Fifth Third CEO Says Pace of Bank Industry Change Is Fastest He’s Ever Seen


While the audience was largely optimistic at Bank Director’s Bank Audit & Risk Committees Conference in Chicago yesterday, many of the speakers, including Fifth Third Bancorp President and CEO Greg Carmichael, hit a note of caution in a sea of smiles.

During an audience poll, 51 percent said the nation will see a period of economic growth ahead but 28 percent said the nation has hit a high point economically. Bank stock prices soared following the presidential election. Credit metrics are in good shape and profitability is up. Capital levels are higher than they’ve been in decades. And political power in Washington has turned against bank regulation, as evidenced by the U.S. Treasury Department’s recent report on rolling back the Dodd-Frank Act.

“It’s unlikely we will have increasing regulatory burdens and instead, we’ll go regulatory light,” said Steve Hovde, an investment banker and chairman and CEO of Hovde Group.

Although there’s a sense that bank stocks may be overvalued at this point, or “cantilevered over a pillar of hope,’’ as Comerica Chief Economist Robert Dye put it, the economy itself is resilient. “We’ll have another recession and we’ll get through it fine,” he said.

But financial technology is transforming the industry and creating entirely new business models, said Carmichael. That won’t be a problem for banks as long as they adapt to the change. “The volume and pace of what’s emerging is amazing,’’ he said. “I’ve never seen it before in our industry.”

Carmichael, who has an unusual background as a bank CEO—he was originally hired by the bank in 2003 to serve as its chief information officer—is working hard to transform Fifth Third.

Sixty percent of the bank’s transactions are now processed through digital channels, such as mobile banking. Forty-six percent of all deposits are handled digitally. And the bank has seen an increase of 17 percent in mobile banking usage year-over-year.

To meet the needs of its customers, Fifth Third recently announced it had joined the person-to-person payments network Zelle, an initiative of several large banks. It has a partnership with GreenSky, which will quickly qualify consumers for small dollar loans, and which Fifth Third invested $50 million into last year. Consumers can walk into a retailer such as Home Depot, order $17,000 worth of windows, and find out on the spot if they qualify for a loan.

Fifth Third is gradually reducing its branch count, and new branches are smaller, with fewer staff that can handle more tasks. Carmichael is trying to make the organization more agile, with less bureaucracy, and less cumbersome documentation.

Automation will allow the bank to automate processes “and allow us to better service our customers instead of focusing on processes that don’t add value,” he said.

Banks that are going to do better are those that can use the data they have on their customers to better serve them, he said. But when it comes to housing enormous amounts of personal and financial data on their customers, the biggest worry for bank CEOs is cybersecurity risk, Carmichael said–not the traditional commercial banking risk, which is credit.

When he was a chief information officer, executives often asked how the bank could make its network secure, and his completely honest response was, “when you turn it off.”

Adding to the cybersecurity challenge, returns on capital are low for the industry compared to other, more profitable sectors, and measures of reputation are middling for banks compared to more popular companies such as Apple, Nordstrom, Netflix and Netflix.

Carmichael encouraged banks not to get mired in pessimism.

“There’s a lot of change but we can step up and embrace it and leverage it to better serve our customers and create more value for our shareholders and contribute to the success of our communities,” he said.

What’s Changed When It Comes to Audit & Risk?


It’s not surprising that in the wake of the financial crisis, risk has become a much more important topic on bank boards. What’s more surprising is that it is still front and center, even as credit and economic conditions have remarkably improved.

As Bank Director hosts its Bank Audit & Risk Committees Conference in Chicago this week, risk still is top of mind for attendees and speakers. There are a few notable changes, though, during the past few years.

Five or six years ago, much of the talk for community bank boards was about starting an enterprise risk management system. Regulators were talking about it. Bank officers were talking about it. Boards were trying to figure out how to manage the bank’s various risks in a more integrated, comprehensive manner.

