Protecting Customers Through a Cybersecurity Control Tower



Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud-based cybersecurity solutions.

As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.

This is where DefenseStorm comes in.

Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as a security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.

By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.

Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.

Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.

Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems will produce a constant stream of security alerts, many of which are not genuine threats, but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert—and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is only notified if a threat is genuine. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.

The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.

Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make it worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.

For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.

“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”

New Rules for Financial Firms in New York Put New Onus on Boards


New York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

Touted as the first law of its kind in the United States, New York enacted new cybersecurity regulations this year, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so vastly widen both the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity program for years, as described in the Federal Financial Institutions Examination Council’s IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to have many of the new regulation’s guidelines already in their processes, but it’s good to tie them to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Fifth Third CEO Says Pace of Bank Industry Change Is Fastest He’s Ever Seen


While the audience was largely optimistic at Bank Director’s Bank Audit & Risk Committees Conference in Chicago yesterday, many of the speakers, including Fifth Third Bancorp President and CEO Greg Carmichael, hit a note of caution in a sea of smiles.

During an audience poll, 51 percent said the nation will see a period of economic growth ahead but 28 percent said the nation has hit a high point economically. Bank stock prices soared following the presidential election. Credit metrics are in good shape and profitability is up. Capital levels are higher than they’ve been in decades. And political power in Washington has turned against bank regulation, as evidenced by the U.S. Treasury Department’s recent report on rolling back the Dodd-Frank Act.

“It’s unlikely we will have increasing regulatory burdens and instead, we’ll go regulatory light,” said Steve Hovde, an investment banker and chairman and CEO of Hovde Group.

Although there’s a sense that bank stocks may be overvalued at this point, or “cantilevered over a pillar of hope,’’ as Comerica Chief Economist Robert Dye put it, the economy itself is resilient. “We’ll have another recession and we’ll get through it fine,” he said.

But financial technology is transforming the industry and creating entirely new business models, said Carmichael. That won’t be a problem for banks as long as they adapt to the change. “The volume and pace of what’s emerging is amazing,’’ he said. “I’ve never seen it before in our industry.”

Carmichael, who has an unusual background as a bank CEO—he was originally hired by the bank in 2003 to serve as its chief information officer—is working hard to transform Fifth Third.

Sixty percent of the bank’s transactions are now processed through digital channels, such as mobile banking. Forty-six percent of all deposits are handled digitally. And the bank has seen an increase of 17 percent in mobile banking usage year-over-year.

To meet the needs of its customers, Fifth Third recently announced it had joined the person-to-person payments network Zelle, an initiative of several large banks. It has a partnership with GreenSky, which will quickly qualify consumers for small dollar loans, and which Fifth Third invested $50 million into last year. Consumers can walk into a retailer such as Home Depot, order $17,000 worth of windows, and find out on the spot if they qualify for a loan.

Fifth Third is gradually reducing its branch count, and new branches are smaller, with fewer staff that can handle more tasks. Carmichael is trying to make the organization more agile, with less bureaucracy, and less cumbersome documentation.

Automation will allow the bank to automate processes “and allow us to better service our customers instead of focusing on processes that don’t add value,” he said.

Banks that are going to do better are those that can use the data they have on their customers to better serve them, he said. But when it comes to housing enormous amounts of personal and financial data on their customers, the biggest worry for bank CEOs is cybersecurity risk, Carmichael said–not the traditional commercial banking risk, which is credit.

When he was a chief information officer, executives often asked how the bank could make its network secure, and his completely honest response was, “when you turn it off.”

Adding to the cybersecurity challenge, returns on capital are low for the industry compared to other, more profitable sectors, and measures of reputation are middling for banks compared to more popular companies such as Apple, Nordstrom, Netflix and Netflix.

Carmichael encouraged banks not to get mired in pessimism.

“There’s a lot of change but we can step up and embrace it and leverage it to better serve our customers and create more value for our shareholders and contribute to the success of our communities,” he said.

