What’s At Stake In A Tech-Driven World


Technology is driving a wave of disruption across the entire financial services landscape. Financial services companies are increasingly finding themselves both competing with and working alongside more agile, highly entrepreneurial technology-based entities in a new and evolving ecosystem.

There are a number of global trends creating opportunities for financial services companies:

  • China’s population is growing at about 7 percent annually, roughly the equivalent of creating a country the size of Mexico every year.
  • At the same time, China and other emerging, fast-growing economies are raising many of their people above the poverty line, creating a new class of financial services consumer.
  • In more developed countries, people are retiring later and living longer.

These trends are driving a growing need for financial services. However, the story does not end with demographics and economics. Changes in technology are reshaping the ways these services are being delivered and consumed.

Consumers expect simplicity and mobility. Smartphones provide a wide range of financial services at our fingertips. With the rapid growth in artificial intelligence and machine learning applications, savvy financial services companies are adapting to the new ecosystem of digital service delivery and customer relationship providers. Gone are the days when customers had to visit the local bank branch to get most of the services and products they needed. The shakeup in providers will make for a vastly different landscape for competing financial services organizations in the near future.

While the adoption of blockchain technology is still in its infancy, it will potentially reshape the financial services landscape. Much of the transaction processing, matching, reconciliation and the movement of information between different parties will be a thing of the past. Once regulation has caught up, blockchain, or distributed ledger technology, will become ubiquitous.

Financial services companies need to understand where they fit in this digitally fueled, rapidly evolving environment. They need to decide how to take advantage of digital transformation. Many are starting to use robotic process automation to reduce their costs. But the reality is the spread of automation will soon level the playing field in terms of cost, and these companies will once again need to look for competitive advantage, either in the products and services they offer or the way they can leverage their relationships with customers and partners.

When companies leverage technology and data to achieve their business goals in this new environment, they also introduce new risks. Cybersecurity and data governance are two areas where financial services companies continue to struggle. The safety of an ecosystem will be dependent on its weakest link. For instance, if unauthorized breaches occur in one entrepreneurial technology company with less mature controls, those breaches can put all connected institutions and their customer information at risk. Further, automation can result in decisions based solely on data and algorithms. Without solid data governance, and basic change controls, mistakes can rapidly propagate and spiral before they can be detected, with dramatic consequences for customer trust, regulatory penalty and shareholder value.

Strategically, financial services companies will need to decide if they want to be curators of services from various providers—and focus on developing strong customer relationships—or if they want to provide the best product curated and offered by others. Investing in one of these strategies will be a key to success.

Three Important Things Jerome Powell Said To Congress


Jerome Powell’s semi-annual appearance before Congress was perhaps a bit more newsworthy than it has been for past chairmen of the Federal Reserve, and his core message signals a few key moves that will certainly impact how banks manage themselves over the next several months.

Powell’s appearance was overshadowed with questions about trade policy and what was happening further down Pennsylvania Avenue, but the core message from Powell, who has been on the job for less than a year, was that the central bank is continuing on a path toward normalization of interest rates, a place the U.S. economy hasn’t seen in a decade or longer.

Despite the tangents that media-savvy politicians tried to take Powell down, his core message as it applies to bankers is important and provides signals as to how the Fed will manage the economy over the next several months.

Here are some takeaways:

Bank profitability likely to remain high. Powell’s comments about the overall tax climate and overall business environment point to good things on the horizon for banks, which have reported strong earnings since the end of last year when tax reforms were passed.

Said Powell: “Our financial system is much stronger than before the crisis and is in a good position to meet the credit needs of households and businesses … Federal tax and spending policies likely will continue to support the expansion.”
Second-quarter results have illustrated that, with some banks reporting quarterly earnings per share around 40 percent above last year.

Fed getting back to “normal.” For several years since the crisis, the Fed bought large quantities of U.S. Treasury bonds—known as quantitative easing—to pump cash into the market and boost the economy. With plenty of indicators that the economy is now humming, Powell said the Fed has begun allowing those securities to mature, bringing that practice to an end.

“Our policies reflect the strong performance of the economy and are intended to help make sure that this trend continues,” Powell said.

