2023 Risk Survey Results: Deposit Pressures Dominate

In 2023, the overarching question on bank leaders’ minds is how their organization will fare in the next crisis.

That manifested in increased concerns around interest rates, liquidity, credit and consumer risk, and other issues gauged in Bank Director’s 2023 Risk Survey, sponsored by Moss Adams LLP. The survey was fielded in January, before a run on deposits imperiled several institutions and regulators began closing banks in March, including $209 billion SVB Financial Corp.’s Silicon Valley Bank.

Well before this turmoil, bank executives and board members were feeling the pressure as the Federal Open Market Committee raised rates, leading bankers to selectively raise deposit rates and control their cost of funds. Over the past year, respondent concerns about interest rate risk (91%), credit risk (77%) and liquidity (71%) all increased markedly. Executives and directors also identify cybersecurity (84%) and compliance (70%) as areas where their concerns have increased, but managing the balance sheet has become, by and large, their first priority.

Bank leaders name deposit pricing (51%) and talent retention (50%) among the top strategic challenges their organization faces in 2023. Sixty-one percent say their bank has experienced some deposit loss, with minimal to moderate impacts on their funding base, and another 11% say that deposit outflows had a significant impact on their funding base.

Net interest margins improved for a majority (53%) of bank leaders taking part in the survey, but respondents are mixed about whether their bank’s NIM will expand or contract over 2023.

Three-quarters of bank executives and board members report that business clients remain strong in spite of inflation and economic pressures, although some are pausing growth plans. As commercial clients face increasing costs of materials and labor, talent pressures and shrinking revenues, that’s having an impact on commercial loan demand, some bankers say. And as the Federal Reserve continues to battle inflation against an uncertain macroeconomic backdrop, half of respondents say their concerns around consumer risk have increased, a significant shift from last year’s survey.

Key Findings

Deposit Pressures
Asked about what steps they might take to manage liquidity, 73% of executives and directors say they would raise interest rates offered on deposits, and 62% say they would borrow funds from a Federal Home Loan Bank. Less favored options include raising brokered deposits (30%), the use of participation loans (28%), tightening credit standards (22%) and using incentives to entice depositors (20%). Respondents say they would be comfortable maintaining a median loan-to-deposit ratio of 70% at the low end and 90% at the high end.

Strategic Challenges Vary
While the majority of respondents identify deposit pricing and/or talent retention as significant strategic challenges, 31% cite slowing credit demand, followed by liquidity management (29%), evolving regulatory and compliance requirements (28%) and CEO or senior management succession (20%).

Continued Vigilance on Cybersecurity
Eighty-seven percent of respondents say their bank has completed a cybersecurity assessment, with most banks using the tool offered by the Federal Financial Institutions Examination Council. Respondents cite detection technology, training for bank staff and internal communications as the most common areas where they have made changes after completing their assessment. Respondents report a median of $250,000 budgeted for cybersecurity-related expenses.

Stress On Fees
A little over a third (36%) of respondents say their bank has adjusted its fee structure in anticipation of regulatory pressure, while a minority (8%) did so in response to direct prodding by regulators. More than half of banks over $10 billion in assets say they adjusted their fee structure, either in response to direct regulatory pressure or anticipated regulatory pressure.

Climate Discussions Pick Up
The proportion of bank leaders who say their board discusses climate change at least annually increased over the past year to 21%, from 16% in 2022. Sixty-one percent of respondents say they do not focus on environmental, social and governance issues in a comprehensive manner, but the proportion of public banks that disclose their progress on ESG goals grew to 15%, from 10% last year.

Stress Testing Adjustments
Just over three-quarters of respondents say their bank conducts an annual stress test. In comments, offered before the Federal Reserve added a new component to its stress testing for the largest banks, many bank leaders described the ways that they’ve changed their approach to stress testing in anticipation of a downturn. One respondent described adding a liquidity stress test in response to increased deposit pricing and unrealized losses in the securities portfolio.

To view the high-level findings, click here.

Bank Services members can access a deeper exploration of the survey results. Members can click here to view the complete results, broken out by asset category and other relevant attributes. If you want to find out how your bank can gain access to this exclusive report, contact [email protected].