What’s Changed When It Comes to Audit & Risk?


It’s not surprising that in the wake of the financial crisis, risk has become a much more important topic on bank boards. What’s more surprising is that it is still front and center, even as credit and economic conditions have remarkably improved.

As Bank Director hosts its Bank Audit & Risk Committees Conference in Chicago this week, risk still is top of mind for attendees and speakers. There are a few notable changes, though, during the past few years.

Five or six years ago, much of the talk for community bank boards was about starting an enterprise risk management system. Regulators were talking about it. Bank officers were talking about it. Boards were trying to figure out how to manage the bank’s various risks in a more integrated, comprehensive manner.

Now, enterprise risk management has plateaued at many banks, says Tim Kosiek, a certified public accountant and partner at Baker Tilly, an accounting and advisory firm. Fewer people are talking about it, or starting new programs. Many banks have already established ERM programs, especially those above $1 billion in assets.

“Bankers are not finding this showing up in the regulatory exams to the degree it was five or six years ago,” says Kosiek, mostly because credit conditions have improved.

ERM still has no set framework. There are no set guidelines from regulators that will tell you exactly how to set one up, or what the perfect ERM program looks like.

But as part of it, compared to four or five years ago, many more banks do have a risk appetite statement, and boards are discussing their risk tolerances for various types of risk, such as credit and compliance.

Challenges still remain. For example, it’s still tough for banks to ensure that their various divisions are sticking to the risk tolerances that have been established, Kosiek says. Also, not all banks have a comprehensive enterprise risk management program in place. The people in charge of risk in the organization don’t necessarily have their compensation clearly tied to their performance as risk officers, for example.

Still, despite those challenges, there are some areas where banks have made significant progress as a whole. In general, bank boards are much more likely to discuss cybersecurity risk. They want to learn about it, they want regular updates from bank management and they want to ensure their organizations have good defenses.

In Bank Director’s 2014 Risk Practices Survey, 51 percent of bank directors said cybersecurity was a top concern. In 2017, 85 percent did.

It’s no secret why they are worried. The reality that pretty much every bank is vulnerable has set in. Twenty-six percent of respondents to Bank Director’s 2017 Risk Practices Survey said their bank has experienced a data breach in the last two years.

It’s not just the risk but the difficulty getting a handle on the risk that is so vexing. Cyberattacks, with their constantly changing bad actors and tactics, are difficult to prepare for.

“[Bankers] have spent so much time on credit risk, which they can have an influence on,’’ Kosiek says. “In the cyber side, they just don’t have all the information.”

The topic is so high up on the board’s agenda, Bank Director digital magazine devoted an entire issue to cybersecurity.

While bank boards fretted over cybersecurity concerns during the last few years, they also had to get ready for one of the biggest accounting changes in decades, CECL, which stands for current expected credit loss standard. Basically, banks must start estimating losses for loans and other assets as soon as they acquire them for the life of the asset. CECL goes into effect for public banks’ fiscal years after Dec. 15, 2019 and for nonpublic banks a year later. Audit committees are overseeing the process.

For more information on preparing your bank for the standard, see The Audit & Risk issue.

All these changes are one reason the job of serving on an audit or risk committee is certainly one of the toughest on a bank board. Even as banks have watched their profitability and credit metrics improve in the last few years, the focus on risk coming out of the financial crisis has not gone away. It has only shifted.

Fintech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters


Financial technology, or fintech, is creating a dynamic range of new services and products for banks. Much of the initial discussion about fintech focused on disruption and replacement of traditional banking products and services.

Now, fintech is evolving and is creating new opportunities for banks to expand their products and services, as well as creating various non-interest revenue possibilities through partnering and joint venturing with fintech entities.