Now, enterprise risk management has plateaued at many banks, says Tim Kosiek, a certified public accountant and partner at Baker Tilly, an accounting and advisory firm. Fewer people are talking about it, or starting new programs. Many banks have already established ERM programs, especially those above $1 billion in assets.

“Bankers are not finding this showing up in the regulatory exams to the degree it was five or six years ago,” says Kosiek, mostly because credit conditions have improved.

ERM still has no set framework. There are no set guidelines from regulators that will tell you exactly how to set one up, or what the perfect ERM program looks like.

But as part of it, compared to four or five years ago, many more banks do have a risk appetite statement, and boards are discussing their risk tolerances for various types of risk, such as credit and compliance.

Challenges still remain. For example, it’s still tough for banks to ensure that their various divisions are sticking to the risk tolerances that have been established, Kosiek says. Also, not all banks have a comprehensive enterprise risk management program in place. The people in charge of risk in the organization don’t necessarily have their compensation clearly tied to their performance as risk officers, for example.

Still, despite those challenges, there are some areas where banks have made significant progress as a whole. In general, bank boards are much more likely to discuss cybersecurity risk. They want to learn about it, they want regular updates from bank management and they want to ensure their organizations have good defenses.

In Bank Director’s 2014 Risk Practices Survey, 51 percent of bank directors said cybersecurity was a top concern. In 2017, 85 percent did.

It’s no secret why they are worried. The reality that pretty much every bank is vulnerable has set in. Twenty-six percent of respondents to Bank Director’s 2017 Risk Practices Survey said their bank has experienced a data breach in the last two years.

It’s not just the risk but the difficulty getting a handle on the risk that is so vexing. Cyberattacks, with their constantly changing bad actors and tactics, are difficult to prepare for.

“[Bankers] have spent so much time on credit risk, which they can have an influence on,’’ Kosiek says. “In the cyber side, they just don’t have all the information.”

The topic is so high up on the board’s agenda, Bank Director digital magazine devoted an entire issue to cybersecurity.

While bank boards fretted over cybersecurity concerns during the last few years, they also had to get ready for one of the biggest accounting changes in decades, CECL, which stands for current expected credit loss standard. Basically, banks must start estimating losses for loans and other assets as soon as they acquire them for the life of the asset. CECL goes into effect for public banks’ fiscal years after Dec. 15, 2019 and for nonpublic banks a year later. Audit committees are overseeing the process.

For more information on preparing your bank for the standard, see The Audit & Risk issue.

All these changes are one reason the job of serving on an audit or risk committee is certainly one of the toughest on a bank board. Even as banks have watched their profitability and credit metrics improve in the last few years, the focus on risk coming out of the financial crisis has not gone away. It has only shifted.

Fintech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters


Financial technology, or fintech, is creating a dynamic range of new services and products for banks. Much of the initial discussion about fintech focused on disruption and replacement of traditional banking products and services.

Now, fintech is evolving and is creating new opportunities for banks to expand their products and services, as well as creating various non-interest revenue possibilities through partnering and joint venturing with fintech entities.

Increasingly, fintech entities such as online lenders and payment systems are turning towards partnering and joint venturing with banks for a simple reason: they need banks. They need banks because banks can hold federally insured deposits and have the experience and track record of existing and prospering under various federal and state regulatory regimes. However, working with a fintech is not necessarily a voyage into uncharted waters: while regulators may adapt with new technologies, banks are comfortable working in the existing banking regulatory ecosystem.

Some existing examples of fintech entities working with banks include:

  • licensing online lending platforms
  • licensing online customer interface platforms
  • using banks as insured depository support for payment systems
  • developing cryptocurrencies
  • developing digital tools that allow banks to mine and harness data for more efficient operations

State and federal regulators are expanding their ever-advancing regulatory agenda to cover fintech’s unique aspects. Indeed, the Office of the Comptroller of the Currency recently announced plans to start issuing Special Purpose National Bank charters to fintech entities, which the state regulators are heavily criticizing. Fintech entities are debating whether they will seek a federal charter in its proposed form.

