Cutting Compliance Costs with Regtech



I was having a discussion about the future of banking with some fellow investors recently and one of my younger and more tech savvy associates opined that fintech companies would soon make traditional branch banking obsolete. It is a provocative idea but I am pretty sure he is wrong. Two decades from now it will still be fairly easy to find a bank branch a short drive away even if it is in a driverless car. Bankers will adapt and banking will become more mobile and more digital, but there will always be a place for banks and their branches in the economy.

Bankers are not sitting in their offices waiting to be replaced. They are finding ways to use new technology advancements to make their business faster, more efficient and, most importantly, less expensive. This is particularly true in one of the highest cost centers in the bank, regulatory compliance, where the automation of that detail-intensive process is providing huge cost benefits. Compliance costs have been spiraling upward since the financial crisis led to an avalanche of new regulations, and technology might be the industry’s best hope of bringing those costs back down.

Bankers are starting to see the advantages of big data and analytics-based solutions when they are applied to the compliance challenge. “Although still in the early stages, banks are applying big data and advanced analytics across customer-facing channels, up and down the supply chain, and in risk and compliance functions,” said Bank of the West Chairman Michael Shepherd in a recent interview with the Reuters news service. For example, a growing number of banks are using new technology to automate the enormous data collection and management processes needed to file the proper compliance reports, particularly in areas like the Bank Secrecy Act. This new technology can help regional and community banks address data gathering and reporting challenges for regulatory compliance.

Smaller banks in particular are looking to partner with companies that can help build a data-driven approach to compliance management. More than 80 percent of community banks have reported that compliance costs have risen by at least 5 percent as a result of the passage of the Dodd-Frank Act, and the expense is causing many of the smallest institutions to seek merger partners. In fact, two of the biggest drivers of my investment process in the community bank stock sector are to identify banks where compliance costs are too high, and where there is a need to spend an enormous amount of money to bring their technology up to date. Odds are that those banks will be looking for a merger partner sooner rather than later.

While banks are looking to make the compliance process quicker, easier and cheaper, they also need to be aware that the regulators are developing a higher level of interest in the industry’s data collection and management systems as well. A recent report from consulting firm Deloitte noted that “[In] recent years regulatory reporting problems across the banking industry have more broadly called into question the credibility of data used for capital distributions and other key decisions. The [Federal Reserve Board] in particular is requesting specific details on the data quality controls and reconciliation processes that firms are using to determine the accuracy of their regulatory reports and capital plan submissions.”

The Consumer Financial Protection Bureau is also monitoring the compliance management process very closely. An assistant director there was quoted recently as saying that the bureau is increasingly focusing its supervisory work on the third-party compliance systems that both banks and nonbanks sometimes rely on. This is the behind-the-scenes technology that drives and supports the compliance process.

There is a developing opportunity for fintech companies to focus their efforts on providing regtech solutions to regional and community banks. The cost of compliance is excessive for many of these institutions and, for some, places their very survival in question. Regtech firms that develop compliance systems that are faster, more efficient and can help cut compliance costs significantly in a manner acceptable to the regulatory agencies will find a large and fast-growing market for their services.

Raising the Bar: Top Challenges Facing Bank Boards


Regulators are expecting more and more from bank management teams and boards. In this video, Lynn McKenzie, a partner at KPMG, offers solutions to help address the top challenges facing the industry.

  • Legal and Regulatory Compliance
  • Cybersecurity
  • Financial and Regulatory Reporting
  • Vendor Risk Management

Gaining a Competitive Advantage through Regtech



The newly-coined term “regtech,” which is a combination of regulation and technology, is a useful concept to a highly-regulated industry like banking. Regtech is distinct from fintech in that regtech refers to a combination of regulatory strategies that a regulated business can use to secure a business advantage.

Banks sail on a sea of pervasive regulation. We see several ways that banks can chart a new course on this sea and make more money through regulatory innovation, beginning with the use of technology to make regulatory compliance more efficient. Most of the literature sees regtech as a single idea: using technology to drive efficiency in regulatory compliance. We think that such efficiencies are a very important part of regtech–but are only part of the story. The topic of compliance efficiency has several elements:

  • Identify areas where the bank’s compliance oversight is not effective–typically because human resources have the wrong priorities or are spread too thin. Many institutions risk fines and enforcement actions and put their long-term viability at risk by tolerating gaps in their compliance oversight–and yet they still manage to spend too much.
  • Identify a technology provider whose software and services are a good fit for your bank’s existing and projected growth.
  • Communicate with regulators to spot any regulatory objections to the technology provider and the overall strategy as early as possible in the process.

