Can a Hybrid Work Model’s Cyber Risk Be Tamed?

Many U.S. banks are beginning to repatriate their employees to the office after some 16 months of working at home during the Covid-19 pandemic.

Some, like JPMorgan Chase & Co., have demanded that their staff return to the office full time even though many of them may prefer the flexibility that working from home affords. A recent McKinsey & Co. survey found that 52% of respondents wanted a flexible work model post-pandemic, but that doesn’t impress JPMorgan’s Jamie Dimon. “Oh, yes, people don’t like commuting, but so what?” the CEO of the country’s largest bank said at The Wall Street Journal’s CEO Council in May, according to a recent article in the paper. “It’s got to work for the clients. It’s not about whether it works for me, and I have to compete.”

Other banks, like $19.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, are adopting a hybrid work model where employees will rotate between their homes and the office. “We have taken a pretty progressive view there is no going back to normal,” says CEO John Asbury. “Whatever this new normal is will absolutely include a hybrid work environment.” Asbury says the bank has surveyed its employees and “they have spoken clearly that they expect and desire some degree of flexibility. They do not want to go back into the office five days a week [and] if we are heavy-handed, we risk losing good people.”

However, a hybrid work model does create unique cybersecurity issues that banks have to address. From a cyber risk perspective, the safest arrangement is to have everyone working in the office on company-issued desktop or laptop computers in a closed network. In a hybrid work environment, employees are using laptops that they carry back and forth between the office and home. And at home, they may be using Wi-Fi connections that are less secure than what they have at the office.

“If you think of a typical brick and mortar [environment], the network and computer systems are walled off,” says David McKnight, a principal at the consulting firm Crowe LLP. “No one can gain access to it unless they’re physically there.” In a hybrid work environment, McKnight says, “There are additional footholds on to my network that I don’t necessarily have full visibility into, whether that’s my employee’s home office, or the hotel they’re at or their lake house. That introduces different dynamics, connectivity-wise.”

Still, there are ways of making hybrid arrangements more secure. Full disk encryption protects the content of a laptop’s hard drive if it is stolen. Virtual private networks – or VPNs – can provide a secure environment when an employee is working from a remote location. Multi-factor authentication, where employees must provide two or more pieces of authentication when signing on to a system, makes it harder for hackers to break into the network. And new cloud-based platforms can enhance security if configured properly.

Many smaller banks struggled to adapt when the pandemic essentially shut the U.S. economy down in the spring of last year, and many banks sent their employees to work from home. Some banks didn’t even have enough laptops to equip all of their workers and had to scramble to procure them, or ask employees to use their own if they had them.

Atlantic Union was fortunate from two perspectives. First, it had already completed a transition throughout the company from desktop computers to laptops, so most of its employees already had them when the pandemic struck. And the bank considers the laptop to be a “higher risk perimeter device,” according to Ron Buchanan, the bank’s chief information security officer. “What that means is you’re putting it in a high-risk environment, and you just expect that it’s going to be on a compromised network [and] it’s going to be attacked.”

The bank has a VPN that only company-issued laptops can access, and this gives it the same level of control and visibility regardless of where an employee is working.

Other security measures include full disk encryption, multi-factor authentication and restrictions on administrator-level access, which prevent employees from installing unauthorized software and also make it more difficult for hackers to break into a laptop.

Although cyber risk can never be completely eliminated, it is possible to create a secure environment as banks like Atlantic Union did. But they have to make the investment in upgrading their technology and cybersecurity skill sets. “The tools are there, and the abilities are there,” says Buchanan.

Risk Practices For Today’s Economy

Organizations’ ability to strategically navigate change proved crucial during the Covid-19 pandemic, which required financial institutions to respond to a health and economic crisis. The resiliency of bank teams proved to be a silver lining in 2020, but banks can’t take their eye off the ball just yet.

Bank Director’s 2021 Risk Survey, sponsored by Moss Adams LLP, focuses on the key risks facing banks today and how the industry will emerge from the pandemic environment. In this video, Craig Sanders, a partner in the financial services practice at Moss Adams, shares his perspective and expertise on these issues.