Nevertheless, if your bank is considering working with a fintech entity, you should consider the following issues:

Strategic Plan: The first, and primary issue that your bank should consider is whether the fintech opportunity fits your bank’s strategic vision and innovation plan. If the opportunity does not, the relationship may not only be not successful, but ultimately detrimental to your bank’s efforts in this area.

Vendor Management: Vendor management is an especially critical area because most banks will choose to work with a fintech entity that owns, develops and services the technology. The key for banks in this area is to know their fintech partner and understand the deal. Fintech partners can range from early-stage start-ups to mature entities. Many of these fintech entities have little bank regulatory experience and may be learning as they develop and deploy their products without the legacy regulatory experience. They may also propose contract terms that expose banks to unnecessary risks. The challenge for banks is to conduct thorough due diligence on their fintech partner and understand the agreement.

Cybersecurity: Because essentially all fintech-based products and services are online, cybersecurity is a significant consideration. Additionally, most fintech accumulates and evaluates customer data, which is very attractive to cybercriminals. The critical issue for banks is the ability to ensure that their fintech partners are employing best-of-class cybersecurity practices, not simply regulatory compliant cybersecurity, because the cybercriminals are almost always one step ahead of their targets, as well as the regulators. This will also help the bank protect itself in the event of a data breach or an attack.

Data Privacy: If your bank is working with a fintech, it should ensure that there are provisions to protect your customers’ data so that it is not used or disseminated in a way that violates the law, as well as provide adequate disclosures to your customers about how their data is used.

Consumer Banking Laws and Regulations: If a bank is working with a fintech entity in providing any type of consumer services, federal and state consumer lending laws and regulations will likely apply to that activity. The combination of new technologies and a fintech entity without a great deal of regulatory experience could spell trouble for a bank partner.

Bank Secrecy Act/Know Your Customer/Anti-Money Laundering: BSA/KYC/AML issues remain critically important for regulators and fintech entities working with banks need to be fully versed in them.

Even considering the regulatory and related issues, working with a fintech is not a voyage into uncharted waters. The tide is also changing, and fintech can provide your bank potentially great opportunities to grow and develop as technology evolves and as fintech entities mature in this sector.

A Review of Emerging Technology Trends



The emergence of a vibrant financial technology sector has dramatically changed the banking industry by enabling new products and services that cater to the needs and preferences of consumers in today’s digital age. In preparation for FinTech Week, an event that FinXTech is holding April 25-26 in New York, here is a look back at our recent coverage of emerging technology trends and innovation strategies for banks. These stories have appeared on the BankDirector.com website, and in digital and print versions of Bank Director magazine.

ARE YOU A BANKER OR A VISIONARY?
The power of digital banking goes beyond a fundamentally different, more satisfying customer experience.

MAKING SENSE OF FINTECH LENDING MODELS
What type of fintech lending solution should your bank pursue? In this video, Mike Dillon of Akouba outlines what management teams and boards need to know about these lending models, and how each can benefit the bank.

PAYPAL’S BIG BET
The former eBay subsidiary is turning itself into a global payments powerhouse with mobile at the heart of its strategy.

CYBERSECURITY: A BOARDROOM CONVERSATION
Radius Bank CEO Mike Butler sits down for an interview about how to manage the risk of doing business with fintech companies.

COMMUNITY BANKS TO FINTECH: WE NEED YOU
Banks attending the Acquire or Be Acquired Conference in Phoenix, Arizona, discussed ways that technology companies could improve profitability and the customer experience.

GETTING THE MOST OUT OF MOBILE
If you’re on a bank board, it pays to ask some questions about mobile.

HOW STRONG IS YOUR CORE TECHNOLOGY?
Changes in customer preferences and pressure from fintech competitors are forcing banks to innovate. Is your core provider up to the task?