2023 Risk Survey: Complete Results

Bank Director’s 2023 Risk Survey, sponsored by Moss Adams LLP, finds interest rates and liquidity risk dominating bank leaders’ minds in 2023.

The survey, which explores several key risk areas, was conducted in January, before a run on deposits imperiled several institutions, including $209 billion SVB Financial Corp., which regulators closed in March. Bank executives and board members were feeling pressure on deposit costs well before that turmoil, as the Federal Open Market Committee raised the federal funds rate through 2022 and into 2023.

Over the past year, respondent concerns about interest rate risk (91%), credit risk (77%) and liquidity (71%) all increased markedly. Executives and directors also identify cybersecurity and compliance as areas where their concerns have increased, but managing the balance sheet has become, by and large, their first priority.

Bank leaders name deposit pricing as the top strategic challenge their organization faces in 2023, and a majority say their bank has experienced some deposit loss, with minimal to significant impacts on their funding base. Most respondents say their No. 1 liquidity management strategy would be to raise the rates they pay on deposits, followed by increasing their borrowings from a Federal Home Loan Bank.

While SVB operated a unique business model that featured a high level of uninsured deposits and a pronounced concentration in the tech industry, many banks are facing tension as deposits reprice faster than the loans on their books.

Net interest margins improved for a majority of bank leaders taking part in the survey, but respondents are mixed about whether their bank’s NIM will expand or contract over 2023.

Click here to view the complete results.

Key Findings

Deposit Pressures
Asked about what steps they might take to manage liquidity, 73% of executives and directors say they would raise interest rates offered on deposits, and 62% say they would borrow funds from a Federal Home Loan Bank. Less favored options include raising brokered deposits (30%), the use of participation loans (28%), tightening credit standards (22%) and using incentives to entice depositors (20%). Respondents say they would be comfortable maintaining a median loan-to-deposit ratio of 70% at the low end and 90% at the high end.

Strategic Challenges Vary
While the majority of respondents identify deposit pricing and/or talent retention as significant strategic challenges, 31% cite slowing credit demand, followed by liquidity management (29%), evolving regulatory and compliance requirements (28%) and CEO or senior management succession (20%).

Continued Vigilance on Cybersecurity
Eighty-seven percent of respondents say their bank has completed a cybersecurity assessment, with most banks using the tool offered by the Federal Financial Institutions Examination Council. Respondents cite detection technology, training for bank staff and internal communications as the most common areas where they have made changes after completing their assessment. Respondents report a median of $250,000 budgeted for cybersecurity-related expenses.

Stress On Fees
A little over a third (36%) of respondents say their bank has adjusted its fee structure in anticipation of regulatory pressure, while a minority (8%) did so in response to direct prodding by regulators. More than half of banks over $10 billion in assets say they adjusted their fee structure, either in response to direct regulatory pressure or anticipated regulatory pressure.

Climate Discussions Pick Up
The proportion of bank leaders who say their board discusses climate change at least annually increased over the past year to 21%, from 16% in 2022. Sixty-one percent of respondents say they do not focus on environmental, social and governance issues in a comprehensive manner, but the proportion of public banks that disclose their progress on ESG goals grew to 15%, from 10% last year.

Stress Testing Adjustments
Just over three-quarters of respondents say their bank conducts an annual stress test. In comments, offered before the Federal Reserve added a new component to its stress testing for the largest banks, many bank leaders described the ways that they’ve changed their approach to stress testing in anticipation of a downturn. One respondent described adding a liquidity stress test in response to increased deposit pricing and unrealized losses in the securities portfolio.

Research Report: A Practical Guide to ESG

For years, investors and activists have worked to compel large, public companies to report their stance on environmental, social and governance issues — better known as ESG. And recently, additional pressure has come from bank regulators on one specific ESG risk: climate. Smaller banks, meanwhile, see the writing on the wall and are taking steps to beef up their ESG programs.

As regulated entities, banks are no strangers to many elements of ESG, which Bank Director explores in the newly launched research report Choose Your Path: A Practical Guide to ESG, which is sponsored by Crowe LLP. Board structure and composition, cybersecurity and data privacy, risk management and regulatory compliance are all areas that fall under the governance umbrella. Social elements, which include financial access, diversity and community involvement, also incorporate into day-to-day operations as financial institutions comply with fair lending rules and other regulations. But it’s the ‘E’ for environmental — specifically, measuring greenhouse gas emissions — that frustrates some bankers who would rather focus on serving their communities than spending time and resources on that complex assessment.