  • Managing Credit Uncertainty
  • More Eyes on Business Continuity
  • Cybersecurity Today

What Banks Need to Know About Cyber Resiliency

In a world full of adversity, there is much to be said about the knowledge and strength it takes to overcome setbacks on an individual and organizational level — in short, resiliency.

That is especially crucial in an environment like cybersecurity, where the landscape is constantly changing. Banks must adapt to stay ahead of cyber threats through cyber resiliency.

The National Institute of Standards and Technology defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Today, organizations are complementing their cyber resilience strategies with security solutions that uphold their posture. While cybersecurity focuses on protecting information, technical devices, and systems, cyber resilience focuses on keeping business and resources intact amid industry failures and threats. Many dangers exist that can have a detrimental impact on your bank’s daily operations and overall reputation. The main three threats to your bank’s cybersecurity posture include:

  • Data Breaches: An unauthorized entry into an organization’s database that allows cybercriminals to access customer data.
  • Cybercrime: Organized crimes to steal, abuse, or misuse personal and confidential information.
  • Human Error: Employees failing to follow data privacy protocols and policies and accidentally sharing, leaking or exposing confidential information.

While these three are among the most prevalent risks, they are not alone. Your organization should educate employees about the malicious actors that exist in the cyberworld.

Pillars of Cyber Resilience
Your bank’s cyber resiliency posture cannot be assessed until you consider all the pillars that make up a proper strategy. Below are the five pillars of an ideal cyber resilience framework according to Security Intelligence:

  • Identify: Banks should have a strong understanding of all the resources that support the organization’s critical functions from both a business and cybersecurity standpoint.
  • Protect: Banks should safeguard all critical infrastructure services and information by implementing cybersecurity policies and solutions to create a robust layer of protection.
  • Detect: Banks should constantly monitor their enterprise network traffic for malicious activity, searching for any signs of data breaches or other significant threats. A cybersecurity solution will create a more effortless process for scanning your network.
  • Respond: Banks should respond to any significant threats or unsuspected activity in real-time.
  • Recover: Banks should implement disaster recovery and business continuity plans in case of a data breach or compromising cybersecurity incident.

By considering these five pillars, your bank will be well-suited to perfecting its cyber resiliency posture and ensuring it has all the resources and strength to bounce back from any potential setback quickly.

Taking Control of Your Cybersecurity Experience
The patterns of cyberattacks are evolving in response to changes in the cyber environment and the Internet of Things. For a more practical experience, your bank must consider the social and capital investments necessary to develop a cybersecurity strategy.

According to the Ponemon Institute, “organizations are making investments in technology that do not strengthen their cybersecurity budget based on the wrong metrics. Fifty percent of respondents say their organizations are wasting limited budgets on investments that don’t improve their cybersecurity posture. The primary reasons for the failure are system complexity, personnel and vendor support issues.”

It is not uncommon for security-related responsibilities to fall on employees. Ultimately, it is the company and the employees’ responsibility to protect their networks, servers, and personal and professional information. The key to building a better cybersecurity toolbox is rooted in the relationship between a cybersecurity solution and its users. An ideal cybersecurity solution should include elite features like one-touch compliance reporting and automation tools, integrated threat intelligence, around-the-clock monitoring, search for leaked accounts on the deep and dark web, managed compliance, detection, and response, and fast deployment (90 minutes or less).

Prioritizing Cybersecurity
Having a strategy and system in place that continues running smoothly despite adversities directly reflects an institution’s cyber resilience. Your bank should be able to identify, protect, detect and react when facing cyberattacks. Investing your time, resources, and capital into cybersecurity solutions is an essential measure of success. It will ensure network security and protection. As stated in Security Magazine, information technology “should enable businesses to make informed decisions on how to manage cyber risk while continuing their growth agenda. Most directors or CEOs today realize the consequences on the bottom line apart from the damage to reputation caused by a breach or an attack.”

Proper growth always begins internally. Banks that normalize and implement security best practices can achieve cyber resilience. If your organization can adapt its traditional approaches to cybersecurity, it will be better equipped to recover from difficulties it may face. In the end, a quick bounce back is better than a long-term setback. So, what better time than now to act?

Goodbye, Wild West: Are You Prepared for a Cyberattack?

Financial institution security practices and policies have substantially evolved since popular media depicted robbers in the Wild West as masked men running down a dirt road with a sack full of cash.