2016 BANK DIRECTOR’S TECHNOLOGY SURVEY
As the banking industry struggles to innovate to meet shifting consumer expectations, 81 percent of bank chief information officers and chief technology officers responding to Bank Director’s 2016 Technology Survey say that their core processor is slow to respond to innovations in the marketplace.

Six Tech Trends for 2017


For capital markets participants worldwide, Nasdaq operates as a pioneer in maintaining market resiliency and mobilizing the latest practical technologies to strengthen and optimize the business performance of our partners and, most importantly, our clients. Amidst a rapidly changing economic and political environment, the technological advances used in financial services during 2016 reached staggering new heights by year-end.

As a financial technology company, we are especially excited about what is in store for 2017. We believe the following technology trends will have a significant impact on the capital markets this year.

Machine Learning and Artificial Intelligence
Machine learning and artificial intelligence will cross-cut almost everything that we do, and it will be applicable across the board—from helping customers to trade to market surveillance. We are bringing in nontraditional data sets including email and text messaging, sentiment and macroeconomics data, and we are mining log files from different systems for insights. The technology will be used to calculate and generate indices and exchange-traded funds. It will also be integrated into exchange matching engines (the system that matches buy and sell orders) so that it can make certain trade decisions.

Collaboration Tools
Secure collaboration software and online portals will play an important part in how corporate directors and leadership teams work as compliance, board management and the need for a central document repository have become increasingly vital business propositions. These web and mobile app-based tools are typically designed with multiple security and functionality features to provide greater governance, engagement and transparency throughout an organization. As more companies begin to integrate collaboration software into their business workflows, the secure sharing of critical information will become more simplified.

Cloud Computing
Cloud providers are taking security seriously, and we anticipate that the financial cloud will soon be more secure than most traditional on-ground data centers. That would potentially allow us to make sensitive information more broadly available than on traditional, centralized databases. Exchanges need to comply with rules and regulations on fair and equal access for clients, so moving front-office applications to the cloud necessitates some technology changes. Running middle-office and back-office applications in the cloud is more straightforward, but in 2017 we will continue work to address the remaining security concerns regarding data separation and customer access to data.

Data Analytics
The ability to mine data, normalize it, update analytics in real time and present it in a consolidated view is a source of competitive advantage. We are now seeing a seismic shift across the industry with machine learning and artificial intelligence enabling users to eliminate bias in the analysis and discover new patterns in the data.

There will be a diverse set of use cases for data analytics within financial services, including its application in the investor relations function, where analytics can assist the IR team by aggregating specific investor data points, filtering institutional investors by the positions they hold in your company’s stock and identifying specific investment characteristics.

Mobile Technology
Advancements in mobile technology have changed the way business professionals collaborate and access information. A new generation of cloud-based applications has simplified information sharing across device types. For example, we have combined mobile technology with other technologies—particularly cloud and blockchain—to enable remote proxy voting. To some extent, financial firms have been laggards in adopting mobile technology because of the security concerns, but addressing those will drive increased penetration.

Blockchain
Blockchain technology could create important efficiencies in position-keeping and reconciliation. For cash-settled securities, it could accelerate the clearing and settlement time frame from three days to same-day, significantly reducing risk in the system. Collateral could be moved around quickly and easily. On the settlement side, blockchain could complement several services, including managing payments and cash, transferring securities, facilitating collateral and tri-party arrangements, and securities lending.

It is clear that financial services in 2017 will evolve rapidly as new technology is integrated into the marketplace. These technologies will change how financial institutions manage their infrastructure, interact with one another, and ultimately, how industry leaders scale and grow their businesses. We are excited to see how the year unfolds.

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

Handling Today’s Top Risk Challenges



Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.

  • Cybersecurity and Compliance Gaps
  • Five Cybersecurity Best Practices
  • Three Ways to Strengthen Internal Controls

Are Bankers Growing Less Concerned About Fintech Competitors?