In this report, Bank Director provides intelligence for bank boards and leadership teams seeking to better understand the current regulatory and investor landscape, and uncover what’s relevant for their own organizations. Inside, you’ll find:

  • A quick overview of how ESG has become a language of sorts to describe a company’s activities to investors and other stakeholders
  • Where Washington stands on ESG
  • How investors have focused their attention
  • How banks leverage ESG to uncover new opportunities, including how three community banks have identified core areas that are relevant to their own operations
  • Key material matters for banks to prioritize
  • What role boards could play in ESG oversight, and questions directors might ask

“[A]s disclosures grow, [investors] have more information to make comparable decisions, and that will just continue to grow because of the regulatory environment,’’ says Chris McClure, a partner at Crowe who leads the firm’s ESG team.

On Dec. 2, 2022, the Federal Reserve issued a request for comment on proposed principles for institutions over $100 billion in assets. These principles focus on climate-related financial risks: everything from ​​governance and policies and procedures to strategic planning and risk management. It’s in line with similar guidance issued by the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.

At least one Fed Governor doesn’t believe the guidance is necessary: “Climate change is real, but I disagree with the premise that it poses a serious risk to the safety and soundness of large banks and the financial stability of the United States,” stated Christopher Waller. “The Federal Reserve conducts regular stress tests on large banks that impose extremely severe macroeconomic shocks and they show that the banks are resilient.”

In 2023, the Securities and Exchange Commission is expected to finalize its rule around climate disclosure, adding another element of compliance for all publicly traded companies — not just the biggest banks. While some exemptions are anticipated for smaller companies, the rule would expect companies to share how climate-related risks are managed and governed, along with the material impacts of these risks on operations and strategy. Companies could be required to measure greenhouse gas emissions — including emissions by vendors and clients — and share their goals for transitioning to a greener economy.

At the same time, governments in conservative states are working to oppose these rules, going after banks and asset managers that they believe discriminate against the oil and gas or gun sectors. It’s a tricky environment to navigate. Increasingly, some disclosure will be mandated, at least for publicly traded institutions. But bank leaders will still determine their own strategies for the road ahead — and banks that are successful will find the path that’s right for their organization.

To access the report, click here.

If you have feedback on the contents of this report, please contact Bank Director’s vice president of research, Emily McCormick, at [email protected].

Fighting Disaster Through Business Continuity Planning

As Hurricane Ian began to coalesce in the Caribbean in late September, all of Florida hunkered down. This included Climate First Bancorp, the holding company for $250 million Climate First Bank, which serves primarily commercial organizations. The storm was initially expected to make landfall in the U.S. by hitting St. Petersburg, Florida, Climate First’s headquarters. The bank’s leaders knew that they had to begin preparations, so they turned to their business continuity plan. 

The two-year-old bank is also in the middle of shifting its data storage to a third-party, so servers aren’t hosted at individual branches. As the storm rolled forward, though, the bank had to undergo a temporary shift of the data and operations from the St. Pete location to one in Winter Park, near Orlando. This gave the organization protection in case St. Petersburg saw significant damage. 

It served them well. As the state suffered flooding and destruction that reports have estimated between $50 billion and $65 billion, St. Petersburg and Orlando avoided the worst of the storm. Still, customers saw little disruption and the experience further prepared Climate First Bank for another hurricane that would hit weeks later. “We’re a climate focused bank, and this is supposed to be more than a 100-year flood,” says Lex Ford, president at Climate First Bank. “How many years in a row have we had a 100-year flood?”

Business continuity planning isn’t just a nice-to-have, but a requirement by regulators. How robust the continuity plan is, however, will determine how ready the organization can react when unexpected disturbances or upheavals in the normal course of business occurs. With the rate of natural disasters rising, so does the possibility that banks will have to lean on continuity preparation. Boards have a responsibility to ensure that such plans have robust strategies in place, but many organizations lack certain coverage.

