Banks and other financial institutions are prime targets for hackers because criminals can gain access to financial and personal information that leads them to additional sources of funds. For the same amount of effort, corporate accounts give hackers access to much more data. Criminals are working hard to stay a step ahead of security experts, who are trying their best to protect corporate accounts.
Hackers are looking at the interconnectivity of mobile devices and other systems to find ways to squeeze in viruses and capture information. IT experts are also looking at how they can use interconnectivity to incorporate security tools for banks and other industries.
No system is as secure as banks would like for it to be, which makes it difficult for them to know how much insurance would be sufficient in the event of a breach if they are considering the purchase of coverage.
Any way you approach it, protecting against cyberattacks is an expensive proposition.
Banks and other financial institutions stand to lose more than funds and data. Other potential costs include the loss of brand reputation and losses due to exposure for not complying with security regulations.
Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions also tend to be larger on corporate accounts than on personal accounts, so there is more to lose.
Senior executives and directors don’t always understand the information that their tech departments provide about how they are protecting the bank’s various computer systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80 percent of their employees as “risks” or “novices” relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.
Cybersecurity expert Ariel Evans cautions managers at financial institutions to be aware of IT departments that take a “bottom-up approach” to cybersecurity, which only describes the implementation status of the control and stops at the system level, lacking the ability to detect vulnerabilities within the system. When these cybersecurity systems fail to tie in the business processes to the data assets and systems, the security essentially stops at the system level. A bank may have the most sophisticated, mature security system available, but its effectiveness is nil because it’s not being measured at all.
Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers since it provides them with more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach. (To learn more about why cybersecurity should be a concern for your organization, read this white paper written in conjunction with the NYSE to improve your cybersecurity practices.)
Financial institutions can protect their consumers with cyber risk insurance policies. Many experts question if banks are considering the full cost of what they would risk in the event of a cyberattack. Directors need to carefully assess if they have enough cyber risk insurance. Discussions will no doubt include weighing the cost of the insurance with the amount of protection it provides, due to the large amounts that could be lost in the event of a breach.
Having data about the effectiveness of cybersecurity systems is instrumental in keeping insurance premiums low enough to offset large liability limits.
Directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they’ve taken steps to make employees aware of their responsibilities in keeping accounts secure. Finally, directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply.
Cybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly are expecting the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.
In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.
The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.
Role of the CISO The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.
To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.
Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.
The CISO regularly should brief executives on the following:
Status of Security Controls Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.
Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).
Status of Regulatory Compliance Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.
Upcoming Security Initiatives The CISO should explain current threats and the areas of risk that need to be addressed through various security initiatives, a measure which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also the overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it facilitates risk-informed decision making.
Risk Management Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.
Know What You Know—And What You Don’t No one, not even regulators and examiners, expect C-suite executives to be experts on cybersecurity issues. These executives should, however, understand their banks’ security posture so they can satisfy regulatory expectations and make better, risk-informed decisions for the overall business.
For many bank chief executive officers and their boards, it could be one of their worst nightmares: Hackers have penetrated their bank’s computer systems and possibly made off with highly sensitive customer information, and a series of decisions will have to be made very quickly under a great deal of pressure. What remedial action should be taken, and by whom? Who else should be involved as the bank responds to the situation? And what should the bank tell its customers and its regulators?
The author J.R.R. Tolkien once mused in his popular novel “The Hobbit” that “It does not do to leave a live dragon out of your calculations if you live near him.” The metaphorical dragon that bankers need to include in their calculations is a global army of hackers—some representing nation states, some just crooks and some a combination of the two—that has emerged as one of the greatest threats facing the banking industry today. As even the smallest, most conservative banks in the country continue to adopt an increasing array of digital strategies, the industry’s cyber risk exposure has increased accordingly. And that’s why when the cyber dragon attacks, bankers need a remediation plan that they can activate quickly.