Increasingly, fintech entities such as online lenders and payment systems are turning towards partnering and joint venturing with banks for a simple reason: they need banks. They need banks because banks can hold federally insured deposits and have the experience and track record of existing and prospering under various federal and state regulatory regimes. However, working with a fintech is not necessarily a voyage into uncharted waters: while regulators may adapt with new technologies, banks are comfortable working in the existing banking regulatory ecosystem.

Some existing examples of fintech entities working with banks include:

  • licensing online lending platforms
  • licensing online customer interface platforms
  • using banks as insured depository support for payment systems
  • developing cryptocurrencies
  • developing digital tools that allow banks to mine and harness data for more efficient operations

State and federal regulators are expanding their ever-advancing regulatory agenda to cover fintech’s unique aspects. Indeed, the Office of the Comptroller of the Currency recently announced plans to start issuing Special Purpose National Bank charters to fintech entities, which the state regulators are heavily criticizing. Fintech entities are debating whether they will seek a federal charter in its proposed form.

Nevertheless, if your bank is considering working with a fintech entity, you should consider the following issues:

Strategic Plan: The first, and primary issue that your bank should consider is whether the fintech opportunity fits your bank’s strategic vision and innovation plan. If the opportunity does not, the relationship may not only be not successful, but ultimately detrimental to your bank’s efforts in this area.

Vendor Management: Vendor management is an especially critical area because most banks will choose to work with a fintech entity that owns, develops and services the technology. The key for banks in this area is to know their fintech partner and understand the deal. Fintech partners can range from early-stage start-ups to mature entities. Many of these fintech entities have little bank regulatory experience and may be learning as they develop and deploy their products without the legacy regulatory experience. They may also propose contract terms that expose banks to unnecessary risks. The challenge for banks is to conduct thorough due diligence on their fintech partner and understand the agreement.

Cybersecurity: Because essentially all fintech-based products and services are online, cybersecurity is a significant consideration. Additionally, most fintech accumulates and evaluates customer data, which is very attractive to cybercriminals. The critical issue for banks is the ability to ensure that their fintech partners are employing best-of-class cybersecurity practices, not simply regulatory compliant cybersecurity, because the cybercriminals are almost always one step ahead of their targets, as well as the regulators. This will also help the bank protect itself in the event of a data breach or an attack.

Data Privacy: If your bank is working with a fintech, it should ensure that there are provisions to protect your customers’ data so that it is not used or disseminated in a way that violates the law, as well as provide adequate disclosures to your customers about how their data is used.

Consumer Banking Laws and Regulations: If a bank is working with a fintech entity in providing any type of consumer services, federal and state consumer lending laws and regulations will likely apply to that activity. The combination of new technologies and a fintech entity without a great deal of regulatory experience could spell trouble for a bank partner.

Bank Secrecy Act/Know Your Customer/Anti-Money Laundering: BSA/KYC/AML issues remain critically important for regulators, and fintech entities working with banks need to be fully versed in them.

Even considering the regulatory and related issues, working with a fintech is not a voyage into uncharted waters. The tide is also changing, and fintech can provide your bank potentially great opportunities to grow and develop as technology evolves and as fintech entities mature in this sector.

A Review of Emerging Technology Trends



The emergence of a vibrant financial technology sector has dramatically changed the banking industry by enabling new products and services that cater to the needs and preferences of consumers in today’s digital age. In preparation for FinTech Week, an event that FinXTech is holding April 25-26 in New York, here is a look back at our recent coverage of emerging technology trends and innovation strategies for banks. These stories have appeared on the BankDirector.com website, and in digital and print versions of Bank Director magazine.

ARE YOU A BANKER OR A VISIONARY?
The power of digital banking goes beyond a fundamentally different, more satisfying customer experience.

MAKING SENSE OF FINTECH LENDING MODELS
What type of fintech lending solution should your bank pursue? In this video, Mike Dillon of Akouba outlines what management teams and boards need to know about these lending models, and how each can benefit the bank.

