Digital transformation isn’t an end unto itself; the goal should ultimately be to make your customers’ financial lives easier. Without figuring out what customers need help with, a bank’s digital journey lacks strategic focus, and risks throwing good money after bad. In this video, Devin Smith, experience principal at Active Digital, walks through the key questions executives should ask when investing in digital transformation.
Credit card fraud has steadily increased over the past five years, according to the Federal Trade Commission. Reports of credit card fraud peaked at more than 118,000 reports in the second quarter of 2022. As e-commerce continues to gain traction with consumers and retailers alike, there is a growing number of fraudsters that target customers’ credit cards using their bank identification number (BIN).
BIN attacks occur when fraudsters run the first six digits of a credit card, which are specific to each card-issuing bank, through sophisticated software to methodically produce the remaining numbers, CVVs and expiration dates. They then test to determine which cards are active. These days, fraudsters are capable of developing programs that assess hundreds of card numbers a minute, making detection harder for both fraud systems and consumers.
BIN attacks are a major headache for banks that get stuck with both the financial and operating costs resulting from fraudulent charges. But it may take some time for compromised cards to get monetized, giving banks some leeway to avert more damage.
Compromised cards harvested from BIN attacks can cause significant fraud losses for banks, in the form of accumulating chargebacks, call center and re-issuance expenses. Adding fuel to the fire, the ensuing cardholder disruption and friction can further damage a bank’s reputation and lead to losses in debit interchange revenues.
Banks are still at risk in the wake of a BIN attack, and should continue monitoring for suspicious activity by reviewing electronic transaction trails for important data like time stamps, geolocation and IP addresses. However, these corrective and protective measures can require costly resources that many banks cannot afford. When an institution comes under attack from fraudsters, manual and purely consultative solutions are a start, but more is needed.
Bolstering Against BIN Attacks
Luckily, there are efficient ways that banks can fight back against the fraudsters. Here are several tips on proactive monitoring strategies to stop or limit damage from BIN attacks and other card fraud.
Randomize card account numbers and expiration dates.
Set up card transaction limits and velocity rules.
Think about placing risk controls and transaction limits on foreign countries. The card-testing transactions in BIN attacks often originate outside the U.S. Banks should pay close attention to countries that appear in FinCEN advisories.
Implement decision rules to bar transactions from fraudulent merchants to hinder card testing. Analyzing transaction data for suspicious patterns can reveal card testing. If a legitimate merchant reaches a transaction threshold, the bank can add a rule that monitors transaction velocity per hour and restricts transactions when further investigation is necessary.
Automate the monitoring of BINs and transactions with a system that detects and acts against fraudulent credit card activity. This system should automatically flag the indicators of a BIN attack against your bank, including repeated low-value transactions, high decline rates and a high volume of CVV errors.
Take advantage of automated network surveillance to pinpoint both legitimate and fraudulent merchants involved in BIN attacks. This gives banks an opportunity to obstruct additional BIN attacks if other fraudulent merchants are caught during this process.
Work with your vendor to deploy fraudster-level tools and strategies to detect and prevent BIN attacks. Vendors can offer a wide variety of solutions, including fraud scores, compromised card detection, merchant type, merchant category code (MCC), geography, zip codes and device ID, among others.
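As an added example (not code from the article, Bank Director or any vendor product), the monitoring rules above condensed into a scan over one hour of card-authorization attempts: per BIN and merchant it measures decline rate, CVV-error volume, the share of low-value transactions, hourly velocity and non-domestic origin. The record layout, thresholds, sample data and the "XX" country code are constructed assumptions, not a real processor format.

```python
"""Hourly BIN-attack indicator scan over card-authorization attempts."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    """One authorization attempt (assumed layout, constructed for this example)."""
    ts: datetime
    bin: str          # first six digits only; the full PAN is never kept here
    last4: str
    merchant_id: str
    country: str
    amount: float
    result: str       # "approved", "declined", "cvv_mismatch", "expired_card"


# Illustrative thresholds; a real deployment tunes these per portfolio.
THRESHOLDS = {
    "min_attempts": 20,        # ignore buckets too small to judge
    "decline_rate": 0.50,
    "cvv_error_rate": 0.30,
    "low_value_limit": 5.00,   # "repeated low-value transactions"
    "low_value_share": 0.80,
    "velocity_per_hour": 30,   # per-merchant hourly velocity rule
    "home_countries": {"US"},  # anything else counts as foreign origin
}


@dataclass
class Bucket:
    attempts: int = 0
    declines: int = 0
    cvv_errors: int = 0
    low_value: int = 0
    cards: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def hour_key(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def aggregate(auths, t=THRESHOLDS):
    """Group attempts into (bin, merchant, hour) buckets and count indicators."""
    buckets = defaultdict(Bucket)
    for a in auths:
        b = buckets[(a.bin, a.merchant_id, hour_key(a.ts))]
        b.attempts += 1
        if a.result != "approved":
            b.declines += 1
        if a.result == "cvv_mismatch":
            b.cvv_errors += 1
        if a.amount <= t["low_value_limit"]:
            b.low_value += 1
        b.cards.add(a.last4)
        b.countries.add(a.country)
    return buckets


def indicators(b, t=THRESHOLDS):
    """Return the names of every BIN-attack indicator a bucket trips."""
    n = b.attempts
    hits = []
    if b.declines / n >= t["decline_rate"]:
        hits.append("high_decline_rate")
    if b.cvv_errors / n >= t["cvv_error_rate"]:
        hits.append("cvv_error_volume")
    if b.low_value / n >= t["low_value_share"]:
        hits.append("repeated_low_value")
    if n > t["velocity_per_hour"]:
        hits.append("velocity_exceeded")
    if b.countries - t["home_countries"]:
        hits.append("non_domestic_origin")
    return hits


def scan(auths, t=THRESHOLDS):
    """Produce one alert per (bin, merchant, hour) bucket that trips any indicator."""
    alerts = []
    for (bin_, merchant, hour), b in sorted(aggregate(auths, t).items()):
        if b.attempts < t["min_attempts"]:
            continue
        hits = indicators(b, t)
        if hits:
            alerts.append({"bin": bin_, "merchant": merchant, "hour": hour.isoformat(),
                           "attempts": b.attempts, "distinct_cards": len(b.cards),
                           "indicators": hits})
    return alerts


def build_sample():
    """Constructed traffic: a card-testing burst plus ordinary purchases on the same BIN."""
    base = datetime(2022, 6, 1, 14, 0)
    auths = []
    # 40 probes in 30 minutes: a new card number each time, tiny amounts,
    # 4 approvals, 24 CVV mismatches, 12 other declines, foreign origin.
    for i in range(40):
        result = "approved" if i % 10 == 0 else ("cvv_mismatch" if i % 3 else "declined")
        auths.append(Auth(base + timedelta(seconds=45 * i), "412345", str(1000 + i),
                          "M-TEST-9", "XX", 0.99, result))
    # 8 normal approved purchases at a grocer: below min_attempts, never alerted.
    for i in range(8):
        auths.append(Auth(base + timedelta(minutes=5 * i), "412345", "5555",
                          "M-GROCERY", "US", 42.50 + i, "approved"))
    return auths


if __name__ == "__main__":
    for alert in scan(build_sample()):
        print(alert)
```

The merchant named in an alert is a candidate for the per-merchant velocity restriction described above, while the distinct card count shows how many accounts need review.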
Preventative measures that can immediately interrupt BIN attacks, paired with automated monitoring and surveillance, give banks a way to stay ahead of suspicious activity and effectively identify compromised cards. Mitigation may not stop BIN attacks completely, but it can reduce the resulting financial and operating costs while reinforcing the resiliency of the bank’s fraud department against BIN attacks.
Banks continue to meet unprecedented challenges of the Covid-19 pandemic, geopolitical cyberthreats and increasing public awareness of environmental, social and governance (ESG) issues.
With the current landscape posing ever-evolving risks for banks, Moss Adams collaborated with Bank Director to conduct the 2022 Risk Survey and explore what areas are front of mind for bank industry leaders. Top insights from Bank Director’s 2022 Risk Survey include that the vast majority of survey respondents reported that cybersecurity and interest rate risks pose increasing concerns, and they expect these challenges to persist in the second half of the year, due to turbulent economic and geopolitical conditions. The survey also identified that banks increasingly focus on issues related to compliance and regulatory risks.
Cybersecurity Oversight
Concerns about cybersecurity topped the survey responses: 93% of respondents stated that a need for increased cybersecurity grew significantly or somewhat. Bank executives and board members submitted survey responses in January, prior to heightened federal government warnings of increased Russian cyberattacks. Banks’ concerns will likely continue to increase as a result.
Data Breach Rates and Precautions
While only 5% of respondents reported experiencing a data breach or ransomware attack at their own institution in the years 2020 and 2021, 65% reported data breaches at their bank’s vendors. In response, 60% stated they updated their institution’s third-party vendor management policies, processes, or risk oversight.
As a critical U.S. industry, banks follow stringent regulatory requirements for data security. The Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment tool provides a maturity model for banks to assess their cybersecurity maturity as baseline, evolving, intermediate, advanced or innovative. Ninety percent of respondents completed a cybersecurity assessment over the past 12 months; 61% used the FFIEC’s tool in combination with other methodologies, and another 19% only used the FFIEC’s tool. And 83% of respondents said that the maturity of their bank’s cybersecurity program increased in 2021, compared to previous assessments.
Room for Improvement
Banks noted several areas of improvement for their cybersecurity programs, including training for bank staff (83%), technology to better detect and deter cyberthreats and intrusions (64%) and internal controls (43%). Thirty-nine percent believe they need to better attract and retain quality cybersecurity personnel. Banks’ investments in cybersecurity programs remained flat compared to the 2021 survey, with a median budget of $200,000.
As cybersecurity risks increase, banks should focus on researching and making appropriate investments, as well as implementing comprehensive planning for staff training, technology and governance. At the board level, respondents noted several activities as part of that body’s oversight of the cybersecurity risk management program. Key among these is board-level training (79%), ensuring continual improvements by management of their cybersecurity programs (75%) and being aware of any deficiencies in the bank’s cybersecurity program (71%).
Interest Rate Risk Concerns
The prospect of rising interest rates fueled anxiety for our respondents: 71% noted increased concern. As the Federal Open Market Committee combats higher inflation by hiking interest rates, 74% reported hoping that they wouldn’t raise rates by more than one percentage point by the end of 2022 — which is currently below what’s projected.
Faced with likely rate hikes, banks are looking to their own business models to navigate a potential decrease in overall lending volume and potential pressure on profit margins. Respondents also noted that they were increasing their focus on sectors such as commercial and industrial, commercial real estate and construction, or on Small Business Administration and other small business loans.
ESG Initiatives
Banks are under increasing pressure to adopt ESG initiatives. More than half of respondents don’t yet focus on ESG issues in a comprehensive manner, and regulators have yet to impose ESG requirements for banks. However, more than half of survey respondents say they have set goals and objectives in a variety of ESG-related areas, primarily in the social and governance verticals — employee development and community needs in particular topped the list.
Only 6% said that investors or other company stakeholders currently look for more disclosure around ESG initiatives, with diversity, equity and inclusion topping the list at 88%. Banks that haven’t established ESG strategies could first identify their top priority areas. These priorities may vary for each organization and will need to consider the values of investors, customers and local community.
To keep up in an increasingly competitive world, banks have embraced the need for digital transformation, upgrading their technology stacks to automate processes and harness data to help them grow and find operational efficiencies.
However, while today’s community and regional banks are increasingly making the move to digital, their documentation and contracting are still often overlooked in this transformation – and left behind. This “forgotten transformation” means their documentation remains analog, which means their processes also remain analog, increasing costs, time, data errors and risk.
What’s more, documentation is the key that drives the back-office operations for all banks. Everything from relationship management to maintenance updates and new business proposals rely on documents. This is especially true for onboarding new clients.
The Challenges of Onboarding
Onboarding has been a major focus of digital transformation efforts for many banks. While account opening has become more accessible, it also arguably requires more customer effort than ever. These pain points are often tied back to documentation: requesting multiple forms of ID or the plethora of financial details needed for background verification and compliance. This creates friction at the first, and most important, interaction with a new customer.
While evolving regulatory concerns in areas such as Know-Your-Customer rules as well as Bank Secrecy Act and anti-money laundering compliance have helped lower banks’ risks, it often comes at the expense of the customer experience. Slow and burdensome processes can frustrate customers who are accustomed to smoother experiences in other aspects of their digital lives.
The truth is that a customer’s perception of the effort required to work with a bank is a big predictor of loyalty. Ensuring customers have a quick, seamless onboarding experience is critical to building a strong relationship from the start, and better documentation plays a key role in better onboarding.
An additional challenge for many banks is that employees see onboarding and its associated documentation as a time-consuming and complicated process from an operations perspective. It can take days or even weeks to onboard a new retail customer, and for business accounts it can be much worse; a Deloitte report suggests it can take some banks up to 16 weeks to onboard a new commercial customer. Most often, the main problems in onboarding stem from backend documentation processes that are still manual, largely composed of emails, Word documents and repositories that sit in unrelated silos across an organization, collecting numerous, often redundant, pieces of data.
While all data can be important, better onboarding requires more collaboration and transparency between banks and their customers. This means banks should be more thoughtful in their approach to onboarding, ensuring they are using data from their core to the fullest to reduce redundant and manual processes and to make the overall process more streamlined. The goal is to maximize the speed for the customer while minimizing the risk for the bank.
Better Banking Through Better Documentation
Many banks do not see documentation as a data issue. However, by taking a data-driven approach, one that uses data from the core and feeds back into it, banks transform documents into data and, in turn, into an opportunity. Onboarding documents become a key component of the bank’s overall, end-to-end digital chain. This can have major impacts for banks’ operational efficiencies as well as bottom lines. In addition to faster onboarding to help build stronger customer relationships, a better documentation process means better structured data, which can offer significant competitive advantages in a crowded market.
When it comes to documentation capabilities, flexibility is key. This can be especially true for commercial customers. An adaptable solution can feel less “off the shelf” and provide the flexibility to meet individual client needs, while giving a great customer experience and maintaining regulatory guidelines. This can also provide community bankers with the ability to focus on what they do best, building relationships and providing value to their customers, rather than manually gathering and building documents.
While digitizing the documents is critical, it is in many ways the first step to a better overall process. Banks must also be able to effectively leverage this digitized data, getting it to the core, and having it work with other data sources.
Digital transformation has become an imperative for most community banks, but documentation continues to be overlooked entirely in these projects. Even discounting the operational impacts, documents ultimately represent the two most important “Rs” for banks – relationships and revenue, which are inextricably tied. By changing how they approach and treat client documentation, banks can be much more effective in not only the customer onboarding process, but also in responding to those customer needs moving forward, strengthening those relationships and driving revenue now and in the future.
Fintech collaborations are an increasingly critical component of a bank’s strategy.
So much so that Bank Director launched FinXTech, committed to bridging the gap between financial institutions and financial technology companies. Identifying and establishing the right partner enables banks to remain competitive among peers and non-bank competitors by allowing them to access modern and scalable solutions. With over 10,000 fintechs operating in the U.S. alone, finding and vetting the right solution can seem like an arduous task for banks.
The most successful partnerships are prioritized at the board and executive level. Ideally, each partnership has an owner — one that is senior enough to make decisions that dictate the direction of the partnership. With prioritization and owners in place, banks can consider fintech companies at all stages of maturity as potential partners. While early-stage companies inherently carry more risk, the trade-off often comes in the form of enhanced customization or pricing discounts. These earlier-stage partnerships may require the bank to be more involved during the implementation, compliance or regulatory processes, compared to working with a more-mature company.
There is no one-size-fits-all approach, and it’s important for banks to evaluate potential partners based on their own strategic plan and risk tolerance. When conducting diligence on fintechs of any stage or category, banks should place emphasis on the following aspects of a potential partner:
1. Analyze Business Health. This starts with understanding the fintech’s ability to scale while remaining in viable financial conditions. Banks should evaluate financial statements, internal key performance indicator reports, and information on sources of funding, including major investors.
Banks should also research the company’s competitive environment, strength of its client base and potential expansion plans. This information can help determine the fintech’s capability to sustain operations and satisfy any financial commitments, allowing for a long-term, prosperous partnership. This analysis is even more important in the current economic environment, where fresh capital may be harder to come by.
2. Determine Legal and Compliance. Banks need to assess a fintech’s compliance policies to determine if their partner will be able to comply with the bank’s own legal and regulatory standards. Executives should include quarterly and annual reports, litigation or enforcement action records, and other relevant public materials, such as patents or licenses, in this evaluation.
Banks may also want to consider reviewing the fintech’s relationship with other financial institutions, as well as the firm’s risk management controls and regulatory compliance processes in areas relevant to the operations. This can give bank executives greater insight into the fintech’s familiarity with the regulatory environment and ability to comply with important laws and regulations.
3. Evaluate Data Security. Banks must understand a fintech’s information and security framework and procedures, including how the company plans to leverage customer or other potentially sensitive, proprietary information.
Executives should review the fintech’s policies and procedures, information security control assessments, incident management and response policies, and information security and privacy awareness training materials. In addition, external reports, such as SOC 2 audits, can be key documents to aid in the assessment. This due diligence can help banks understand the fintech’s approach to data security, while upholding the regulator’s expectations.
4. Ask for References. When considering a potential fintech partnership, executives should consult with multiple references. References can provide the bank with insight into the company’s history, conflict resolution, strengths and weaknesses, renewal plans and more, allowing for a deeper understanding of the fintech’s past and current relationships. If possible, choose the reference you speak with, rather than allowing the fintech to choose.
5. Ensure Cultural Alignment. The fintech’s culture plays an important role in a partnership, which is why on-site visits to see the operations and team in action can help executives with their assessment. Have conversations with the founders about their goals and speak with other members of the team to get a better idea of who you will be working with. Partners should be confident in the people and technology — both will create a mutually successful and meaningful relationship.
Despite the best intentions, not all partnerships are successful. Common mistakes include lack of ownership and strategy, project fatigue, risk aversion and unreasonable expectations. Too often, banks are looking for a silver bullet, but meaningful outcomes take time. Setting expectations and continuing to re-evaluate the success and performance of these partnerships frequently will ensure that both parties are achieving optimal results.
Once banks establish partnerships, they must also nurture the relationship. Again, this is best accomplished by having a dedicated partner owner who is responsible for meeting objectives. As someone who analyzes hundreds of fintechs to determine quality, viability and partner value, I am encouraged by the vast number of technology solutions available to financial institutions today. Keeping a focused, analytical approach to partnering with fintechs will put your bank well on its way to implementing innovative new technology for all stakeholders.
Cybersecurity continues to be the top risk identified in Bank Director’s 2022 Risk Survey, sponsored by Moss Adams. But other risk areas have also grown increasingly prominent for the bank executives and board members responding to the survey, particularly interest rate risk. In this video, Moss Adams Partner Craig Sanders shares areas where banks can strengthen their weaknesses on cybersecurity. He also addresses the impact of fintechs on bank strategies and the rising prominence of environmental, social and governance (ESG) matters.
Topics addressed include:
Proactive Vendor Risk Management
Strategic Risks to Consider
Rising Interest Rates
Focusing on ESG
The 2022 Risk Survey explores several important risk areas, including credit risk, cybersecurity and emerging issues such as ESG. The survey results are also explored in the 2nd quarter 2022 issue of Bank Director magazine.
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, finds most bank executives and board members (65%) report that at least one vendor experienced a data breach or ransomware attack in 2020-21. While most weren’t directly affected by these incidents, 60% of respondents whose vendor experienced an attack took the opportunity to update third-party management policies, processes and/or risk oversight in response.
Cyberattacks on U.S. financial institutions are rarely impactful, according to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) “Navigating Cyber 2022” report. However, the cyber-focused industry consortium added that “several high-profile third-party incidents have impacted the security and availability of products and services used by many financial firms.” Banks have responded by devoting resources to assessing exposure, patching and mitigating, as well as increasing compliance mandates for third-party operational resilience.
Regulators are taking note of the threat. An interagency rule approved by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. in November 2021 mandates that banks must notify their primary regulator of a cyber incident within 36 hours; this rule went into effect on April 1, 2022. Service providers must notify affected bank clients “as soon as possible” when they determine that a cyber incident has or will cause a “material service disruption or degradation” for four hours or more. From there, banks must assess whether the incident will have a material impact on the organization and its customers, and whether that will trigger a notification by the bank to its regulator.
In March 2022, the Securities and Exchange Commission proposed new rules around cybersecurity disclosure that would include how companies select and monitor third-party providers. And guidance is still pending from the primary financial regulators around risks related to third-party relationships. That guidance would include an assessment of the vendor’s information security program, including if the vendor has “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.”
Bank boards and leadership teams will need to be proactive — rather than reactive — as regulators get even more serious about this issue. “Know where you stand and what [vendors are] doing to address any of your concerns, and that starts with having a defined criteria of what you require,” says Cody Harrell, managing director at Strategic Resource Management (SRM), a Memphis, Tennessee-based consulting firm.
Broadly, bank executives and boards need to understand the risks inherent with all of the bank’s vendors, including existing ones, says Harrell. “Who are the most critical vendors to our business? Who are the ones that house sensitive data? Where’s our biggest risk? And not only from a liability standpoint, but from an operational standpoint.” If a vendor falls victim to a cyberattack, will the bank still be able to serve customers? “You need to have a vendor due diligence checklist for each vendor, regardless of whether there’s a problem or not,” he adds. “[Make] sure that everyone that’s within the ecosystem is in compliance with your requirements.”
All vendors also need to comply with regulatory guidelines. The November 2021 notification rule specifies that service providers must comply even if the contract states otherwise. But bank boards are ultimately responsible for ensuring compliance. “If the bank doesn’t have a program of regularly conducting annual vendor diligence and sending renewed questionnaires and identifying gaps, then you’re not conducting ongoing diligence,” says Steve Cosentino, a partner at the law firm Stinson LLP who regularly negotiates agreements between banks and their service providers.
Here are four considerations for bank boards seeking to enhance their third-party oversight.
Understand how vendors will respond to a cyber incident. This should be uncovered during due diligence.
When a breach occurs, “how much you did in the vendor diligence area [will impact] how quickly you’re able to respond to an incident,” says Cosentino. “If you have a quality vendor diligence program [with] extensive diligence and ongoing monitoring, those will all be helpful facts if you’re subject to a potential litigation claim or class action, which has been more and more common.”
In line with the regulatory rule around security notifications, banks need to know when they’ll be notified of an incident, and whether the vendor or the bank will communicate with affected customers. And even if individuals weren’t affected, that doesn’t absolve the vendor from notifying the bank, says Cosentino. “It’s evidence of a flaw in [the vendor’s] systems and security processes that next time could potentially affect the bank, and the bank needs to be apprised of what they’re doing to remedy that.” He adds that these obligations could differ in a security breach, where confidential data may have been accessed, versus a security incident, which may not involve the theft of personal information.
Banks should also know if the service provider will engage an outside cyber forensics firm to investigate a breach, and whether that company is on retainer and can respond quickly. “Taking a day or two out to review different forensic investigators and getting a contract in place and all that, that’s time that’s lost,” says Cosentino. Regulators will ask, “Why did it take so long between the time that the breach occurred and [when] the notices went out?”
The bank should also know what the vendor won’t do. “What are the things that my critical vendor, my third-party provider, is requiring me to take care of, that they’re not?” says Moss Adams Partner Craig Sanders. That could include password resets, network design or educating administrators.
Don’t overlook fourth parties. Vendors have their own vendors, from smaller fintechs that may provide ancillary services to big cloud platforms like Amazon Web Services or Microsoft Corp.’s Azure, and those can pose their own risks. Effective diligence on fourth parties can be difficult, says Cosentino, but banks can take a few steps. Questionnaires sent to third-party vendors should address their own due diligence with subcontractors, and banks should access SOC (System and Organization Controls) reports on those fourth parties. In addition, “Put in your agreement some language that says that the service provider may use subcontractors, [but] they always have to be responsible for [their vendors’] actions and omissions,” he says. “But they can only do so after completion of a third-party risk management vendor diligence review consistent with the FFIEC IT examination handbook and interagency guidance on third-party relationships.”
Don’t silo due diligence. The due diligence exercise shouldn’t be limited to the bank’s technology team.
“The IT group doesn’t always have an understanding of all of the software and systems that process personal information or nonpublic personal information. And that slips through the cracks a lot,” says Cosentino. He recommends a data mapping exercise that includes multiple areas so the bank knows where all of its information is housed. “Conduct that review with your IT group, obviously, but also with the marketing team, your sales team, your operations team, your legal team, because you will find when you do that, there are a number of engagements with third-party service providers where nonpublic personal information is involved, and they’re not picked up in the vendor diligence process,” says Cosentino. Involving multiple teams in the bank will ensure everyone’s on the same page before a breach occurs. “If you do have a data security incident, you have to know where all that information is stored, and how to address, analyze and review [where the] personal information is and what actions you need to take with respect to notifications and remediations and all that,” he says.
While multiple teams within the bank should be included along the way, centralizing vendor management — ensuring an individual has responsibility or using a vendor management platform, or both — can help banks stay on track. “A lot of the financial institutions that we see, various departments control a contract or a decision or a vendor evaluation, and they’re not necessarily speaking to the other departments and having a defined criteria that everyone should comply with,” says Harrell. Vendor diligence requires a lot of documentation, and that needs to be tracked. “Make this a systematic approach.”
Set the tone at the top. In a 2019 letter, the FDIC reminded financial institutions that “boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.”
Unfortunately, boards often lack the skill sets to understand cybersecurity, says Sanders. “They’ve got to have that knowledge and expertise at the governance level to really understand what should be going on.” He recommends that boards hear from the bank’s chief information security officer at least quarterly and should seek the best technology providers that meet the bank’s strategic needs — not selecting a solution because it’s the cheapest option. The bank may find it gets what it pays for.
“Be honest with yourself about where the risk is and what the involvement from the institution is that should take place at the governance level,” says Sanders. “From the top down, give the support to management and compliance to go out and do what they need to do.”
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. Bank Services members have exclusive access to the complete results of the survey, which was conducted in January 2022.
For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.
These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.
1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.
Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”
2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.
Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.
Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant given the prospect of rising interest rates.
3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused in this area as risks increase; the instances of public attacks across all industries reflect a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is Russian state-sponsored cyber threats. As banks gather and maintain more and more data, it’s paramount to have experienced talent and protocols for protection of customer data.
Bank management teams should be able to show evidence of their institution’s capability to respond to or recover from destructive cyberattacks, which are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk, and should incorporate any processes or controls that may have changed as a result of a new strategic or operational plan.
4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, the Community Reinvestment Act and the overall prioritization of compliance management is not shifting.
Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.
5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team members and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board and provide a strong foundation for strategic planning.
We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.
The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.
Cybersecurity has lately become a top concern for bank boards and their senior management teams in the face of an unrelenting wave of ransomware attacks. Now you can add heightened geopolitical tension resulting from Russia’s invasion of Ukraine to the worry list.
“Clearly we have a geopolitical situation going on which, given the threat actor, does raise cybersecurity concerns,” says Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency. “And financial institutions, as well as government agencies themselves, are very focused on this heightened alert and are making sure that cyber defenses are up.”
And if they’re not, they certainly should be.
In an interview, Greenfield says that threat actors are known to have used cyber attacks as an effective tool against their opponents in the past for political purposes. The concern is that at some point during the conflict in Ukraine, threat actors could potentially target cyber attacks against this country’s critical infrastructure – including its banking system.
“The financial system is a critical infrastructure, which means that it is something that is very important for not just individual institutions,” says Greenfield. “The banking system supports the U.S. economy and the U.S. people. And it’s important to maintain the integrity and resilience of that system. Banks need to make sure they lock down key controls and make sure they are monitoring for any threat indicators.”
The OCC regulates banks with a national charter, but Greenfield’s comments are just as relevant to state-chartered banks regulated by states, the Federal Deposit Insurance Corp., or the Federal Reserve.
In the alert, CISA made the following recommendations for all U.S. companies, including banks.
1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
3. Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
CISA has also set up a website – Shields Up – focused on providing threat information, tools and resources to help all organizations safeguard and respond to geopolitical threats in cyber space. “We have pushed that information out to financial institutions because these are the experts,” says Greenfield.
Separate and apart from the current geopolitical situation, Greenfield says the OCC is also seeing an increase in ransomware attacks. “Just from personal observation, we’re seeing more use of ransomware and using [it] to solicit illicit funds from banks,” says Greenfield. “We’re seeing it and I think one of the reasons why is because it works.”
Greenfield says it’s up to banks whether they should pay a ransom if their critical data has been locked up following an attack. “That’s an institution’s decision,” he says. “Executive management and the board need to make that decision. The one thing I’ll tell you is, understand [that] you’re dealing with criminals. You’re not dealing with honest people. It’s not something that we would encourage, but there’s no regulation against it.”
Any bank that does decide to pay a ransom needs to make sure it doesn’t violate any restrictions that have been imposed by the Office of Foreign Assets Control (OFAC), an agency under the U.S. Treasury Department. “When paying ransoms, be aware of any OFAC requirements and any sanctions on those who might be getting paid,” he says. “You can contact OFAC to request a waiver, but that’s something that will be very important to ensure an institution does not violate any sanctions requirements.”
In the face of continued ransomware attacks, Greenfield says that banks should focus on fundamental elements of cyber security. “We have been very clear on our messaging to banks about the importance of cybersecurity and just fundamental cyber hygiene, because when events do occur and then we explore the root cause, it tends not to be a zero-day exploit, but a basic control oversight,” he says. A “zero-day exploit” is an attack that takes advantage of a previously unknown vulnerability in a software program.
At the top of Greenfield’s list of poor cyber hygiene habits that leave banks vulnerable to ransomware attacks are weak authentication controls, including the failure to use multi-factor authentication. And even when a multi-factor protocol is in place, banks sometimes grant exceptions that end up getting targeted by hackers who know to look for them.
Greenfield says the federal banking regulators have been emphasizing “effective authentication,” and recently the Federal Financial Institutions Examination Council (FFIEC) – an interagency group composed of bank and credit union regulators – updated its guidance on authentication. “We tried not to be technology specific so there’s not a corporate requirement for multi-factor,” he says. “But our guidance is you need to have effective authentication, which typically we would see as a layered security approach with multi-factor or similarly strong technologies.”
The guidance also advocates that if nothing else, banks at least take a risk-based approach and protect their most sensitive or critical systems. “This is something that I communicate to all bank management teams; if it’s nonpublic and you don’t want anyone to gain access that’s not authorized, use multi-factor authentication or something similarly strong,” he says. “We’ve seen that malicious actors will get into a system and they will wait for the opportunity to exploit it and move laterally throughout the network as they’re able to figure it out.”
Another vulnerability is poor network management, a potential problem that has been exacerbated by the industry-wide shift to many employees working from home on laptops. Common shortcomings include networks that are not effectively configured, including a failure to turn on security controls that already exist within a particular software product or service. Or a failure to install an available patch when a vulnerability has been identified. “Sometimes we’re seeing they’re not changing default administrator IDs and passwords – I mean, simple things,” Greenfield says. “And especially when we’re talking about off-the-shelf software applications that everyone uses. All those user manuals that you have access to, the bad guys have access to as well, so they know how it works.”
Successful cyber attacks can often be traced back to multiple causes. “Typically, it’s a combination of phishing or some other [tactic] to steal a credential, then weak multi-factor [authentication], and then looking for vulnerabilities such as misconfigured or unpatched systems,” Greenfield says. “The biggest thing I can tell any institution is, make sure your controls are up and as strong as they can be so that you’re not a target, because the one thing that I have seen with many malicious actors is, they’re going to go for the easiest target.”
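The hygiene gaps Greenfield lists (accounts without multi-factor authentication, standing MFA exceptions, and default administrator IDs still on their provisioning password) are all visible in an identity directory export, so they can be audited routinely rather than discovered after an incident. The following is an added example, not the OCC’s, the FFIEC’s or any vendor’s tool; the account record layout, the list of default administrator names and the sample export are constructed assumptions for illustration.

```python
"""Added example (not the OCC's or the article's own code): audit an identity
export for the hygiene gaps described above. The record layout, the default
account-name list and the sample data are all constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed list of common vendor/default administrator names; extend per product.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "sa", "guest"}

SEVERITY_ORDER = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    mfa_enrolled: bool
    mfa_exception: bool               # an approved, standing bypass of the MFA policy
    password_changed: Optional[date]  # None: provisioning/default password never rotated


Finding = Tuple[str, str, str]  # (username, issue, severity)


def audit_account(acct: Account) -> List[Finding]:
    """Return the hygiene findings for one account (empty list when clean)."""
    sev = "high" if acct.privileged else "medium"
    findings: List[Finding] = []
    # Default administrator ID still on its default/provisioning password.
    if acct.username.lower() in DEFAULT_ADMIN_NAMES and acct.password_changed is None:
        findings.append((acct.username, "default-admin-password-unchanged", "high"))
    # An MFA exception is a standing bypass; an unenrolled account has no MFA at all.
    if acct.mfa_exception:
        findings.append((acct.username, "mfa-exception", sev))
    elif not acct.mfa_enrolled:
        findings.append((acct.username, "mfa-not-enrolled", sev))
    return findings


def audit_accounts(accounts: List[Account]) -> List[Finding]:
    """Audit every account; highest severity first, otherwise export order."""
    findings = [f for a in accounts for f in audit_account(a)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[2]])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type for a board-level summary."""
    counts: Dict[str, int] = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("svc_backup", True, False, True, date(2021, 3, 1)),
    Account("admin", True, True, False, None),
    Account("jdoe", False, True, False, date(2022, 1, 10)),
    Account("contractor7", False, False, False, date(2022, 2, 2)),
    Account("Administrator", True, False, False, None),
]

if __name__ == "__main__":
    for user, issue, sev in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{sev:<6} {user:<14} {issue}")
    print(summarize(audit_accounts(SAMPLE_ACCOUNTS)))
```

Privileged accounts are rated high regardless of the issue, because those are the ones a credential-theft-then-lateral-movement chain aims for; an MFA exception on a service account is reported even though it was approved, since approved exceptions are exactly what the article says get targeted.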
*Clarification: This article has been amended from an earlier version in part to clarify that Greenfield did not specifically mention Russia in the interview.
Even in the midst of the Covid-19 pandemic, cybersecurity risk remains the No. 1 risk management concern for many banks. In fact, pandemic-driven changes — such as remote workforces, increased IT system use and greater reliance on third parties and cloud providers — actually make cybersecurity risk an even higher priority for boards and executive teams.
With banking operations so heavily dependent on secure and reliable data systems, bank directors and executives need to be actively involved in overseeing the management of technology and cybersecurity risks. Unfortunately, the challenge of addressing these risks sometimes is complicated by the myriad compliance requirements associated with today’s complex and expanding array of data privacy and security standards.
An essential early step in any cybersecurity effort is getting a clear picture of the bank’s overall data landscape and the associated compliance requirements. A thorough risk assessment enables management to produce a comprehensive inventory of the various types of data the bank collects, handles and maintains, along with a clear path tracing the data’s origins and recipients.
Directors should verify that, in addition to specific data-related regulatory requirements, the risk management team also assesses customers’ security expectations and third-party contractual requirements related to data security.
Broadly speaking, banks typically encounter four types of compliance requirements:
Banking regulations. Most directors are aware of specific cybersecurity-related regulatory requirements, such as the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool and the New York State Department of Financial Services cyber regulations. Periodic visits by regulators should confirm that the bank is managing these risks effectively.
Attestation requirements. Beyond specific regulatory requirements, independent certification by objective third parties can give customers and others confidence that the organization is effectively managing IT risk. Examples include system and organizational control audits, federal Cybersecurity Maturity Model Certification and compliance with payment card industry standards.
Good hygiene requirements. Banks adopt these optional frameworks to help provide organizational direction to their cybersecurity programs. Examples include National Institute of Standards and Technology frameworks and Critical Security Controls published by the Center for Internet Security.
Hybrid requirements. These are regulatory requirements that are not subject to regular attestation or examination but that could present risk, particularly if a security incident occurs. Examples include state privacy laws, International Traffic in Arms Regulations requirements and similar rules that generally become issues only after the fact if regulators determine they have not been managed properly.
Creating a unified control framework
Despite variations in standards, most data security frameworks involve similar control sets. By mapping and aligning these commonalities, banks can reduce their overall compliance burden, creating an integrated system of controls that satisfies the most demanding requirements of each framework.
Governance, risk and compliance (GRC) solutions can help manage and track these requirements while also documenting the bank’s control capabilities, testing and tracking of action plans and open items. Automating the GRC effort can improve compliance by synchronizing information, identifying overlaps and redundancies and enhancing efficiency.
Such GRC solutions should encompass third-party relationships. As banks engage with growing numbers of fintech companies and other external providers, they must be able to demonstrate that their third-party affiliates are complying with applicable cybersecurity standards. A unified control framework can streamline this effort, eliminating the need for separate audits and reviews of common controls.
Managing and maintaining the effort
In addition to triggering the initial design and implementation of a cybersecurity compliance program, bank boards and executive teams also must actively oversee its ongoing management. Cybersecurity compliance is not a “set it and forget it” event.
Directors have ongoing oversight responsibilities regarding the individuals and teams that are charged with tracking changes to cybersecurity requirements and maintaining, documenting, and reporting compliance. Because compliance is a critical business requirement, top-down support at the board level is essential.
Directors should verify there are clear lines of responsibility and reporting, with direct links to relevant board committees. Other nonattest services, such as penetration testing, can provide added confidence. In many instances, such testing is also a compliance requirement that regulators or assessors expect banks to perform.
Although cybersecurity compliance by itself does not guarantee data security, it does establish trust on the part of customers, shareholders, regulators and others who have valid interests in maintaining the security and integrity of critical data. As banking operations become even more reliant on data technology, it is increasingly important that bank directors are actively engaged in overseeing both compliance and security concerns.