It doesn’t have to be an enormously complex plan—and in fact, the simpler the better. Jena Valdetero, a partner at the law firm Bryan Cave who has lots of experience working with companies, including banks, that have been the target of cyber attacks, says she has seen incident response plans that were 35 pages long that become an encumbrance when responders have to move quickly. “We always say that it’s better to have a three- to five-page incident response plan that hits the highlights and that your team can easily learn, remember, absorb and train on than to have a much larger plan,” she says.
Dave McKnight, a senior manager who leads consulting firm Crowe Horwath’s incident management services, says that he follows the National Institute of Standards and Technology’s Computer Security Incident Handling Guide, which was issued in 2012. “Basically, what this says is, the lifecycle of an incident response program should be preparation, detection and analysis, containment, recovery and then a post-incident review,” McKnight says.
How a bank responds to an incident often depends on its size. Large banks will probably rely on an in-house cybersecurity team, possibly augmented by resources from an outside consulting team that it has on retainer. Most smaller banks that lack the necessary funding to support an in-house response team will rely more on outside firms to handle any incidents that occur. Typically, the response team would operate from what McKnight calls a “playbook,” which is essentially a set of reference materials that would lay out the steps that the response team should take depending on what kind of incident has occurred—ransomware versus denial of service, for example—guiding the team through the various stages including containment, removal and recovery.
“Then there should be some type of look-back activity on how that was handled,” says McKnight. “Was there an opportunity for improvement in either our documentation or our skill set? How do we enrich the rest of our process so that next time around, we do it better, faster and more inclusively?”
If the bank does expect to rely on outside consultants to assist in the remediation effort, McKnight says it’s important to have those arrangements made well in advance, in part because the bank can’t necessarily count on having immediate access those firms when an incident occurs. “Without a retainer, you don’t have a guarantee that someone is going to be available because these aren’t scheduled events,” he says of an attempted or successful hack. But merely having an outside firm on retainer isn’t enough, adds McKnight. The outside firm also needs to be thoroughly familiar with the bank’s operations, networks and cybersecurity defenses before an incident occurs. “I want [them] to understand what our plan and program and capabilities are,” he says. “That way [they’re] addressing my problems… [they’re] doing so swiftly and accurately and you’re not asking for stuff that you should know I don’t have. You’re asking for things I do have as soon as you need them.”
For banks that have a chief information security officer (CISO), this individual would typically quarterback the remediation effort, or, in the absence of a CISO, that role might be assigned to the chief information officer. But in a situation where a hacker has gained access to a bank’s computer systems, the remediation effort entails more than simply kicking them out, assessing the damage (including any loss of data) and putting a recovery plan in place. There often are stakeholders and customers to inform, as well, and possible impacts on the bank’s business. This means that the incident response team should include a wide range of executives throughout the organization.
In addition to the data personnel, members of the remediation team would typically include the bank’s chief executive officer and possibly the chief operating and chief financial officers, as well as members of the public relations team since it will most likely be necessary to communicate with the media in the event of a serious incident. “It really depends on how your organization is set up, but you want key stakeholders in the room—people with senior-level decision-making ability,” Valdetero says.
The board of directors typically does not have a hands-on role in the remediation effort, although the non-executive chairman (or lead director if the CEO also serves as board chairman) should be kept apprised of the remediation efforts as they unfold. Serious data breaches that involve the loss of funds or significant amounts of customer data can pose both a financial and reputational risk to the bank, which is of primary concern to the board of directors.
“I think the role [of the board] is typically overseeing from a high level the management team and making sure they are responding adequately,” Valdetero says. This would include making sure the investigation is being conducted in a thorough manner, that the team has adequate resources and the bank is complying with all applicable laws.
Another important member of the team is the bank’s general counsel if it has one, or outside counsel if it doesn’t. This is critically important if the incident involves the loss of customer information. Valdetero says it’s desirable that banks conduct their investigation under the protection of attorney-client privilege, and a lawyer will provide that protection. “I approach these types of breaches… from my background as a litigator, and as a litigator you’re always thinking worst case scenario,” she explains. “If we are sued down the road as a result of this breach… what do you want to be able to protect from disclosure, if at all possible?” Valdetero adds that while underlying factual information cannot be protected from disclosure, “you can protect legal advice and specific communications that took place for the purpose of getting legal advice, and you need legal advice in these situations because there is a myriad of laws that might be implicated by a breach.”