The glorified bank robbery scenario has underpinned the traditional image of bank security: armed guards, panic buttons, armoured vaults and vans — all of which are necessary to protect consumers’ physical money, but do nothing to thwart cybercriminals from attacking.

In June of 2019, Boston Consulting Group’s “Global Wealth” report found that financial services firms were 300 times more likely to be the target of cyberattacks than other companies. This trend seems to be continuing, as an April 2021 article from Alloy found that high-risk new account applications were up 137% from March to December of 2020, as compared to the same time period during 2019. The Covid-19 crisis escalated workers’ transition to unsecured networks at home, forced consumers to move to digital channels and increased institutions’ risk appetite, among other factors.

Cyberthreats like data breaches, malware, ransomware, keyloggers, synthetic fraud, identity theft and trojans — to name a few — are continuously evolving over time. Attacks can happen at opportune moments, like when hackers find weaknesses in networks and firewalls to execute a data breach, or can sit unnoticed in bank systems, harvesting and tracking data over time.

Historically, banks have sought to mitigate the effects of cybercrime, like advising customers with compromised data to close their accounts and open new ones, or reset their passwords.

While these instructions were adequate in the early 2000s, they will not work in 2021 and beyond. Much further than repairing the damages a cyber incident causes, customers expect the incident not to occur in the first place.

Banks need to adopt proactive, real-time cybersecurity initiatives if they wish to retain customers, stay ahead of the cyberattack curve and protect their data. It is not enough to perform an annual vulnerability scan. It is not enough to have two-factor authentication. It is not enough to encrypt data. Cybersecurity practices must become an integral and consistent part of a bank’s overall strategy and culture if it wishes to keep customer trust and industry credibility.

But banks don’t have to venture into this endeavor alone. In fact, many don’t want to: Cornerstone Advisors’ 2021 “What’s Going On in Banking” report found that 70% of responding banks were interested in a fintech partnership that provided fraud and risk management services or products. An additional 20% were already engaged in one. When it came to data breach and identity protection services, 67% of banks were interested and 7% were already engaged.

Many financial technology companies are dedicated to working with banks to better secure data and assets. Their products span an incredible range, from completely managing and monitoring a bank’s network to software installation that verifies account data in real time. Just as cyberthreats evolve over time, cybersecurity measures are advancing beside them.

Three fintechs that have proven to work with banks in protecting their institutions from cyberattacks are:

Cimcor’s CimTrak Integrity Suite, which alerts an enterprise of potential breaches by detecting real-time changes to its information technology’s infrastructure. CimTrak monitors the integrity of critical files, folders, configuration settings, users, policies and authorized registry keys. It also offers complete visibility into a breach from detection to recovery, tracking and encrypting all of the forensic details of the attack and storing them in its database.

DefenseStorm, a cybersecurity company that consolidates security data from all of a bank’s data sources to provide a comprehensive view of online security. Its Threat Ready Active Compliance team co-manages and monitors the network in conjunction with the bank, so it doesn’t necessarily need to have a full-time cybersecurity officer or team on staff. DefenseStorm was selected as a finalist for Bank Director’s 2021 Best of FinXTech Awards. 

Illusive, a fintech that plants deceptive data — information that looks exactly like what attackers need to progress in a cyberattack — across a bank’s network, servers and endpoints, which are physical stopping points that include laptops, desktops, workstations and mobile devices, etc. Once attacked, Illusive detects and captures forensics from the compromised machine.

Banks are constantly put in high-risk situations, and one cyberattack could derail decades of relationship building. Finding the right technology providers to help thwart attacks, partnered with adaptive internal policies, procedures and training, could give a bank the proactive stance it needs to protect its data, assets and customers in the new Wild West of today.

*All three technology companies are included in Bank Director’s FinXTech Connect platform, a curated database of proven financial technology solutions that are working with banks to better connect them with digital offerings. Fintechs cannot pay to be included and are selected through an interview and vetting process. For more information, please email finxtech@bankdirector.com with any questions, comments or concerns.

2021 Risk Survey Results: High Anxiety

An outsized crisis requires bold action. The banking industry responded in kind when the economy spiraled as a result of the Covid-19 pandemic.