For example, the forward publishing function in HotDocs, a popular document assembly product, allows banks and other financial institutions to maintain their own lending or operational forms. This means that changes to an institution’s form documents can be applied before new regulations take effect, and accurate, updated templates can be made available to document users on the legally required date. Version control ensures that only the most up-to-date template is available for use, removing the risk of an old, non-compliant document being issued. Such an automated system for updating forms in response to regulatory changes is a classic example of technology making a compliance task faster, more efficient and more effective.

Marrying technology to compliance will result in a much more effective compliance team. They can use their time to review dashboards, clear exceptions and otherwise exercise their experience and judgment instead of wasting time on rote or repetitive busywork. It also makes possible much more valuable internal and external compliance audits as well as meaningful reports to the bank’s board of directors on operational and compliance risks. Being smart in this area of regtech is mission critical for community banks and financial technology companies.

Another new approach is the creation and exploitation of intellectual property based on regulatory insights. Many times, figuring out a way to offer a new product or service, or to offer an existing product in a new way, depends on finding a regulatory interpretation that allows the innovation to proceed. There is precedent for patenting new regulatory loopholes, including tax-related loopholes discovered and patented by CPAs and others. Some examples include a derivatives-related patent application, on which one of the authors of this article was a co-inventor, as well as several patents obtained by the consulting firm Promontory Financial that are based on regulatory insights. Those patents have made possible new business processes and services.

A financial institution that has a flash of insight on how to improve an existing process or develop a new innovation should carefully consider seeking a patent or otherwise surrounding the regulatory insight with as much intellectual property protection as possible. We think that doing so is another great way to use regtech to get a business advantage.

Most banks and financial technology companies have important choices in deciding how and by whom they will be regulated in a particular jurisdiction. If you know you want to be a depository institution, you still need to choose (1) a state or national charter; (2) if a state charter, the chartering state; (3) the type of charter, including a commercial bank, savings bank, savings and loan or credit union; and (4) depending on the charter you choose, whether to be a member institution of the Federal Reserve. Also available are a few “bank-lite” charters, such as an industrial loan company (ILC) charter, which is available in seven states including Utah, or a trust company charter from one of several states. Some banks would do well to carefully consider changing their charter, and in the process their regulator, to something that better supports their business goals.

For a business model based on lending money, there are the bank models mentioned above as well as a range of non-depository charters, such as the ILC charter and other state lending licenses. Many of these are only valid in the issuing state, which means that building a national business in the U.S. using multiple state lending licenses can quickly become a complex endeavor. Similarly, for a business model premised on moving money, including money transmission, payments, stored value cards, wallets and remittances to name a few, there is a similar choice between a web of state licenses or a carefully-crafted bank partnership, a blend of the two, or possibly one of the new federal charters being discussed by the Office of the Comptroller of the Currency.

Rent-a-charter is a derogatory term for a partnership between a bank and another institution, chartered or not, in which the bank lends its name (and little else) to the other party. Such an arrangement can lead to allegations that the non-chartered party is the “de facto” lender or other real party in interest and that the bank is not exercising sufficient oversight or control over the process. However, bank partnerships are crucial in the financial world, and most of the time a business model can be built on a properly structured bank partnership. The details of the partnership are extremely important and, we think, rise to the level of true regtech.

These are foundational choices with numerous and conflicting considerations. However, the business that shrewdly chooses its chartering path (and therefore its regulators) can gain a crucial edge on its competitors. For example, some financial technology companies are learning that some business models actually face a more complex and expensive compliance burden by not being a bank than they would have experienced by acquiring a bank charter. Thus, we think that the initial and ongoing chartering strategy is an element of regtech.

And finally, we think good old-fashioned lobbying is properly considered part of regtech. Think about the varied tactics used in Uber and Lyft’s efforts to beat back challenges to their shared ride business model. A large company like Uber, which has immense popularity with consumers, can use that popularity in its lobbying and negotiation with regulators. Might can make right.