The bank’s remediation team may also want to reach out to law enforcement agencies such as the Federal Bureau of Investigation or Secret Service in the event of a serious data breach. Phyllis Schneck, managing director and global leader of cyber solutions at Promontory Financial Group, advises banks to establish a relationship with these agencies in advance so a communication link already exists when an incident occurs. “Typically, you want your law enforcement relationships [established] ahead of time,” Schneck says. “You want to know who to call by first name, and they’ll do that for you. You do not want to be calling 1-800-law enforcement when your hair is on fire.”
Banks are required to inform their primary federal regulator when “the institution becomes aware of an incident involving unauthorized access or use of sensitive customer information…,” according to interagency guidance on data security issues. The guidance defines sensitive customer information as a customer’s name, address or telephone number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.
Banks also have a legal obligation under the guidance to inform their customers when a serious data breach has occurred. “Financial institutions have an affirmative duty to protect their customer’s data against unauthorized access or use,” the guidance states. “Notifying customers of a security incident involving the unauthorized access or use of the customer’s information… is a key part of that duty.”
What should customers be told and when should they be told it? “In my opinion, you should tell them exactly what’s going on and if you’ve run a good cybersecurity program that will be a good message,” Schneck says. “Everybody understands that these events will happen and that we can’t prevent them 100 percent. If you have a good program, you’ll be able to bounce back.” However, in the event of a serious data breach, the bank may find itself trying to balance the need to communicate to customers quickly that an incident has occurred that could negatively impact them, with the need to communicate the correct information.
When Target Corp. was hit with a massive data breach in December 2013, it originally estimated that approximately 40 million customers had been effected. But as Target dug deeper into the breach it was forced to announce later that approximately 70 million customers had been impacted, which suggested that the company was not in full control of the situation. Says Valdetero, “We usually advise clients, if they’re going to make public-facing statements, that generally you should not commit to a specific number of affected individuals.”
While there’s a myriad of technologies and companies on the market trying to make banking data more secure and prevent hacking, knowing which technologies and partners to choose from can be a daunting task. With cyber criminals looking for any conceivable way to get into banking systems, monitoring for potential threats can seem almost impossible. Think of cyber security as a house with multiple “points of access” for potential burglars, like windows or doors. The problem is that each digital access point, from branch networks to remote data centers, presents a distinct set of cyber security problems. This often leads banks to involve multiple software, solutions and partners. The result can be a disjointed cyber security strategy where banks are spread thin dealing with multiple vendors and systems.
That’s precisely the issue that Live Oak Bank—a North Carolina institution specializing in small business loans—faced as the bank’s employees were looking to improve their cybersecurity. Part of Live Oak’s promise to its customers is top-notch cyber security, but with their systems, the bank struggled to gain visibility into every potential point of access that cyber criminals might seek to exploit.
“We really wanted to protect ourselves across the board,” recalls Thomas Hill, chief technology officer at Live Oak. “But we had to address each potential security issue with separate technologies, which quickly became overwhelming. You’ve got to monitor all these devices and systems all the time, and be on top of them if—and when—a hacker comes in.”
Hill and Live Oak began evaluating options to respond to breaches quickly when they happen, and possibly detect them ahead of time. They decided to partner with Seattle-based cybersecurity company, DefenseStorm.
“Live Oak needed visibility into all areas of its network to support company-wide security and operational activities,” explains DefenseStorm chief technology officer Sean Cassidy. “With branches, staff and data centers located across the U.S., [employees] had multiple systems to monitor each point of access. They needed a way to consolidate visibility into each system, while still allowing the systems to continue operating as intended.”
DefenseStorm’sstack of cybersecurity capabilities includes real-time incident reporting, automated initial threat response and—most importantly—a proprietary big data engine built specifically for banks to analyze metadata patterns that could be indicative of a hack. Live Oak was then able to aggregate all their cyber security logs and event data into one analysis engine—with the objective of increasing visibility of security threats, and speeding up reaction time to potential breaches. They did this by implementing software that aggregates data from existing systems, and places it all into a single, easy-to-monitor dashboard. Incident tracking for compliance purposes also became more efficient, allowing the bank to report cyber incidents to state and federal regulatory agencies sooner than before.