Financial institutions across the country assisted small businesses by issuing Paycheck Protection Program loans. Banks also almost universally modified loans to help borrowers weather the storm, according to Bank Director’s 2021 Risk Survey, sponsored by Moss Adams LLP. At the peak of the downturn, 43% of the directors, CEOs, chief risk officers and other senior executives responding to the survey say their bank modified more than 10% of the loans in their portfolio.

Conducted on the heels of a tumultuous 2020 — with the pandemic, social strife and political change continuing into January — the survey reveals high levels of anxiety across the risk spectrum. In particular, respondents indicate greater unease regarding cybersecurity (92%) and credit (89%), as well as strategic (62%) and operational (52%) risks.

Almost half of respondents indicate that some or most of the loan modifications extended into the fourth quarter 2020, and two-thirds reveal concerns about concentrations in their loan portfolio, with most pointing to commercial real estate (43%) and/or the hospitality industry (31%).

Forty-three percent indicate that their bank tightened underwriting standards during the downturn. Looking ahead, many are unsure whether they’ll ease their standards to lend to business customers in 2021 and 2022. The challenges to bankers have been deep during the past year.

As the CEO of a small, southeastern community bank put it: “What doesn’t kill you makes you stronger.”

Despite this uncertainty, bankers express some optimism. More than three-quarters believe that supporting their communities during the pandemic has positively affected their bank’s reputation. Eighty-seven percent expect fewer than 10% of their bank’s business customers to fail. And 84% will improve their bank’s business continuity plan due to what they’ve experienced.

Key Findings

More Robust Stress Testing
More than 80% say their bank conducts an annual stress test. Of these, 60% have expanded the quantity and/or depth of economic scenarios examined in response to the Covid-19 pandemic.

Cybersecurity Gaps
Sixty-three percent say their institution increased its oversight of cybersecurity and data privacy in 2020. Most say the bank needs to improve its cybersecurity program by training staff (68%) and implementing technology to better detect or deter threats and intrusions (65%).

Pandemic Plans Adjusted
Respondents identify several areas where they’ll enhance their business continuity plan as a result of the pandemic. The majority point to formalizing remote work procedures and policies (77%), educating and training employees (56%) and/or providing the right tools to staff (55%). Roughly half say that fewer than a quarter of employees will work remotely when the pandemic abates; 25% say that no employees will work remotely.

Banking Marijuana
Forty-one percent of respondents represent a bank headquartered where marijuana use is at least partly legal. Overall, one-third are unsure if their bank would be willing to serve marijuana businesses. Just 7% serve these businesses; 34% have discussed banking this industry but don’t work with these companies yet.

Climate Change Still Not a Hot Topic
Just 14% say their board discusses the risks posed by climate change at least annually; this is up slightly from 11% in last year’s survey. Fewer than 10% say an executive reports to the board about the risks and opportunities that climate change presents to the institution.


Developing a Digital-First Approach to Risk Management

The world has leaned further and further into the digital realm, largely thanks to a younger, more tech-dependent generation.

The Covid-19 pandemic accelerated a years-long push toward online and mobile banking use. Does your institution have a true digital banking strategy to deliver simple and secure digital banking services to your customers? As the primary channel through which customers conduct nearly all their banking activities, digital is your bank now.

But as more consumers turn to digital channels, cybercriminals are following suit — as demonstrated by increasing incidents of fraud and unauthorized account access. To mitigate cybersecurity threats and protect your customers, your bank’s risk management strategy now requires a digital-first approach.

Risk Management in Digital Banking
Even though customers demand digital transformation, delivering frictionless experiences comes with certain inherent challenges and risks. Once you identify these hurdles, you can mitigate them so that your institution can move forward.

The most pressing digital banking risk management issues fall into two categories: overcoming organizational challenges and mitigating regulatory risks. Each of them has several considerations and variables your institution should consider.

Overcoming Organizational Challenges

Outdated corporate culture: Entrenched processes and perspectives can stall your digital transformation. Promoting a more forward-thinking culture must start at the top and flow down in order for the entire institution to embrace change. Confirm your bank’s risk management personnel are onboard, and involve them from the beginning to ensure a secure and safe transformation.