“The payment of interest on balances held by banks in their accounts at the Federal Reserve has played a key role in carrying out these policies … Payment of interest on these balances is our principal tool for keeping the federal funds rate in the FOMC’s target range. This tool has made it possible for us to gradually return interest rates to a more normal level without disrupting financial markets and the economy.”

Cybersecurity tops list of risks. In his appearance before the House Financial Services Committee, Powell said cybersecurity, and the unexpected threats therein, is what keeps him up at night, aside from what he called “elevated” asset prices that would fall under more traditional concerns, like commercial real estate.

Preparing for the worst-case cybersecurity scenario is top-of-mind, he said, even more than traditional risks. Preventing and preparing should be the focus, he said.

“(Do) as much as possible, and then double it,” he said, a signal of how serious the Fed views the issue.
He then tamped that statement down, and said the Fed “does a great deal” with its supervision of banks, and advised them to continually maintain “basic cyber hygiene” by keeping up to date on emerging trends and threats.

“We do everything we can to prevent failure, but then we have to ask what would we do if there were a successful cyberattack,” he said. “We have to have a plan for that too.”

What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level. 
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. If cybersecurity threats are greater than physical security threats, funding of cybersecurity controls should be at parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well trained and qualified cybersecurity professionals that can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of cybersecurity attack.

Effective Cybersecurity Demands Involvement From Everyone at Your Bank


Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following failure points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring or unattended security information and event monitoring functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often are necessary; however, many institutions require more tailored controls and processes. Rather than relying on generic systems alone, organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in the departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify the employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who are monitoring account and system activity should be included in this process, but key stakeholders and employees who are client- and third-party-facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specific to their roles and the associated risks.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


Cybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between containing the release of sensitive data and having that data released to the public. Because preparations help control damage even if a breach happens, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

Advice for New Bank Directors


If you have recently been appointed to a bank board, chances are you’re like most new directors in that you came from outside the industry and have little knowledge of banking other than what you might have learned as a customer. If, for example, you’re the owner of a local business that relies heavily on its banking relationships to keep the enterprise going (as most small businesses do), you will certainly have an opinion about what constitutes good customer service. You also bring your own judgment and life experience outside of banking to the task, which will no doubt be very valuable to the board. But to be an effective bank director, you’re going to have to broaden your knowledge base considerably when it comes to banking. Good judgment isn’t enough. There are certain things that you will need to know.

Learning is a life-long exercise, and for as long as you serve on a bank board there will always be new things to learn. But here are four areas that I think new directors should give extra attention to:

Learn About Regulation.
Banking is a complicated and highly regulated industry, and banks can pay a steep price for their compliance sins. Take the time to understand the industry’s regulatory structure and the expectations of your bank’s primary regulators, which will vary depending on the size of your institution and whether it has a state or national charter. Also, zero in on the regulations that can have the greatest impact on your bank (for example, the Bank Secrecy Act and the various consumer protection rules). The regulators will hold your board accountable for any serious compliance violations, so it’s not a responsibility to be taken lightly.

Learn How Your Bank Works.
Banking is very different from most other businesses like, say, manufacturing and retailing, or professional services like accounting and lawyering. Yours is a governance rather than an operating role, but you should still learn how your bank works inside and out so you can engage fruitfully with management. Learn how your bank makes most of its money and where its greatest risks lie. Service on the board’s audit committee would provide a very powerful introduction to the workings of your bank, because there’s very little that the audit committee doesn’t get involved in.

Learn About Technology and Try to Embrace It.
Technology tends to be a black hole for most boards. Most people in their 60s and 70s, which fits the profile of many directors who serve on bank boards, don’t understand or use technology as comfortably as those who are 20 or 30 years younger. The problem is that banking is undergoing a technological revolution that goes well beyond mobile (which gets most of the attention these days) and touches almost every area of the bank. Directors need to understand how these trends are likely to impact their institution. Some banks try to recruit at least one tech-savvy director to their board, but these people are hard to find—and even if you find one, you can’t delegate the responsibility to understand technology to that person. Regular board-level briefings from your bank’s chief technology officer, attendance at industry conferences and a commitment to read up on the topic can all help educate you. Also, experiment with some of the consumer technology that has come into financial services in recent years. If you have an iPhone, activate its wallet feature. Open a Venmo account and use it. And if you don’t use your own bank’s mobile banking app, shame on you!