“DefenseStorm’s incident response system allows me to not only easily see data indicating a potential hack, it allows me to immediately assign it to one of our engineers,” says Hill of Live Oak. “It really empowers them to focus in-depth on potential threats and dig deep to see if there’s a hack underway.”
DefenseStorm also continues to provide Live Oak with 24-hour monitoring and support through its so-called Guardian team, who are also responsible for offering assistance in investigating—and uncovering—potential threats. The Guardian team provides advice and recommendations to Live Oak on how to better secure its network in the future. This underscores the trend of“threat hunting,” as businesses and organizations seek to be more proactive in how they monitor systems for potential hackers.
Live Oak’s previous security system was unable to perform accurate and timely security analyses, mainly due to the increasingly large amount of data traffic occurring on the bank’s networks. Reaction time to security incidents has been greatly reduced, says Cassidy.
Finally, one of the most unique parts of this partnership is that Live Oak has chosen to participate as a proof of concept customer for features and capabilities of DefenseStorm’s software that are in the final stages of development. “With all the tools and support they provide, DefenseStorm is really turning out to be a Swiss Army knife for us—and potentially the entire banking industry,” says Hill. “This partnership has been a huge win.”
Issues like cybersecurity, digital transformation and future business models now require the attention of not just management teams, but also bank boards. As directors engage more deeply in these issues, Bill Fisher of Diligent explains how they can enhance the effectiveness of the board to be a true strategic asset to the bank.
Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud based cybersecurity solutions.
As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.
This is where DefenseStorm comes in.
Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.
By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.
Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.
Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.
Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems will produce a constant stream of security alerts, many of which are not genuine threats, but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert—and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is only notified if a threat is genuine. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.
The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.
Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make it worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.
For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.
“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”
New York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.
Touted as the first law of its kind in the United States, New York enacted new cybersecurity regulations this year, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.
How Far Does Regulation Go? Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.
It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.
New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets. Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.
Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so, vastly widens the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.
New Duty for Board Members The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.
In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.
This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”
That means nontechnical leaders on the board must take an active role in security oversight.
For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.
It’s not uncommon for companies to have much of the new regulation’s guidelines already in their processes, but it’s good to tie it to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.
What Comes Next Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.
To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.
While the audience was largely optimistic at Bank Director’s Bank Audit & Risk Committees Conference in Chicago yesterday, many of the speakers, including Fifth Third Bancorp President and CEO Greg Carmichael, hit a note of caution in a sea of smiles.
During an audience poll, 51 percent said the nation will see a period of economic growth ahead but 28 percent said the nation has hit a high point economically. Bank stock prices soared following the presidential election. Credit metrics are in good shape and profitability is up. Capital levels are higher than they’ve been in decades. And political power in Washington has turned against bank regulation, as evidenced by the U.S. Treasury Department’s recent report on rolling back the Dodd-Frank Act.
“It’s unlikely we will have increasing regulatory burdens and instead, we’ll go regulatory light,” said Steve Hovde, an investment banker and chairman and CEO of Hovde Group.
Although there’s a sense that bank stocks may be overvalued at this point, or “cantilevered over a pillar of hope,’’ as Comerica Chief Economist Robert Dye put it, the economy itself is resilient. “We’ll have another recession and we’ll get through it fine,” he said.
But financial technology is transforming the industry and creating entirely new business models, said Carmichael. That won’t be a problem for banks as long as they adapt to the change. “The volume and pace of what’s emerging is amazing,’’ he said. “I’ve never seen it before in our industry.”
Carmichael, who has an unusual background as a bank CEO—he was originally hired by the bank in 2003 to serve as its chief information officer—is working hard to transform Fifth Third.
Sixty percent of the bank’s transactions are now processed through digital channels, such as mobile banking. Forty-six percent of all deposits are handled digitally. And the bank has seen an increase of 17 percent in mobile banking usage year-over-year.
