M&A Readiness: Making Sure Your Bank Can Do Acquisitions


With many financial institutions benefiting from increased stock values and renewed optimism following the November election, merger activity for community banks is on the uptick. Successful acquirers must remain in a state of readiness to take advantage of opportunities as they present themselves.

Whether a prolonged courtship or a pitch book from an investment banker, deals hardly, if ever, show up when it is most convenient for a buyer to execute on them. As a result, buyers need to develop a plan as to what they want, where they want it and what they are willing to pay for it, long before the “it” becomes available. M&A readiness equates to the board of directors working with management to have a well-defined M&A process that includes the internal and external resources ready to jump in to conduct due diligence, structure a transaction and map out integration. Also, M&A readiness requires that buyers have their house in order, meaning that their technology is scalable, they have no compliance issues and the capital is on hand or readily available to support an acquisition.

Technology. In assessing the scalability of an institution’s technology for acquisitions, a buyer should review its existing technology contracts to see if it has the ability to mitigate or even eliminate termination fees for targets that utilize the same core provider. Without this feature, some deals cannot happen due to the costs of terminating the target’s data processing contracts. Cybersecurity is another key element of readiness. As an institution grows, its cybersecurity needs to advance in accordance with its size. Buyers need to understand targets’ cybersecurity procedures and providers in order to ensure that their own systems overlap and don’t create gaps in coverage that increase risk. Additionally, buyers should understand existing cybersecurity insurance coverage and the impact of a transaction on such policies.

Compliance. Compliance readiness, or the lack thereof, is the rock against which even the best acquisition plans can crash and sink. Ensure that your Bank Secrecy Act/anti-money laundering programs are above reproach and operating effectively, and that your fair lending and Community Reinvestment Act policies, procedures and practices are effective. Running into compliance issues will cause missed opportunities as the regulators prohibit any expansion activities until any issues are resolved.

Conducting a thorough review of compliance programs of a target is critical to an efficient regulatory and integration process. A challenge to overcome is the regulators’ prohibition on buyers reviewing confidential supervisory information (CSI), including exam reports as part of due diligence. While the sharing of this information has always been prohibited, the regulatory agencies have become more diligent on enforcement of this prohibition. Although it is possible to request permission from the applicable regulatory agency to review CSI, the presumption is that the regulators will reject the request or it will not be answered until the request is stale. As such, buyers should enhance their discussions with target’s management to elicit the same type of information without causing the target to disclose CSI. A simple starting point is for the buyer to ask how many pages were in the last exam report.

While stress testing may officially apply to banks with $10 billion or more in assets, regulators are expecting smaller banks to prevent concentrations of risk from building up in their portfolios. The expectation is for banks to conduct annual stress tests, particularly among their commercial real estate (CRE) loans. Because of these expectations, buyers need to know the interagency guidance governing CRE concentrations and how they will be viewed on a combined basis. Reviewing different stress-test approaches can help banks better understand the alternatives that are available to meet their unique requirements.

Capital. An effective capital plan includes triggers to notify the institution’s board when additional capital will be needed and contemplates how it will obtain that capital. Ideally, the buyer’s capital plan works in tandem with its strategic plan as it relates to growth through acquisitions. Recently the public capital markets have become much more receptive to sales of community bank stock, but this has not always been the case. In evaluating an acquisition, the regulators will expect to see significant capital to absorb the target as well as continue to implement the buyer’s strategic plan.

The increase in financial institution stock prices has increased acquisition opportunities and M&A activity since the election. Opportunistic financial institutions have plans in place and solid understandings of their own technology needs and agreements, regulatory compliance issues and capital sources. Although it sounds simple, a developed acquisition strategy will aid buyers in taking advantage of opportunities and minimizing risk in the current environment.

Handling Today’s Top Risk Challenges



Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.

  • Cybersecurity and Compliance Gaps
  • Five Cybersecurity Best Practices
  • Three Ways to Strengthen Internal Controls

What Does 2017 Hold for the Alternative Investment Industry?



Last year was an exciting one in the alternative investment industry, and all indications point to another great year in 2017. Here are five predictions that will dominate the industry in 2017.

1. Capital invested in private equity funds will continue to increase amidst a further decline in hedge funds
Growth in alternative investments will continue to be explosive in 2017. According to a report from Cerulli & Associates, the mean allocation of alternative investments is still less than 5 percent of overall assets. Depending on the industry source, the general guidance is that the ideal allocation should be in the 15 percent to 25 percent range, signaling that there is a lot more room to grow.