For most other companies that lack the market clout of an Uber, lobbying can take more traditional forms such as convincing a range of stakeholders and legislators that statutory reform is necessary and appropriate to achieve a broader social good. Think about recent California legislation exempting free credit building loans (low or no-interest loans designed to help people build a good credit score) from finance lender legislation. Or think about the Consumer Financial Protection Bureau’s current advertising campaign—an effort ostensibly designed to raise consumer awareness of the bureau’s services that also helps build political support during an election year for a controversial agency.

Other situations are better suited for a quiet one-on-one approach. Sometimes this can result in a published interpretation or no-action letter that expressly blesses the proposed innovation. Probably more frequently, a no-names inquiry through lawyers or other representatives can get equally valuable information that has the added benefit of not being publicly available to competitors. With good faith around the key regulatory elements of a proposed innovation, a company can be first to market with a new product or service.

In summary, we think that regtech is not only useful in sparking thought and conversations in the financial industry, it may even spur innovation and profitability.

Top Trends Impacting Audit Committees in 2016


If you’re serving on an audit committee, congratulations. That may be the toughest and most time-consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big-picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,” she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of the Financial Accounting Standards Board’s (FASB) new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,” says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,” Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,” she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cybersecurity, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially at smaller banks. About 28 percent of banks handle cyber risk in the audit committee, with smaller banks more likely to do so than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to prepare for the almost inevitable data breach, Larson says. Just like a natural disaster, a data breach isn’t necessarily preventable, but you can prepare for it with a good disaster plan.

Is Regulation Forcing Banks to Sell?


There were more than 900 attendees at Bank Director’s Acquire or Be Acquired Conference in Phoenix this week, and zero bank regulators. So it wasn’t much of a surprise that the crowd of mostly bank directors and bank CEOs frequently bashed regulation and its enormous cost burdens. In the wake of the financial crisis and the ensuing Dodd-Frank Act, banks are ramping up their compliance departments and facing an onslaught of fines, as well as an increased focus on consumer rights and the Bank Secrecy Act.

This added burden has been most difficult for the smallest banks to handle, because they have fewer resources. I talked to one bank CEO, Joe Stewart, who owns a series of small banks in Missouri, and has sold two of them since 2013, each below $200 million in assets. He said the banks couldn’t afford to add a second compliance person to a staff of one. He pointed in particular to increased reporting requirements and disclosure standards for residential mortgage loans. “Unless you can get some regulatory relief, we can’t survive,” he said.

No doubt, for very small banks, regulatory costs are a much greater burden than they are for larger banks. But other factors are at play, too. When asked what factors are driving M&A in the marketplace, an audience poll revealed regulatory cost was the fourth most popular answer, after such factors as shareholders looking for liquidity, being too small to compete with bigger banks, and retiring leadership.

When I asked the CEO of BNC Bancorp, the parent company of Bank of North Carolina, Rick Callicutt, who has purchased eight banks in five years, what is driving banks to sell, he thought regulatory costs were part of the equation. But he also thinks banks are looking at their balance sheets and realizing they are going to make less money in a few years than they make today, and are not satisfied with that future. Some have realized that their loan portfolios are filled with fixed rate loans at seven-, 10-, and 15-year terms, and they are not going to be in a good position.

Mark Kanaly, an attorney at Alston & Bird, doesn’t think compliance costs are a huge factor in consolidation. “It’s not the determinant,” he said. Most often, bank leadership teams take a look at what they can realistically achieve, and don’t like what they see.

Another clue to what’s driving recent bank acquisitions is to look at the industry’s profitability as a whole. The median return on equity was just 8.7 percent in the third quarter of 2015, according to a Keefe, Bruyette & Woods analysis of the banks in their coverage universe. The average return on assets was 0.91 percent. Interest rates are likely to stay low for some time, continuing pressure on bank profitability.

A lot of banks simply aren’t doing that well. Regulators may be partly to blame for increased consolidation, but they aren’t the whole story.

What Banks Are Doing Now to Handle Compliance


A heightened regulatory environment is here to stay, that much seems clear. So how are banks and bank management teams coping?

They are hiring more employees, buying software, scrutinizing vendors for compliance and focusing more and more on the business of complying with regulations, in addition to running the bank. Preston Kennedy, the CEO of $200 million asset Bank of Zachary, in Zachary, Louisiana, says he spends one-third of his time on compliance and regulations. “The regulations are now the table stakes,” he says. “If you want to go outside in the winter, you have to wear a coat. If you want to be a banker, you have to abide by a lot of regulations.”

