The Colorado legislature recently passed a law requiring credit unions to report data breaches within 30 days. It’s no surprise that 83 percent of respondents said their concerns about cybersecurity had increased over the past year.

Most of the cybersecurity risk for banks comes from application security. The more banks rely on technology, the greater the chance they face of a security breach. Adding to this, hackers continue to refine their techniques and skills, so banks need to continually update and improve their cybersecurity skills. This expectation falls to the bank board, but the way boards oversee cybersecurity continues to vary: Twenty-seven percent opt for a risk committee; 25 percent, a technology committee and 19 percent, the audit committee. Only 8 percent of respondents reported their board has a board-level cybersecurity committee; 20 percent address cybersecurity as a full board rather than delegating it to a committee.

Compliance & Regtech
Utilizing technological tools to meet compliance standards—known as regtech—was another prevalent theme in this year’s survey. This is a big stress area for banks due to continually changing requirements. The previous report indicated that survey respondents saw increased expenses around regtech. This year, when asked which barriers they encountered around regtech, 47 percent responded they were unable to identify the right solutions for their organizations. Executives looking to decrease costs may want to consider whether deploying technology could allow for fewer personnel. When this technology is properly used, manual work decreases through increased automation.

Other compliance concerns for this year’s report included rules around the Bank Secrecy Act and anti-money laundering. Seventy-one percent of respondents indicated they implemented or plan to implement more innovative technology in 2019 to better comply with BSA/AML rules.

Compliance with the current expected credit loss standard was another area of concern. Forty-two percent of respondents indicated their bank was prepared to comply with the CECL standard, and 56 percent replied they would be prepared when the standard took place for their bank.

Interest Rate & Credit Risk
The potential for additional interest rate increases made this a new key issue for the 2019 report. When asked how an interest rate increase of more than 100 basis points, or 1 percent, would affect their banks’ ability to attract and retain deposits, 47 percent of respondents indicated they would lose some deposits, but their bank wouldn’t be significantly affected. Thirty percent indicated an increase would have no impact on their ability to compete for deposits.

However, 55 percent believed a severe economic downturn would have a moderate impact on their banks’ capital. In the event of such a downturn, deposits and lending would slow, and banks could incur more charge-offs, which would impact capital. This fluctuation can be easy to dismiss, but careful planning may help reduce this risk.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

How Innovative Banks Keep Up With Compliance Changes


compliance-6-5-19.pngBankers and directors are increasingly worried about compliance risk.

More than half of executives and directors at banks with more than $10 billion in assets said their concerns about compliance risk increased in 2018, according to Bank Director’s 2019 Risk Survey. At banks of all sizes, 39 percent of respondents expressed increasing concern about their ability to comply with changing regulations.

They’re right to be worried. In 2018, U.S. banks saw the largest amount of rule changes since 2012, according to Pamela Perdue, chief regulatory officer for Continuity. This may have surprised bankers who assumed that deregulation would translate to less work.

“The reality is that that is not the case,” she says. “[I]t takes just as much operational effort to unwind a regulatory implementation as it does to ramp it up in the first place.”

Many banks still rely on compliance officers manually monitoring websites and using Google alerts to stay abreast of law and policy changes. That “hunt-and-peck” approach to compliance may not be sufficiently broad enough; Perdue said bankers risk missing or misinterpreting regulatory updates.

This potential liability could also mean missed opportunities for new business as rules change. To handle these challenges, some banks use regulatory change management (RCM) technology to aggregate law and policy changes and stay ahead of the curve.

RCM technology offerings are evolving. Current offerings are often included in broader governance risk and compliance solutions, though these tools often use the same manual methods for collecting and processing content that banks use.

Some versions of RCM technology link into data feeds from regulatory bodies and use scripts to crawl the web to capture information. This is less likely to miss a change but creates a mountain of alerts for a bank to sort through. Some providers pair this offering with expert analysis, and make recommendations for whether and how banks should respond.

But some of the most innovative banks are leveraging artificial intelligence (AI) to manage regulatory change. Bank Director’s 2019 Risk Survey revealed that 29 percent of bank respondents are exploring AI, and another 8 percent are already using it to enhance the compliance function. Companies like San Francisco-based Compliance.ai use AI to extract regulatory changes, classify them and summarize their key holdings in minutes.

