Is Regulation Forcing Banks to Sell?


There were more than 900 attendees at Bank Director’s Acquire or Be Acquired Conference in Phoenix this week, and zero bank regulators. So it wasn’t much of a surprise that the crowd of mostly bank directors and bank CEOs frequently bashed regulation and its enormous cost burdens. In the wake of the financial crisis and the ensuing Dodd-Frank Act, banks are ramping up their compliance departments and facing an onslaught of fines, as well as an increased focus on consumer rights and the Bank Secrecy Act.

This added burden has been most difficult for the smallest banks to handle, because they have fewer resources. I talked to one bank CEO, Joe Stewart, who owns a series of small banks in Missouri, and has sold two of them since 2013, each below $200 million in assets. He said the banks couldn’t afford to add a second compliance person to a staff of one. He pointed in particular to increased reporting requirements and disclosure standards for residential mortgage loans. “Unless you can get some regulatory relief, we can’t survive,’’ he said.

No doubt, for very small banks, regulatory costs are a much greater burden than they are for larger banks. But other factors are at play, too. When asked what factors are driving M&A in the marketplace, an audience poll revealed regulatory cost was the no. 4 most popular answer, after such factors as shareholders looking for liquidity, being too small to compete with bigger banks, and retiring leadership.

When I asked the CEO of BNC Bancorp, the parent company of Bank of North Carolina, Rick Callicutt, who has purchased eight banks in five years, what is driving banks to sell, he thought regulatory costs were part of the equation. But he also thinks banks are looking at their balance sheets and realizing they are going to make less money in a few years than they make today, and are not satisfied with that future. Some have realized that their loan portfolios are filled with fixed rate loans at seven-, 10-, and 15-year terms, and they are not going to be in a good position.

Mark Kanaly, an attorney at Alston & Bird, doesn’t think compliance costs are a huge factor in consolidation. “It’s not the determinant,’’ he said. Most often, bank leadership teams take a look at what they can realistically achieve, and don’t like what they see.

Another clue to what’s driving recent bank acquisitions is to look at the industry’s profitability as a whole. The median return on equity was just 8.7 percent in the third quarter of 2015, according to a Keefe, Bruyette & Woods analysis of the banks in their coverage universe. The average return on assets was .91 percent. Interest rates are likely to stay low for some time, continuing pressure on bank profitability.

A lot of banks simply aren’t doing that well. Regulators may be partly to blame for increased consolidation, but they aren’t the whole story.

What Banks Are Doing Now to Handle Compliance


A heightened regulatory environment is here to stay, that much seems clear. So how are banks and bank management teams coping?

They are hiring more employees, buying software, scrutinizing vendors for compliance and focusing more and more on the business of complying with regulations, in addition to running the bank. Preston Kennedy, the CEO of $200 million asset Bank of Zachary, in Zachary, Louisiana, says he spends one-third of his time on compliance and regulations. “The regulations are now the table stakes,’’ he says. “If you want to go outside in the winter, you have to wear a coat. If you want to be a banker, you have to abide by a lot of regulations.”

The following is a list of ways in which banks are coping with increased regulations.

Hiring a Chief Compliance Officer or Chief Risk Officer
Previously the domain of the largest banks, even small banks are hiring chief risk officers or chief compliance officers. In Bank Director’s 2015 Risk Practices Survey, 71 percent of respondents from banks below $1 billion in assets had a chief risk officer. So, too, did 92 percent of respondents from banks with $1 billion to $5 billion in assets. Bank of Zachary, despite its small size, has both a compliance officer and a recently hired chief risk officer, who reports directly to the CEO and the board of directors.

Buying Compliance Software or Getting Outside Advice
Banks also are turning to software vendors, core processors and outside consultants such as Fiserv, FIS, Computer Services, Inc. and DH Corp. to help manage compliance. “We are definitely seeing more indications that banks are relying on software more in all different areas,” says Christine Pratt, a senior analyst at financial services research firm Aite Group. Bank of Zachary just purchased a $35,000 program from Continuity to keep track of new regulations that will impact the bank, and help the bank document its compliance. Proper documentation is key because banks have to prove to regulators that they are in compliance. “In order to run a $200 million bank in suburban Louisiana, we have to rely on a company that is hardwired to the government to keep up with this pipeline of new regulations,’’ Kennedy says. “It’s absolutely ridiculous but it’s the task that we have.”