The following is a list of ways in which banks are coping with increased regulations.

Hiring a Chief Compliance Officer or Chief Risk Officer
Chief risk officers and chief compliance officers, previously found only at the largest banks, are now being hired even by small banks. In Bank Director’s 2015 Risk Practices Survey, 71 percent of respondents from banks below $1 billion in assets had a chief risk officer. So, too, did 92 percent of respondents from banks with $1 billion to $5 billion in assets. Bank of Zachary, despite its small size, has both a compliance officer and a recently hired chief risk officer, who reports directly to the CEO and the board of directors.

Buying Compliance Software or Getting Outside Advice
Banks also are turning to software vendors, core processors and outside consultants such as Fiserv, FIS, Computer Services, Inc. and DH Corp. to help manage compliance. “We are definitely seeing more indications that banks are relying on software more in all different areas,” says Christine Pratt, a senior analyst at financial services research firm Aite Group. Bank of Zachary just purchased a $35,000 program from Continuity to keep track of new regulations that will impact the bank, and help the bank document its compliance. Proper documentation is key because banks have to prove to regulators that they are in compliance. “In order to run a $200 million bank in suburban Louisiana, we have to rely on a company that is hardwired to the government to keep up with this pipeline of new regulations,” Kennedy says. “It’s absolutely ridiculous but it’s the task that we have.”

Incorporating Compliance
Banks are shifting away from handling compliance after the fact and moving toward incorporating compliance into many of their basic business processes, says Jamie van der Hagen, director of consumer lending for Wolters Kluwer Financial & Compliance Services, which sells regulatory consulting services and compliance software to banks. For example, instead of giving out loans and then checking to see if they meet fair lending standards, banks increasingly incorporate fair lending standards into the process of making loans. “Proactive compliance efforts, through automated testing for example, help banks validate their entire portfolio of products and accounts and identify potential compliance issues before they become a problem,’’ says van der Hagen. “Finding and addressing these possible compliance issues can have a positive impact on the bottom line by enabling institutions to identify loans that qualify for CRA credits and other premiums that can help them improve their overall bottom line.”

Starting to Prepare in Advance of Knowing the Final Rules
Banks are finding they have less time than in prior years to adjust after a rule is finalized and goes into effect. That means they have to prepare even as the rules are in the proposal stage. “They don’t have the time anymore to wait for the rule to be formulated,” says Pratt. “Banks have told me they’re writing two different versions of software [to prepare ahead of time]. That’s incredibly expensive.” Alternatively, vendors should help with the process of updating software on time.

Scrutinizing Vendors for Compliance
Regulators are increasingly emphasizing that banks are responsible for the missteps of their vendors on pretty much every law or regulation, including fair lending, debt collection or unfair consumer practices. The New York State Department of Financial Services, the state’s banking regulator, recently surveyed banks to determine their oversight of vendors for cybersecurity, as it is preparing new regulations on how banks should monitor third party vendors. Managing a bank’s vendors for compliance is a complex process, but there are general guidelines to getting it right.

However much of a burden it feels, bank management teams and boards know that they have to comply with regulations to stay in business. Managing the pace of regulatory change and keeping the bank out of the crosshairs of regulatory fines and punitive enforcement actions has become a core responsibility of the bank’s management team. “The pace of regulatory change has really increased in the last 10 years and there is no indication that it is going to go down,” says van der Hagen.

How New Technology Drives Sales in Your Bank


In this highly competitive and data-driven environment, financial institutions are looking for innovative new ways to drive sales in the finance sector.

For banks, one of the most exciting technologies to explore is the artificial intelligence and natural language generation (NLG) space. NLG is a technology that can write like a human and turn big data into narrative and easy-to-understand content. It serves big data analytics, customer service and sales.

Three Ways to Drive Sales
Artificial intelligence-powered NLG software allows banks to understand unprecedented levels of client data, enhance customer service and ensure regulatory compliance.