Nowhere has that growth been more evident than in private equity funds, which have increased dramatically over the past few years. Assets have risen from $30 billion in 1995 to around $4 trillion in 2015. This growth will continue, as 64 percent of limited partners plan to increase their allocation to private equity funds, which is up from 26 percent just five years ago.

Hedge funds, on the other hand, have struggled as poor performance compounded by high fees resulted in large outflows in 2016.

2. Regulatory and compliance pressures will continue to increase even under a Trump administration
Regulatory and compliance pressures have been a dominant factor in the alternative investment industry (and especially among hedge funds) for several years now. While some industry leaders are optimistic that a loosening of regulations will occur under the new Trump administration, the trend toward more transparency will continue to grow.

Study after study shows the impact of mounting regulatory and compliance pressures. Here are two reports that paint a clear picture:

  • In a Longitude Research study last year more than 50 percent of fund administrators predicted that the need to keep up with regulation would have the greatest impact on their activities over the following three years.
  • A report from Linedata showed regulatory and compliance being the chief concern facing fund administrators and fund managers alike.

3. Technological capabilities will become as important for fund administrators as accounting capabilities
Fund administrators are traditionally thought of as providers of accounting services. Technology was mostly thought of as internal plumbing, and the decisions made about the use of technology were often left in the hands of an IT department, with little senior-level involvement.

It’s safe to say that those days are over. This year we will see the further emergence of technology as an integral capability for any fund administrator—on par with the importance of their accounting capabilities.

Fund administrators rely on technology to give them the data, reporting and understanding needed to satisfy the evolving needs of their clients and investors. In fact, nine out of 10 fund administrators plan to invest in technology in the next three years.

4. Consolidation will continue to increase in the fund administration business
Competition in the fund administration industry is intense. This is being driven by the explosion in capital being invested, the increasing demands for regulatory transparency, and the economies of scale needed to effectively compete in a low-margin business. No metric shows this better than the one reported by Preqin that 28 percent of fund administrators have been fired by their clients in the past 12 months.

The trend toward consolidation has escalated significantly in the past two years. While this can be good news for the largest of funds that can afford the services of the largest of fund administrators, this consolidation is likely bad news for both mid-market fund managers and mid-market fund administrators.

5. Fund administrators will become a bigger force in private equity and real estate funds, as well as with family offices
The use of fund administrators is pretty much a requirement for hedge funds, as evidenced by the outsourcing to fund administrators increasing from 50 percent in 2006 to 81 percent in 2013. This dynamic really started taking shape in the wake of the Bernie Madoff scandal, which showed the perils of a lack of validation and supervision within the industry.

In comparison, fund administrators are under-penetrated in private equity and real estate funds, with estimates showing fund administrator penetration at around 30 percent of assets under management today. However, this is expected to increase 45 percent by 2018.

The same conditions that drove the shift to fund administrators in the hedge fund space affect private equity and real estate funds as well. Just as happened with investors in hedge funds, investors in private equity and real estate funds are demanding third-party validation of assets and performance. Regulatory pressures are already having an impact on general partners of private equity and real estate funds.

Although occurring more slowly, the need to turn to fund administrators is also happening in the single and multi-family office space thanks to an increasing rate of wealth and investments in ever more complicated asset types.

Why a Compliance Mindset Is Hurting Community Banks


Community banks are wasting money on compliance. They are spending more than ever, hiring additional risk officers, internal auditors, compliance officers, vendors and consultants. They are checking every box and fulfilling every mandate. And they are doing it all wrong.

A recent study by the supervision division at the Federal Reserve Bank of St. Louis found that spending more on compliance isn’t leading to higher regulatory ratings for the smallest community banks. It isn’t elevating the bank’s regulatory management scores, or positioning banks for success.

That’s because having a compliance mindset is a recipe for mediocrity, no matter the size of the bank. The banks that will earn the most leeway with regulators—and maximize value for shareholders—will naturally implement and utilize the tools and processes that are a prerequisite for compliance as a critical function of their strategic and capital planning processes.

When that happens, compliance becomes a mere afterthought; something that is more icing on a cake that doesn’t need icing to begin with. This type of approach is actually easy to execute. You don’t need expensive, overrated and highly misleading black-box models and software. You don’t need an entire department dedicated toward enterprise risk management.

What you do need is a cultural mindset, which starts with the CEO and the board of directors. They must change the outlook in the bank so that risk management tools are used to play offense, not defense. These proactive and forward-looking tools enable the team to see problems before they materialize. The CEO can then position the bank to gain a competitive edge, while its competitors (from both an operational and capital markets perspective) get blindsided.