While AI works exponentially faster than human compliance officers, there are concerns about its accuracy and reliability.

“I think organizations need to be pragmatic about this,” says Compliance.ai chief executive officer and co-founder Kayvan Alikhani. “[T]here has to exist a healthy level of skepticism about solutions that use artificial intelligence and machine learning to replace what a $700 to $800 an hour lawyer was doing before this solution was used.”

Compliance.ai uses an “Expert in The Loop” system to verify that the classifications and summaries the AI produced are accurate. This nuanced version of supervised learning helps train the model, which only confirms a finding if it has higher than 95 percent confidence in the decision.

Bankers may find it challenging to test their regulatory technology systems for accuracy and validity, according to Jo Ann Barefoot, chief executive officer of Washington-based Barefoot Innovation Group and Hummingbird Regtech.

“A lot of a lot of banks are running simultaneously on the new software and the old process, and trying to see whether they get the same results or even better results with the new technology,” she says.

Alikhani encourages banks to do proofs of concept and test new solutions alongside their current methodologies, comparing the results over time.

Trust and reliability don’t seem to be key factors in bankers’ pursuit of AI-based compliance technology. In Bank Director’s 2019 Risk Survey, only 11 percent of banks said their bank leadership teams’ hesitation was a barrier to adoption. Instead, 47 percent cited the inability to identify the right solution and 37 percent cited a lack of viable solutions in the marketplace as the biggest deterrents.

Bankers who are adopting RCM are motivated by expense savings, creating a more robust compliance program and even finding a competitive edge, according to Barefoot.

“If your competitors are using these kinds of tools and you’re not that’s going to hurt you,” she says.

Potential Technology Partners

Continuity

Combines regulatory data feeds with consultative advice about how to implement changes.

Compliance.ai

Pairs an “Expert in the Loop” system to verify the accuracy of AI summaries and categorization

OneSumX Regulatory Change Management from Wolters Kluwer

Includes workflows and tasks that help banks manage the implementation of new rules and changes

BWise

Provides impact ratings that show which parts of the bank will be impacted by a rule and the degree of impact

Predict360 from 360factors

Governance risk and compliance solution that provides banks with access to the Code of Federal Regulations and administrative codes for each state

Learn more about each of the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

Five Reasons Behind Mortgage Subservicing’s Continued Popularity


mortgage-6-3-19.pngMortgage subservicing has made significant in-roads among banks, as more institutions decide to outsource the function to strategic partners.

In 1990, virtually no financial institution outsourced their residential mortgage servicing.

By the end of 2018, the Federal Reserve said that $2.47 trillion of the $10.337 trillion, or 24%, of mortgage loans and mortgage servicing rights were subserviced. Less than three decades have passed, but the work required to service a mortgage effectively has completely changed. Five trends have been at work pushing an increasing number of banks to shift to a strategic partner for mortgage subservicing.

  1. Gain strategic flexibility. Servicing operations carry high fixed costs that are cannot adapt quickly when market conditions change. Partnering with a subservicer allows lenders to scale their mortgage portfolio, expand their geographies, add product types and sell to multiple investors as needed. A partnership gives bank management teams the ability to react faster to changing conditions and manage their operations more strategically.
  2. Prioritizes strong compliance. The increasing complexity of the regulatory environment puts tremendous strain on management and servicing teams. This can mean that mortgage businesses are sometimes unable to make strategic adjustments because the bank lacks the regulatory expertise needed. But subservicers can leverage their scale to hire the necessary talent to ensure compliance with all federal, state, municipal and government sponsored entity and agency requirements.
  3. Increased efficiency, yielding better results with better data. Mortgage servicing is a data-intensive endeavor, with information often residing in outdated and siloed systems. Mortgage subservicers can provide a bank management team with all the information they would need to operate their business as effectively and efficiently as possible.
  4. Give borrowers the experience they want. Today’s borrowers expect their mortgage lender to offer comparable experiences across digital channels like mobile, web, virtual and video. But it often does not make sense for banks to build these mortgage-specific technologies themselves, given high costs, a lack of expertise and gaps in standard core banking platforms for specific mortgage functions. Partnering with a mortgage subservicer allows banks to offer modern and relevant digital servicing applications.
  5. Reduced cost. Calculating the cost to service a loan can be a challenging undertaking for a bank due to multiple business units sharing services, misallocated overhead charges and hybrid roles in many servicing operations. These costs can be difficult to calculate, and the expense varies widely based on the type of loans, size of portfolio and the credit quality. A subservicer can help solidify a predictable expense for a bank that is generally more cost efficient compared to operating a full mortgage servicing unit.