To meet the needs of its customers, Fifth Third recently announced it had joined the person-to-person payments network Zelle, an initiative of several large banks. It has a partnership with GreenSky, which will quickly qualify consumers for small dollar loans, and which Fifth Third invested $50 million into last year. Consumers can walk into a retailer such as Home Depot, order $17,000 worth of windows, and find out on the spot if they qualify for a loan.
Fifth Third is gradually reducing its branch count, and new branches are smaller, with fewer staff that can handle more tasks. Carmichael is trying to make the organization more agile, with less bureaucracy, and less cumbersome documentation.
Automation will allow the bank to automate processes “and allow us to better service our customers instead of focusing on processes that don’t add value,” he said.
Banks that are going to do better are those that can use the data they have on their customers to better serve them, he said. But when it comes to housing enormous amounts of personal and financial data on their customers, the biggest worry for bank CEOs is cybersecurity risk, Carmichael said–not the traditional commercial banking risk, which is credit.
When he was a chief information officer, executives often asked how the bank could make its network secure, and his completely honest response was, “when you turn it off.”
Adding to the cybersecurity challenge, returns on capital are low for the industry compared to other, more profitable sectors, and measures of reputation are middling for banks compared to more popular companies such as Apple, Nordstrom, Netflix and Netflix.
Carmichael encouraged banks not to get mired in pessimism.
“There’s a lot of change but we can step up and embrace it and leverage it to better serve our customers and create more value for our shareholders and contribute to the success of our communities,” he said.
It’s not surprising that in the wake of the financial crisis, risk has become a much more important topic on bank boards. What’s more surprising is that it is still front and center, even as credit and economic conditions have remarkably improved.
As Bank Director hosts its Bank Audit & Risk Committees Conference in Chicago this week, risk still is top of mind for attendees and speakers. There are a few notable changes, though, during the past few years.
Five or six years ago, much of the talk for community bank boards was about starting an enterprise risk management system. Regulators were talking about it. Bank officers were talking about it. Boards were trying to figure out how to manage the bank’s various risks in a more integrated, comprehensive manner.
Now, enterprise risk management has plateaued at many banks, says Tim Kosiek, a certified public accountant and partner at Baker Tilly, an accounting and advisory firm. Fewer people are talking about it, or starting new programs. Many banks have already established ERM programs, especially those above $1 billion in assets.
“Bankers are not finding this showing up in the regulatory exams to the degree it was five or six years ago,” says Kosiek, mostly because credit conditions have improved.
ERM still has no set framework. There are no set guidelines from regulators that will tell you exactly how to set one up, or what the perfect ERM program looks like.
But as part of it, compared to four or five years ago, many more banks do have a risk appetite statement, and boards are discussing their risk tolerances for various types of risk, such as credit and compliance.
Challenges still remain. For example, it’s still tough for banks to ensure that their various divisions are sticking to the risk tolerances that have been established, Kosiek says. Also, not all banks have a comprehensive enterprise risk management program in place. The people in charge of risk in the organization don’t necessarily have their compensation clearly tied to their performance as risk officers, for example.
Still, despite those challenges, there are some areas where banks have made significant progress as a whole. In general, bank boards are much more likely to discuss cybersecurity risk. They want to learn about it, they want regular updates from bank management and they want to ensure their organizations have good defenses.
In Bank Director’s 2014 Risk Practices Survey, 51 percent of bank directors said cybersecurity was a top concern. In 2017, 85 percent did.
It’s no secret why they are worried. The reality that pretty much every bank is vulnerable has set in. Twenty-six percent of respondents to Bank Director’s 2017 Risk Practices Survey said their bank has experienced a data breach in the last two years.
It’s not just the risk but the difficulty getting a handle on the risk that is so vexing. Cyberattacks, with their constantly changing bad actors and tactics, are difficult to prepare for.
“[Bankers] have spent so much time on credit risk, which they can have an influence on,’’ Kosiek says. “In the cyber side, they just don’t have all the information.”
The topic is so high up on the board’s agenda, Bank Director digital magazine devoted an entire issue to cybersecurity.
