Embracing Disruption: Why Banks and Fintechs Should Work Together in a Regulated Environment


disruption.png

At first glance, financial technology companies and banks are competitors with similar products but different business models. Fintech companies need fast growth to survive. They must exercise quick marketing strategies and adaptive technologies. And they excel at reaching customers in new ways and providing more personalized customer service. Banks, on the other hand, rely on well-established customer networks, deep pockets and industry experience for their success. However, if they want to preserve their customer base and continue to grow, banks will have to adapt to what’s happening in the financial technology space.

Fintech companies and banks both face many unique challenges. Fintech companies must often decide how to allocate limited resources between marketing, intellectual property, compliance and cybersecurity concerns. Banks depend on legacy technology, lack market speed and must continue to keep pace with new banking regulations and technologies. Although both fintech companies and banks face significant legal barriers, they have different needs and strengths. Fintech companies need the deep regulatory experience that banks have developed over many decades. Banks need flexibility to adapt new technologies to changes in the compliance landscape. These differing but not incompatible needs present an opportune cross point for partnership.

The following laws and regulations exemplify a small portion of the regulatory challenges and business relationship opportunities for fintech companies and banks. Please be aware that all financial products—especially new financial technology products with uncharted regulatory profiles–may implicate many other laws not discussed below.

  • Money transmission laws: In order for a fintech company to transfer money between two individuals, it must be licensed under federal and state money transmission laws. State money transmitter laws vary greatly and this creates a considerable barrier to entering the market on a national scale. Banks are generally exempt from state money transmitter laws. Fintech companies can meet money transmitter compliance requirements by strategically structuring the flow of money with banks. Alternatively, fintech companies can act as an authorized agent of a licensed money transmitter service provider.
  • Lending and brokerage laws: State law may require a lender, buyer, servicer or loan broker to be licensed to engage in its respective activity. A fintech company may face severe consequences for unlicensed lending or brokerage practices. Banks in many cases are able to engage in these types of activities. Fintech companies and banks can structure a business relationship to ensure that appropriate legal precautions are in place. Even if a fintech company is licensed, it does not have the ability to use and apply the interest rates of its home state, a power that is afforded to national banks. Fintech companies may be stuck with interest rate limitations set by the state where the borrower lives. Thus, a strategically structured relationship between a bank and fintech company may provide other non-compliance advantages for lending and brokerage products.
  • UDAP/UDAAP laws: Unfair, deceptive or abusive acts or practices affecting commerce are prohibited by law. Both fintech companies and banks face exposure to penalties for engaging in unfair, deceptive or abusive acts. Taking advantage of fintech companies’ adaptive technologies may help banks minimize the risk of committing the prohibited practices. For example, fintech companies may help banks design software that utilizes pop up warnings on a customer’s phones before the customer makes an overdraft.
  • Financial data law: Financial data is a growing industry that has seen increasing regulatory oversight. Both fintech companies and banks collect enormous amounts of data and may use it for various legal purposes. Data is the core part of the fintech business; fintech companies collect data and rely on data. However, fintech startups do not have the legal and technical resources of traditional banks to resolve a variety of regulatory and cybersecurity concerns related to the use of data. Fintech companies can partner with banks, particularly with respect to cybersecurity issues. A bank offering products through or with a third party is responsible for assessing the cybersecurity risk related to that third party and mitigating it, and thus parties should consider some important questions upfront, including where the data is located, who owns it and how it is protected.

Despite the many issues and concerns that may arise from the partnership between fintech companies and banks, cooperation colors the future. Fintech companies can take advantage of the industry knowledge that bankers possess, certain regulatory advantages that banks enjoy and the industry’s cybersecurity infrastructure. Banks can take advantage of fintech companies’ ability to create new products, certain regulatory advantages and adaptability to regulations. With an understanding of the legal and regulatory framework of fintech companies and banks, their different business models can be used as an opportunity rather than a barrier to business.