Refocusing of key positions: Some of your bank’s key positions may change in response to digital transformation. Digitization may shift the focus of some, but these positions are still critical to the institution’s success. For example, instead of manually performing tasks, employees working in an operations department may begin focusing on automating processes for the institution.

Resistance to change: Many institutions have executives that will champion progress, while others are resistant to the changes required to adopt a digital-first approach. Identify the champions at your institution and empower them to lead your digital transformation.

Lack of innovative thought leadership: It will take true out-of-the-box thinking to digitally compete with the big banks and emerging fintech companies. Encourage that kind of modern thinking within your institution.

Misguided beliefs: Quash any notions that a mobile banking app is the only component of a digital strategy, or that a digital-first approach means that personalization is no longer needed. Back-end operations and internal processes must fully support a digital environment that effectively identifies and fulfills individual customer needs based on their actions and behaviors — without adding friction to the customer experience.

Mitigating Regulatory Risks

Digital compliance and cybersecurity: Banks operating in a digital environment must still comply with all applicable laws and regulations. This includes paying attention to uniquely digital processes that are covered under specific rules, such as electronically signing documents per the E-Sign Act. To mitigate risk, institutions should invest in technology designed to ensure compliance and strengthen cybersecurity.

Third-party risk management: Many banks are outsourcing all or part of their digital strategy to fintechs and other third-party vendors out of necessity. But institutions are still ultimately responsible for all functions, whether they are performed internally or externally. A robust vendor management program is key to avoiding unqualified third-party providers. A provider must understand applicable regulatory requirements, be able to adhere to them and guarantee compliance.

Fraud and identity theft: The increase in banking without face-to-face interaction can increase the risk of synthetic identity fraud, traditional identity theft and account takeovers. Your bank should meet these challenges by reviewing and strengthening your Bank Secrecy Act/anti-money laundering (BSA/AML), know your customer (KYC), customer due diligence (CDD), cybersecurity and other relevant compliance programs. Digitizing internal processes will result in more available data as well as the ability to use AI to monitor customer behaviors and efficiently identify potential fraud.

While digitization can increase certain risks for banks that undertake such a transformation, enabling enhanced digital banking risk management to secure digital channels, mitigate risk and deliver a frictionless customer experience is worth the effort.

Does your Bank Need a SOC?

Banks’ IT departments are at risk of burning out, given the constant pressure to comply with industry standards while preventing emerging cybersecurity threats.

Risk management solutions are in high demand within the financial industry, as the need for continuous network monitoring has only grown. If this sounds more like your current reality than a distant memory, a security operations center (SOC) could be the ideal cybersecurity solution that your bank needs.

What is a SOC?
Gartner defines a security operations center as “a team, often operating in shifts 24/7, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”

SOCs are responsible for monitoring and analyzing activity on networks, servers, and more. The service center is consistently looking for abnormal activity, indicating a potential breach, security incident, or malicious activity in your network. SOCs also detect harmful attempts to compromise your network and assist with the incident response lifecycle, allowing your bank’s IT team to respond more efficiently and work towards preventing security threats altogether. The goal is simple: get the job done quickly and accurately.

The key to deciding whether to move forward with external SOC support is the ability to deliver all of your enterprise network traffic and the detections from your laptops, desktops, firewalls, VPNs, routers, switches and application security tools to your SOC for their review and analysis. Paying a SOC service to watch your firewall traffic isn’t comprehensive enough and will give you a false sense of security. This is why you should consider buying a Security Information and Event Management (SIEM) platform that will ingest all of your data, making it easier for your SOC to protect your network.

What to look for in a SOC?
Searching for an ideal security operations center is not an easy task. There can be delays due to limited knowledge about key features. Below is a list of some primary features your bank should require in a SOC service:

  • Network Monitoring: The service should continuously monitor your network traffic and detect potential intrusions. You should also receive real-time alerts for any anomalous or malicious activity.
  • Incident Response: The incident response lifecycle starts with the initial detection and containment, then continues to the eradication phase, and finally returns to normal business operations.
  • Account Privilege: Privilege analysis of every account, system and group provides a financial institution’s staff with knowledge of exactly who can access the most sensitive data.
  • Compliance Reporting: Compliance reporting tools should include PCI DSS (Payment Card Industry), NIST (National Institute of Standards and Technology), and HIPAA. The FFIEC’s Cyber Assessment Tool (CAT) should be directly integrated into the service as well.
  • 360° View of Network: A SOC service should have the capability to continuously monitor and defend networks on-premise, in the cloud, and across the globe.