Incorporating Compliance
Banks are shifting away from handling compliance after the fact and moving toward incorporating compliance into many of their basic business processes, says Jamie van der Hagen, director of consumer lending for Wolters Kluwer Financial & Compliance Services, which sells regulatory consulting services and compliance software to banks. For example, instead of giving out loans and then checking to see if they meet fair lending standards, banks increasingly incorporate fair lending standards into the process of making loans. “Proactive compliance efforts, through automated testing for example, help banks validate their entire portfolio of products and accounts and identify potential compliance issues before they become a problem,’’ says van der Hagen. “Finding and addressing these possible compliance issues can have a positive impact on the bottom line by enabling institutions to identify loans that qualify for CRA credits and other premiums that can help them improve their overall bottom line.”

Starting to Prepare in Advance of Knowing the Final Rules
Banks are finding they have less time than in prior years to adjust after a rule is finalized and goes into effect. That means they have to prepare even as the rules are in the proposal stage. “They don’t have the time anymore to wait for the rule to be formulated,” says Pratt. “Banks have told me they’re writing two different versions of software [to prepare ahead of time]. That’s incredibly expensive.” Alternatively, vendors should help with the process of updating software on time.

Scrutinizing Vendors for Compliance
Regulators are increasingly emphasizing that banks are responsible for the missteps of their vendors on pretty much every law or regulation, including fair lending, debt collection or unfair consumer practices. The New York State Department of Financial Services, the state’s banking regulator, recently surveyed banks to determine their oversight of vendors for cybersecurity, as it is preparing new regulations on how banks should monitor third party vendors. Managing a bank’s vendors for compliance is a complex process, but there are general guidelines to getting it right.

However much of a burden it feels, bank management teams and boards know that they have to comply with regulations to stay in business. Managing the pace of regulatory change and keeping the bank out of the crosshairs of regulatory fines and punitive enforcement actions has become a core responsibility of the bank’s management team. “The pace of regulatory change has really increased in the last 10 years and there is no indication that it is going to go down,’’ says van der Hagen.

How New Technology Drives Sales in Your Bank


In this highly competitive and data-driven environment, financial institutions are looking for innovative new ways to drive sales in the finance sector.

For banks, one of the most exciting technologies to explore is the artificial intelligence and natural language generation (NLG) space. NLG is a technology that can write like a human and turn big data into narrative and easy-to-understand content. It serves big data analytics, customer service and sales.

Three Ways to Drive Sales
Artificial intelligence-powered NLG software allows banks to understand unprecedented levels of client data, enhance customer service and ensure regulatory compliance.

  1. Make Sense of Big Data
    Banks need tools that explain what their big data means, what to do about it and why—in plain English (or the language of their choice) and in real time. The challenge is there is too much data, too few data experts and too little time to transform volumes of data into insight. But AI-powered NLG technology can turn data into written financial reports, executive summaries or portfolio analysis, for example, and explain how and why a conclusion is reached.
  2. Provide the Highest Level of Customer Service
    Banks are competing to deliver expert customer service—on the phone, online and in the branch. AI-powered NLG systems, often called “smart machines,” can be programmed with the expertise of your bank, can connect to client data and serve as an interactive expert to guide customer service teams through interactions. These systems can turn customer service agents into top tier sales people. They can even be deployed online to replicate the in-store banking experience and help make selling complex products and services easy.
  3. Ensure Compliance and Autonomy
    The advice-giving space is fraught with the potential for litigation in the face of ever-growing levels of regulations. Financial advisors and bankers must protect themselves by keeping meticulous records. These records, a sort of audit trail in case of litigation, coupled with legal fees and the fear of legal action, cost businesses millions if not billions of dollars each year. But AI-powered NLG can help. Programmed with the bank’s unique regulatory and legal framework, it can ensure compliant, expert advice, as long as the system is kept up-to-date. In case of litigation, it creates what we would call in banking an “audit trail.” The software shows its decision-making process, the advice it gave and explains why (and pursuant to what rules) it gave the advice. Since the software is incapable of human error, it never forgets a rule.

