Is Your Bank Ready for Loan Review 2.0?

Lending institutions face unique challenges in 2020.

Leading up to 2020, regulators and industry professionals voiced growing concerns related to the easing of underwriting, prolonged increasing of commercial real estate values, risk tolerance complacency, and how much longer the good times could continue — which the ongoing public health crisis answered.

Covid-19 propelled businesses and borrowers into a liquidity crisis like most have never experienced. Economists already have identified the start of a recession, but many lending institutions find themselves determining if — or when — the liquidity crisis has transitioned to a credit crisis.

The third and fourth quarters of 2020 will be most telling. Never has a bank’s loan review function been more important.

On May 8, interagency guidance was released on credit risk review systems. The guidance was well-timed given the pandemic but wasn’t impulsive, as the regulatory agencies began their review process in October 2019. The guidance focused on two key pieces of the puzzle needed for effective credit risk systems: a solid credit administration function and independent credit review.

The guidance highlighted the importance of a loan review policy and how it should incorporate the following areas:

  • Qualifications of credit risk review personnel.
  • Independence of credit risk review personnel.
  • Frequency of reviews.
  • Scope of reviews.
  • Depth of reviews.
  • Review of findings.
  • Communication and distribution of results.

These policy areas are highlighted to help drive a successful function that provides the right level of independent challenge to the organization on issue identification, risk rating accuracy/timeliness, policy adherence, policy depth, trends, and management effectiveness. Independently reporting these observations to the board and all stakeholders provides an in-depth independent assessment to help verify the strength of internal controls and the timeliness of grading. It also provides assurance that management’s reporting and allowance levels are reasonable.

Fast forward one month to June 2020, and loan review was top of mind for these same regulatory agencies, which released “Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Financial Institutions” (FDIC PR-72-2020). This guidance looked to address the unique challenges to consider when conducting safety and soundness assessments in these unprecedented times.

The guidance memorialized how examiners will consider the unique, evolving, and potentially long-term nature of the issues confronting institutions and exercise appropriate flexibility in their supervisory response. It speaks specifically to credit risk review (loan review) by stating the following:

Credit risk review. Examiners will recognize that the rapidly changing environment and limited operational capacity might temporarily affect an institution’s ability to meet normal expectations of loan review (such as a schedule or scope of reviews). Examiners will assess the institution’s support for any delays or reductions in scope of credit risk reviews and consider management’s plan to complete appropriate reviews within a reasonable amount of time.

Classification of credits. The assessment of each loan should be based on the fundamental characteristics affecting the collectability of that particular credit, while acknowledging that supporting documentation might be limited and cash flow projections might be highly uncertain.

Loan portfolios are a lending institution’s lifeblood. Portfolios drive earnings but also can be the largest threat to an institution’s ongoing viability. In this rapidly moving environment, it is key to have a loan review function that is up to the challenge.

Operating an effective loan review function
Large- and medium-sized financial institutions often opt to maintain an in-house loan review department. While this decision makes sense for some institutions, establishing and maintaining an effective and credible internal loan review operation can present significant challenges.

Credit department responsibilities have grown increasingly complex in recent years, not only due to regulatory demands but also because of a rapidly changing credit environment and new types of credit products. With these heightened expectations, loan review functions are being pressured by regulators and external auditors to raise the bar. Is it time to step back and assess whether your loan review function has adjusted to the changing environment and the products you offer?

Answer these questions to help take a step back and determine if your institution has a robust loan review function that not only meets the demands of the regulatory guidance but is built to meet the demands of the future as well.

Approaching Credit Management, Risk Ratings Today

As a credit risk consulting firm that supports community and regional banks, Ardmore Banking Advisors has assembled some credit risk management best practices when it comes to how executives should look at their bank’s portfolio during the coronavirus-induced economic crisis.

It is clear that the expectation of regulators is that credit risk management programs (including identification, measurement, monitoring, control and reporting) should be enhanced and adapted to the current economic challenges. Credit risk management programs require proactive actions from the first line of defense (borrower contact by loan officers), the second line of defense (credit oversight) and the third line of defense (independent review and validation of actions and risk ratings).

Boards will have to enhance their oversight of asset quality. Regulators and CPAs will be focusing on process and control, and challenge the banks on what they have done to mitigate risk. Going concern opinions on borrowers by CPAs may become widely used, which will put pressure on banks to be conservative in risk ratings.

New regulatory guidance and best practices indicate that more forward-looking, leading indicators of credit must be employed. We expect greater emphasis on borrower contact and information on liquidity and projections. These concepts are also embodied in the new credit loss and loan loss reserve model that went into effect at larger banks in the first quarter.

Many banks have used Covid-19 as an opportunity to increase their loan loss provisions, reviewing their portfolios for weaknesses in borrowers that may never recover. This evaluation will be expected by regulators during examinations; it is a good indication of forward-thinking proactive oversight by a bank’s officers and directors.

Risk Rating Approaches in the Current Climate
When it comes to risk ratings, it is not advisable for banks to automatically downgrade entire business segments. Instead, executives should scrutinize the most vulnerable segments of the portfolio that include highly stressed industries and types of loans.

Banks do not have to downgrade modifications or extensions solely because they provided relief related to Covid-19; however, the basis for extensions or modifications should be evaluated relative to the ultimate ability of the borrower to repay their loans going forward, after the short-term disruption concludes or the deferral matures.

We have observed that regulators are focusing on second deferrals and asking whether a risk rating change or troubled debt restructuring is warranted. Banks should be reviewing information on further deferrals to determine if there could be an underlying problem indicating that payment is ultimately unlikely.

Paycheck Protection Program loans do not require a downgrade; however, banks may want an independent review of PPP loans to identify any operational or reputational risk. We also recommend that current customers who received PPP loans should be evaluated for their ability to repay other loans once the short-term disruption concludes.

Credit review, the third line of defense, is typically a backward-looking exercise, after loans are already made and funded. It is predicated primarily on an independent review of the analysis of borrowers by loan officers during the first line of defense, and credit officers in the second line of defense. For over 10 years, the industry has experienced relatively good economic times. The current environment requires a more insightful assessment of the bank’s actions and the borrower’s emerging risk profile and outlook, with less reliance on past performance.

The bank should evaluate historical and recent financial information from the borrower as a predicate for evaluating the borrower’s ability to withstand current economic challenges. Executives should review any new information reported by the bank’s officers on the current condition, extensions or modifications provided and the current status of the borrower’s operations to determine if a risk rating change is necessary.

Importance of Credit Review for Banks
Banks must look carefully at risk ratings to confirm that all lines of defense have properly reviewed the borrowers, with a realistic assessment of their ultimate ability to repay the loan after any short-term deferrals, modifications or extensions due to the Covid-19 disruption. This includes an assessment of whether the action requires formal valuation of troubled debt restructuring status. The banks can then follow the current regulatory guidance that an extension or modification does not in itself require a designation as a TDR.

We believe based on our years in banking that the bank regulators will test the bankers’ response and process in the current economic downturn. They, and the CPAs certifying annual financial statements, will expect realistic credit risk evaluations and controls as confirmed by independent and credible loan reviews. Bank boards and executive management teams will be well-served by accurate loan and borrower credit risk assessment during regulatory exams and the annual financial CPA audits for 2020.

Four Questions for Three CEOs

The coronavirus pandemic has thrown the banking industry into an environment that is both rapidly changing and a prolonged grind.

The recession induced as a result of public and private response to Covid-19 has lowered the revenue outlook and increased credit risk for institutions across the country. Bankers must navigate an extraordinarily uncertain operating environment and make tough decisions. To that end, Bank Director created the AOBA Summer Series — a free, on-demand compilation of pragmatic information, honest conversations and real-world insight.  

The series goes live on Aug. 12. As a preview, we sat down (virtually) with three executives featured in the series — Chuck Sulerzyski, Jill Castilla and John Asbury — for a glimpse into where they see challenges, opportunities and inspiration. Sulerzyski is CEO of Peoples Bancorp in Marietta, Ohio, which has $5 billion in assets; Castilla is chairman and CEO of Citizens Bancshares, which has $317 million in assets and is based in Edmond, Oklahoma; and John Asbury is CEO of Richmond, Virginia-based Atlantic Union Bankshares Corp., which has $19.8 billion in assets. These conversations were conducted independently, and have been lightly edited for length and clarity.

BD: What is the biggest challenge you see for your bank?

JC: I think about businesses that aren’t able to recover as quickly and making sure that you have the tools available to get to the other side. These are unprecedented times and these businesses are struggling — not due to something they caused; it was something inflicted upon them. I think it’s going to be difficult moving through that.

JA: Navigating the credit risk implications of the Covid-19-induced recession. We remain confident in our overall asset quality, credit loss reserves, capital position and preparedness for this event. However, the duration of Covid-19 will largely determine just how great a challenge this will be. Time will tell.

CS: Maybe not in the next three months, but in the upcoming quarters, I think credit is going to be the biggest challenge, and helping our customers get through all of this. We feel good about our portfolio and its diversification. The places where we feel the most stress is in the hotel portfolio. Obviously, businesspeople aren’t traveling, and consumers are starting to travel a little more but way below normal levels. It’s very difficult for hotel operators to [meet] cash flow.

BD: What is the biggest opportunity for your bank?

JC: The biggest opportunity is continuing to be a leader and advocate, and restoring trust in financial services — both nationally as well as locally —  and being seen as a trusted advisor and a trusted advocate.

JA: The bank has demonstrated resilience, agility, courage and innovation in its response to Covid-19. We developed and launched an online portal and automated workflow system to take Paycheck Protection Program loan applications in five days because we remained agile and knew the stakes were high as our customers were counting on us. We were also quick to make difficult decisions to align our expense structure to the expected lower-for-longer rate environment, beginning in March, to ensure we emerge on the other side of Covid-19 positioned for success. Permanently ingraining these characteristics into our culture will result in an even better, stronger and more capable company.

CS: Peoples really crushed it on the PPP program. We were open for new customers and brought them in with the understanding they would become full-service customers. The biggest opportunity over the next three to six months is taking in these relatively new people and cross-selling them loans, deposits, insurance and investments. Already, we bought in over $40 million of loans and deposits, and over $150,000 in fee income.

BD: Where are you getting inspiration right now?

JC: So many places. I’m fortunate to be in a city that has diverse leadership. Whether it’s in our underrepresented and underserved communities, those leaders that have fought the odds for decades and are striving for their communities to reach higher levels and pull more out of me to be a better person, a better leader and a better businessperson, and provide access to capital and liquidity and things like that. That’s been extraordinary. Seeing our leaders make hard decisions for the welfare of their communities or for the business community as well — that courage, whether I agree with the actions or not — seeing the willingness to take a stand and to stand up for something has been inspirational.

JA: Our teammates! They amaze me with their determination, resourcefulness, effort and caring for our customers and each other. Their efforts on PPP in particular were heroic.

CS: There’s much going on in the world. The healthcare workers, I’ve been touched by everything that they have done. One of my kids is a doctor, one is a nurse, and another is working on a Ph.D. in public health. All of what’s going on with healthcare workers and first responders has been very motivational. 

I know we’ve gone through a lot of social unrest, but I find inspiration in [Senator] John Lewis’ passing and everything that he stood for. I was eight years old when the Voting Rights Act was passed. It’s mind-numbing that folks of color didn’t have the opportunity to vote, and here we are, 50 years later, fighting similar fights and hopefully making progress.

BD: What has been the best thing you’ve read or watched since the pandemic began?

JC: Maybe because it’s on my mind, but the timeliness of the release of “Hamilton” [on the Disney+ streaming service]. I got to see it live in Oklahoma City a year ago; I had tickets and had waited forever to go see it. And then I got hit by a truck walking across my street two days before the show.

We ended up [seeing] the last performance before it left Oklahoma City. I’ve been really excited to see it coming back in my life a year later and in this time. The boldness of the vision to create a musical that uses a diverse cast and a difficult topic, the timeliness of the messaging and then making something accessible to everyone.

It’s the last thing I’ve seen that’s blown me away. But there’s been so many instances where someone has blown me away with something they’ve written online, an article I’ve read or a podcast I’ve listened to. This crisis is so bad, but again, you get to see this beauty of leadership, this boldness of action and constant inspiration of people stepping up and doing wonderful work.

JA: Despite having never worked longer or harder for such a sustained period of time, since Covid-19 hit I’ve read books extensively. The most impactful is “How to Be an Antiracist” by Ibram X. Kendi. It has given me a perspective on social injustice and systemic racism that I did not have before, as well as a better understanding of its root causes and what can be done about it.

CS: I’m a Yankees fan; Aaron Judge had two home runs [in the Aug. 2 game against the Boston Red Sox], and I liked that a great deal. I also think John Lewis’ obituary goodbye letter in The New York Times was the best thing that I’ve read. We shared that so that our employees could read it.

The $700 Billion Credit Question for Banks

It’s the $700 billion question: How bad could it get for banks?

That’s the maximum amount of losses that the Federal Reserve modeled in a special sensitivity analysis in June for the nation’s 34 largest banks over nine quarters as part of its annual stress testing exercise.

Proportional losses could be devastating for community banks, which also tend to lack the sophisticated stress testing models of their bigger peers and employ a more straightforward approach to risk management. Experts say that community banks should draw inspiration from the Fed’s analysis and broad stress-testing practices to address potential balance sheet risk, even if they don’t undergo a full stress analysis.

“It’s always good to understand your downsides,” says Steve Turner, managing director at Empyrean Solutions, an asset and liability tool for financial institutions. “Economic environments do two things: They tend to trend and then they tend to change abruptly. Most people are really good at predicting trends, very few are good at forecasting the abrupt changes. Stress testing provides you with insight into what could be the abrupt changes.”

For the most part, stress testing, an exercise that subjects existing and historical balance sheet data to a variety of adverse macroeconomic outlooks to create a range of potential outcomes, has been the domain of the largest banks. But considering worst-case scenarios and working backward to mitigate those outcomes — one of the main takeaways and advantages of stress testing — is “unequivocally” part of prudent risk and profitability management for banks, says Ed Young, senior director and capital planning strategist at Moody’s Analytics.

Capital & Liquidity
The results of the Fed’s sensitivity analysis underpinned the regulator’s decision to alter planned capital actions at large banks, capping dividend levels and ceasing most stock repurchase activity. Young says bank boards should look at the analysis and conclusion before revisiting their comfort levels with “how much capital you’re letting exit from your firm today” through planned distributions.

Share repurchases are relatively easy to turn on and off; pausing or cutting a dividend could have more significant consequences. Boards should also revisit the strategic plan and assess the capital intensity of certain planned projects. They may need to pause anticipated acquisitions, business line additions and branch expansions that could expend valuable capital. They also need to be realistic about the likelihood of raising new capital — what form and at what cost — should they need to bolster their ratios.

Boards need to frequently assess their liquidity position too, Young says. Exercises that demonstrate the bank can maintain adequate capital for 12 months mean little if sufficient liquidity runs out after six months.

Credit
When it comes to credit, community banks may want to start by comparing the distribution of the loan portfolios of the banks involved in the exercise to their own. These players are active lenders in many of the same areas that community banks are, with sizable commercial and industrial, commercial real estate and mortgage portfolios.

“You can essentially take those results and translate them, to a certain degree, into your bank’s size and risk profile,” says Frank Manahan, a managing director in KPMG’s financial services practice. “It’s not going to be highly mathematical or highly quantitative, but it is a data point to show you how severe these other institutions expect it to be for them. Then, on a pro-rated basis, you can extract information down to your size.”

Turner says many community banks could “reverse stress test” their loan portfolios to produce useful insights and potential ways to proceed as well as identify emerging weaknesses or risks.

They should try to calculate their loss-absorbing capacity if credit takes a nosedive, or use a tiered approach to imagine if something “bad, really bad and cataclysmic” happens in their market. Credit and loan teams can leverage their knowledge of customers to come up with potential worst-case scenarios for individual borrowers or groups, as well as what it would mean for the bank.

“Rather than say, ‘I project that a worst-case scenario is X,’ turn it around and say, ‘If I get this level of losses in my owner-occupied commercial real estate portfolio, then I have a capital problem,’” Turner says. “I’ll have a sense of what actions I need to take after that stress test process.”

A key driver of credit problems in the past has been the unemployment rate, Manahan says. Unemployment is at record highs, but banks can still leverage their historical experience of credit performance when unemployment hit 9.5% in June 2009.

“If you’ve done scenarios that show you that an increase in unemployment from 10% to 15% will have this dollar impact on the balance sheet — that is a hugely useful data point,” he says. “That’s essentially a sensitivity analysis, to say that a 1 basis point increase in unemployment translates into … an increase in losses or a decrease in revenue perspective to the balance sheet.”

After identifying the worst-case scenarios, banks should then tackle changing or refining the data or information that will serve as early-warning indicators. That could be a drawdown of deposit accounts, additional requests for deferrals or changes in customer cash flow — anything that may indicate eventual erosion of credit quality. They should then look for those indicators in the borrowers or asset classes that could create the biggest problems for the bank and act accordingly.

Additional insights

  • Experts and executives report that banks are having stress testing conversations monthly, given the heightened risk environment. In normal times, Turner says they can happen semiannually.
  • Sophisticated models are useful but have their limits, including a lack of historical data for a pandemic. Young points out that the Fed’s sensitivity analysis discussed how big banks are incorporating detailed management judgement on top of their loss models.
  • Vendors exist to help firms do one-time or sporadic stress tests of loan portfolios against a range of potential economic forecasts and can use publicly available information or internal data. This could be an option for firms that want a formal analysis but don’t have the time or money to implement a system internally.
  • Experts recommend taking advantage of opportunities, like the pandemic, to enhance risk management and the processes and procedures around it.

Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work from home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration’s loan created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk for errors and oversights. Unfortunately, the COVID-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and bank operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

Directors’ Defense Against the Pandemic Impact on Credit

Bank directors and management teams must prepare themselves and their institution for the potential for an economic crisis due to the COVID-19 outbreak.

This preparation process is different than how they would manage credit issues in more traditional economic downturns; traditional credit risk management tools and techniques may not apply or be as effective. Directors and others in bank management may need to consider new alternatives and act quickly and deliberately if they are going to be successful during this very difficult time.

The traditional three lines of defense against quickly elevating credit risk may not work to prevent the credit impact of the new coronavirus and its consequences. The “horse is out of the barn” and no existing, normal risk management system can prevent some level of losses. This pandemic is the proverbial black swan.

The real question now is: How can banks prepare to deal with the related issues and problems?

Some institutions are likely to be better prepared, including those with:

  • A strong capital base.
  • Good, conservative allowance reserve levels.
  • Realistic credit risk assessments and portfolio ratings prior to the pandemic.
  • A readiness to take part in a potential acquisition.
  • A good strategic approach that is not materially swayed by quarterly earning pressures.
  • A management and board that “tells it like it is” and is realistic.
  • Good relationships with regulators, CPA firms, professionals and investors.

What are a bank’s options when trying to assess and manage the pandemic’s impact?

  • Deny the problem and kick the can down the road.
  • Wait for the government and regulators to provide solutions or a playbook for the problems.
  • Sell the bank — most likely at a big discount if at all.
  • Liquidate the bank, likely only after expending capital, with assistance from the Federal Deposit Insurance Corp.
  • Be proactive and put in place processes to deal with the problem and consequences.

There are some steps a bank can take to be proactive:

  • Identify emerging and potential problems and the options to handle them, and then create a plan that is strategic, operational and provides the best financial result.
  • Commit to doing what’s right for the bank, its employees, customers and community.
  • Enhance or replace the current credit risk management system with a robust identification, measurement, monitoring, control and reporting program.
  • Adopt an “all hands on deck” approach to improve focus and deal with material issues in a priority order, deferring things that do not move the needle.
  • Assess internal resources and consider moving qualified personnel into areas that require more focus.
  • Seek outside professional assistance, if needed, such as loan workout or portfolio analysis and planning.
  • Perform targeted reviews of portfolio segments that are or may become challenged because of the pandemic and potential fallout, along with others may have had weaker risk profiles before the pandemic.
  • Communicate the issues such as the magnitude of the financial challenge to employees, the market, regulators, CPAs and other professionals who provide risk management services to your bank.
  • Deal with problems head-on and decisively to maintain credibility and respect from various constituencies while achieving a superior result.

It is best for everyone in the bank to work together and act quickly, thoughtfully, honestly and strategically. There will, of course, be some expected and understood need in the short term for increases in allowance provisioning. If planning and actions are executed well, the long-term results will improve the bank’s performance and enhance its credibility with the market, regulators and all other professionals. Just as valuable as an outcome is that your bank’s reputation will be enhanced with your employees, who will be proud to have been part of the effort during these difficult times.

An Effective Way to Combat Cyber Breaches

Banks have always been in the business of risk management, but the risks they face aren’t stagnant; they migrate with time.

Traditionally, banks have faced two types of risk: interest rate and credit risk. Today, however, given the growth of digital banking and transactions, these two risks have been supplanted by another: cybersecurity.

The biggest challenge when it comes to cybersecurity risk is that it constantly evolves, as the threats, actors and attacks increase in sophistication. Banks that prepare for one method of intrusion may find themselves the victim of a different strategy.

Earlier this year, H. Rodgin Cohen, a partner at Sullivan & Cromwell and one of the industry’s most trusted advisors, commented on this change.

“I think the biggest risk in the [financial] system today is a successful cyberattack,” Cohen said. “That is a very serious risk, but I think the more likely [danger] is that a single bank — or a group of banks — are hit with a massive denial of service for a period of time, or a massive scrambling of records.”

Banks of all sizes feel pressure to keep their systems secure from intruders, according to Bank Director’s 2019 Risk Survey, which found that cybersecurity concerns among bankers have increased over the previous year.

Twenty percent of survey respondents say they address cybersecurity as a full board rather than delegating it to a committee, and slightly more than a third say at least one director is a cybersecurity expert.

The concern is ever present, and for some banks, very real: 18% of respondents, excluding chief lending officers and chief credit officers, reported that their bank experienced a data breach or other cyberattack within the last two years.

Concerns like these are why Bank Director created the “Best Solution for Protecting the Bank” category for its 2019 Best of FinXTech Awards. Judges selected winners from the most innovative solutions found in the FinXTech Connect platform.

The finalists for this year’s award were Rippleshot, which helps banks to identify credit and debit card fraud; IDEMIA, which works to prevent card-not-present fraud; and Illusive Networks, which helps banks detect when their networks have been infiltrated.

This year’s winner was Illusive Networks, based in part on its work to secure the network of Israel Discount Bank, the third biggest bank in Israel.

Illusive approaches cybersecurity from a hacker’s point of view in order to beat attackers at their own game. Its strategy isn’t to stop an intrusion per se — a feat that seems increasingly impossible with the number of entry points into a system and the scores of malicious actors.

Rather, it detects and remediates an attack once it has happened. Intruders breaking into a bank’s system must persistently monitor the network for bits of information or credentials that will help them move from machine to machine and gradually close in on the data they want. Illusive plants false information across the bank’s network so that, when attackers act on it, the bank can catch them red-handed.

Illusive calls this “endpoint-focused deception.” The deceptive information is only visible to malicious actors and triggers an alert within Illusive. The technology then captures details about the bad actor directly from the machine they were using, which the bank then uses to track and stop the attack.
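The decoy-credential idea described above, as an added Python example (not Illusive's code or a description of its product): each endpoint gets its own decoy account name, so any authentication attempt that presents one identifies the machine the credential was read from. The naming scheme, JSON log format, key, host names and account names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption: a real deployment loads it from a secrets store).
REGISTRY_KEY = b"constructed-demo-key"

def decoy_username(endpoint):
    """Derive a decoy account name unique to one endpoint (hypothetical scheme)."""
    mac = hmac.new(REGISTRY_KEY, endpoint.lower().encode(), hashlib.sha256)
    return "svc-backup-" + mac.hexdigest()[:6]

def build_registry(endpoints):
    """Map each decoy username to the endpoint it was planted on."""
    return {decoy_username(e): e.lower() for e in endpoints}

def detect_decoy_use(log_lines, registry):
    """Alert on every auth event that presents a decoy account, failed or not."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the run
        if not isinstance(event, dict):
            continue
        user = str(event.get("user", "")).lower()
        if user not in registry:
            continue
        alerts.append({
            "time": event.get("ts"),
            "decoy": user,
            "planted_on": registry[user],  # endpoint the credential was read from
            "attempted_from": event.get("src"),
            "target": event.get("dst"),
            "outcome": event.get("result"),
        })
    return alerts

def sample_log():
    """Constructed events; every host and account name here is invented."""
    # Upper-cased on purpose: account names are often matched case-insensitively.
    decoy = decoy_username("teller-ws-014").upper()
    mk = lambda ts, user, src, dst, res: json.dumps(
        {"ts": ts, "user": user, "src": src, "dst": dst, "result": res})
    return [
        mk("2019-05-02T09:14:03Z", "jsmith", "teller-ws-014", "file-01", "success"),
        mk("2019-05-02T09:40:57Z", decoy, "teller-ws-022", "db-core-02", "failure"),
        '{"ts": "2019-05-02T09:41:00Z", "user": ',  # truncated line
        mk("2019-05-02T09:42:10Z", "svc-backup", "file-01", "db-core-02", "success"),
    ]

if __name__ == "__main__":
    reg = build_registry(["teller-ws-014", "teller-ws-022", "loan-ws-003"])
    print(detect_decoy_use(sample_log(), reg))
```

Only the second event raises an alert: the real-looking `svc-backup` account and the ordinary user are ignored, and the alert ties the attempt from `teller-ws-022` back to the decoy planted on `teller-ws-014`.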

One of the main selling points of Illusive’s solution is the short implementation period. In Israel Discount Bank’s case, it took a matter of weeks to implement the solution. The net result is that, not only is the solution harder to detect for potential cyber criminals, but it’s also fast and easy to implement.

Addressing the Top Three Risk Trends for Banks in 2019



As banks continue to become more reliant on technology, the risks and concerns around cybersecurity and compliance continue to grow. Bank Director’s 2019 Risk Survey, sponsored by Moss Adams LLP, compiled the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about the current risk landscape. Respondents identified cybersecurity as the greatest concern, continuing the trend from the previous five versions of this report and indicating an industry-wide struggle to fully manage this risk.

Other top trends included the use of technology to enhance compliance and the potential effect of rising interest rates. Here’s what banks need to know as they assess the risks they’ll face in the coming year.

Cybersecurity
Regulatory oversight and scrutiny around cybersecurity for banks seems to be increasing. Agencies including the Securities and Exchange Commission are focused on the cybersecurity reporting practices of publicly traded institutions, as well as their ability to detect intruders. The Colorado legislature recently passed a law requiring credit unions to report data breaches within 30 days. It’s no surprise that 83 percent of respondents said their concerns about cybersecurity had increased over the past year.

Most of the cybersecurity risk for banks comes from application security. The more banks rely on technology, the greater the chance they face of a security breach. Adding to this, hackers continue to refine their techniques and skills, so banks need to continually update and improve their cybersecurity skills. This expectation falls to the bank board, but the way boards oversee cybersecurity continues to vary: Twenty-seven percent opt for a risk committee; 25 percent, a technology committee and 19 percent, the audit committee. Only 8 percent of respondents reported their board has a board-level cybersecurity committee; 20 percent address cybersecurity as a full board rather than delegating it to a committee.

Compliance & Regtech
Utilizing technological tools to meet compliance standards—known as regtech—was another prevalent theme in this year’s survey. This is a big stress area for banks due to continually changing requirements. The previous report indicated that survey respondents saw increased expenses around regtech. This year, when asked which barriers they encountered around regtech, 47 percent responded they were unable to identify the right solutions for their organizations. Executives looking to decrease costs may want to consider whether deploying technology could allow for fewer personnel. When this technology is properly used, manual work decreases through increased automation.

Other compliance concerns for this year’s report included rules around the Bank Secrecy Act and anti-money laundering. Seventy-one percent of respondents indicated they implemented or plan to implement more innovative technology in 2019 to better comply with BSA/AML rules.

Compliance with the current expected credit loss standard was another area of concern. Forty-two percent of respondents indicated their bank was prepared to comply with the CECL standard, and 56 percent replied they would be prepared when the standard took effect for their bank.

Interest Rate & Credit Risk
The potential for additional interest rate increases made this a new key issue for the 2019 report. When asked how an interest rate increase of more than 100 basis points, or 1 percent, would affect their banks’ ability to attract and retain deposits, 47 percent of respondents indicated they would lose some deposits, but their bank wouldn’t be significantly affected. Thirty percent indicated an increase would have no impact on their ability to compete for deposits.

However, 55 percent believed a severe economic downturn would have a moderate impact on their banks’ capital. In the event of such a downturn, deposits and lending would slow, and banks could incur more charge-offs, which would impact capital. This fluctuation can be easy to dismiss, but careful planning may help reduce this risk.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

Exclusive: How This Growing Community Bank Focuses on Risk


Managing risk and satisfying examiners can be difficult for any bank. It’s particularly hard for community banks that want to manage their limited resources wisely.

One bank that balances these challenges well is Bryn Mawr Bank Corp., a $4.6 billion asset bank based in Bryn Mawr, Pennsylvania, on the outskirts of Philadelphia.

Bank Director Vice President of Research Emily McCormick recently interviewed Chief Risk Officer Patrick Killeen about the bank’s approach to risk for a feature story in our second quarter 2019 issue. That story, titled “Banks Regain Sovereignty Over Risk Practices,” dives into the results of Bank Director’s 2019 Risk Survey. (You can read that story here.)

In the transcript of the interview—available exclusively to members of our Bank Services program—Killeen goes into detail about how his bank approaches stress testing, cybersecurity and credit risk, and explains how the executive team and board have strengthened the organization for future growth.

He discusses:

  • The top risks facing his community bank
  • Hiring the right talent to balance risk and growth
  • Balancing board and management responsibilities in lending
  • Conducting stress tests as a community bank
  • Managing cyber risk
  • Responding to Bank Secrecy Act and anti-money laundering guidance

The interview has been edited for brevity, clarity and flow.


Credit Due Diligence Is Even More Important Now


With loan quality generally viewed as benign while M&A activity continues into 2019, is any emphasis on credit due diligence now misplaced? The answer is no.

With efficiency driving consolidation, bank boards and management should not be tempted to save time and money with shortcuts, such as inferring credit quality from recent loan reviews and the implied findings of regulatory exams.

The overarching reason is the nature of the current business and credit cycle. The economy is strong right now, and among many banks net recoveries have replaced net charge-offs.

But it is not a matter of if but when credit stress rears its head.

And time truly is money when trying to stay ahead of the turn of the credit worm. That means now is the time to highlight a few buy- or sell-side justifications for a credible M&A credit due diligence.

Some challenges always require vigilance. These include:

  • Heightened correlated lending concentrations
  • Superficial underwriting and/or servicing
  • Acquired third-party exposures through participations or syndications
  • Insider lending (albeit indirect)
  • Getting upside down on commodity or collateral valuations
  • Covenant-light lending
  • Credit cultural incongruity

New Risks, New Assessments
The emergence of a portfolio-wide macro approach to credit risk during the past decade has ushered in a flurry of statistical disciplines, such as calculating probabilities of default, loss-given defaults, risk grade migrations, and probability modeling to project baseline and stress loss credit marks for investors and acquirers.

Credible due diligence now provides rich assessments of various pools and subsets of loans within a target’s portfolio. These quantitative measures provide a precise estimate of embedded credit losses, in parallel with the adoption of the current expected credit loss (CECL) standard, to project life of portfolio credit risk and end deficiencies in the current allowance guidance.

Good credit assessment is capped by qualitative components. There are several factors to consider in the current credit cycle.

  • Vintage of loan originations: Late-cycle loans to chase growth goals or to entice investors carry higher risk profiles.
  • Exotic lending: Some banks have added less conventional loan products to their offerings, which may require specialized talent.
  • Leveraged financial transactions: For some banks, commercial and industrial (C&I) syndications have replaced the real estate participation of a decade ago. They have recently grown in leverage and stress, and would be susceptible to an economic downturn.
  • Hyper commercial real estate valuation increases: Recent studies have shown significant increases in commercial property values, well over the pace of residential 1-4 family properties, along with the headwinds of higher interest rates and the advent of diminished real estate requisites accompanying the tech-driven virtual marketplace.
  • Dependence on current circumstance as proxies for future credit quality: We must accept that we are affected by trailing, rather than by leading, credit metric indicators.
  • Lending cultural protocols: Knowing the skill sets and risk appetites of prospective teammates is imperative. Some would argue that in today’s consolidation environment, cultural incongruity trumps loan quality as the biggest determinant of success.

What Should Lie Ahead
Credit due diligence should provide a key strategic forerunner to the financial and cultural integration between institutions that might have disparate lending philosophies.

It should include an in-depth quantitative dive combined with a skilled assessment of qualitative factors, both of which are critical in providing valuable insight to management and the board. Yet, to reduce costs some have difficulty swallowing any in-depth credit diligence, given the de minimis nature of recent losses and low levels of problem loans.

Many economic indicators point to tepid economic growth in 2019. At some point, the current credit cycle will turn. A lesson learned from the financial crisis has been to be proactive in risk management to stay ahead of the risk curve—and not be left to be reactive to negative effects.

During the crisis, many banks suffered greater losses due to their reluctance to initiate remediation in response to deteriorating credit. M&A credit due diligence must be treated as an anticipation of the future, not a validation of the past, and an investment in curtailing future losses.