  1. Make Sense of Big Data
    Banks need tools that explain what their big data means, what to do about it and why—in plain English (or the language of their choice) and in real time. The challenge is there is too much data, too few data experts and too little time to transform volumes of data into insight. But AI-powered NLG technology can turn data into written financial reports, executive summaries or portfolio analysis, for example, and explain how and why a conclusion is reached.
  2. Provide the Highest Level of Customer Service
    Banks are competing to deliver expert customer service—on the phone, online and in the branch. AI-powered NLG systems, often called “smart machines,” can be programmed with the expertise of your bank, can connect to client data and serve as an interactive expert to guide customer service teams through interactions. These systems can turn customer service agents into top tier sales people. They can even be deployed online to replicate the in-store banking experience and help make selling complex products and services easy.
  3. Ensure Compliance and Autonomy
    The advice-giving space is fraught with the potential for litigation in the face of ever-growing levels of regulations. Financial advisors and bankers must protect themselves by keeping meticulous records. These records, a sort of audit trail in case of litigation, coupled with legal fees and the fear of legal action, cost businesses millions if not billions of dollars each year. But AI-powered NLG can help. Programmed with the bank’s unique regulatory and legal framework, it can ensure compliant, expert advice, as long as the system is kept up-to-date. In case of litigation, it creates what we would call in banking an “audit trail.” The software shows its decision-making process, the advice it gave and explains why (and pursuant to what rules) it gave the advice. Since the software is incapable of human error, it never forgets a rule.

Is AI-Powered NLG Ready for Your Business?
NLG has been around for several decades, but NLG software has only recently been commercially viable, really since 2008. Fast forward eight years and Fortune 500 companies on both sides of the Atlantic are already using the combination of NLG and AI as a single software to make sense of big data, provide the highest level of customer service and ensure compliance and autonomy—all to drive revenue. In fact, these solutions are now fully scalable so banks can build their own applications—with no need to rely on vendors. Additionally, leading vendors of AI-powered NLG software provide configuration environments so easy to use that even non-technical users can build and update their own applications.

Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats


Banks and other financial services firms face increasingly sophisticated threats to their data systems and remote applications. Every system and device—ATMs, point-of-sale terminals, customer access devices, internal wireless networks and routers—can be a source of vulnerability. The risks include system disruption, loss of proprietary data and confidential consumer information, theft of money and securities through unauthorized transfers and account access, class action litigation, and damaged reputation.

Regulators are taking aggressive actions in response. The Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the federal banking regulators are engaged in targeted examinations of cyber-security efforts. The New York Department of Financial Services has declared that it will be scrutinizing cybersecurity as an integral part of its bank examinations. Other regulators too are closely examining the depth and comprehensiveness of financial firms’ data security programs. Administrative enforcement actions and civil litigation are the foreseeable consequences of programs that fail to measure up.

So what are the practical steps a financial firm should take to mitigate cybersecurity risks?

Get the Board and Senior Management Involved
Proper oversight starts with the board. Assign cybersecurity and vendor management to a specific board committee with responsibility to appoint senior officers to oversee the cybersecurity program and institute a formal reporting line up from business units and the legal, compliance, audit and technology departments.

Map the Risks
Create an inventory of database, telecommunications, and Internet systems and vendors, and a map of the business units that use them, how the various systems and vendors interact with one another and with customers and counterparties, who has access to them, and who has oversight and control over them. Scrutinize particularly the risks of remote access, transactional and funds transfer systems and devices.

Coordinate Compliance Plans
Various units within a financial institution are generally engaged in simultaneous efforts to assess and control threats through, e.g., anti-money laundering (AML) controls, fraud prevention, and credit and counterparty risk management. Coordinate these efforts with the cybersecurity plan through an enterprise-wide risk-management program.

Test and Audit
Conduct regular internal audits of system security and, at least annually, engage external vendors to do penetration testing.

Train Personnel
Create a formal personnel training program on cyber-security protocols and how to identify potential risks. Document participation in the training. Incorporate external resources and alerts on an on-going basis to address emerging issues.

Manage Vendor Risks
Regulators are expecting banks to oversee vendors. Control risks through both careful vendor selection and subsequent oversight.