Is AI-Powered NLG Ready for Your Business?
NLG has been around for several decades, but NLG software has only recently been commercially viable, really since 2008. Fast forward eight years and Fortune 500 companies on both sides of the Atlantic are already using the combination of NLG and AI as a single software to make sense of big data, provide the highest level of customer service and ensure compliance and autonomy—all to drive revenue. In fact, these solutions are now fully scalable so banks can build their own applications—with no need to rely on vendors. Additionally, leading vendors of AI-powered NLG software provide configuration environments so easy to use that even non-technical users can build and update their own applications.

Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats


Banks and other financial services firms face increasingly sophisticated threats to their data systems and remote applications. Every system and device—ATMs, point-of-sale terminals, customer access devices, internal wireless networks and routers—can be a source of vulnerability. The risks include system disruption, loss of proprietary data and confidential consumer information, theft of money and securities through unauthorized transfers and account access, class action litigation, and damaged reputation.

Regulators are taking aggressive actions in response. The Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the federal banking regulators are engaged in targeted examinations of cyber-security efforts. The New York Department of Financial Services has declared that it will be scrutinizing cybersecurity as an integral part of its bank examinations. Other regulators too are closely examining the depth and comprehensiveness of financial firms’ data security programs. Administrative enforcement actions and civil litigation are the foreseeable consequences of programs that fail to measure up.

So what are the practical steps a financial firm should take to mitigate cybersecurity risks?

Get the Board and Senior Management Involved
Proper oversight starts with the board. Assign cybersecurity and vendor management to a specific board committee with responsibility to appoint senior officers to oversee the cybersecurity program and institute a formal reporting line up from business units and the legal, compliance, audit and technology departments.

Map the Risks
Create an inventory of database, telecommunications, and Internet systems and vendors, and a map of the business units that use them, how the various systems and vendors interact with one another and with customers and counterparties, who has access to them, and who has oversight and control over them. Scrutinize particularly the risks of remote access, transactional and funds transfer systems and devices.

Coordinate Compliance Plans
Various units within a financial institution are generally engaged in simultaneous efforts to assess and control threats through, e.g., anti-money laundering (AML) controls, fraud prevention, and credit and counterparty risk management. Coordinate these efforts with the cybersecurity plan through an enterprise-wide risk-management program.

Test and Audit
Conduct regular internal audits of system security and, at least annually, engage external vendors to do penetration testing.

Train Personnel
Create a formal personnel training program on cyber-security protocols and how to identify potential risks. Document participation in the training. Incorporate external resources and alerts on an on-going basis to address emerging issues.

Manage Vendor Risks
Regulators are expecting banks to oversee vendors. Control risks through both careful vendor selection and subsequent oversight.

  • Selection

    • Require prospective vendors to verify cyber risk-prevention preparedness.
    • Review vendors’ SEC filings.
    • Search for the vendor’s litigation and enforcement history.
  • Contracting
    The vendor contract should specifically provide for:

    • Oversight access: rights to conduct system security audits such as SSAE 16 and to receive reports of vendor internal audits.
    • Specific risk-control tools: e.g., firewalls, anti-virus software, spyware detection, physical security, intrusion detection, network anomaly detection, security information and event management, configuration management; business continuity plans and back-up systems.
    • Internal management: specification of who has data system access, how that access is controlled, and the means of detecting unauthorized access and patterns of suspicious account activity.
    • Reporting: prompt vendor reporting of any security risk incidents.
    • Data Retention: periods for maintaining data, methods for data disposal, return or transfer.
    • Liability; Indemnification; Insurance: limits on liability, indemnification provisions, standards of care and performance, rights of termination, and requirements for vendor insurance.