I participated in a recent regulatory panel with the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. The topic was how best to manage commercial real estate concentrations. Part of the discussion revolved around the role of stress testing, which can be critical to showing examiners that a bank has enough capital to handle a risky portfolio.

Stress testing is a great tool for the job, but it’s a tool, not the job. Banks that simply submit stress tests to regulators as evidence that they can manage a loan portfolio aren’t going to get what they want.

Instead of viewing stress tests as an end game, bank CEOs need to think of them as tools to provide insights. Reports must be discussed at the board level and understood by the highest levels of management. And then the bank must adjust its strategy if the tests show a potential problem. This lesson applies to much more than concentrations. The results of adequate stress testing offer a strategic guide to capital planning, M&A and more.

The trick to compliance is to not treat it as a compliance exercise. It must be an integral part of strategic planning. A CEO cannot give a stress test to the chief risk officer and say, “Make the problem go away.” CEOs must look at the results, understand them and use them to adjust their strategic thinking. If organic growth is not working, the proper analytics can guide the executive team’s strategic course toward a merger or acquisition.

A funny thing happened when I began talking about this compliance mindset on the recent regulatory panel. The regulators nodded their heads in agreement.

Four Tips for Choosing a Fintech Partner



Over the last three years we’ve implemented five strategic partnerships with fintech companies in industries such as mobile payments, investments and marketplace lending. In doing so, we’ve developed a reputation of being a nimble company for fintechs to partner with, yet we remain very selective in who we decide to work with.

We are very often asked, in places like the board room, at conferences and at networking events, how we choose what fintech companies to work with. It is a great question and one that needs to be looked at from a few angles. If you’re a financial institution looking to potentially begin partnering with fintech companies, below are some criteria to consider when vetting an opportunity.

A Strategic Fit: How does this relationship fit into your strategic plan? Finding a fintech that helps advance your goals may sound obvious, but it can be easy to get caught up in the fintech excitement, so don’t allow the latest fad to influence your choice of a partner. Don’t lose sight of your vision and make sure your potential partners buy into it. It’s better to have a few, meaningful partnerships than a host of relationships that may inadvertently distract you from your goals and spread your resources too thin.

Cultural Alignment: Make sure to do some research on the fintech’s management team, board of directors and advisory board. How do they, and their company’s mission, fit with your organization’s mission? Do you trust their team? Our CEO, Mike Butler, likes to say that we have a culture of trying to do things, not trying to NOT do things. That’s important to us, and we want to work with teams that think similarly. Spending time together in the early stages of the relationship will help set the stage for a solid partnership in the future.

A Strong Business Plan: Is the company financially sound? Is their vision viable? Back to earlier commentary on not getting too caught up in the latest technology trend, consider testing the business idea on someone who isn’t a banker, like a friend or family member. While you might think it’s a great idea, does it appeal to a consumer that is not in our industry? If the business plan passes muster, another issue to consider is the fintech’s long-term plan and possible exit strategy, and the impact it would have on your business if the relationship went away. It’s important to understand both the fintech’s short- and long-term business plans and how those will impact your bank’s balance sheet and income statement today and in the future.

Compliance Buy-In: Does the fintech team appreciate the importance of security? Do they appreciate the role of regulation in banking and finance? Do they understand they may need to modify their solution in light of certain regulations? We know fintechs can sometimes look at banks with impatience, feeling that we’re slow to move. And while some might move at a slower pace than others, we banks know that there are good reasons to proceed cautiously and that compliance isn’t a “nice to have” when it comes to dealing with other people’s money. We are never willing to compromise security and are sure to emphasize that early in the conversation. It’s critical to find a partner with a similar commitment.

We’re in an exciting time; the conversations on both the bank and fintech sides are increasing about collaboration rather than competition. Considering criteria like the above will help banks take advantage of new possibilities in a meaningful way.

Cutting Compliance Costs with Regtech



I was having a discussion about the future of banking with some fellow investors recently and one of my younger and more tech savvy associates opined that fintech companies would soon make traditional branch banking obsolete. It is a provocative idea but I am pretty sure he is wrong. Two decades from now it will still be fairly easy to find a bank branch a short drive away even if it is in a driverless car. Bankers will adapt and banking will become more mobile and more digital, but there will always be a place for banks and their branches in the economy.

Bankers are not sitting in their offices waiting to be replaced. They are finding ways to use new technology advancements to make their business faster, more efficient and, most importantly, less expensive. This is particularly true in one of the highest cost centers in the bank, regulatory compliance, where the automation of that detail-intensive process is providing huge cost benefits. Compliance costs have been spiraling upward since the financial crisis led to an avalanche of new regulations, and technology might be the industry’s best hope of bringing those costs back down.

