Can Boards Be a Technology Resource for Their Bank?

Just 29% of chief executives, and 17% of chief information and chief technology officers, say they rely on members of their board for information about technology’s impact on their institution, according to Bank Director’s 2021 Technology Survey. But what if a bank could leverage its board as a resource on this issue, helping to connect the dots between technology and its overall strategy?

Coastal Financial Corp., based in Everett, Washington, has brought on board members over the past three years with experience working in and supporting the digital sector: Sadhana Akella-Mishra, chief risk officer at the core provider Finxact; Stephan Klee, chief financial officer at the venture capital firm Portage Ventures and former CFO of Zenbanx, a fintech acquired by SoFi in 2017; Rilla Delorier, a retired bank executive who until last year led digital transformation at Umpqua Bank; and Pamela Unger, a certified public accountant who created software to support her work with venture capital firms. That deep bench of technology expertise helps the bank evolve, according to CEO Eric Sprink, by better understanding opportunities and risks. The board can even help $2 billion Coastal identify and bring on staff.

“The board has always been entrepreneurial at its basis, and some of the core values that we developed as a board were, be flexible, be unbankey and live in the gray — and those are [our] board values,” Sprink says. “We’ve really worked hard to continually ask people to join our board that continue that evolution and entrepreneurial spirit with some specialty that they bring.”

Bank Director’s recent Technology Survey finds that roughly half of bank boards discuss technology at every board meeting; another 30% make sure it’s a quarterly agenda item. That’s been the picture for several years in our survey, given technology’s importance in an increasingly digital economy.

But for many community bank boards, the expertise reflected in the boardroom hasn’t caught up to today’s reality — just 49% of board members and executives representing a bank smaller than $10 billion in assets report that their board has a director with a background or expertise in technology. And these skills are even rarer for discrete areas affecting bank strategies and operations, from cybersecurity (25% say they have such an expert on their board) to digital transformation (20%) and data analytics (16%).

Bank boards would benefit greatly from this expertise — and many of them know it, says J. Scott Petty, a partner at the executive search firm Chartwell Partners. “When I interview boards and we go through an assessment process, it’s always the No. 1 thing they talk about,” he says. “There’s no one there [who] can really understand what their head of technology is talking about. So, whatever they say, they go, ‘OK, well, you’re the tech expert.’”

In Bank Director’s 2021 Governance Best Practices Survey conducted earlier this year, board members identify their two most vital functions: holding management accountable for achieving strategic goals in a safe and sound manner, and meeting the board’s fiduciary responsibilities to shareholders.

If board members can’t pose a credible challenge to management when it comes to discussions on technology — asking pointed questions about a rising budget item for the majority of banks, as our recent research finds — then they can’t effectively fulfill their two most important duties. And boards also will find themselves unable to contribute to the bank’s strategy in the way they could or should.

Directors with technology expertise can help boards provide effective oversight and link technology and strategy, says Petty. “That’s the No. 1 [thing] — that fiduciary responsibility to really understand how the bank [aligns] its business strategy with its technology strategy.”

Petty shares a comprehensive list that identifies how technology expertise in the boardroom can contribute to the board’s oversight and strategic functions. These include:

  • Linking technology to the overall business strategy
  • Asking incisive questions of the bank’s CIO and/or CTO, and holding them accountable for goals, deadlines and budgets
  • Providing effective oversight of information security as well as Bank Secrecy Act/anti-money laundering (BSA/AML) compliance
  • Offering input and guidance on the bank’s technology initiatives
  • Giving feedback on innovation, customer experience and acquisition, product development, digital integration, cross-selling opportunities and similar areas

Asking pointed questions and deliberating about these technology matters isn’t just a fiduciary responsibility — it makes banks better, points out Jeff Marsico, president of The Kafafian Group, a consulting firm. Technology use by the industry isn’t new, he notes, but community bank boardrooms are typically composed of older members who will be inherently less tapped into what’s going on in the digital banking space. As a result, “they don’t have enough base knowledge to be challenging to management and therefore management knows, ‘I’m not going to be particularly challenged here,’” Marsico says. “[Boards] need somebody with enough knowledge to be able to challenge management — because then management gets better.”

Marsico sees flaws in most boards’ often-informal nomination processes. Performance evaluations, he notes, aren’t adequately used by the industry to identify gaps in board composition, and board members are often reticent to leave. Bank Director’s governance research backs this up, finding that roughly half of boards representing banks between $1 billion and $10 billion in assets conduct an annual performance assessment; that drops to 23% of boards below $1 billion in assets. Fewer than 20% overall use that assessment to modify the board’s composition.

Finding technology skill sets may challenge community bank boards, but Petty recommends a few ways that nominating committees can expand their search. Banks aren’t alone in the digital evolution, which affects practically every sector of the economy. With that in mind, he suggests looking at other industries for prospective board members. “Take an industry-agnostic look to find technology experts from organizations that are larger than the current institution,” Petty says.