For vendors outside of the United States, the contract should address applicable legal requirements and protocols for any portions of a system, process or services conducted or accessible by the vendor or its sub-vendors from outside the United States.

Obtain Adequate Insurance
Review your insurance coverage for the scope and carve-outs for cyberattacks and unauthorized access to confidential information and funds and accounts.

Prepare For a Breach
Be ready for a security breach. Prepare now for making prompt disclosures to law enforcement, regulators and affected customers, SAR filings (as applicable), insurance carrier notifications, communications with vendors, and, depending on the nature and magnitude of the event, public or investor disclosures. Line up counsel to handle potential class action litigation and administrative enforcement actions.

Work With Regulators and Peer Groups
Close attention to published regulatory guidance and direct communications with regulators can help identify potential gaps and weaknesses in a cybersecurity plan. Similarly, attention to trade association best practices and guidance (such as the Financial Services Information Sharing and Analysis Center), and participation in industry-wide working groups and conferences can further help identify areas for improvements.

Regulatory Concerns about Bank Culture Should Serve as a Wake-Up Call


The culture inside a bank has received renewed discussion in various forums over the course of the last year. The regulators are now moving from crisis and reaction to root cause analysis of the financial crisis. Regulators have expressed concern that despite the array of new rules, guidance, and enforcement actions brought in the wake of the financial crisis and the Dodd-Frank Act, banks just seem to keep turning up problems. Fair or not, and whether you think that this concern is really attributable to the largest financial institutions, the regulators’ signals merit attention for any bank.

Bank regulators, notably the Federal Reserve and the Office of the Comptroller of the Currency (OCC), have contrasted two broad categories of banks: those that adopt an approach of mere compliance with regulation, where compliance concerns are background noise to be silenced; and those that embrace risk management and compliance programs as an important part of cultural norms. The signal from the regulators is that they look for, and can sense, whether the bank is in one or the other of these camps. Supervisory judgment calls are informed by those perceptions.

What is culture? William Dudley, president of the New York Fed, recently stated: “Like a gentle breeze, culture may be hard to see, but you can feel it.” Culture is the norms of behavior that drive the business, including ethical standards above and beyond the rules. This is attributable to the tone at the top set by directors and top executives, but it is manifested (or not) in behaviors throughout the organization. What incentives (compensation and otherwise) drive what kinds of performance throughout the organization? To what degree do risk management concerns get air time alongside financial performance in the board room? Do the board and senior management discuss risk management and compliance in terms of “regulatory burden?” Worse, do you talk openly about your talented risk and compliance staff as a “burden” weighing on the bottom line?

Increasingly, bank supervisors are beginning to mandate cultural norms. Internationally, the Basel Committee on Banking Supervision has set forth corporate governance principles to assess whether a bank’s board and senior management perform their risk governance responsibilities and establish an appropriate organizational risk culture. The OCC’s heightened expectations for enterprise risk management by the largest banks have emphasized the need for a board to provide what’s known as an “effective challenge” of management, and this has become the gold standard for all banks. The OCC has had open debate with the industry over whether directors must “ensure” rather than only “validate” the effectiveness of a risk management and compliance program. All of the regulators, including the Consumer Financial Protection Bureau, have sent strong signals in the form of enforcement actions, guidance and examination messages.

A key cultural norm is how the bank thinks of its customers. Thomas Watson, legendary leader of IBM, famously said: “The essence of trust building is to emphasize the similarities between you and the customer.” Does your bank consider borrowers as counterparties in a contract, or customers for whom the bank has a shared (fiduciary-like) interest in their success?

Moreover, once a strategic decision is made by the top leaders of the organization, does the company do a good job of challenging the decision when evidence arises that it was wrong-headed, or does the company suffer from confirmation bias, collectively seeking only the evidence that justifies the strategy? Institutional groupthink can result in hidden problems for a bank, whether they are credit concerns, compliance concerns, or lost market opportunities, for example. Does the organization value diverse views that can positively challenge norms?