Learn About Cybersecurity.
As banks become more digital, their cyber risk profile will increase ipso facto. Trying to lessen the risk by resisting the push toward digital banking isn’t a rational strategy because your institution will be left behind. The U.S. economy and our national culture are all being profoundly impacted by the digital phenomenon, and it’s a game that all banks simply have to play. Your role as a director is to make sure your bank has a good cybersecurity program and team in place, that the program conforms to the latest industry standards and regulatory expectations, and that the board is being briefed regularly.

These are not the only critical areas that new directors need to understand, of course, but they would be on my short list of things to go to school on if I had just joined a bank board. Congratulations and good luck!

Three Themes Are at the Top of Bankers’ Minds Right Now


If one looks at the bank industry as a whole, it’s easy to agree with Jamie Dimon, the chairman and CEO of JPMorgan Chase & Co., the nation’s biggest bank by assets, that we are in the midst of a “golden age of banking.”

This is true on multiple fronts. Dimon’s comments were directed specifically at the easing of the regulatory burden on banks, an evolution that has been going on since the change in administration at the beginning of last year. The lighter touch is most evident at the Consumer Financial Protection Bureau, which has taken a more passive approach to enforcement actions under its current acting director, Mick Mulvaney. The broadest base of regulatory relief culminated last month, when federal legislation was signed into law that eased the compliance burden on smaller banks in particular.

Banks are also reaping benefits from the cut last year in the corporate income tax rate from 35 percent down to 21 percent. The change led to a surge in profits and profitability.

These events highlight a trio of themes that emerged from this year’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago. Each theme is unique, but the common denominator is that bank boards face an evolving landscape when it comes to the macroeconomic environment, cyber security threats and the means through which a bank can navigate this landscape.

Profitability is a point that Steve Hovde, chairman and CEO of Hovde Group, stressed in a presentation on the current and future state of banking. Banks earned a record $56 billion in the first quarter of the year, which amounted to 28 percent growth over the same quarter of 2017. And while the industry has yet to report a return on assets above 1 percent on an annual basis since the financial crisis a decade ago, the average bank eclipsed that figure in the first three months of the year.

And banks aren’t just more profitable, they’re also arguably safer, former Comptroller of the Currency Thomas Curry noted in a conversation with Bank Director magazine Editor in Chief Jack Milligan. Curry pointed to the fact that banks have more capital than they’ve had in decades.

Yet, as Hovde noted, many of these positive performance trends are not being experienced equally across the industry, with the lion’s share going to the biggest banks. The return on average assets of banks with between $10 billion and $50 billion in assets is 1.27 percent compared to 0.72 percent for banks with less than $1 billion in assets. This is also reflected in bank valuations, with big banks trading on average for more than two times tangible book value compared to 1.4 percent for smaller banks.

This gap is projected to grow with time, in part because of a second theme that coursed through conversations at this year’s Bank Audit & Risk Committees Conference: trends in technology and cyber threats, which large banks have deeper pockets to address. Of all the things that concern bank officers and directors right now, especially those tasked with audit- and risk-related duties, the need to defend against cyber threats is at the top of the list.

There are approximately 20 million hostile cyber events every day, with an estimated 200,000 of these targeted at financial institutions, noted Alex Hernandez, vice president of DefenseStorm, a cybersecurity defense firm. Seventy-three percent are perpetrated by people outside the organization compared to 28 percent by insiders. It isn’t just criminals who pose a threat, as nation-state actors are behind 12 percent of hostile cyber events, with their timing tending to coincide with elections.

The solution, Hernandez notes, is to double down on the fundamentals of cyber defense. “The most effective way to address cyber threats isn’t to focus on the latest shiny object like artificial intelligence, it’s about educating your staff and securing your network.” To this point, most threats come through unsophisticated channels, be it an email phishing scheme or malware delivered by way of a thumb drive.