  • Selection
    • Require prospective vendors to verify cyber risk-prevention preparedness.
    • Review vendors’ SEC filings.
    • Search for the vendor’s litigation and enforcement history.
  • Contracting
    The vendor contract should specifically provide for:
    • Oversight access: rights to conduct system security audits such as SSAE 16 and to receive reports of vendor internal audits.
    • Specific risk-control tools: e.g., firewalls, anti-virus software, spyware detection, physical security, intrusion detection, network anomaly detection, security information and event management, configuration management, business continuity plans and back-up systems.
    • Internal management: specification of who has data system access, how that access is controlled, and the means of detecting unauthorized access and patterns of suspicious account activity.
    • Reporting: prompt vendor reporting of any security incidents.
    • Data retention: periods for maintaining data, and methods for data disposal, return or transfer.
    • Liability, indemnification and insurance: limits on liability, indemnification provisions, standards of care and performance, rights of termination, and requirements for vendor insurance.

For vendors outside of the United States, the contract should address applicable legal requirements and protocols for any portions of a system, process or services conducted or accessible by the vendor or its sub-vendors from outside the United States.

Obtain Adequate Insurance
Review your insurance coverage for the scope and carve-outs for cyberattacks and unauthorized access to confidential information and funds and accounts.

Prepare For a Breach
Be ready for a security breach. Prepare now for making prompt disclosures to law enforcement, regulators and affected customers, SAR filings (as applicable), insurance carrier notifications, communications with vendors, and, depending on the nature and magnitude of the event, public or investor disclosures. Line up counsel to handle potential class action litigation and administrative enforcement actions.

Work With Regulators and Peer Groups
Close attention to published regulatory guidance and direct communications with regulators can help identify potential gaps and weaknesses in a cybersecurity plan. Similarly, attention to trade association best practices and guidance (such as the Financial Services Information Sharing and Analysis Center), and participation in industry-wide working groups and conferences can further help identify areas for improvements.

Regulatory Concerns about Bank Culture Should Serve as a Wake-Up Call

The culture inside a bank has received renewed discussion in various forums over the course of the last year. The regulators are now moving from crisis and reaction to root cause analysis of the financial crisis. Regulators have expressed concern that despite the array of new rules, guidance, and enforcement actions brought in the wake of the financial crisis and the Dodd-Frank Act, banks just seem to keep turning up problems. Fair or not, and whether you think that this concern is really attributable to the largest financial institutions, the regulators’ signals merit attention for any bank.

Bank regulators, notably the Federal Reserve and the Office of the Comptroller of the Currency (OCC), have contrasted two broad categories of banks: those that adopt an approach of mere compliance with regulation, where compliance concerns are background noise to be silenced; and those that embrace risk management and compliance programs as an important part of cultural norms. The signal from the regulators is that they look for, and can sense whether the bank is in one or the other of these camps. Supervisory judgment calls are informed by those perceptions.

What is culture? William Dudley, president of the New York Fed, recently stated: “Like a gentle breeze, culture may be hard to see, but you can feel it.” Culture is the norms of behavior that drive the business, including ethical standards above and beyond the rules. This is attributable to the tone at the top set by directors and top executives, but it is manifested (or not) in behaviors throughout the organization. What incentives (compensation and otherwise) drive what kinds of performance throughout the organization? To what degree do risk management concerns get air time alongside financial performance in the board room? Do the board and senior management discuss risk management and compliance in terms of “regulatory burden?” Worse, do you talk openly about your talented risk and compliance staff as a “burden” weighing on the bottom line?

Increasingly, bank supervisors are beginning to mandate cultural norms. Internationally, the Basel Committee on Banking Supervision has set forth corporate governance principles to assess whether a bank’s board and senior management perform their risk governance responsibilities and establish an appropriate organizational risk culture. The OCC’s heightened expectations for enterprise risk management by the largest banks have emphasized the need for a board to provide what’s known as an “effective challenge” of management, and this has become the gold standard for all banks. The OCC has had open debate with the industry over whether directors must “ensure” rather than only “validate” the effectiveness of a risk management and compliance program. All of the regulators, including the Consumer Financial Protection Bureau, have sent strong signals in the form of enforcement actions, guidance and examination messages.

A key cultural norm is how the bank thinks of its customers. Thomas Watson, legendary leader of IBM, famously said: “The essence of trust building is to emphasize the similarities between you and the customer.” Does your bank consider borrowers as counterparties in a contract, or customers for whom the bank has a shared (fiduciary-like) interest in their success?

Moreover, once a strategic decision is made by the top leaders of the organization, does the company do a good job of challenging the decision when evidence arises that it was wrong-headed, or does the company suffer from confirmation bias, collectively seeking only the evidence that justifies the strategy? Institutional groupthink can result in hidden problems for a bank, whether they are credit concerns, compliance concerns, or lost market opportunities, for example. Does the organization value diverse views that can positively challenge norms?