Examiners assess culture by looking for patterns of behavior, rather than individual instances, just as they focus less on specific loans than on concentrations of credit risk. Distinctions between policies and actual behavior are measurable; exceptions to policy are measurable; meaningfully reviewable management reports should allow detection of patterns. In this sense, examiners and directors are aligned and can be complementary of each other.

Undoubtedly, the audit of risk management or compliance culture is subjective. Are we on the verge of bank supervisors becoming culture police? There is a real concern that supervisors could also suffer from confirmation bias and thereby feed a concentration of cultural norms and fail to appreciate the idiosyncratic nature of institutions and the value of their diversity. Nevertheless, it behooves all boards of directors to look inward and take heed of the bank regulators’ messaging about culture.

Keeping Your Head Above Water: Four Tips for Managing Flood Insurance Law Changes


Among the various areas of regulatory compliance, one area—compliance with flood insurance regulations—seems to cause an out-sized level of anxiety, and for good reason. Over the past several years, field examiners have been diligent in identifying and citing violations of the flood regulations, and many of these violations have resulted in imposition of civil money penalties (CMPs) against the violating banks. During 2013 and 2014, nearly 100 flood-related CMPs were imposed on banks, ranging in amount from $1,000 to well over $100,000. Paying penalties is never enjoyable, but is even less so in this era of tight margins and strained profitability.

Last year, President Obama signed into law the Homeowner Flood Insurance Affordability Act (HFIAA) as a way to dial back some of the increased costs associated with the 2012 Flood Insurance Reform Act. The HFIAA will bring about a number of new and modified obligations on banks, which will become effective at various times during 2015 and 2016. Changes are coming in the areas of forced placement of insurance, acceptance of private flood insurance, escrowing of premiums, and exemptions to the mandatory purchase of flood insurance.

The ultimate responsibility for ensuring compliance with consumer protection laws and regulations, including flood insurance laws and regulations, rests with the board and senior management. How do you keep your head above the changing waters?

  1. Policies and Procedures. Any change in law or regulation in a compliance area should trigger a review of the bank’s existing policies and procedures in the affected areas. The review should be done with an eye toward necessary or appropriate changes to the policies and procedures. Management also should use this review process to determine to whom the revised policies and procedures need to be communicated to ensure an effective flood insurance compliance program. Certain of the changes may affect personnel outside of the lending and compliance functions at the bank. Once identified, all appropriate personnel should be trained on the new policies and procedures.
  2. Education. The compliance officer’s and real estate loan origination staff’s knowledge and understanding of the changes in the law/regulations are critical to ensuring compliance. The board and senior management have to be willing to expend the necessary resources to educate these folks who are on the front lines of the flood insurance process. Additionally, directors and senior managers also should receive training on the basics of flood insurance regulations so that they can appropriately oversee the compliance function and manage the attendant risk. The regulatory agencies, industry trade associations, and FEMA (Federal Emergency Management Agency) are good sources of training materials.
  3. Customer Communication. Your bank already may be receiving inquiries from customers regarding the impending changes to the flood insurance rules. If not, expect that you will. The changes relating to escrowing premiums, exemptions from mandatory coverage, and private flood insurance are fertile ground for customer questions. Now is the time to review your existing customer communication procedures to be sure that appropriate personnel and/or departments are tasked with handling inquiries, and that all personnel, especially customer-facing personnel, know to whom they should direct customer inquiries regarding flood insurance.
  4. Monitoring and Audit. As previously mentioned, the board and management have ultimate responsibility for ensuring compliance with flood insurance regulations. An effective compliance monitoring/audit function is paramount in carrying out this responsibility. The coming changes in the regulations will require management and the board to revisit certain aspects, if not all, of the flood insurance compliance program. Despite your training and planning efforts to implement perfectly the changes to your flood insurance processes and procedures, mistakes will be made. The wise bank will test the new processes early and frequently to head off any systemic issues. Better you find any problems and fix them, than to have them discovered by the examiners at your next compliance exam.