Colleges, universities or vocational schools may also provide a resource to tap into technology expertise. “They typically are also at the forefront of talking about digitization across industries,” Petty adds.

While boardrooms should benefit from recruiting members with expertise for the digital age, that doesn’t excuse directors from enhancing their own understanding of the topic.

The 2021 Technology Survey finds board members highly reliant on bank executives and staff (87%) for information about the technologies that could affect their institution — right behind articles and publications (96%) as directors’ top resources.

While input from the bank’s executive team is critical, it’s important that directors leverage their own backgrounds, in addition to taking advantage of ongoing training and informational resources, to ask the right questions of these executives.

Marsico recommends that boards focus on strategy in every board meeting, with regular quarterly updates on the bank’s progress on executing the strategy. Other sessions should provide opportunities to educate board members on what’s going on in the banking environment — and should include external points of view. These could include technology vendors or representatives from the various associations serving the banking community. Petty suggests bringing in a former technology executive of another, larger bank who could brief members on what they’re seeing in the marketplace.

“[Boards] can get an outsider’s perspective that breathes fresh air into what is the possible — because I don’t think they know what is the possible,” says Marsico.

Petty also points to increasing interest in forming board-level technology committees. Bank Director’s 2021 Compensation Survey, conducted earlier this year, found that 23% of banks use such a committee.

“Even the smaller banks will have a technology committee, because it’s such a major focus for any institution to drive the digitization of how they go to market, how they leverage the digital experience for the customer, how they leverage the digital product offerings, [and] how they use digital to acquire new customers and onboard new customers,” says Petty.

To understand the responsibilities of the technology committee, access our Board Structure Guideline on that topic. Recent Bank Director research reports examine “The Road Ahead for Digital Banking” and “Meeting Customer Demand for Bitcoin.” Bank Director’s membership program includes a board assessment tool and access to the FinXTech Connect platform, which helps bank leaders identify potential technology providers and solutions.

Bank Director’s 2021 Technology Survey, sponsored by CDW, surveyed more than 100 independent directors, CEOs, COOs and senior technology executives of U.S. banks below $100 billion in assets to understand how these institutions leverage technology in response to the competitive landscape. The survey was conducted in June and July 2021.

Bank Director’s 2021 Compensation Survey, sponsored by Newcleus Compensation Advisors, surveyed 282 independent directors, chief executive officers, human resources officers and other senior executives of U.S. banks below $50 billion in assets to understand talent trends, cultural shifts, CEO performance and pay, and director compensation. The survey was conducted in March and April 2021.

Bank Director’s 2021 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner LLP, surveyed 217 independent directors, chairs and chief executives of U.S. banks below $50 billion in assets. The survey was conducted in February and March 2021, and explores the fundamentals of board performance, including strategic planning, working with the management team and enhancing the board’s composition.

2021 Governance Best Practices Survey Results: Who’s Driving Bank Strategy?

The best banks balance short-term thinking with long-term strategy.

“Long-term performance is always our paramount objective,” Bank OZK Chair and CEO George Gleason told Bank Director at its recent Inspired by Acquire or Be Acquired virtual event. The $27 billion bank topped Bank Director’s 2021 RankingBanking study. “If short-term results suffer because of our focus on long-term objectives, then that’s just part of it.”

Strategic discipline starts with a bank’s leadership team — and the board should play an important role in developing the strategy and monitoring its execution. But that’s not always the case, according to the results of the 2021 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner LLP.

The survey explores the board’s approach to strategic planning, as well as governance practices, board composition and the relationship between executives and the board. The results find that most boards don’t drive strategic planning at their institutions: Just 20% say the board drives this process and collaborates with management to develop the strategic plan. Most — 56% — say their board establishes the risk appetite but relies on management to develop the strategy.

The vast majority believe their strategic planning process is effective. But of the 11% who believe their process to be ineffective, some express regret over the lack of input from their board. One respondent believes their bank’s strategic plan to be “too in the weeds,” while another holds the opposite concern. “It flies at 30,000 feet for [the] most part,” says one independent chair. “[We] need to get a little closer to the ground with metrics and clear paths for management to build.”

Most — 84% — reviewed their strategic plan during the pandemic, but few shortened the time horizon of their strategy. This may seem surprising, given previous indicators that Covid-19 accelerated bank strategy in some areas, particularly around the implementation of digital technology. Perhaps this indicates that, for most bank leadership teams, balancing short-term results and long-term strategy remains top of mind.

Key Findings

Strategic Review
Three-quarters of respondents say their board reviews the strategic plan annually. Roughly two-thirds bring in an outside advisor or consultant to assist in developing the strategic plan — but not generally every year.