According to an Information Security Buzz article, the key to maximizing features like those listed above is to “integrate the data flowing among all the tools. This gives your entire security operations team a filtered view into what the information means.” The more perspectives that analytics can produce from data flow, the higher the value of that analysis. While all SOCs are different, they have critical components that will make or break the success of your bank’s cybersecurity team.

Why prioritize your network’s security?
Cybercriminals are becoming more creative and methodical with their attacks, especially now that remote work is the new normal. The occurrences and threat potentials of data breaches and cyberattacks are at an all-time high, and Security Ventures projects cybercrime damage to total $6 trillion by 2021.

It’s unrealistic to expect your bank’s IT department to quickly and efficiently monitor and solve every problem as demand increases. Your team should feel like they can do their job without continuously worrying about capacity concerns. By implementing a SOC service into your cybersecurity roadmap, your organization can expand its security capabilities, without breaking the bank, for years to come.

Embracing a Challenging Environment to Evolve

New York University economist Paul Romer once said, “A crisis is a terrible thing to waste.”

With a nod to Dr. Romer, we believe banks have an extraordinary opportunity to embrace the challenging environment created by the Covid-19 pandemic to enhance critical housekeeping matters. Here are five areas where banks may find opportunities to declutter or reengineer policies, procedures and best practices.

Culture
One of the most obvious opportunities for banks is to focus on culture. Employees working from home has eliminated the ability to have typical office parties, barbeques and other events to build comradery. Remote and semi-remote working environments are challenging employees in many difficult ways. Fortunately, banks are finding simple, yet creative, ways to stay in contact with their employees and build culture through additional correspondence and feedback — electronic happy hours, car parades, and socially distant visits, for example. Creatively maintaining high engagement in challenging times will serve to improve communication and culture over the long term. As management consultant Peter Drucker once said, “Culture eats strategy for breakfast.”

Cybersecurity
Cybersecurity risk continues to be top of mind for bankers and regulators given the remote work brought on by Covid. Certainly, most banks’ cybersecurity risk management planning did not contemplate the immediate scale of remote work, but the extreme experience is an opportunity to drill down on underlying policies and procedures. Banking agencies have provided the general blueprint on sound risk management for cybersecurity.

This heightened risk environment provides executives with a perfect opportunity to note where their vulnerabilities may exist or be discovered, where cyberattacks focus and what works — or doesn’t — for your bank. Use the guidance provided to assess your bank’s response and resilience capabilities. Consider the overall map and configuration of your cyber architecture. Consider authentication requirements and permissions to protect against unauthorized access. Take the time to work with information technology experts to clean up access controls and response plans. This is an active situation that provides bankers the unique opportunity to learn and adapt in real time.

Compliance
Banks also face enhanced compliance originating from federal programs aimed at keeping businesses afloat. A worthy endeavor to be sure, but the rollout of some federal programs such as the Small Business Administration’s Paycheck Protection Program has far outpaced the guidance for banks tasked with implementation. The trickle of (often inconsistent) guidance on the documentation, eligibility and certification adds compliance challenges in reporting under the Bank Secrecy Act, fair lending under the Equal Credit Opportunity Act and unfair or deceptive acts and practices under the Federal Trade Commission Act, for example.

Compliance teams have an opportunity to shine at something they are already extraordinarily good at: documentation. They should document the processes and practices they deploy to demonstrate compliance, despite the uncertainty and pace at which they are expected to operate. This documentation can support real-time decision-making that may come up with regulators in the future, and can serve as a basis for improvement on future best practices and training. Compliance teams will discover new questions to ask, novel scenarios to address and gaps to fill.

Operational Planning
The best time to consider the impacts of Covid on your bank’s operations is while events and memories are fresh. Banks all over the country are experiencing what a handful of institutions may go through in the wake of a natural disaster: devastation, uncertainty and a need for banking support. This is the time to review your bank’s disaster recovery and business continuity plans, specifically including pandemic planning, to assess the plans against reality.  