Changes are coming, and it is safe to say these will not be the last. Getting out ahead of the changes and planning for them is the key to successfully navigating the changing flood waters.

There’s a New Framework for Internal Controls: What Boards Need to Know


The COSO framework, named for the Committee of Sponsoring Organizations of the Treadway Commission, is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.

The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.

As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.

Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also after banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplement the five components held over from the 1992 framework. These components and associated principles are:

  • Control environment

    • Demonstrates commitment to integrity and ethical values
    • Exercises oversight responsibility
    • Establishes structure, authority and responsibility
    • Demonstrates commitment to competence
    • Enforces accountability
  • Risk assessment

    • Specifies suitable objectives
    • Identifies and analyzes risk
    • Assesses fraud risk
    • Identifies and analyzes significant change
  • Control activities

    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys through policies and procedures
  • Information and communication

    • Uses relevant information
    • Communicates internally
    • Communicates externally
  • Monitoring activities

    • Conducts ongoing or separate evaluations
    • Evaluates and communicates deficiencies

Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.

Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each principle above, principles such as “assesses fraud risk,” and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.

A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.

Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.

If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or an undocumented control. Many apparent gaps are often the result of missing documentation, not necessarily missing controls.

At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or if new controls are necessary to mitigate the missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.

The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.

Is Your Bank Ready for Basel III Compliance?


Board members have an important role to play in implementing the latest directives from the Basel Committee on Banking Supervision.

The first implementation deadlines are looming for the standards in the Third Basel Accord, commonly known as Basel III. It’s time for bank directors to make sure they’re up to speed.

Basel III comes into play at a time of worldwide economic uncertainty. Promulgated by the Basel Committee on Banking Supervision, the international forum for supervisory matters based in Basel, Switzerland, this comprehensive set of regulations seeks to instill greater stability and confidence in the banking system by dealing with deficiencies exposed by the financial crisis of the late 2000s.

The Basel III framework includes six key requirements for banks:

  • Hold more and better-quality liquidity
  • Maintain more and better-quality capital
  • Achieve enterprise risk management maturity
  • Ensure robust, comprehensive stress testing
  • Enhance capital adequacy assessments
  • Integrate comprehensive and actionable capital and strategic planning

A new risk-weighted capital framework to determine regulatory capital adequacy based on Basel III becomes effective for community banking organizations (non-complex, with assets between $500 million and $10 billion) on January 1, 2015.

Community Bank Readiness
Many managers and officers of community banks and small regional banks have told me they believe Basel III is really not an issue for them because they’re extremely well-capitalized. However, if these bankers haven’t run the Basel III calculator provided on each banking regulator’s website, their confidence may not be warranted. The risk ratings under Basel III are radically different from anything we’ve seen in the past. And you can’t determine true capital adequacy simply and solely on the basis of the new regulatory capital ratios. Those ratios are merely the ante into the game, the minimum requirement.

In today’s banking environment, the only true measure of capital adequacy is economic capital measured in a customized way for each financial institution, stress-tested to consider all risk elements across the full probability spectrum. A fresh assessment and approach are needed before you can say you’re well-capitalized in a Basel III world.

A Board Responsibility
Basel III should be a top-of-mind concern with every member of the board. Directors have a critical fiduciary role in ensuring Basel III compliance, and in capital and strategic planning in general. The board should be front and center in these areas:

  • Defining risk appetite. First and foremost, boards of directors must define the level of risk that is acceptable for their organizations. Within acceptance of that risk, they must determine what commensurate returns they expect the financial institution to earn.
  • Scenario planning. Through stress testing and scenario planning, boards of directors should look at all potential outcomes and their impact on capital, from low- to high-probability events. Directors should help frame some of these scenarios and stress tests, and thoroughly understand the results. The board must also have a firm grasp on how integrated strategic and capital plans are driving decision making—including risk assumption, resource allocation and the tactical actions of the organization.
  • Right-sizing capital. The board of directors must be instrumental in making sure that the bank’s capitalization properly aligns with the risks assumed by its banking business model. I am an advocate for the “Goldilocks School of Banking.” Like the porridge sampled by the little blonde-haired girl, capital needs to be “just right”—neither too much nor too little, and customized for the financial institution.