Business continuity planning within institutions shifted in response to Covid-19. With more than 80% of executives and directors reporting that their organizations have remote workers, 44% saw a gap in their bank’s business continuity plan with regards to remote work procedures and policies, according to Bank Director’s 2022 Risk Survey, conducted in January 2022. That rate is down from 77% admitting such a gap in 2021. 

Meanwhile, despite the increase in intensity of hurricanes and other tropical storms since 1995, according to the Environmental Protection Agency, only 16% of respondents said their board has discussed the impact of climate change on the organization at least annually, according to the 2022 Risk Survey. Six out of 10 respondents said their board and senior leadership team understood the physical risks the bank faced due to climate change.

But when it comes to continuity preparations, “you’re not just planning for things that are obvious,” says Julie Stackhouse, a director at $27 billion Simmons First National Corp., headquartered in Pine Bluff, Arkansas. Stackhouse also served at the Federal Reserve Bank of Minneapolis in 2001, and was at a meeting in the New York Federal Reserve during 9/11. She witnessed first-hand the response of financial institutions. This experience of seeing banks react to the sudden attack crystalized the importance of continuity planning for Stackhouse.

When a disaster hits, “human beings have an emotional response,” says Stackhouse. Employees will worry about family and friends, not just the bank. During these moments, “you need to think about the practicality of personality,” Stackhouse adds.

How will employees respond under the pressure of an attack or a storm that destroys nearby homes, or a ransomware that could threaten their jobs? Considering those emotions during moments of clarity — and planning for an expectation that some employees won’t be available — is vital to the success of any continuity plan. For boards, ensure that management has considered the employees’ emotional response to such situations, or else the best plan may prove worthless when pressure rises. 

Climate First’s plan deals with the human side by spreading employees across the state. Even with two branches, the majority of its employees work from home. This served them well during Ian. But the bank took its experience with Ian and began to expand the states that it would hire from to ensure an interruption in Florida wouldn’t impact every employee of the bank. Some employees work permanently outside the state, and others occasionally do. “Many [new hires] live three, four, five states away,” Ford says. 

It’s one strategy the bank has used to counter the threat of any one incident shutting the organization down. But it’s a solution unique to the institution itself. For directors, it’s vital to review the continuity plan, seeking insight into key issues for the individual bank. 

“The first question” for boards, says Stackhouse, “is have you seen the business continuity plan? Do you know how often it’s updated? Do you know if the key expectations are laid out in the plan?” 

Stackhouse says that it’s surprising how many directors have failed to even inquire about the plan on this basic level. Once you have looked at the plan, though, you need to go further, asking about how communication will occur if a disturbance to the organization’s infrastructure takes place, Stackhouse says. How will leaders communicate with employees and each other? Banks should have tactics in place for such communication and expect different layers of disruption. You may not know what unexpected disaster could eventually impact the organization, but you can lean on other scenarios — in the news or experienced directly by the bank — to prepare in case communication is disrupted in an unexpected way.

Another key question: Does the bank have business continuity staff? As a director, know what their roles are, what they do and how they handle key issues within the continuity strategy. Having ownership over the continuity plan will prevent it from becoming a secondary concern. “It is never a good answer if it’s everybody’s responsibility,” adds Stackhouse. 

One of the best ways to pressure test your institution’s continuity plan is to have practice runs with scenarios that could prevent the bank from operating. Discussing these scenarios will allow the organization to see what works, what doesn’t and what should be tweaked. Directors should take part in many of those tests, since they will likely be a key resource if a large enough event takes place. Not to mention, in such scenarios, management may lean on boards of directors for guidance.

For community banks, where resources may be more limited, focus on events that are more likely to occur. This will depend on the organization but could be a hurricane or extended power outage or cyberattack. Having run-throughs while leaning on the continuity plan will test what the C-suite has put together. Did communication hold? What additional resources do employees need to do their job? How did they react? Seeing this under a guided test-run will ease nerves if the real event occurs. 

Larger banks may have a team that can run specialized tests to simulate very specific scenarios, like, say, a war or unexpected attack on the nation. While you may not know what scenario will occur, having these test-runs will allow the bank to have case studies on hand, in the event a similar disruption happens.