The broader economic trends underpinning the growing popularity of mortgage subservicing look to be strengthening, which will only accelerate this trend. Once an operational cost save, mortgage subservicing has transformed into a strategic choice for many banks.

Avoiding Unnecessary Unclaimed Property Forfeitures and Keeping Customers


risk-5-27-19.pngUnclaimed property issues are complex, but there are steps banks can take to help their customers maintain claims to their assets and keep their funds within the institution.

“Escheatment” is the legal term for the transfer of abandoned property to the state. Once a customer’s property is considered “abandoned” after a specific waiting period, state laws require that the bank turn over the asset to the state treasury department for safekeeping. Dormancy periods can be as short as one year, but vary by state or jurisdiction.

Banks can take four key actions that can reduce the risk that unnecessary escheatment could have on their customers’ accounts, and keep assets and deposits within the institution.

Institutions need to design processes and systems that can prevent unnecessary escheatment. Many banks lack the internal processes and technology solutions that would help minimize the risk of escheatment and often do not formalize their approach until faced with an audit, compounding an already-stressful situation.

Banks can create a culture of compliance by having policies and procedures for this process in place. They can also use technology to mitigate escheatment risk, lower the cost of the process and increase the efficiency of mitigation efforts.

However, many financial organizations lack robust systems to aid this process. For example, banks might allow certificates of deposit to be escheated because of inactivity, even though the CD owner has actively made deposits in or withdrawals from another account type. Linking customer accounts together allows the bank to assess contact activity across all holdings.

Banks can also educate their customers on the importance of maintaining accurate contact information and regular activity, which could prevent accounts from becoming dormant. Effective ways to help clients accomplish this include:

  • Providing customers with educational information when they open an account—one of the best times to educate them.
  • Adding messages on customer communications.
  • Establishing online alerts if mail has been returned as undeliverable, prompting customers to update their address when they log into their accounts.
  • Training bank employees about the risks of unnecessary escheatment so they are well-versed about unclaimed property compliance and can guide customers appropriately.

Banks should also proactively identify their customers who might be at risk for escheatment. All jurisdictions, except for Puerto Rico, have basic due diligence requirements that require banks to make a final attempt to contact owners of dormant accounts and uncashed checks towards the end of the dormancy period. But there are several steps that banks can take to identify customers at risk of escheatment ahead of the dormancy period:

  • Monitor which accounts have been inactive for 12 to 18 months and note the relationship with these customers.
  • Begin outreach campaigns early and allow sufficient time for communication, rather than waiting for the mandated due diligence process.
  • Identify deceased customer accounts that appear to be inactive, which can happen when family members are not aware that the account needs to be transferred or overlook paperwork when settling an estate.

Banks should communicate early, often and effectively with at-risk customers well in advance of the due diligence escheatment process. This process generally occurs late in the dormancy period: accounts have often been dormant for three to five years, making it difficult to find and communicate with their owners.

The process typically involves a single mailing sent to the last address of the dormant account’s owner, in hopes that they will respond. Most jurisdictions do not require due diligence mailings if the address on the account has been deemed inaccurate.

Owners that do receive and open the due diligence mailing may miss the window to reactivate their account if they do not act immediately. Customers may also think these letters are potential scams because they do not perceive themselves to be inactive or lost.

Effective ways to communicate with at-risk customers include:

  • Calling customers directly and explaining the situation before incurring the expense of a due diligence mailing
  • Using colored envelopes and company logos in customer communications.
  • Using direct mailings when time, budget, resources or the volume of accounts prevent telephone efforts.