Bankers are starting to see the advantages of big data and analytics-based solutions when they are applied to the compliance challenge. “Although still in the early stages, banks are applying big data and advanced analytics across customer-facing channels, up and down the supply chain, and in risk and compliance functions,” said Bank of the West Chairman Michael Shepherd in a recent interview with the Reuters news service. For example, a growing number of banks are using new technology to automate the enormous data collection and management processes needed to file the proper compliance reports, particularly in areas like the Bank Secrecy Act. This new technology can help regional and community banks address data gathering and reporting challenges for regulatory compliance.

Smaller banks in particular are looking to partner with companies that can help build a data-driven approach to compliance management. More than 80 percent of community banks have reported that compliance costs have risen by at least 5 percent as a result of the passage of the Dodd-Frank Act, and the expense is causing many of the smallest institutions to seek merger partners. In fact, two of the biggest drivers of my investment process in the community bank stock sector are to identify banks where compliance costs are too high, and where there is a need to spend an enormous amount of money to bring their technology up to date. Odds are that those banks will be looking for a merger partner sooner rather than later.

While banks are looking to make the compliance process quicker, easier and cheaper, they also need to be aware that the regulators are developing a higher level of interest in the industry’s data collection and management systems as well. A recent report from consulting firm Deloitte noted that “[In] recent years regulatory reporting problems across the banking industry have more broadly called into question the credibility of data used for capital distributions and other key decisions. The [Federal Reserve Board] in particular is requesting specific details on the data quality controls and reconciliation processes that firms are using to determine the accuracy of their regulatory reports and capital plan submissions.”

The Consumer Financial Protection Bureau is also monitoring the compliance management process very closely. An assistant director there was quoted recently as saying that the bureau is increasingly focusing its supervisory work on the third-party compliance systems that both banks and nonbanks sometimes rely on. This is the behind-the-scenes technology that drives and supports the compliance process.

There is a developing opportunity for fintech companies to focus their efforts on providing regtech solutions to regional and community banks. The cost of compliance is excessive for many of these institutions and, for some, places their very survival in question. Regtech firms that develop compliance systems that are faster, more efficient and can help cut compliance costs significantly in a manner acceptable to the regulatory agencies will find a large and fast-growing market for their services.

Raising the Bar: Top Challenges Facing Bank Boards


Regulators are expecting more and more from bank management teams and boards. In this video, Lynn McKenzie, a partner at KPMG, offers solutions to help address the top challenges facing the industry.

  • Legal and Regulatory Compliance
  • Cybersecurity
  • Financial and Regulatory Reporting
  • Vendor Risk Management

Gaining a Competitive Advantage through Regtech



The newly-coined term “regtech,” which is a combination of regulation and technology, is a useful concept to a highly-regulated industry like banking. Regtech is distinct from fintech in that regtech refers to a combination of regulatory strategies that a regulated business can use to secure a business advantage.

Banks sail on a sea of pervasive regulation. We see several ways that banks can chart a new course on this sea and make more money through regulatory innovation, beginning with the use of technology to make regulatory compliance more efficient. Most of the literature sees regtech as a single idea: using technology to drive efficiency in regulatory compliance. We think that such efficiencies are a very important part of regtech, but are only part of the story. The topic of compliance efficiency has several elements:

  • Identify areas where the bank’s compliance oversight is not effective, typically because human resources have the wrong priorities or are spread too thin. Many institutions risk fines and enforcement actions and put their long-term viability at risk by tolerating gaps in their compliance oversight, and yet they still manage to spend too much.
  • Identify a technology provider whose software and services are a good fit for your bank’s existing and projected growth.
  • Communicate with regulators to spot any regulatory objections to the technology provider and the overall strategy as early as possible in the process.

For example, the forward publishing function in software available in HotDocs, a popular provider of document assembly technology, allows banks and other financial institutions to maintain their own lending or operational forms. This means that changes to an institution’s form documents can be applied prior to new regulations coming in and accurate, updated templates can be made available to document users on the legally required date. Version control ensures that only the most up to date template is available for use, negating the risk of any old and non-compliant documents being issued. Such an automated system for updating forms based on regulatory changes is a classic example of technology making a compliance task faster, more efficient and effective.