Board Responsibilities
When asked to identify the board’s most important functions, the majority of respondents point to holding management accountable for achieving goals in a safe and sound manner (61%) and meeting its fiduciary responsibilities to shareholders (60%). Just 34% say that setting strategy is a key board responsibility.

Competitive Pressures
Respondents say that pressure on net interest margins (52%), the ability to grow organically in their markets (44%) and meeting customer demands for digital options (37%) threaten the long-term viability of their bank.

Interacting With Management
The vast majority of independent directors, chairs and lead directors believe they’re getting the right level of information from bank executives. Almost all interact at least quarterly with the bank’s CEO (98%), CFO (94%) and chief risk officer (85%).

Credible Challenge
Three-quarters say their board has several directors willing to ask tough questions when warranted; 92% find their management team receptive to feedback.

Needle Moving on Board Diversity
Almost 60% believe that fostering diversity in the boardroom improves corporate performance. Thirty-nine percent have three or more board members who bring diverse characteristics to the board, based on gender, race or ethnicity.

Assessing Performance
Less than half conduct an annual evaluation of their board’s performance, which most use to assess the effectiveness of the board as a whole (84%), improve governance processes (60%), identify training needs for the board (59%) or assess committee performance (58%).

Federal Agencies Heighten Expectations and Penalties for Bank Directors


There have been two changes in bank regulatory enforcement that should be interesting to all directors. Recently, the Office of the Comptroller of the Currency released a new examination handbook applicable to institutions of all asset sizes and changed a corresponding handbook for directors, guiding examiners in assessing an institution’s risk strategy and control environment and heightening the responsibilities of bank board directors. The guidance requires directors to be in a position to pose “credible challenges to management” and states a director’s prime duty is to “ensure the bank operates in a safe and sound manner,” altering a director’s previous duty of “protecting the bank.”

Also, recent rulemaking has intensified the sting of civil money penalties (CMPs). Effective August 1, 2016, the list of violations has been augmented and fines have materially increased. CMPs will increase for directors, institutional affiliated parties (IAPs), banks, thrifts, and other financial institutions. CMP statutes that carry three-tiered penalties geared to levels of severity and intent generally have risen 80 percent to 90 percent to $9,468, $47,340 and $1,893,610. Note that regulators forbid banks from making indemnification payments to a director or IAP assessed a CMP.

The changes in the handbooks, coupled with the enhanced CMPs, signal “regulatory creep,” suggesting strongly that less complex institutions will be held to standards expected of complex institutions. This supervisory approach should be noted by a bank and its board. If a federal banking agency decides to proceed with an enforcement action, the target (either the institution or the IAP) will be notified in writing and provided 15 days to explain why a CMP is unwarranted. Additionally, an IAP target will be required to update personal financial statements.

The bank’s response to the agency requires a deep dive into the record of the supervisory communication between the bank and the agency. A thorough legal analysis of the evidence, counsel’s opinion regarding the likelihood of a violation being upheld on appeal, and advice regarding the potential penalty range is critical. The penalty could range from an informal (supervisory) penalty to a public monetary penalty and industry ban. This is the time the target, along with experienced counsel, should meet with the relevant agency officials to seek to resolve the principal supervisory concerns, so the exposure is contained. It’s a good idea to address the possibility of agency referrals for criminal charges. The process of personal interaction with agency officials, and submission of the legal analysis with focused strategic dialog, is paramount.

While it is typically useful that bank management and directors present a unified front, because the federal banking agencies apply different standards and penalties to directors than bank management, a bank must appreciate the potential for conflicts of interest between directors and bank management. It may be necessary to engage independent legal counsel for the board. To the extent there is a uniformity of interests between management and directors, a joint defense agreement can be fashioned. Most bank board protection plans will cover legal fees and costs associated with independent counsel, although, again, the payment of an assessed CMP cannot be indemnified by the bank.

If alleged violations cannot be resolved by settlement, the CMP assessment or other sanctions will be made public. The sanctioned person may request a hearing before an administrative law judge. After the hearing occurs and submissions from counsel are received, the administrative law judge issues an opinion and recommendation to the agency. The administrative law judge’s opinion can be appealed to the agency head. A similar process then occurs before the agency head, and final agency action is rendered. Final agency action may be appealed to the relevant federal court of appeals. The Federal Reserve Board, the Federal Deposit Insurance Corp. and to a certain extent, the Consumer Financial Protection Bureau, use similar procedures.

Now more than ever, it is imperative that a bank director appreciate heightened supervisory expectations, actively provide oversight to management and, importantly, document for the record curiosity and skepticism. A director’s best defense is to be alert to warning signs that a finding of a legal violation is being considered. With management, the board should be proactive in addressing supervisory concerns, and document curative actions taken before the violation is outlined in a written supervisory communication.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.