Varying the communication techniques, changing the appearance of each mailing and customizing the specific details of the communication to the customer’s unique situation may also accelerate and increase the response rate. Proper documentation is critical–banks should retain all correspondence for control and audit purposes.

The key to preventing unnecessary escheatment is being proactive long before the state dormancy periods begin. These methods will help banks reduce the cost of compliance and retain assets and customers.

How Spreadsheets Add Risk to Construction Lending


lending-4-11-19.pngMillennials are entering the housing market with a force, yet low inventory across the country is stalling their dreams of homeownership. Now is the time for lenders to either begin or ramp up their construction loan programs. These niche loan products are a great addition to any book of business, but to be successful you have to be able to manage and service the loan after it closes.

Post close actions have traditionally been done with spreadsheets. This method, while fairly understood, is actually limiting and prone to formula errors. Additionally, spreadsheets naturally reach a tipping point in a team’s ability to scale and share reportable data with management and others in the organization. This puts loan completion in jeopardy and creates more risk to the lender.

The Limits of Spreadsheets to Manage Construction Lending
Spreadsheets can only do what they are designed to do—no more and no less. As your program grows, you are bound to reach the point where a spreadsheet is no longer functionally efficient and becomes a risky way to manage your pipeline.

  • Limited Visibility Into the Life of the Loan: Each loan has many different data points and touches over time, and housing them in a spreadsheet is basically burying important and vital information every time the loan is touched. It’s nearly impossible to see history, anticipate the future—and most importantly, clearly see problems before they arise. Spreadsheets force a reactive instead of a proactive method, which means a lender who is using spreadsheets is always playing catch-up.
  • No Reporting: Can you open up the spreadsheet right now and easily and accurately report on the pipeline, draw reports or consultant reports? The answer is probably no. And what do you do when you need to produce 1098 or 1099 reports? How do spreadsheets support these requirements? Getting your 1098s or 1099s from spreadsheets is a tedious, manual process prone to error. If you have a good quantity of construction loans, this is a large undertaking, and is difficult to scale. As you consider spreadsheets, consider the additional work that those spreadsheets will cost you over time.
  • A Finite Number Of Loans One Person Can Manage: Spreadsheets require a lot of time to properly manage one loan, and we have found that dedicated and experienced construction loan administrators can typically manage 35 to 50 loans using spreadsheets at one time. Any more than this usually adds to poor customer service.
  • Drains In-house Resources: If your program is doing well and your origination volume is growing, team members are limited in scale before a new hire must be acquired to take on more loans. Throwing bodies at the problem is not the best solution.
  • Location, Location, Location: Spreadsheets, no matter if they are stored on the cloud or on desktops, are still accessed by individual devices. You are now limited to these single failure points. What are the implications of losing this data, or the individual that knows how it works?
  • No Tracking: A spreadsheet does not offer tracking, task automation, complaint management, event monitoring, risk analysis and draw validations to ensure that the loan is meeting all of its milestones and risk requirements. As a workaround, lenders turn to the sticky note to help them keep track of important dates and actions. We all know the ineffective nature of this system, especially as key factors such as deadlines for draws, inspections, liens or permit expirations often get lost in the sticky note shuffle.
  • No Compliance Monitoring: Spreadsheets cannot keep you in compliance with government regulations, state statutes, loan program requirements, internal compliance, in-house policies/procedures or industry best practices. In order to maintain strict compliance, spreadsheets require constant vigilance. This may be their biggest limitation.

If Not Spreadsheets, Then What?
Spreadsheets just don’t cut it for construction loan management. Lenders who want to increase revenue while adding fewer additional resources need a digital construction loan management solution. Digital solutions reduce risk, improve efficiencies, allow scale and provide a better customer experience. Not to mention it keeps track of every small, yet critical, part of the construction loan. Never again will you be questioning if you are over-dispersing funds. Digital solutions, especially those that are cloud-based, can alleviate all the limitations of spreadsheets and the tipping point will be a thing of the past. Once you are running on this new level, you can bring more revenue and smart growth to your organization.

Applying the 1-10-100 Rule to Loan Management


data-4-2-19.pngImplementing new software may seem like an expensive and time-consuming challenge, so many financial institutions make do with legacy systems and workflows rather than investing in robust, modern technology solutions aimed at reducing operating expenses and increasing revenue. Unfortunately, banks stand to lose much more in both time and resources by continuing to use outdated systems, and the resultant data entry errors put institutions at risk.