I talk to a lot of bankers, and lately I have detected a shift in bankers’ attitudes towards fintech. Just a few years ago, a discussion of fintech with community bankers would have inspired a certain amount of fear. It was widely believed at the time that fintech startups would disrupt and replace traditional banks. Millennials would turn to new marketplace lenders for their credit needs and use the new payment services from the likes of Apple for all their financial needs, leaving the banks with an aging clientele that would eventually die off. As time has passed, bankers and fintech companies alike have come to understand that is simply not going to happen. Going forward, fintech companies need banks just as much, if not more, than banks need them.

I recently saw a presentation titled The Impact of FinTech on Community Banks: Deal Breaker or Money Maker, by Ronald Shevlin, director of research at the consulting firm Cornerstone Advisors. He pointed out that while the number of marketplace lenders has grown rapidly, they still account for just 1 percent of the total loan market. And while they may have seen some growth, it appears they have not done so by keeping their customers happy. According to a U.S. Treasury Department report, marketplace lenders received a customer satisfaction rate of just 15 percent, compared to community banks whose satisfaction rate hit 75 percent.

Shevlin also pointed out that as millennials age, their attitudes towards money are changing. When you are 22 with a couple of thousand dollars in the bank and a couple of credit cards with $2,000 limits, it is easy to choose the flashy and fastest. When we start adding some zeros to their account balances, safety and security begin to matter more than the latest technology. Because of strict regulatory oversight and FDIC insurance, banks have an enormous edge when it comes to consumer comfort with the safety of their funds.

Bankers are starting to realize that they do not need to be innovators. As Shevlin pointed out in his presentation, it is easier to innovate when you don’t have a large installed customer base. Community banks can treat fintech firms like any other vendor. They need to recognize and deploy those innovative processes that survive the birthing process and add value to the bank. Bankers looking at a new technology offered today are asking: Does this add value to the bank? Does it make me more efficient? Are my customers demanding it? If the answers to these questions are no, then there is no need to add the technology to their existing offerings. Fintech companies are no longer scary competitors, but instead are another class of vendors that banks may or may not choose to do business with based on their needs.

Community bankers are worried about the brave new digital world. I go to several conferences during the year and I have noted more than a few cybersecurity vendors in the exhibit hall. I have also noticed that more insurance companies are in attendance offering cyber insurance. One insurance vendor told me that they were seeing several dozen claims related to ransomware alone every day. The CEO of a $300 million bank out west said that cybersecurity was the only issue that kept her up at night.

Jared Hamilton, senior manager of cybersecurity at the consulting firm Crowe Horwath, gave a talk recently on cybersecurity issues where he told the bankers that they needed to pay greater attention to this critical area going forward. There needs to be someone handling cybersecurity for the bank on a full-time basis and not just as part of the administrative or IT functions. He also suggested that the purchase of cybersecurity insurance was not optional. In today’s world, your bank must have this coverage. Judging by the furrowed brows and slumped shoulders I saw in the room at one conference recently, the costs of cybersecurity will become as big a concern for community banks as climbing regulatory costs have been over the past several years.

Bank Regulatory Update: Three Things to Think About for 2017


Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts in smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and truth-in-lending integrated disclosures (TRID).

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.

Cybersecurity Governance: How to Protect the Bank


Modern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.

A successful cyberattack is often quite damaging: it can create legal liabilities, harm brand reputation, erode the trust of customers and partners and, ultimately, reduce revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.

Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.

Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.

Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.

Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:

1. Take a holistic approach.
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.

What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.

2. Increase awareness and training.
Although developed by leadership, information security governance speaks to all employees within the organization and requires a continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.

Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing, and both employees and company training must keep up. This way, if new threats emerge, you will be prepared.

3. Monitor and measure.
Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?

Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.

4. Foster open communication.
Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout. Engagement is key. Consider creating a steering committee comprised of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Promote agility and adaptability.
Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.

Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.

Download the full Diligent white paper: Five Best Practices for Information Security Governance.