Aggressive Action Needed to Secure Banking’s Digital Future


cybersecurity.png

As a community bank stock investor one of my biggest tasks is to read. To stay on top of what is going on in the industry I read all the pertinent releases from the FDIC, the Fed and the OCC. I also read a few bank hundred earnings reports every quarter as well as the transcripts of the company conference calls if they are available. Over the years it became obvious that I needed to stay informed of developments concerning the major lending markets so I added reports from homebuilders, real estate developers and REITs to the mix. When it became clear that fintech was going to change the industry in a meaningful way, I added the reports of public fintech companies to the mix as well.

In reading the fintech reports one thing became very obvious to me. The key to fintech’s future is going to be cybersecurity. None of the innovation and productivity improvements offered by the new technology for banking means anything if the data and funds can easily be hacked, manipulated or stolen. So I have added cybersecurity companies to my reading list and that’s what led me to the transcript of a quarterly call with the CEO of Vasco Data Security Systems.

Vasco is a leader in providing two-factor authentication and digital signature solutions to financial institutions. It does business with many of the world’s largest financial institutions and has more than 10,000 customers around the globe. Founder and CEO Ken Hunt has been involved in the cybersecurity industry since the 1990s and has seen its growth explode as cyber crime became the next big thing in criminal activity. On his most recent conference call he discussed the current trends in cybersecurity with a special emphasis on the banking industry.

The growing use of EMV cards has made it more difficult to steal data and funds during the payment process. While Hunt sees this as a major step forward in protecting the customer’s money, it has not deterred the cyber thieves but merely pushed them in new directions such as mobile and online banking as venues for stealing data and funds.

Hunt pointed out that according to a recent report from consulting firm KPMG nearly three out of four consumers–and almost 90 percent of millennials–use mobile banking. While it is the wave of the future, unfortunately it is also one of the most vulnerable points in the banking process. Staying out in front of potential cyber threats to their mobile banking systems will be critical for banks going forward as the same study points out that most consumers would switch banks if their current institution was hacked and it did not take immediate steps to fix the situation and reimburse their losses. Banks have to offer mobile platforms for competitive and customer preference reasons, but they will also have to spend money to keep the platform secure from what will be relentless hacking efforts by the bad guys.

According to Hunt, biometric identification is going to be a big part of the mobile security solution. We are already seeing some banks and credit card processors use fingerprints and what MasterCard is calling “selfie” identification to control access to mobile banking and payment systems. He cited a study recently released by Acuity Market Intelligence that estimates that by the end of 2018 all smartphones shipped will contain a biometric identification system. Banks that want to stay in the forefront of mobile banking will need to consider adopting such a system if they want to retain a security conscious customer base.

While mobile is a cyber security hot spot, Hunt also referenced what he called the “enduring nature” of hardware-based security. Cyber attacks against banks are not going to go away, but will become more aggressive and sophisticated over time. Hardware-based security programs will need to be constantly updated. Traditional bank robberies have declined in number in recent years. Typically, they are the work of not very bright criminals, and an estimated 98 percent of them are captured and spend a significant portion of their lives as guests of Uncle Sam. Cyber criminals tend to be smarter and have the luxury of being able to attack from remote locations. They will be much harder to catch and their tactics will evolve as protection systems grow stronger, so it is likely that hacking attempts directed at banks will continue to grow a rapid pace.

Fintech is changing banking and it is happening very quickly, particularly in the mobile space. Reading Hunts discussion with investors and analysts reveals that banks that want to survive and thrive will need to take aggressive action to protect customer data and funds as we move into an increasingly digital and mobile world of banking.

Raising the Bar: Top Challenges Facing Bank Boards


Regulators are expecting more and more from bank management teams and boards. In this video, Lynn McKenzie, a partner at KPMG, offers solutions to help address the top challenges facing the industry.

  • Legal and Regulatory Compliance
  • Cybersecurity
  • Financial and Regulatory Reporting
  • Vendor Risk Management

Taking on the Toughest Challenges


As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.