The Scary Truth about Data Entry Errors
You might be surprised by the error rates associated with manual data entry. The National Center for Biotechnology Information evaluated over 20,000 individual pieces of data to examine the number of errors generated from manually entering data into a spreadsheet. The study, published in 2008, revealed that the error rates reached upwards of 650 errors out of 10,000 entries—a 6.5 percent error rate.

Calculating 6.5 percent of a total loan portfolio—$65,000 of $1 million, for example—produces an arbitrary number. To truly understand the potential risk of human data entry error, one must be able to estimate the true cost of each error. Solely quantifying data entry error rates is meaningless without assigning a value to each error.

The 1-10-100 Rule is one way to determine the true value of these errors.

The rule is outlined in the book “Making Quality Work: A Leadership Guide for the Results-Driven Manager,” by George Labovitz, Y.S. Chang and Victor Rosansky. They posit that the cost of every single data entry error increases exponentially at subsequent stages of a business’s process.

For example, if a worker at a communications company incorrectly enters a potential customer’s address, the initial error might cost only one dollar in postage for a wrongly-addressed mailer. If that error is not corrected at the next stage—when the customer signs up for services—the 1-10-100 Rule would predict a loss of $10. If the address remains uncorrected in the third step—the first billing cycle, perhaps—the 1-10-100 Rule would predict a loss of $100. After the next step in this progression, the company would lose another $1,000 due to the initial data entry error.

This example considers only one error in data entry, not the multitude that doubtlessly occur each day in companies that rely heavily on humans to enter data into systems.

In lending, data entry goes far beyond typos in customers’ contact information and can include potentially serious mistakes in vital customer profile information. Data points such as social security numbers and dates of birth are necessary to document identity verification to comply with the Bank Secrecy Act. Data entry errors also lead to mistakes in loan amounts. A $10,000 loan, for example, has different implications with respect to compliance reporting, documentation, and pricing than a $100,000 loan. Even if the loan is funded correctly, a single zero incorrectly entered in a bank’s loan management system can lead to costly oversights.

Four Ways Data Entry Errors Hurt the Bottom Line
Data entry errors can be especially troublesome and costly in industries in which businesses rely heavily on data for daily operations, strategic planning, risk mitigation and decision making. In finance, determining the safety and soundness of an institution, its ability to achieve regulatory compliance, and its budget planning depend on the accuracy of data entry in its loan portfolios, account documentation, and customer information profiles. Data entry errors can harm a financial institution in several ways.

  1. Time Management. When legacy systems cannot integrate, data ends up housed in different silos, which require duplicative data entry. Siloed systems and layers of manual processes expose an institution to various opportunities for human error. The true cost of these errors on an employee’s time—in terms of wages, benefits, training, etc.—add up, making multiple data entry a hefty and unnecessary expense.
  2. Uncertain Risk Management. No matter how many stress tests you perform, it is impossible to manage the risk of a loan portfolio comprised of inaccurate data. In addition, entry errors can lead to incorrectly filed security instruments, leaving a portfolio exposed to the risk of insufficient collateral.
  3. Inaccurate Reporting. Data entry errors create unreliable loan reports, leading to missed maturities, overlooked stale-dates, canceled insurance and other potentially costly oversights.
  4. Mismanaged Compliance. Data entry errors are a major compliance risk. Whether due to inaccurately entered loan amounts, file exceptions, insurance lapses or inaccurate reporting, the penalties can be extremely costly—not only in terms of dollars but also with respect to an institution’s reputation.

Reduce Opportunities for Human Error
An institution’s risk management plan should include steps intended to mitigate the inevitable occurrence of human error. In addition to establishing systems of dual control and checks and balances, you should also implement modern technologies, tools, and procedures that eliminate redundancies within data entry processes. By doing so, you will be able to prevent mistakes from happening, rather than relying solely on a system of double-checking.

Does Your Digital Strategy Include the “Last Mile?”


strategy-3-20-19.pngThe “last mile” is a ubiquitous term that originated in the telecommunications industry to represent the final leg of delivering service to a customer. Most of the time it referred to installing copper wire that connected the local telephone exchange to individual landlines.