RAROC: The One True Metric
Risk-adjusted return on capital (RAROC) is the most all-encompassing performance indicator your organization can employ in assessing your capital position. It is the only metric that considers both full risk and potential return in a strategic business equation.

RAROC is suitable for assessing your total organization, individual business units, products, customers and customer segments. It enables you to determine your economic capital and capital adequacy, while helping optimize how you allocate capital and resources. Risk-adjusted analysis helps your organization intelligently price customer transactions, evaluate profitability, incentivize employees and right-size capital to your risk profile.

The benefits of RAROC are substantial and far-reaching. I encourage your board to insist on using this important tool.

Getting Started
Basel III awareness and compliance begin with the board asking two things of management:

  • Education. Whether it’s provided by the executive team or an outside consultant, the board should insist on a one- to two-hour overview of Basel III—not just focusing on what the regulations require, but also the implications for your banking business model and a strategy to respond.
  • Basel III status report. The board must ask if the executive team has run the pro forma calculations for Basel III capital compliance, and where the capital levels stand today in light of Basel III requirements.

This simple, two-step questioning process is absolutely essential. If it isn’t already underway at your financial institution, it should begin at your next board meeting.

For more information on capitalization and regulatory compliance, see Orlando Hanselman’s white paper, Capital Conundrum: A Call for Clarity and Action.

Weak Consumer Exams Are Holding Up M&A Deals


It has been several years since the financial crisis, and now banks seeking acquisitions know that they need to have high levels of capital, strong management teams and good asset quality if they hope to get the deal across the regulatory finish line. The key handicap these days, however, is the increased scrutiny on compliance issues at both the acquiring bank and the target bank.

After two years and two extensions of its drop-dead date, the M&T Corp-Hudson City Bancorp deal remains in a highly visible state of regulatory purgatory. Others are suffering in a less visible way, and for a broader range of compliance reasons than the anti-money laundering (AML) problems that trapped M&T. Moreover, compliance-related delays can arise from problems at the target even when the acquirer has a strong rating and systems. One of the newest reasons for the delay in M&A regulatory approvals arises because of increased regulatory expectations around consumer financial protection.

For many banks, the results of consumer compliance exam reports are not quite as good as they were a few years ago. For some banks and thrifts, the increased examination standards are an unpleasant surprise, demanding increased infrastructure and investment at a time when there are many competing demands. Just as expectations and examinations gradually increased in intensity in the AML arena a few years ago, they are now increasing in the consumer protection arena, with the expectations of the Consumer Financial Protection Bureau (CFPB) informing the consumer compliance and enforcement practices of the traditional banking agencies. These agencies do not want to appear lax as compared to the CFPB. The CFPB examines banks above $10 billion in assets, but as a result of other banking agencies’ focus, consumer compliance is now a concern even for those banks that are not subject to CFPB examination and enforcement authority. This is leading to two new trends:

  1. For those banks that are subject to CFPB jurisdiction, we are increasingly seeing that the Federal Reserve will seek informal assurances from the CFPB that the most recent exam report is or will be satisfactory before approving an acquisition at the bank holding company level.
  2. A threatened but unresolved memorandum of understanding or cease and desist in the consumer compliance area, whether at the acquirer or the target, can delay approvals of an acquisition even when all other issues are resolved. This is especially the case when there is a change of primary regulator after the closing.

Whether and how long this trend will hold is unclear but, for now, it is sometimes a reason for an unexpected delay.

As a result, bank boards and managements need to think carefully about consumer compliance issues as they consider their strategic options. There is, of course, a bit of a chicken-and-egg problem here. Community and smaller regional banks may need to get larger in order to have the scale to invest in the new infrastructure that the rising standards demand, and yet perceived current problems with poor consumer compliance marks can prevent or delay acquisitions that might bring about scale and scope. The art is to avoid the trap.