One challenge in addressing these threats is simply recruiting the right expertise—not only on the bank level, but also on the board. Finding and retaining the right talent in not only information security but elsewhere was also a recurring theme. Most board members in attendance acknowledge they don’t know enough about technology to ask the right questions. But recruiting people who do is easier said than done, especially for banks in rural communities, who often try to tap into nearby metro areas for talent, or offer creative compensation plans to mitigate risk and retain younger officers.

There are certainly reasons to suggest big banks are experiencing a golden age, but smaller and mid-size banks shouldn’t use this recent change in fortune as an excuse to rest on their laurels. It remains incumbent on bank officers and directors to stay vigilant against ever-evolving cybersecurity risks and focused on recruiting the talent and designing effective governance structures to address them.

The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms with both the inevitability of integrating technology somewhere within the bank’s operations and the risk that comes with doing so. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standards issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways and have few points of reference to guide them, other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

Cybersecurity Should Keep Bank Leaders Up at Night


Two years in a row, Mike Morris and his team at the consulting firm Porter Keadle Moore dinged a client bank for allowing access to personal email accounts from company equipment, which the firm saw as a potential security threat.

Then about a month ago, on a Friday afternoon, Morris, a partner and cybersecurity expert at PKM, got a call. The bank they had written up two straight years for the same potential security lapse had, in fact, been breached by someone using personal email on company equipment, exactly what they had identified as the possible threat.

Such cybersecurity threats are among the most serious for any institution for a multitude of reasons, from fiduciary responsibilities to reputation and beyond. Cybersecurity will be a common topic at Bank Director’s 2018 Bank Audit & Risk Committees Conference, held June 12-13 in Chicago.

Morris has multiple stories about hacks and phishing scams that have in some way compromised personal data or a customer’s own money.

Another recent case: A customer fell victim to a phishing scam, and the source in China managed to wire $150,000 through another bank before they “got lazy” and tried to draw another $150,000 directly from the customer’s bank. The second transaction, thankfully, was caught by the bank’s compliance team in review.

“That’s happening on a regular basis, and it’s not a new trend, but yeah, it’s happening all the time,” Morris says.

Some of the financial services industry’s most experienced experts paint a dark picture about how prepared—or not—banks generally are for cyberattacks, or perhaps more generally, just threats to customer information that could ultimately pose a risk to the bank.

It’s not a new challenge for the industry. Banks have had training along with regulator attention and oversight for at least a decade on this topic, but with an increasingly vast digital footprint, troves of data and relationships with vendors outside the walls of the bank, the potential threats grow in step.

“Firms that successfully introduce cutting-edge technologies need to infuse cybersecurity risk management practices throughout the entire development life cycle to identify and mitigate new risks as they emerge,” said Bob Sydow, a principal at Ernst & Young, in testifying before the Senate Banking Committee in late May. “This shift in mindset from thinking about cybersecurity as a cost of doing business to seeing it as a growth enabler is not easy, but it is the only viable path forward.”

The data about cyber threats—not to mention what seems like weekly headlines about data breaches—doesn’t help dissuade any worry that bank leaders or risk officers might have. The 2017-18 Global Information Security Survey by Ernst & Young found nearly 90 percent of some 1,200 bankers around the world said their cybersecurity function doesn’t fully meet their organization’s need. More than a third said their data protection policies were ad hoc or nonexistent, Sydow told senators, just weeks after Facebook CEO Mark Zuckerberg was on Capitol Hill testifying about Cambridge Analytica’s use of the social network’s user data.

“As banks and other financial services firms define their digital strategies, their operations are becoming ever more integrated into an evolving and, at times, poorly understood cyber ecosystem,” Sydow said.

That integration Sydow talked about is an area where there’s considerable risk, Morris says, that should be reviewed and understood by audit committees, risk committees, boards and other bank leaders. Financial institutions are working with an increasing number of third-party vendors for specific services or products, some of which require that vendor to access the data of the bank’s customers. That itself presents a risk, and boards should be especially careful when negotiating contracts that in early draft stages tend to favor the interests of the vendor but are often revised through the negotiation process.

Morris says it should be a top priority for banks to have a right-to-audit clause or confidentiality clause in those agreements, which gives the bank some authority to ensure the data to which they are allowing access is treated properly and kept secure. Boards should also take the opportunity to update or revise long-standing contractual agreements, like those with core system providers, when they come up for renewal.