More recently, the term represents what can be the final and most challenging part of a consumer interaction. Generally, it’s the point at which a broad consumer service interacts with an individual customer to deliver a personalized experience.

In banking, this is most often in the form of digital documents created to meet the exact specifications and compliance requirements of an individual transaction that allow a loan or deposit to be booked.

The last mile concept is changing the way financial institutions approach their digital strategy. Previously, many banks focused on digital services to a broad customer base that allowed end users to access account information, pay bills and transfer funds. Lesser in the strategy was the ability to originate a loan or deposit transaction through a digital channel, and even less likely to be contemplated was the customer experience while documenting and booking these types of transactions.

Often, what would begin as a digital experience through a mobile device, tablet or PC would quickly revert to a less accessible process that concluded with a customer coming to a branch to manually sign an agreement.

Banks today are recognizing that a shift in their digital strategy is required. Increasingly, institutions are reshaping their digital presence to focus on the “last mile” – the hardest part of the customer journey that requires an individualized experience. Building a foundation focused on this critical customer touchpoint requires banks to deploy technology that documents, in a fully compliant manner, consumer and commercial loan and deposit transactions while at the same time supporting a fully digital customer experience.

In seeking fintech partners that can support this digital strategy shift, institutions are identifying essential attributes and capabilities to enable effective execution:

  • Integrated Capabilities: Disparate systems require data to be imported and exported to avoid data conflict. A single system of record, integrated with digital document capabilities and a two-way data flow, supports data integrity while eliminating the need to access separate solutions.
  • In-house Compliance Expertise: Documenting transactions in a compliant manner is essential. State and federal mandates change frequently. In-house compliance expertise supported by unique research capabilities ensures the documented words are accurate and up to date.
  • Electronic Closing Enabled: The ability to leverage technology from origination to customer signature without deploying manual workarounds or static forms.
  • Reinvestment in Technology: Digital capabilities continue to evolve. Gone are the days of generic templates and static documents. A partner that’s focused on both current and future capabilities ensures an institution isn’t left behind the times.

As your bank begins to formulate a digital strategy or if you’re revising your existing strategy, ask yourself if you’ve contemplated the “last mile.” If not, focus on this part of the customer interaction first to deliver a comprehensive, compliant, and digitally enabled experience.

The Next Things To Know About Data


data-3-5-19.pngThere’s one thing in today’s banking industry that is critical to remaining competitive, being innovative, and maintaining compliance and risk levels: data.

This is no longer a surprise for most banks. It’s an issue that comes up often among bank boards and management, but there are still a number of challenges that banks must overcome to be successful in all of those areas.

It has a connection to many of the major decisions boards make, from what third-party partners to join forces with to how it integrates the next landmark technology.


	strategy-3-5-19-tb.pngFive Steps to a Data-Driven Competitive Strategy
Maintaining a competitive advantage for banks today lies in one of its most precious assets: data. Banks have the gold standard of consumer data, and leveraging that information can be the trump card in achieving growth goals.

Getting there, though, requires good governance of data and technology, and then using those elements to craft strategic objectives.

compliance-3-5-19-tb.pngFintechs Can Fend Off Compliance Issues With Data
Fintechs are known to be nimbler than banks for a few reasons, including a limited regulatory framework compared to their bank partners and a smaller set of products or services. But with that relative freedom comes added risk if they don’t comply with broader regulatory requirements. One compliance problem can put a fintech out of business.

But those companies can use data to reduce compliance risk. Here’s how.

risk-3-5-19-tb.pngRisk Management at the Forefront in Fintech Partnerships
Bank regulators have generally kept their distance from interfering in bank-fintech partnerships. Agencies have deferred to the bank’s third-party risk management process, but some regulators have indicated the intent to keep a closer eye on third-party fintech firms.

Here is an overview of what banks should keep in mind when considering and managing the risk associated with these third-party partnerships.

innovation-3-5-19-tb.pngFour Ways To Innovate And Manage Risk, Compliance
There is a careful balance that banks must strike in today’s industry. To remain competitive, they have to innovate, but they also have to remain compliant with regulations, many of which have stood for years, and manage risks that can ebb and flow with economic and technological pressure.

