Does Your Board Need More Cyber Expertise?

Despite continued and growing anxiety around cybersecurity, boards have long struggled to understand the intricacies of the bank’s security efforts. Instead, they have often left it to the technology and security experts within the institution. But with increased scrutiny from regulators, a shift toward proactive oversight at the board level may be in the works.

According to Bank Director’s 2023 Risk Survey, 89% of bank executives and board members reported in January that their institution conducted a cybersecurity assessment in 2021-22. In response to that assessment, 46% said that the board had increased or planned to increase its oversight of cybersecurity moving forward.

Ideally, that could have the board taking an active oversight role by asking pointed questions about the threats facing the organization and how it would respond in various scenarios. In order to do that, boards could look to add cybersecurity experts to their membership.

For public banks, a requirement to make known the cybersecurity expertise on the board is expected to go into effect soon. The Securities and Exchange Commission announced last year that public companies would need to disclose which board members have cybersecurity expertise, with details about the director’s prior work experience and relevant background information, such as certifications or other experience. The SEC adds that cyber expertise on the board doesn’t decrease the responsibilities or liabilities of the remaining directors. The proposed rules, which also include expectations around disclosing cyber incidents, were first expected to go into effect in April 2023.

The demand for cyber expertise in the boardroom “will eventually trickle down to all community banks,” predicts Joe Oleksak, a partner focused on cybersecurity at the business advisory firm Plante Moran. “Very few [people] have that very specific cybersecurity experience,” he continues. “It’s often confused with technology experience.”

Last year, Bank Director’s 2022 Governance Best Practices Survey found 72% of directors and CEOs indicating a need for more board-level training about cybersecurity. The previous year, 45% reported that at least one board member had cyber expertise.

Often, bank boards seek cyber expertise by adding new directors with that particular skill set; other times, a board member may take ownership over the space and learn how to oversee it. Both approaches come with significant hurdles. An existing board member may not have the extra time required to become the board’s de facto cyber expert. An in-demand outsider may not be willing to financially commit to the bank; board members are typically subject to ownership requirements.

Boards rely on information from the bank’s executives as part of the deliberation process. It’s common for directors to trust the chief technology officer, chief security officer or the chief information security officer to provide updates on cyber threats and tactics. But understanding the incentives and expertise of the executive would ensure that directors understand the value of the information they receive, says Craig Sanders, a partner of the accounting firm Moss Adams, which sponsored the Risk Survey.

Boards leaning on their CSO, for instance, need to understand that these officers solely focus on broad defense of the institution, which includes both physical and digital protection of the bank. The CISO, on the other hand, homes in on securing data. Meanwhile, the CTO should have a broad understanding of cybersecurity, but likely will not be able to dig into the weeds as they’re primarily focused on the bank’s technology.

A third party can help fill in the gaps for the board.

“If you have someone coming in that has seen hundreds of institutions, then you get a better lens,” says Sanders. An outside advisor can educate directors about common security threats based on what’s happening at other institutions. A third party can also provide an external point of view.

Some, however, hesitate in suggesting that a board should seek to add a cyber expert to its membership. “It’s going to taint your board or what the purpose of your board is,” says Joshua Sitta, co-founder and CISO at the cybersecurity advisor Sittadel. “I think you’re going to have a voice driving [the board] toward risk management.”

Sitta explains that those focused on cybersecurity will push for more security. But a board’s role is oversight, governance and providing a sounding board to executive management to keep the bank safe, sound and growing. Having cyber talent at the board level could discourage growth opportunities for fear that any new initiative could pressure security efforts.

Banks should ensure they’re protected against large breaches of critical data, says Sitta, but should avoid complete protection that has them investing to prevent every breach or fraud alert, no matter how insignificant. Understanding what’s a reasonable concern is important for the board to grasp. But cybersecurity experts within the company or advising the board should simply “inform” the board, according to Sitta. With that information, the board can then assess whether the bank has the risk appetite to add a debated service or investment.

Many boards, though, might not have a full awareness of the level of attacks the bank faces. In Bank Director’s 2022 Risk Survey, conducted last year, board members and executives were asked if their bank experienced a data breach or ransomware attack in 2020-21, with 93% noting that they had not. This could indicate that board members and top executives aren’t fully aware of the threats their bank faces on a daily basis, or that they could weather a threat soon.

“They get into a false sense [of security],” says Sanders. “Everyone is going to have some kind of disclosure. Assessing the program and making changes once a year probably isn’t sufficient.”

While 71% of respondents in last year’s Risk Survey said their board was apprised of deficiencies in the bank’s cybersecurity risk program, less than half — 42% — reported that their board reviewed detailed metrics or scorecards that outlined cyber incidents, and 35% used data and relevant metrics to facilitate strategic decisions and monitor cyber risk.

The lack of awareness of a threat or breach could give the board a sense of ease. But this could hold the bank back from making the shifts needed to protect from the largest attacks. Further, a board that remains unaware of the true rates of incidents could underestimate the imperative to build or adjust a cyber response.

Another factor that boards must consider is how they have long prioritized cybersecurity.

“A lot of smaller organizations view cybersecurity as a cost center,” says Oleksak. The 2023 Risk Survey found that banks budget a median $250,000 for cybersecurity, ranging from $125,000 reported for the smallest institutions to $3 million for banks above $10 billion in assets. “It’s like insurance. You understand that it’s not a revenue generation center, [but] ignoring it can significantly affect the organization.”

Resources
Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, surveyed 212 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including interest rate risk, credit and cybersecurity. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in January 2023.

Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner, surveyed 234 independent directors and CEOs of U.S. banks below $100 billion in assets to explore governance practices, board culture, committee structure and ESG oversight. The survey was conducted in February and March 2022.

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago, June 12-14, 2023.

Why the Duty of Cybersecurity is the Next Evolution for Fiduciary Duties

Bank directors know they can be personally liable for breaches of their fiduciary duties.

Through cases like In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), Stone v. Ritter, 911 A.2d 362 (Del. 2006), and Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), Delaware courts have held boards responsible for failing to implement systems to monitor, oversee and ensure compliance with the law.

Recently, the Delaware Court of Chancery formally expanded those rules in In re McDonald’s Corporation Stockholder Derivative Litigation, Del. Ch. Ca. No. 2021-0324-JTL. The ruling established that the fiduciary duties of the officers of a Delaware corporation include a duty of oversight that is comparable to the responsibility of directors. These cases make clear that when the duty of oversight meets with the immense cybersecurity responsibilities of financial institutions, a duty of cybersecurity is added to the fiduciary responsibilities of directors and officers.

The lawsuit by 25 former McDonald’s employees alleged that corporate executives failed to address systemic harassment, leading to a hostile work environment. Because the court allowed failure-to-oversee and failure-to-monitor claims against the officers in that case, all corporate executives are now forced to take a leadership role in monitoring and addressing company-wide issues.

Given prior rulings in Delaware courts concerning the duty of oversight and officer fiduciary duties, the McDonald’s decision reiterates the importance of implementing robust compliance programs. It also clarifies that officers and directors must actively address compliance.

Cybersecurity is paramount among the myriad compliance issues that all corporate officers and directors must address. For example, in the 2019 case In re Google Inc. Shareholder Derivative Litigation, the proceedings against Google’s parent company involved claims that the company’s board of directors and officers failed to discharge their oversight duties related to the 2018 Google+ security vulnerability. That suit settled for $7.5 million and the company agreed to implement significant governance reforms to address data privacy issues. Similarly, in In re Yahoo! Inc. Shareholder Derivative Litigation, multiple cybersecurity breaches between 2013 and 2016 led to a shareholder derivative lawsuit, which settled for $29 million in 2019.

And, in the past year, multiple financial institutions, including Wells Fargo & Co., JPMorgan Chase & Co., and Bank of America Corp., faced lawsuits also seeking to hold their officers and directors personally liable for, amongst other things, failing to:

1. Protect customer data adequately.
2. Oversee the bank’s cybersecurity practices.
3. Prevent data breaches that exposed customer personal information.

In these cases, and many others, cybersecurity and data breaches have caused reputational damage for officers and directors and damaged the corporation’s relationships with customers and partners. In addition, these corporate leaders risk:

• Breach of fiduciary duty claims. If directors or officers do not take reasonable steps to protect the corporation from a data breach, they risk breaching their fiduciary duties and could be held personally liable for the damages caused by the breach.
• Accusations of negligence. Directors and officers can be accused of negligence for failing to implement appropriate security measures, train employees on cybersecurity best practices and respond to a breach in a timely and effective manner.
• Criminal prosecution. If directors and officers intentionally or recklessly cause a breach or fail to report it to the authorities, they may face criminal prosecution.
• Regulatory penalties. Government or financial regulators can impose significant fines for cybersecurity failures.

And, just as the risks for directors and officers explode, they face an insurance whipsaw. First, directors’ and officers’ (D&O) insurance policies may include specific exclusions for cyber-related claims or require separate cyber insurance to cover these risks. Next, increased personal exposure for officers and directors will increase the likelihood of facing lawsuits, increasing the premiums for D&O insurance. To protect themselves, directors and officers should insist on increased corporate governance protection, including:

• The prioritization by boards of cybersecurity and data privacy as crucial risk management areas, including putting proper reporting and monitoring systems into place.
• Requiring directors and officers to actively understand the evolving landscape of cybersecurity and data privacy risks and regulations.
• Corporate investment in appropriate cybersecurity measures and employee training to minimize the risk of data breaches as well as the associated legal and reputational risks.

To mitigate their risk of personal liability, corporate officers and directors must understand, implement and monitor the cybersecurity safeguards their financial institutions need. And, the courts have sent a clear message to bank directors and officers: To discharge your duty of cybersecurity, you must actively oversee and monitor institutional cybersecurity and data privacy programs.

2023 Risk Survey Results: Deposit Pressures Dominate

In 2023, the overarching question on bank leaders’ minds is how their organization will fare in the next crisis.

That manifested in increased concerns around interest rates, liquidity, credit and consumer risk, and other issues gauged in Bank Director’s 2023 Risk Survey, sponsored by Moss Adams LLP. The survey was fielded in January, before a run on deposits imperiled several institutions and regulators began closing banks in March, including $209 billion SVB Financial Corp.’s Silicon Valley Bank.

Well before this turmoil, bank executives and board members were feeling the pressure as the Federal Open Market Committee raised rates, leading bankers to selectively raise deposit rates and control their cost of funds. Over the past year, respondent concerns about interest rate risk (91%), credit risk (77%) and liquidity (71%) all increased markedly. Executives and directors also identify cybersecurity (84%) and compliance (70%) as areas where their concerns have increased, but managing the balance sheet has become, by and large, their first priority.

Bank leaders name deposit pricing (51%) and talent retention (50%) among the top strategic challenges their organization faces in 2023. Sixty-one percent say their bank has experienced some deposit loss, with minimal to moderate impacts on their funding base, and another 11% say that deposit outflows had a significant impact on their funding base.

Net interest margins improved for a majority (53%) of bank leaders taking part in the survey, but respondents are mixed about whether their bank’s NIM will expand or contract over 2023.

Three-quarters of bank executives and board members report that business clients remain strong in spite of inflation and economic pressures, although some are pausing growth plans. As commercial clients face increasing costs of materials and labor, talent pressures and shrinking revenues, that’s having an impact on commercial loan demand, some bankers say. And as the Federal Reserve continues to battle inflation against an uncertain macroeconomic backdrop, half of respondents say their concerns around consumer risk have increased, a significant shift from last year’s survey.

Key Findings

Deposit Pressures
Asked about what steps they might take to manage liquidity, 73% of executives and directors say they would raise interest rates offered on deposits, and 62% say they would borrow funds from a Federal Home Loan Bank. Less favored options include raising brokered deposits (30%), the use of participation loans (28%), tightening credit standards (22%) and using incentives to entice depositors (20%). Respondents say they would be comfortable maintaining a median loan-to-deposit ratio of 70% at the low end and 90% at the high end.

Strategic Challenges Vary
While the majority of respondents identify deposit pricing and/or talent retention as significant strategic challenges, 31% cite slowing credit demand, followed by liquidity management (29%), evolving regulatory and compliance requirements (28%) and CEO or senior management succession (20%).

Continued Vigilance on Cybersecurity
Eighty-seven percent of respondents say their bank has completed a cybersecurity assessment, with most banks using the tool offered by the Federal Financial Institutions Examination Council. Respondents cite detection technology, training for bank staff and internal communications as the most common areas where they have made changes after completing their assessment. Respondents report a median of $250,000 budgeted for cybersecurity-related expenses.

Stress On Fees
A little over a third (36%) of respondents say their bank has adjusted its fee structure in anticipation of regulatory pressure, while a minority (8%) did so in response to direct prodding by regulators. More than half of banks over $10 billion in assets say they adjusted their fee structure, either in response to direct regulatory pressure or anticipated regulatory pressure.

Climate Discussions Pick Up
The proportion of bank leaders who say their board discusses climate change at least annually increased over the past year to 21%, from 16% in 2022. Sixty-one percent of respondents say they do not focus on environmental, social and governance issues in a comprehensive manner, but the proportion of public banks that disclose their progress on ESG goals grew to 15%, from 10% last year.

Stress Testing Adjustments
Just over three-quarters of respondents say their bank conducts an annual stress test. In comments, offered before the Federal Reserve added a new component to its stress testing for the largest banks, many bank leaders described the ways that they’ve changed their approach to stress testing in anticipation of a downturn. One respondent described adding a liquidity stress test in response to increased deposit pricing and unrealized losses in the securities portfolio.

2023 Risk Survey: Complete Results

Bank Director’s 2023 Risk Survey, sponsored by Moss Adams LLP, finds interest rates and liquidity risk dominating bank leaders’ minds in 2023.

The survey, which explores several key risk areas, was conducted in January, before a run on deposits imperiled several institutions, including $209 billion SVB Financial Corp., which regulators closed in March. Bank executives and board members were feeling pressure on deposit costs well before that turmoil, as the Federal Open Market Committee raised the federal funds rate through 2022 and into 2023.

Over the past year, respondent concerns about interest rate risk (91%), credit risk (77%) and liquidity (71%) all increased markedly. Executives and directors also identify cybersecurity and compliance as areas where their concerns have increased, but managing the balance sheet has become, by and large, their first priority.

Bank leaders name deposit pricing as the top strategic challenge their organization faces in 2023, and a majority say their bank has experienced some deposit loss, with minimal to significant impacts on their funding base. Most respondents say their No. 1 liquidity management strategy would be to raise the rates they pay on deposits, followed by increasing their borrowings from a Federal Home Loan Bank.

While SVB operated a unique business model that featured a high level of uninsured deposits and a pronounced concentration in the tech industry, many banks are facing tension as deposits reprice faster than the loans on their books.

Net interest margins improved for a majority of bank leaders taking part in the survey, but respondents are mixed about whether their bank’s NIM will expand or contract over 2023.

RankingBanking: Fueling Successful Strategies

Bank Director’s recent RankingBanking study, sponsored by Crowe LLP, identified the best public banks in the U.S. While their strategies may vary, these banks share a few common traits that enable their success. These include a consistent strategy and a laser focus on customer experience, says Kara Baldwin, a partner and financial services audit leader at Crowe. Training and organizational efficiency also allow these bankers to retain that customer focus through challenging times. In the year ahead, banks will need to manage through myriad issues, including credit quality, net interest margin management and new regulatory concerns. 

Topics include: 

  • Cultural Consistency 
  • Organizational Efficiencies 
  • Customer Centricity  

Getting Everyone on Board the Digital Transformation Journey

Digital transformation isn’t a “one and done” scenario but a perpetual program that evolves with the ever-changing terrain of the banking industry. Competition is everywhere; to stay in the game, bank executives need to develop a strategy that is based, in large part, on what everyone else is doing.

According to a What’s Going On In Banking 2022 study by Cornerstone Advisors, credit unions got a digital transformation head start on banks: 16% launched a strategy in 2018 or earlier, versus just 9% of banks that had launched a strategy the same year. But it’s not only credit unions and traditional big banks that community financial institutions need to be watching. Disruptors like Apple and Amazon.com pose a threat as they roll out new innovations. Fintech players like PayPal Holdings’ Venmo and Chime are setting the pace for convenient customer payments. And equally menacing are mortgage lenders like Quicken’s Rocket Mortgage and AmeriSave, which approve home loans in a snap.

An essential consideration in a successful digital transformation is having key policy and decision-makers on the same page about the bank’s technology platforms. If it’s in the bank’s best interest to scrap outdated legacy systems that no longer contribute to its long-term business goals, the CEO, board of directors and top executives need to unanimously embrace this position in support of the bank’s strategy.

Digital transformation is forcing a core system decision at many institutions. Bank executives are asking: Should we double down on digital with our existing core vendor or go with a new, digital platform? Increasingly, financial institutions are choosing to go with digital platforms because they believe the core vendors can’t keep up with best-in-class innovation, user experience and integration. Many are now opting for next-generation, digital-first cores to run their digital platform, with an eye towards eventually converting their legacy bank over to these next-gen cores.

Digital transformation touches every aspect of the business, from front line workers to back-end systems, and it’s important to determine how to separate what’s vital from what’s not. Where should banks begin their digital transformation journey? With a coordinated effort and a clear path to achieving measurable short- and long-term goals.

Here are some organization-wide initiatives for banks to consider as they dive into new digital transformation initiatives or enhance their current ones.

1. Set measurable, achievable transformation goals. This can include aspirations like improving customer acquisition and retention by upgrading customer digital touchpoints like the website or mobile app.
2. Prioritize systems that can produce immediate returns. Systems that automate repetitive tasks or flag incomplete applications create cost-efficient and optimal outcomes for institutions.
3. Invest in a discipline to instill a changed mindset. A bank that upgrades a system but doesn’t alter its people’s way of thinking about everything from customer interaction to internal processes will not experience the true transformational benefit of the change.
4. Conduct a thorough evaluation of all sales and service channels. This will enable the bank to determine not only how to impact the maximum number of customers, but also impart the greatest value to them through product assessment and innovation.
5. Get employees on board with “digital” readiness. Form small training groups that build on employees’ specialized knowledge and skills, rather than adopting a one-size-fits-all model. Employees that are well-trained in systems, processes and technology are invaluable assets in your institution’s digital transformation journey.

Banks must foster their unique cultures and hard-earned reputations to remain competitive in this ever-changing financial services landscape. As they build out digital strategies, they must continue fine-tuning the problem-solving skills that will keep them relevant in the face of evolving customers, markets and opportunities. Most importantly, banks must embrace a lasting commitment to an ongoing transformation strategy, across the organization and in all their day-to-day activities. For this long-term initiative, it’s as much about the journey as it is the destination.

Digital Transformation Starts With the Customer

Digital transformation isn’t an end unto itself; the goal should ultimately be to make your customers’ financial lives easier. Without figuring out what customers need help with, a bank’s digital journey lacks strategic focus, and risks throwing good money after bad. In this video, Devin Smith, experience principal at Active Digital, walks through the key questions executives should ask when investing in digital transformation.

  • Customer Centricity
  • Creating a Cohesive Experience
  • Build versus Buy

Ways to Fight Back Against BIN Attacks, Card Fraud

Credit card fraud has steadily increased over the past five years, according to the Federal Trade Commission. Reports of credit card fraud peaked at more than 118,000 reports in the second quarter of 2022. As e-commerce continues to gain traction with consumers and retailers alike, there is a growing number of fraudsters that target customers’ credit cards using their bank identification number (BIN).

BIN attacks occur when fraudsters run the first six digits of a credit card, which are specific to each card-issuing bank, through sophisticated software to methodically produce the remaining numbers, CCVs and expiration dates. They then test to determine which cards are active. These days, fraudsters are capable of developing programs that assess hundreds of card numbers a minute, making detection harder for both fraud systems and consumers.

BIN attacks are a major headache for banks that get stuck with both the financial and operating costs resulting from fraudulent charges. But it may take some time for compromised cards to get monetized, giving banks some leeway to avert more damage.

Compromised cards harvested from BIN attacks can cause significant fraud losses for banks, in the form of accumulating chargebacks, call centers and re-issuance expenses. Adding fuel to the fire, the ensuing cardholder disruption and friction can further damage a bank’s reputation and lead to losses in debit interchange revenues.

Banks are still at risk in the wake of a BIN attack, and should continue monitoring for suspicious activity by reviewing electronic transaction trails for important data like time stamps, geolocation and IP addresses. However, these corrective and protective measures can require costly resources that many banks cannot afford. When an institution comes under attack from fraudsters, manual and purely consultative solutions are a start, but banks must do more.

Bolstering Against BIN Attacks
Luckily, there are efficient ways that banks can fight back against the fraudsters. Here are several tips on proactive monitoring strategies to stop or limit damage from BIN attacks and other card fraud.

  1. Randomize card account numbers and expiration dates.
  2. Set up card transaction limits and velocity rules.
  3. Think about placing risk controls and transaction limits in foreign countries. BIN attacks from tested transactions often originate outside the U.S. Banks should pay close attention to countries that appear in FinCEN advisories.
  4. Implement decision rules to bar transactions from fraudulent merchants to hinder card testing. Analyzing transaction data for suspicious patterns can reveal card testing. If a legitimate merchant reaches a transaction threshold, the bank can include a rule to monitor transaction velocity per hour and restrict transactions when further investigation is necessary.
  5. Automate the monitoring of BINs and transactions with a system to mitigate and act against fraudulent credit card activity. This system should automatically identify whether your bank is a victim of a BIN attack, including repeated low-value transactions, high decline rates and a high volume of CCV errors.
  6. Take advantage of automated network surveillance to pinpoint both legitimate and fraudulent merchants involved in BIN attacks. This gives banks an opportunity to obstruct additional BIN attacks if other fraudulent merchants are caught during this process.
  7. Work with your vendor to deploy fraudster-level tools and strategies to detect and prevent BIN attacks. Vendors can offer a wide variety of solutions, including fraud score, compromised card detection, merchant type, merchant category code (MCC), geography, zip codes and device ID, among others.
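
The signals named in item 5 (repeated low-value transactions, high decline rates, CCV errors), checked per BIN and merchant for each hour as item 4 suggests. This is an added example, not code from the article or any vendor; the thresholds, response labels and transaction rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds for illustration; tune against your own baseline.
LOW_VALUE = 5.00        # ceiling for a "low-value" transaction
MIN_TXNS = 5            # ignore buckets too small to judge
LOW_VALUE_SHARE = 0.8   # share of low-value transactions in the bucket
DECLINE_RATE = 0.6      # share of non-approved transactions in the bucket
CCV_ERRORS = 3          # count of CCV failures in the bucket

# Constructed sample rows: (timestamp, card number, merchant, amount, response)
SAMPLE = [
    (f"2024-01-01T02:{m:02d}:00", f"400000000000{m:04d}", "MERCHANT-A", 1.00,
     "ccv_error" if m % 2 else "declined")
    for m in range(12)
] + [
    ("2024-01-01T02:30:00", "4000000000009001", "MERCHANT-A", 1.00, "approved"),
] + [
    (f"2024-01-01T02:{m:02d}:00", f"400000000000{m:04d}", "GROCER-B", 20.0 + m,
     "declined" if m == 40 else "approved")
    for m in range(40, 46)
]

def bin_attack_alerts(txns, bin_len=6):
    """Group by (BIN, merchant, clock hour); flag buckets showing at least
    two of the three card-testing signals."""
    buckets = defaultdict(list)
    for ts, pan, merchant, amount, resp in txns:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(pan[:bin_len], merchant, hour)].append((amount, resp))
    alerts = []
    for (bin_, merchant, hour), rows in sorted(buckets.items()):
        n = len(rows)
        if n < MIN_TXNS:
            continue
        low = sum(amount <= LOW_VALUE for amount, _ in rows)
        declined = sum(resp != "approved" for _, resp in rows)
        ccv = sum(resp == "ccv_error" for _, resp in rows)
        signals = []
        if low / n >= LOW_VALUE_SHARE:
            signals.append("low_value")
        if declined / n >= DECLINE_RATE:
            signals.append("high_decline_rate")
        if ccv >= CCV_ERRORS:
            signals.append("ccv_errors")
        if len(signals) >= 2:
            alerts.append({"bin": bin_, "merchant": merchant, "hour": hour.isoformat(),
                           "txns": n, "ccv_errors": ccv, "signals": signals})
    return alerts
```

Fixed clock-hour buckets keep the example short; a sliding window avoids missing a burst that straddles the hour boundary.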

Preventative measures that can immediately interrupt BIN attacks, paired with automated monitoring and surveillance, give banks a way to stay ahead of suspicious activity and effectively identify compromised cards. Mitigation may not stop BIN attacks completely, but it can reduce the resulting financial and operating costs while reinforcing the resiliency of the bank’s fraud department against BIN attacks.

Tips for Banks to Navigate Top Risks in 2022

Banks continue to meet unprecedented challenges of the Covid-19 pandemic, geopolitical cyberthreats and increasing public awareness of environment, social and governance (ESG) issues.

With the current landscape posing ever-evolving risks for banks, Moss Adams collaborated with Bank Director to conduct the 2022 Risk Survey and explore what areas are front of mind for bank industry leaders. Top insights from Bank Director’s 2022 Risk Survey include that the vast majority of survey respondents reported that cybersecurity and interest rate risks pose increasing concerns, and they expect these challenges to persist in the second half of the year, due to turbulent economic and geopolitical conditions. The survey also identified that banks increasingly focus on issues related to compliance and regulatory risks.

Cybersecurity Oversight
Concerns about cybersecurity topped the survey responses: 93% of respondents stated that a need for increased cybersecurity grew significantly or somewhat. Bank executives and board members submitted survey responses in January, prior to heightened federal government warnings of increased Russian cyberattacks. Banks’ concerns will likely continue to increase as a result.

Data Breach Rates and Precautions
While only 5% of respondents reported experiencing a data breach or ransomware attack at their own institution in the years 2020 and 2021, 65% reported data breaches at their bank’s vendors. In response, 60% stated they updated their institution’s third-party vendor management policies, processes, or risk oversight.

As a critical U.S. industry, banks follow stringent regulatory requirements for data security. The Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment tool provides a maturity model for banks to assess their cybersecurity maturity as baseline, evolving, intermediate, advanced or innovative. Ninety percent of respondents completed a cybersecurity assessment over the past 12 months; 61% used the FFIEC’s tool in combination with other methodologies, and another 19% only used the FFIEC’s tool. And 83% of respondents said that the maturity of their bank’s cybersecurity program increased in 2021, compared to previous assessments.

Room for Improvement
Banks noted several areas of improvement for their cybersecurity programs, including training for bank staff (83%), technology to better detect and deter cyberthreats and intrusions (64%) and internal controls (43%). Thirty-nine percent believe they need to better attract and retain quality cybersecurity personnel. Banks’ investments in cybersecurity programs remained flat compared to the 2021 survey, with a median budget of $200,000.

As cybersecurity risks increase, banks should focus on researching and making appropriate investments, as well as implementing comprehensive planning for staff training, technology and governance. At the board level, respondents noted several activities as part of that body’s oversight of the cybersecurity risk management program. Key among these is board-level training (79%), ensuring continual improvements by management of their cybersecurity programs (75%) and being aware of any deficiencies in the bank’s cybersecurity program (71%).

Interest Rate Risk Concerns
The prospect of rising interest rates fueled anxiety for our respondents: 71% noted increased concern. As the Federal Open Market Committee combats higher inflation by hiking interest rates, 74% reported hoping that they wouldn’t raise rates by more than one percentage point by the end of 2022 — which is currently below what’s projected.

Faced with likely rate hikes, banks are looking to their own business models to navigate a potential decrease in overall lending volume and potential pressure on profit margins. Respondents also noted that they were increasing their focus in sectors such as commercial and industrial, commercial real estate and construction, or with the Small Business Administration or obtaining other small business loans.

ESG Initiatives
Banks are under increasing pressure to adopt ESG initiatives. More than half of respondents don’t yet focus on ESG issues in a comprehensive manner, and regulators have yet to impose ESG requirements for banks. However, more than half of survey respondents say they have set goals and objectives in a variety of ESG-related areas, primarily in the social and governance verticals — employee development and community needs in particular topped the list.

Only 6% said that investors or other company stakeholders currently look for more disclosure around ESG initiatives, with diversity, equity and inclusion topping the list at 88%. Banks that haven’t established ESG strategies could first identify their top priority areas. These priorities may vary for each organization and will need to consider the values of investors, customers and the local community.

Digitizing Documentation: The Missed Opportunity in Banking

To keep up in an increasingly competitive world, banks have embraced the need for digital transformation, upgrading their technology stacks to automate processes and harness data to help them grow and find operational efficiencies.

However, while today’s community and regional banks are increasingly making the move to digital, their documentation and contracting are still often overlooked in this transformation – and left behind. This “forgotten transformation” means their documentation remains analog, which means their processes also remain analog, increasing costs, time, data errors and risk.

What’s more, documentation is the key that drives the back-office operations for all banks. Everything from relationship management to maintenance updates and new business proposals relies on documents. This is especially true for onboarding new clients.

The Challenges of Onboarding
Onboarding has been a major focus of digital transformation efforts for many banks. While account opening has become more accessible, it also arguably requires more customer effort than ever. These pain points are often tied back to documentation: requesting multiple forms of ID or the plethora of financial details needed for background verification and compliance. This creates friction at the first, and most important, interaction with a new customer.

While evolving regulatory concerns in areas such as Know-Your-Customer rules as well as Bank Secrecy Act and anti-money laundering compliance have helped lower banks’ risks, it often comes at the expense of the customer experience. Slow and burdensome processes can frustrate customers who are accustomed to smoother experiences in other aspects of their digital lives.

The truth is that a customer’s perception of the effort required to work with a bank is a big predictor of loyalty. Ensuring customers have a quick, seamless onboarding experience is critical to building a strong relationship from the start, and better documentation plays a key role in better onboarding.

An additional challenge for many banks is that employees see onboarding and its associated documentation as a time-consuming and complicated process from an operations perspective. It can take days or even weeks to onboard a new retail customer, and for business accounts it can be much worse; a Deloitte report suggests it can take some banks up to 16 weeks to onboard a new commercial customer. Most often, the main problems in onboarding stem from backend documentation processes that are manual, still largely comprised of emails, Word documents and repositories that sit in unrelated silos across an organization, collecting numerous, often redundant, pieces of data.

While all data can be important, better onboarding requires more collaboration and transparency between banks and their customers. This means banks should be more thoughtful in their approach to onboarding, ensuring they are using data from their core to the fullest to reduce redundant and manual processes and to make the overall process more streamlined. The goal is to maximize the speed for the customer while minimizing the risk for the bank.

Better Banking Through Better Documentation
Many banks do not see documentation as a data issue. However, by taking a data-driven approach, one that uses data from the core and feeds back into it, banks transform documents into data and, in turn, into an opportunity. Onboarding documents become a key component of the bank’s overall, end-to-end digital chain. This can have major impacts for banks’ operational efficiencies as well as bottom lines. In addition to faster onboarding to help build stronger customer relationships, a better documentation process means better structured data, which can offer significant competitive advantages in a crowded market.

When it comes to documentation capabilities, flexibility is key. This can be especially true for commercial customers. An adaptable solution can feel less “off the shelf” and provide the flexibility to meet individual client needs, while giving a great customer experience and maintaining regulatory guidelines. This can also provide community bankers with the ability to focus on what they do best, building relationships and providing value to their customers, rather than manually gathering and building documents.

While digitizing the documents is critical, it is in many ways the first step to a better overall process. Banks must also be able to effectively leverage this digitized data, getting it to the core, and having it work with other data sources.

Digital transformation has become an imperative for most community banks, but documentation continues to be overlooked entirely in these projects. Even discounting the operational impacts, documents ultimately represent the two most important “Rs” for banks – relationships and revenue, which are inextricably tied. By changing how they approach and treat client documentation, banks can be much more effective in not only the customer onboarding process, but also in responding to those customer needs moving forward, strengthening those relationships and driving revenue now and in the future.