PAYPAL’S BIG BET
The former eBay subsidiary is turning itself into a global payments powerhouse with mobile at the heart of its strategy.

CYBERSECURITY: A BOARDROOM CONVERSATION
Radius Bank CEO Mike Butler sits down for an interview about how to manage the risk of doing business with fintech companies.

COMMUNITY BANKS TO FINTECH: WE NEED YOU
Banks attending the Acquire or Be Acquired Conference in Phoenix, Arizona, discussed ways that technology companies could improve profitability and the customer experience.

GETTING THE MOST OUT OF MOBILE
If you’re on a bank board, it pays to ask some questions about mobile.

HOW STRONG IS YOUR CORE TECHNOLOGY?
Changes in customer preferences and pressure from fintech competitors are forcing banks to innovate. Is your core provider up to the task?

2016 BANK DIRECTOR’S TECHNOLOGY SURVEY
As the banking industry struggles to innovate to meet shifting consumer expectations, 81 percent of bank chief information officers and chief technology officers responding to Bank Director’s 2016 Technology Survey say that their core processor is slow to respond to innovations in the marketplace.

Six Tech Trends for 2017


For capital markets participants worldwide, Nasdaq operates as a pioneer in maintaining market resiliency and mobilizing the latest practical technologies to strengthen and optimize the business performance of our partners and, most importantly, our clients. Amidst a rapidly changing economic and political environment, the technological advances used in financial services during 2016 reached staggering new heights by year-end.

As a financial technology company, we are especially excited about what is in store for 2017. We believe the following technology trends will have a significant impact on the capital markets this year.

Machine Learning and Artificial Intelligence
Machine learning and artificial intelligence will cross-cut almost everything that we do, and it will be applicable across the board—from helping customers to trade to market surveillance. We are bringing in nontraditional data sets including email and text messaging, sentiment and macroeconomics data, and we are mining log files from different systems for insights. The technology will be used to calculate and generate indices and exchange-traded funds. It will also be integrated into exchange matching engines (the system that matches buy and sell orders) so that it can make certain trade decisions.

Collaboration Tools
Secure collaboration software and online portals will play an important part in how corporate directors and leadership teams work as compliance, board management and the need for a central document repository have become increasingly vital business propositions. These web and mobile app-based tools are typically designed with multiple security and functionality features to provide greater governance, engagement and transparency throughout an organization. As more companies begin to integrate collaboration software into their business workflows, the secure sharing of critical information will become more simplified.

Cloud Computing
Cloud providers are taking security seriously, and we anticipate that the financial cloud will soon be more secure than most traditional on-ground data centers. That would potentially allow us to make sensitive information more broadly available than on traditional, centralized databases. Exchanges need to comply with rules and regulations on fair and equal access for clients, so moving front-office applications to the cloud necessitates some technology changes. Running middle-office and back-office applications in the cloud is more straightforward, but in 2017 we will continue work to address the remaining security concerns regarding data separation and customer access to data.

Data Analytics
The ability to mine data, normalize it, update analytics in real time and present it in a consolidated view is a source of competitive advantage. We are now seeing a seismic shift across the industry with machine learning and artificial intelligence enabling users to eliminate bias in the analysis and discover new patterns in the data.

There will be a diverse set of use cases for data analytics within financial services, including its application in the investor relations function, where analytics can assist the IR team by aggregating specific investor data points, filtering institutional investors by the positions they hold in your company’s stock and identifying specific investment characteristics.

Mobile Technology
Advancements in mobile technology have changed the way business professionals collaborate and access information. A new generation of cloud-based applications has simplified information sharing across device types. For example, we have combined mobile technology with other technologies—particularly cloud and blockchain—to enable remote proxy voting. To some extent, financial firms have been laggards in adopting mobile technology because of the security concerns, but addressing those will drive increased penetration.