Finding a similar balance between thinking strategically for the future while also remembering what has worked and not worked can also be challenging for financial institutions. Building a checklist around these four ideas can help achieve that balance.

partner-3-5-19-tb.pngHow to Pick The Right Data Partner
Banks are grappling with trying to gain the greatest efficiency through a variety of innovative and technological tools, but often are hampered by the quality of the data they maintain. To make correct and sound decisions, accurate and reliable data is essential.

Partnering with third-party data service providers can help with that effort, but even that requires due diligence. To help with that due diligence, banks should have a checklist of capabilities for those partners.

Six Things To Know About CECL Right Now


CECL-11-13-18.pngMany banks began the transition to CECL in earnest when the final version was issued in 2016. While banks are in various stages, some are already working through more nuanced aspects of the transition.

Many lessons have been learned from actual CECL implementations, and here are some tips to assist bank directors as they guide management through the transition.

1. The quantitative impact of CECL adoption may be less straightforward than initially expected. Even before the final CECL standard was issued, industry observers tried to predict just how much the allowance would increase upon adoption. In truth, it will be almost impossible to estimate the impact of the transition for an individual institution. The actual impact will depend upon many bank-specific factors, the estimation method, the length of the reasonable supportable forecast, the size of today’s qualitative adjustment, and management’s outlook, to name a few. Additionally, some banks with short-term portfolios have been surprised to discover the CECL estimate may be lower than the current allowance due to a shift from an estimate based on a loss emergence period to one that considers the next contractual maturity date.

2. CECL may result in a requirement to manage model risk for unsuspecting institutions. Similar to reserving practices today, banks are employing a variety of approaches. General trends include the largest institutions employing statistical software to build custom in-house models, while the smallest institutions favor a less complex approach that relies on adjusting historical averages. Many institutions who are not using models are relying on “correlations” to support their adjustments. However, this practice needs to be managed carefully, as per regulatory definition, any method that applies a statistical approach, economic, financial, or mathematical theory to derive a quantitative estimate is considered a “model.” Therefore, using a correlation – regardless of whether it is identified in a spreadsheet, vendor solution, or anywhere else – to quantify the impact of a factor is by definition a model, and subject to model risk management. Institutions taking this approach to CECL should carefully consider the scope of model risk management, and avoid accidentally creating or misusing models.

3. Qualitative adjustments will still be necessary. Regardless of the method used to estimate the impact of forecasted conditions, there will still be a need to apply expert judgment for factors not considered in the quantitative (modeled) estimate. Even the most sophisticated models used by the largest banks will not consider every factor. Further, many banks prefer the flexibility to exercise judgment in their reserving process. While it’s not yet clear which factors the industry will use or how to quantify the lifetime impact, as it relates to regulatory and auditor oversight, the level of scrutiny around qualitative adjustments will not decrease from existing practice. Again, accidentally creating models is particularly important given the scrutiny on management judgment and the overall impetus to quantify it.

4. Think beyond compliance. One of the overarching goals of CECL is to better align credit loss measurement with underwriting and risk management practices. The transition to CECL presents banks with an opportunity to have unprecedented insight into the credit portfolio. For example, a comparison between the CECL estimate and the interest margin can provide insight into underwriting practices. But this can only happen if banks take a holistic approach to the transition and make the necessary investment in systems and reporting.

5. Reporting and analytics will be more important than ever. Bank directors will be responsible for answering shareholder questions related to the CECL reserve, which will be sensitive to changes in forecasted conditions. As a key constituent of the disclosures and internal management reports, bank directors have a responsibility to ensure a proper reporting framework is in place – one that integrates the data inputs and quantifies the change in expected credit losses at the instrument level. Attribution reports, for example, will be especially helpful in explaining why the allowance changed because they isolate and quantify the impact of individual variables affecting the reserve.

6. Be prepared for an iterative process, even after adoption. Translating the conceptual to operational can reveal unintended consequences and further questions. The industry has continued to work through implementation concerns since the final version was issued in 2016, including several meetings of the CECL Transition Resource Group. Industry best practices will evolve well after initial adoption.