Highlights from this video:

  • Top Issues for Audit & Risk Committees
  • Aligning Growth Strategy & Risk
  • Evaluating Partnership Opportunities
  • Addressing Technology & Cybersecurity as a Board

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


cybersecurity-6-6-16.pngUpdates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

Three Critical Challenges for Bank Audit Committees


audit-committee-5-17.pngAs the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

Technology’s Old Guard Focuses on Cybersecurity


cybersecurity.png

In the good old days, robbing a bank took some logistical planning. You needed enough gun-wielding associates to cover the lobby while the heist went down, and of course you needed a getaway car and a place to lay low. Today, all you need to rob a bank is a cheap laptop, some hacking skills and a high speed wireless connection. Talk to bankers and they’ll tell you that cybersecurity is their top concern. The reputational risk of a successful attack, let alone the potential financial exposure, is devastating.

Famed bank robber Willie Sutton once said he kept robbing banks because that’s where the money was. Of course, cyber thieves now steal identities and credit information instead of greenbacks, and their dogged persistence has turned cybersecurity into a growth industry. According to a recent report published by Homeland Security Research Corp., “Banking and Financial Services Cybersecurity: U.S. Market 2015-2020,” the financial services industry is the largest nongovernment cybersecurity market in the country. The industry is projected to spend $75 billion between 2016 and 2020 on cybersecurity measures.

Technology companies are well aware of the size and potential of the financial institutions marketplace for cybersecurity products and are rushing to develop products to meet the need. I doubt that many of the smaller ones will make much headway in financial services without partnering with a major tech firm. The career risk for a bank chief technology officer who hires Garage Genius Cyber Security is too great. Hiring a new young, innovative company gets you fired if an attack is successful. Hiring an old established well known company not only helps protect the bank from attack, it helps protect the CTO’s job if something goes wrong.

The older, more established companies are aware they have to keep up and are partnering with or acquiring new startups with promising cybersecurity products and services. This should allow them to offer cutting edge services to the financial community and still offer the peace of mind of a well-established and deep pocketed technology provider.

Already very active in the bank cybersecurity market, IBM has been buying up smaller cybersecurity companies and I expect that to continue as the company moves to counter new and developing threats. Vasco Data Security International–a world leader in two-factor authentication and transaction signing for financial institutions with more than half the world’s top 100 banks on their client roster — last year completed its acquisition of Silanis Technology Inc., a leading provider of electronic signature and digital transaction solutions that had a strong presence in the financial institutions marketplace.

Unisys’ new Stealth cybersecurity products can be used to protect your core data as well as mobile and cloud based platforms. And Cisco will continue to build its presence in the financial services cybersecurity market via acquisition. The company started down this path in 2013 by buying Sourcefire and have since added ThreatGRID, OpenDNS, and Lancope, and I expect it to make additional acquisitions as well.

Given their elevated concern about cybersecurity, most financial institutions are going to be reluctant to use smaller, younger companies—which means the established technology leaders should see the bulk of the money. And they, in turn, will have to be aggressive about buying and developing new technology to remain in front of the increasingly innovative and aggressive attacks that criminals will employ.

How Banks Can Increase Cybersecurity Risk Management


cybersecurity-5-6-16.pngIn mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, emails can be opened by employees who unwittingly release customized and often quite sophisticated malware (the software used by hackers to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks and the opportunities and attempts for unauthorized access have increased. Yet some security mechanisms such as firewalls are no longer enough to protect an institution from modern threats. Although in some cases they thwart cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a rich risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats in the entire universe of the banking system.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls will help to monitor and alert an organization of any malicious or unauthorized activity, including malicious activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


cybersecurity-3-21-16.pngFor 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.— now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

To view the full results to the survey, click here.

Cybersecurity: Five Best Practices To Protect Your Bank


Cybersecurity: Five Best Practices To Protect Your Bank



Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.

  • Cybersecurity and the Board
  • The FFIEC Cybersecurity Assessment
  • Detecting an Intrusion