Marrying technology to compliance will result in a much more effective compliance team. They can use their time to review dashboards, clear exceptions and otherwise exercise their experience and judgment instead of wasting time on rote or repetitive busywork. It also makes possible much more valuable internal and external compliance audits as well as meaningful reports to the bank’s board of directors on operational and compliance risks. Being smart in this area of regtech is mission critical for community banks and financial technology companies.

Another new approach is the creation and exploitation of intellectual property based on regulatory insights. Many times, figuring out a way to offer a new product or service, or offer an existing product in a new way, depends on finding a regulatory interpretation that allows the innovation to proceed. There is precedent for patenting new regulatory loopholes, including tax-related loopholes discovered and patented by CPAs and others. Some examples include a derivatives-related patent application, in which one of the authors of this article was a co-inventor, as well as several patents obtained by the consulting firm Promontory Financial, which are based on regulatory insights. Those patents have made possible new business processes and services.

A financial institution that has a flash of insight on how to improve an existing process or develop a new innovation should carefully consider seeking a patent or otherwise surrounding the regulatory insight with as much intellectual property protection as possible. We think that doing so is another great way to use regtech to get a business advantage.

Most banks and financial technology companies have important choices in deciding how and by whom they will be regulated in a particular jurisdiction. If you know you want to be a depository institution, you still need to choose (1) a state or national charter and (2) if a state charter, the chartering state; (3) the type of charter including a commercial bank, savings bank, savings and loan or credit union; and (4) depending on what charter you choose, whether to be a member institution in the Federal Reserve. Also available are a few “bank-lite” charters, such as an industrial loan company (ILC) charter that is available in seven states including Utah, or a trust company charter from one of several states. Some banks would do well to carefully consider changing their charter, and in the process their regulator, to something that better supports their business goals.

For a business model based on lending money, there are the bank models mentioned above as well as a range of non-depository charters, such as the ILC charter and other state lending licenses. Many of these are only valid in the issuing state, which means that building a national business in the U.S. using multiple state lending licenses can quickly become a complex endeavor. Similarly, for a business model premised on moving money, including money transmission, payments, stored value cards, wallets and remittances to name a few, there is a similar choice between a web of state licenses or a carefully-crafted bank partnership, a blend of the two, or possibly one of the new federal charters being discussed by the Office of the Comptroller of the Currency.

Rent-a-charter is a derogatory term for a partnership between a bank or other chartered or non-chartered institution in which the bank lends its name (and little else) to the other party. Such an arrangement can lead to allegations that the non-chartered party is the “de facto” lender or other real party in interest and that the bank is not exercising sufficient oversight or control over the process. However, bank partnerships are crucial in the financial world and most of the time a business model can be built on a properly-structured bank partnership. The details of the partnership are extremely important and we think rise to the level of true regtech.

These are foundational choices with numerous and conflicting considerations. However, the business that shrewdly chooses its chartering path (and therefore its regulators) can gain a crucial edge on its competitors. For example, some financial technology companies are learning that some business models actually face a more complex and expensive compliance burden by not being a bank than they would have experienced by acquiring a bank charter. Thus, we think that the initial and ongoing chartering strategy is an element of regtech.

And finally, we think good old-fashioned lobbying is properly considered part of regtech. Think about the varied tactics used in Uber and Lyft’s efforts to beat back challenges to their shared ride business model. A large company like Uber, which has immense popularity with consumers, can use that popularity in its lobbying and negotiation with regulators. Might can make right.

For most other companies that lack the market clout of an Uber, lobbying can take more traditional forms such as convincing a range of stakeholders and legislators that statutory reform is necessary and appropriate to achieve a broader social good. Think about recent California legislation exempting free credit building loans (low or no-interest loans designed to help people build a good credit score) from finance lender legislation. Or think about the Consumer Financial Protection Bureau’s current advertising campaign—an effort ostensibly designed to raise consumer awareness of the bureau’s services that also helps build political support during an election year for a controversial agency.

Other situations are better suited for a quiet one-on-one approach. Sometimes this can result in a published interpretation or no-action letter that expressly blesses the proposed innovation. Probably more frequently, a no-names inquiry through lawyers or other representatives can get equally valuable information that has the added benefit of not being publicly available to competitors. With good faith around the key regulatory elements of a proposed innovation, a company can be first to market with a new product or service.

In summary, we think that regtech is not only useful in sparking thought and conversations in the financial industry, it may even spur innovation and profitability.

Top Trends Impacting Audit Committees in 2016


If you’re serving on an audit committee, congratulations. That may be the toughest and most time consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,” she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of Financial Accounting Standards Board (FASB)’s new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,” says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,” Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,” she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cyber security, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.