What You Don’t Know Can Hurt You: 10 Things to Watch When You’re on a Bank Board


The legal and regulatory climate for a bank is changing on a weekly basis. At least in part due to this, the expectations and liability risk of a bank director are not the same as a year ago, let alone five years ago. To help address this, we crafted a list of some broad themes we believe bank directors should be particularly attuned to now.

Enterprise Risk Management
Risk management is a function, not a committee. Boards need to implement a process to ensure that risks are properly identified and addressed in such a way that the board can demonstrate a “credible challenge” to management. And, beyond creating an effective corporate clearing house for risk, boards need to ensure that the bank possesses a management team capable of carrying out this function.

Third Party Risk
Vendor management has become a hot-button for all banks, as formal and tacit guidance continues to emerge. In addition to performing and memorializing due diligence around vendor selection, banks need to be in a position to understand and properly supervise the work of any vendors. This means having a properly qualified and trained management team that addresses the operational, compliance and other risks potentially resulting from reliance on third parties.

Trust Preferred Securities (TRuPS)
Many banks were forced to defer payments on TRuPS in the aftermath of the 2008-2009 crisis period. With the five-year TRuPS deferral period now coming to an end, many bank holding companies don’t possess the funds (and cannot compel a bank dividend) to bring the TRuPS current. Further, regulators have insisted that any proposed capital raise be sufficient not only to pay off the TRuPS, but also to result in a composite CAMELS 2 rating for the bank. Your board needs to understand the resulting threats and opportunities.

Deferred Tax Asset Preservation
Bank regulatory agencies have begun to take issue with rights plans that are designed to preserve deferred tax assets (DTAs), citing the safety and soundness concerns that such plans could present by complicating future capital raises. As regulatory guidance on this point appears imminent, your board needs to understand the implications for your bank and your competitors.

Director Liability
Boards should ensure that they have the benefit of up-to-date exculpation and indemnification provisions in the bank’s charter and bylaws, as well as a robust directors and officers (D&O) insurance policy that is not rendered useless by a host of exemptions. In addition, with so much of the recent banking litigation being focused on process, your board should reconsider and redefine the way that your bank makes, records and polices its deliberations and decisions.

Role of Directors in Lending Decisions
Clearly, directors should be involved in defining the scope of a bank’s lending activities, the delegation of lending authority, and the monitoring of credit concentrations and other risks. But should directors serve on loan committees, and make the actual lending decisions? It’s time to reassess this important issue. Directors making day-to-day lending decisions can blur the lines of proper governance and needlessly expose directors to additional liability risk.

Charter Conversions
Each of the banking agencies seems to be developing a different regulatory mood on key issues, such as business plans, consumer compliance and risk-based regulation. In this post-crisis environment, it is important that you consider whether your bank is appropriately chartered in light of its strategy. Put another way, the trends have changed, and you should consider how these changes affect your bank.

Growth Strategies in a Tough Lending Climate
With traditional loan growth being slow, banks continue to reach for less traditional loan products, such as asset-based lending, factoring, lease finance, reverse mortgages, premium finance, indirect auto lending, warehouse facilities, etc. As always, these products must be considered in light of concomitant compliance risks and capital requirements. Directors should ensure that management performs thorough risk assessments alongside their profit/loss projections.

The Effects of Basel III
Depending upon the size and makeup of your bank, the January 2015 Basel III changes will impact your bank’s regulatory capital position. At a minimum, directors need to understand from the bank’s CFO and auditors that there is a plan anticipating what the pro forma capital position is expected to be under Basel III.

Compliance Issues Can Sink a Strategy
Too many banks with solid strategies have seen their bank’s growth hindered by compliance failures. Bank Secrecy Act/anti-money laundering rules, consumer protection regulations, and poor oversight of third parties can result in enforcement actions and derail growth until the issues are remediated, which can take years. Boards must set a tone at the top with regard to the compliance culture of the bank.

The themes above are top of mind for us, but the environment remains dynamic. This list likely will look very different in another year.