Many institutions have lengthy contracts with their core technology providers, and with data security a preeminent concern, those renewals should be taken seriously.

“You have that moment of power when you haven’t signed an updated agreement that you can get some of these clauses put in there,” Morris says.

Regulatory Issues to Watch In 2018


As 2018 unfolds, all eyes in the financial services industry continue to look to Washington, D.C. In addition to monitoring legislative moves toward regulatory reform and leadership changes at federal regulatory agencies, bank executives also are looking for indications of expected areas of regulatory focus in the near term.

Regulatory Relief and Leadership Changes
Both the U.S. House of Representatives and the Senate began 2018 with a renewed focus on regulatory reform, which includes rollbacks of some of the more controversial provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the sweeping reform passed after the 2008 financial crisis. These legislative actions are ongoing, and the final outcomes remain uncertain. Moreover, even after a final bill is signed, regulatory agencies will need time to incorporate the results into their supervisory efforts and exam processes.

Meanwhile, the federal financial institution regulatory agencies are adjusting to recent leadership changes. The Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Consumer Financial Protection Bureau (CFPB) have new leaders in place or forthcoming, some of whom have been vocal supporters of a more “common sense” approach to financial regulation and who generally are supportive of regulatory relief. In the case of the CFPB, the ultimate direction of the agency could remain uncertain until a permanent director is appointed later in 2018.

Regulators’ Priorities in 2018
Notwithstanding the regulatory reform efforts, following are some areas likely to draw the most intense scrutiny from regulatory agencies during 2018 examination cycles:

Credit-related issues. While asset quality continues to be generally sound industrywide, concerns over deteriorating underwriting standards and credit concentrations continue to attract significant regulatory attention, accounting for the largest share of matters requiring attention (MRAs) and matters requiring board attention (MRBAs).

The federal banking regulators have encouraged banks in recent months to maintain sound credit standards within risk tolerances, understand the potential credit risks that might be exposed if the economy weakens, and generally strengthen their credit risk management systems by incorporating forward-looking risk indicators and establishing a sound governance framework. At the portfolio level, regulators are particularly alert to high concentrations in commercial real estate, commercial and industrial, agriculture, and auto loans, according to the FDIC.

Information technology and cybersecurity risk. The Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool in May 2017. Although its use is voluntary, federal and state banking regulators typically consider a bank’s use of the FFIEC tool or some other recognized assessment or framework as part of their assessment of an organization’s cybersecurity risk management, controls, and resilience.

On a broader scale, in February 2018, the Department of Justice announced a new cybersecurity task force. Although the task force is not directed specifically at the financial services industry, its first report, expected to be released this summer, could provide useful insight into the scope of the task force’s activities and potential guidance into what types of regulatory actions and controls to expect in the coming years.

Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. The industry has seen a steady increase in enforcement actions—some of which have included severe sanctions—when regulators perceived banks had pared back resources in this area too severely. Compliance with Office of Foreign Assets Control (OFAC) requirements and efforts to prevent terrorist financing are also continuing to draw regulatory scrutiny.

Consumer lending practices. Regulatory priorities in this area are likely to remain somewhat fluid given the leadership changes occurring at the CFPB, where a permanent director is to be appointed by September. Additionally, legislative efforts that could affect the structure and authority of the bureau also are underway.

Third-party and vendor risk management. It has been nearly five years since the OCC released OCC Bulletin 2013-29, which expanded the scope of banks’ third-party risk management responsibilities and established the expectation for a formal, enterprise-wide third-party risk management effort. Since then, regulatory agencies have issued several follow-up publications, such as OCC Bulletin 2017-7, which spells out supplemental exam procedures. Also in 2017, the FDIC’s Office of Inspector General issued a report with guidance regarding third-party contract terms, business continuity planning, and incident response provisions, and the Fed published an article, “The Importance of Third-Party Vendor Risk Management Programs,” which includes a useful overview of third-party risk issues.

Despite the industry’s hopes for regulatory relief in some areas, all financial services organizations should continue to focus on maintaining sound risk management policies and practices that reflect today’s environment of continuing change and growing competitive pressures.