While bank boards fretted over cybersecurity concerns during the last few years, they also had to get ready for one of the biggest accounting changes in decades, CECL, which stands for current expected credit loss standard. Basically, banks must start estimating losses for loans and other assets as soon as they acquire them for the life of the asset. CECL goes into effect for public banks’ fiscal years after Dec. 15, 2019 and for nonpublic banks a year later. Audit committees are overseeing the process.
All these changes are one reason the job of serving on an audit or risk committee is certainly one of the toughest on a bank board. Even as banks have watched their profitability and credit metrics improve in the last few years, the focus on risk coming out the financial crisis has not gone away. It has only shifted.
Financial technology, or fintech, is creating a dynamic range of new services and products for banks. Much of the initial discussion about fintech focused on disruption and replacement of traditional banking products and services.
Now, fintech is evolving and is creating new opportunities for banks to expand their products and services, as well as creating various non-interest revenue possibilities through partnering and joint venturing with fintech entities.
Increasingly, fintech entities such as online lenders and payment systems are turning towards partnering and joint venturing with banks for a simple reason they need banks. They need banks because banks can hold federally insured deposits and have the experience and track record of existing and prospering under various federal and state regulatory regimes. However, working with a fintech is not necessarily a voyage into uncharted waters while regulators may adapt with new technologies, banks are comfortable working in the existing banking regulatory ecosystem.
Some existing examples of fintech entities working with banks include:
licensing online lending platforms
licensing online customer interface platforms
using banks as insured depository support for payment systems
developing digital tools that allow banks to mine and harness data for more efficient operations
State and federal regulators are expanding their ever-advancing regulatory agenda to cover fintech’s unique aspects. Indeed, the Office of the Comptroller of the Currency recently announced plans to start issuing Special Purpose National Bank charters to fintech entities, which the state regulators are heavily criticizing. Fintech entities are debating whether they will seek a federal charter in its proposed form.
Nevertheless, if your bank is considering working with a fintech entity, you should consider the following issues:
Strategic Plan: The first, and primary issue that your bank should consider is whether the fintech opportunity fits your bank’s strategic vision and innovation plan. If the opportunity does not, the relationship may not only be not successful, but ultimately detrimental to your bank’s efforts in this area.
Vendor Management: Vendor management is an especially critical area because most banks will choose to work with a fintech entity that owns, develops and services the technology. The key for banks in this area is know their fintech partner and understand the deal. Fintech partners can range from early-stage start-ups to mature entities. Many of these fintech entities have little bank regulatory experience and may be learning as they develop and deploy their products without the legacy regulatory experience. They may also propose contract terms that expose banks to unnecessary risks. The challenge for banks is to conduct thorough due diligence on their fintech partner and understand the agreement.
Cybersecurity: Because essentially all fintech-based products and services are online, cybersecurity is a significant consideration. Additionally, most fintech accumulates and evaluates customer data, which is very attractive to cybercriminals. The critical issue for banks is the ability to ensure that their fintech partners are employing best-of-class cybersecurity practices, not simply regulatory compliant cybersecurity, because the cybercriminals are almost always one step ahead of their targets, as well as the regulators. This will also help the bank protect itself in the event of a data breach or an attack.
Data Privacy: If your bank is working with a fintech, banks should ensure that there are provisions to protect your customer’s data so that it is not used or disseminated in a way that violates the law, as well as provide adequate disclosures to your customers about how their data is used.
Consumer Banking Laws and Regulations: If a bank is working with a fintech entity in providing any type of consumer services, federal and state consumer lending laws and regulations will likely apply to that activity. The combination of new technologies and a fintech entity without a great deal of regulatory experience could spell trouble for a bank partner.
Bank Secrecy Act/Know Your Customer/Anti-Money Laundering: BSA/KYC/AML issues remain critically important for regulators and fintech entities working with banks need to be fully versed in them.
Even considering the regulatory and related issues, working with a fintech is not a voyage into uncharted waters. The tide is also changing, and fintech can provide your bank potentially great opportunities to grow and develop as technology evolves and as fintech entities mature in this sector.