Examiners assess culture by looking for patterns of behavior, rather than individual instances, just as they focus less on specific loans than on concentrations of credit risk. Distinctions between policies and actual behavior are measurable; exceptions to policy are measurable; meaningfully reviewable management reports should allow detection of patterns. In this sense, examiners and directors are aligned and can be complementary to each other.

Undoubtedly, the audit of risk management or compliance culture is subjective. Are we on the verge of bank supervisors becoming culture police? There is a real concern that supervisors could also suffer from confirmation bias and thereby feed a concentration of cultural norms and fail to appreciate the idiosyncratic nature of institutions and the value of their diversity. Nevertheless, it behooves all boards of directors to look inward and take heed of the bank regulators’ messaging about culture.

Keeping Your Head Above Water: Four Tips for Managing Flood Insurance Law Changes

Among the various areas of regulatory compliance, one area—compliance with flood insurance regulations—seems to cause an outsized level of anxiety, and for good reason. Over the past several years, field examiners have been diligent in identifying and citing violations of the flood regulations, and many of these violations have resulted in imposition of civil money penalties (CMPs) against the violating banks. During 2013 and 2014, nearly 100 flood-related CMPs were imposed on banks, ranging in amount from $1,000 to well over $100,000. Paying penalties is never enjoyable, but is even less so in this era of tight margins and strained profitability.

Last year, President Obama signed into law the Homeowner Flood Insurance Affordability Act (HFIAA) as a way to dial back some of the increased costs associated with the 2012 Flood Insurance Reform Act. The HFIAA will bring about a number of new and modified obligations on banks, which will become effective at various times during 2015 and 2016. Changes are coming in the areas of forced placement of insurance, acceptance of private flood insurance, escrowing of premiums, and exemptions to the mandatory purchase of flood insurance.

The ultimate responsibility for ensuring compliance with consumer protection laws and regulations, including flood insurance laws and regulations, rests with the board and senior management. How do you keep your head above the changing waters?

  1. Policies and Procedures. Any change in law or regulation in a compliance area should trigger a review of the bank’s existing policies and procedures in the affected areas. The review should be done with an eye toward necessary or appropriate changes to the policies and procedures. Management also should use this review process to determine to whom the revised policies and procedures need to be communicated to ensure an effective flood insurance compliance program. Certain of the changes may affect personnel outside of the lending and compliance functions at the bank. Once identified, all appropriate personnel should be trained on the new policies and procedures.
  2. Education. The compliance officer’s and real estate loan origination staff’s knowledge and understanding of the changes in the law/regulations are critical to ensuring compliance. The board and senior management have to be willing to expend the necessary resources to educate these folks who are on the front lines of the flood insurance process. Additionally, directors and senior managers also should receive training on the basics of flood insurance regulations so that they can appropriately oversee the compliance function and manage the attendant risk. The regulatory agencies, industry trade associations, and FEMA (Federal Emergency Management Agency) are good sources of training materials.
  3. Customer Communication. Your bank already may be receiving inquiries from customers regarding the impending changes to the flood insurance rules. If not, expect that you will. The changes relating to escrowing premiums, exemptions from mandatory coverage, and private flood insurance are fertile ground for customer questions. Now is the time to review your existing customer communication procedures to be sure that appropriate personnel and/or departments are tasked with handling inquiries, and that all personnel, especially customer-facing personnel, know to whom they should direct customer inquiries regarding flood insurance.
  4. Monitoring and Audit. As previously mentioned, the board and management have ultimate responsibility for ensuring compliance with flood insurance regulations. An effective compliance monitoring/audit function is paramount in carrying out this responsibility. The coming changes in the regulations will require management and the board to revisit certain aspects, if not all, of the flood insurance compliance program. Despite your training and planning efforts to implement perfectly the changes to your flood insurance processes and procedures, mistakes will be made. The wise bank will test the new processes early and frequently to head off any systemic issues. Better you find any problems and fix them, than to have them discovered by the examiners at your next compliance exam.

Changes are coming, and it is safe to say these will not be the last. Getting out ahead of the changes and planning for them is the key to successfully navigating the changing flood waters.