To help, the Federal Financial Institutions Examination Council released an updated statement on pandemic planning suggesting actions that banks can take to potentially minimize a pandemic’s adverse effects. This is a chance to improve business continuity planning for similar future events, understanding that they may not be as deep or prolonged as the coronavirus. Exercising the plans in real time, compared to a scheduled test, can reveal helpful improvements that will only strengthen the bank.

Customer Experience
Coping with remote work and providing banking services outside of a branch provides the opportunity for banks to consider strategies around technology and financial technology partnerships. Customers have been rerouted to electronic avenues, and many seem to have embraced technology to deposit checks, access accounts online and transact business.

This evolution offers banks the opportunity to adapt and recognize the use of financial technologies. Many customers will understandably return to branches to conduct some of their business when they reopen, but may require them less. Banks may want to consider how they can satisfy future customer demand and improve the customer experience more broadly. These are just five areas where we see opportunities for banks of all levels and complexity to enhance their policies, procedures and best practices as they prepare to move forward.

Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work from home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration’s loan created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk for errors and oversights. Unfortunately, the Covid-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and banks’ operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

How One Bank Flattened Fraud

Protecting the bank and its customers — through cybersecurity measures, identity verification, fraud detection and the like — is vital in ensuring a financial institution’s safety and soundness, as well as its reputation in the marketplace. These investments typically represent significant cost centers, but fraud prevention tools can be an exception to the rule if they’re able to pay for themselves by preventing losses.

“The idea is, when you put in a fraud system — and this is where some folks lose it — you want to make sure to catch more fraud than the system costs,” says Ronald Zimmerman, vice president in the operations department at $32.2 billion IBERIABANK Corp., based in Lafayette, Louisiana. “You always have to make sure that the cost doesn’t supersede your savings.”

Zimmerman implemented ARGO OASIS about a year ago. OASIS, which stands for Optimized Assessment of Suspicious Items, uses neural networks and image analytics to detect and prevent fraud. Modeled after the human brain, neural networks are a form of artificial intelligence designed to recognize patterns, making them well suited to identify check alterations, forgeries and other forms of transaction fraud. The solution then provides bank employees with detailed information to enable them to further investigate the activity.

Bank Director’s 2020 Risk Survey found that just 8% of executives and directors report that their bank uses AI technology to improve compliance. One-third are exploring these types of solutions.

IBERIA brought in OASIS to identify fraud in its “two-signature accounts” — customer accounts that require two signatures on a high-dollar check. “We have a queue set up in OASIS to monitor these checks as they come in through clearing. If a signature is missing or is in question, OASIS flags it for review,” Zimmerman says.

One thing about the technology that sets it apart is its check stock validation tool. “You have an overlay button where you can place a questioned check on top of a good check, and you have a little slide bar [so you] can see the small differences,” he says.

That tool alone has helped the bank stop roughly $300,000 in check fraud over the first eight months of use — meaning ARGO has already paid for itself. “We’ve caught a ton of fraud through this product,” says Zimmerman.

And $300,000 is a conservative estimate of the bank’s savings, Zimmerman says, because fraudsters have learned not to target his bank. “Check fraud flattened out, because the fraudsters have probably moved on, knowing that we’ve covered up a hole that was there before.”

ARGO OASIS was recognized as the Best Solution for Protecting the Bank at the 2020 Best of FinXTech Awards in May. ALTR, a blockchain-based security solution, and IDology, which uses big data for identity verification and fraud detection, were also finalists in the category.

Importantly, ARGO helps IBERIA stop fraud efficiently. A task that used to occupy three full-time employees’ time now takes two employees just a couple of hours.

IBERIA will soon merge with Memphis, Tennessee-based First Horizon National Corp. to form a $75 billion company. The deal was driven in part by the pursuit of scale.

Generating efficiencies is essential to better compete with big banks, said First Horizon CEO Bryan Jordan in a 2017 presentation. “We’ve got to be invested in technologies in such a way that we’re at or above table stakes,” he said. “The trick for us will be to … create efficiency in other parts of the business to create money that we can invest in leading-edge technologies and processes that really allow us to be competitive.”

Leveraging AI to reduce compliance busywork is a great place to start.