Blockchain
Blockchain technology could create important efficiencies in position-keeping and reconciliation. For cash-settled securities, it could accelerate the clearing and settlement time frame from three days to same-day, significantly reducing risk in the system. Collateral could be moved around quickly and easily. On the settlement side, blockchain could complement several services, including managing payments and cash, transferring securities, facilitating collateral and tri-party arrangements, and securities lending.

It is clear that financial services in 2017 will evolve rapidly as new technology is integrated into the marketplace. These technologies will change how financial institutions manage their infrastructure, interact with one another, and ultimately, how industry leaders scale and grow their businesses. We are excited to see how the year unfolds.

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

Handling Today’s Top Risk Challenges



Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.

  • Cybersecurity and Compliance Gaps
  • Five Cybersecurity Best Practices
  • Three Ways to Strengthen Internal Controls

Are Bankers Growing Less Concerned About Fintech Competitors?



I talk to a lot of bankers, and lately I have detected a shift in bankers’ attitudes towards fintech. Just a few years ago, a discussion of fintech with community bankers would have inspired a certain amount of fear. It was widely believed at the time that fintech startups would disrupt and replace traditional banks. Millennials would turn to new marketplace lenders for their credit needs and use the new payment services from the likes of Apple for all their financial needs, leaving the banks with an aging clientele that would eventually die off. As time has passed, bankers and fintech companies alike have come to understand that is simply not going to happen. Going forward, fintech companies need banks just as much, if not more, than banks need them.

I recently saw a presentation titled The Impact of FinTech on Community Banks: Deal Breaker or Money Maker, by Ronald Shevlin, director of research at the consulting firm Cornerstone Advisors. He pointed out that while the number of marketplace lenders has grown rapidly, they still account for just 1 percent of the total loan market. And while they may have seen some growth, it appears they have not done so by keeping their customers happy. According to a U.S. Treasury Department report, marketplace lenders received a customer satisfaction rate of just 15 percent, compared to community banks whose satisfaction rate hit 75 percent.

Shevlin also pointed out that as millennials age, their attitudes towards money are changing. When you are 22 with a couple of thousand dollars in the bank and a couple of credit cards with $2,000 limits, it is easy to choose the flashy and fastest. When we start adding some zeros to their account balances, safety and security begin to matter more than the latest technology. Because of strict regulatory oversight and FDIC insurance, banks have an enormous edge when it comes to consumer comfort with the safety of their funds.

Bankers are starting to realize that they do not need to be innovators. As Shevlin pointed out in his presentation, it is easier to innovate when you don’t have a large installed customer base. Community banks can treat fintech firms like any other vendor. They need to recognize and deploy those innovative processes that survive the birthing process and add value to the bank. Bankers looking at a new technology offered today are asking: Does this add value to the bank? Does it make me more efficient? Are my customers demanding it? If the answers to these questions are no, then there is no need to add the technology to their existing offerings. Fintech companies are no longer scary competitors, but instead are another class of vendors that banks may or may not choose to do business with based on their needs.

Community bankers are worried about the brave new digital world. I go to several conferences during the year and I have noted more than a few cybersecurity vendors in the exhibit hall. I have also noticed that more insurance companies are in attendance offering cyber insurance. One insurance vendor told me that they were seeing several dozen claims related to ransomware alone every day. The CEO of a $300 million bank out west said that cybersecurity was the only issue that kept her up at night.

Jared Hamilton, senior manager of cybersecurity at the consulting firm Crowe Horwath, gave a talk recently on cybersecurity issues where he told the bankers that they needed to pay greater attention to this critical area going forward. There needs to be someone handling cybersecurity for the bank on a full-time basis and not just as part of the administrative or IT functions. He also suggested that the purchase of cybersecurity insurance was not optional. In today’s world, your bank must have this coverage. Judging by the furrowed brows and slumped shoulders I saw in the room at one conference recently, the costs of cybersecurity will become as big a concern for community banks as climbing regulatory costs have been over the past several years.