For Climate First, the plan they put in place served them through the hurricane season this year. They will incorporate their experience into continuity planning for the future. The goal? To ensure customers never realize a disruption occurred. 

With the most distant client living in Hawaii, that person “probably didn’t even know we were going through a storm,” says Ford. 

“And I hope they couldn’t tell.” 

* * *  

For more information about other aspects of business continuity planning, consider reading “Getting Proactive About Third-Party Cyber Risk,” or  “The Topic That’s Missing From Strategic Discussions.” 

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP, surveyed 222 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas. The survey was conducted in January 2022.

Community Banks Fuel the Future of Renewable Energy

The transformational Inflation Reduction Act (IRA) contains a number of provisions designed to entice a large numbers of community and regional banks to deploy capital into renewable energy projects across the US.

Large U.S. banks and corporations have made significant renewable energy tax credit investments for over a decade. Through the IRA, there is greater opportunity for community and regional banks to participate.

The act extends solar tax credits, or more broadly renewable energy investment tax credits, (REITCs) for at least 10 more years, until greenhouse gas emissions are reduced by 70%. It also retroactively increases the investment tax credit (ITC) rate from 26% to 30%, effective Jan. 1, 2022. This extension and expansion of ITCs, along with other meaningful incentives included in the act, should result in a significant increase in renewable energy projects that are developed and constructed over the next decade.

Community banks are a logical source of project loans and renewable energy tax credit investments, such as solar tax equity, in response to this expected flood of mid-size renewable projects. REITCs have a better return profile than other types of tax credit investments commonly made by banks. REITCs and the accelerated depreciation associated with a solar power project are fully recognized after it is built and begins producing power. This is notably different from other tax credit investments, such as new markets tax credits, low-income housing tax credits and historic rehabilitation tax credits, where credits are recognized over the holding period of the investment and can take 5, 7, 10 or 15 years.

Like other tax equity investments, renewable energy tax equity investments require complex deal structures, specialized project diligence and underwriting and active ongoing monitoring. Specialty investment management firms can provide support to community banks seeking to make renewable energy or solar tax credit investments by syndicating the investments across small groups of community banks. Without support, community banks may struggle to consistently identify suitable solar project investment opportunities built by qualified solar development partners.

Not all solar projects are created equally; and it is critical for a community bank to properly evaluate all aspects of a solar tax equity investment. Investment in particular types of solar projects, including utility, commercial and industrial, municipal and community solar projects, can provide stable and predictable returns. However, a community bank investor should perform considerable due diligence or partner with a firm to assist with the diligence. There are typically three stages of diligence:

  1. The bank should review the return profile and GAAP financial statement impact with their tax and audit firm to validate the benefits demonstrated by the solar developer and the anticipated impact of the investment on the bank’s earnings profile and capital.
  2. The bank should work with counsel to identify the path to approval for the investment. Solar tax equity investments are permissible for national banks under a 2021 OCC Rule (12 CFR 7.1025), and banks have been making solar tax equity investments based on OCC-published guidance for over a decade. In 2021, the new rule codified that guidance, providing a straightforward roadmap and encouraging community banks to consider solar tax equity investments. Alternatively, under Section 4(c)(6) of the Bank Holding Company Act, holding companies under $10 billion in assets may also invest in a properly structured solar tax equity fund managed by a professional asset manager.
  3. The bank must underwrite the solar developer and each individual solar project. Community banks should consider partnering with a firm that has experience evaluating and underwriting solar projects, and the bank’s due diligence should ensure that there are structural mitigants in place to fully address the unique risks associated with solar tax equity financings.

Solar tax credit investments can also be a key component to a bank’s broader environmental, social and governance, or ESG, strategy. The bank can monitor and report the amount of renewable energy generation produced by projects it has financed and include this information in an annual renewable energy finance impact report or a broader annual sustainability report.

The benefits of REITCs are hard to ignore. Achieving energy independence and reducing carbon emissions are critical goals in and of themselves. And tax credit investors that are funding renewable energy projects can significantly offset their federal tax liability and recognize a meaningful annual earnings benefit.

Top Priorities for Compensation Committees Today

The compensation landscape in banking is constantly evolving, and compensation committees must evolve with it. We want to highlight three priorities for bank compensation committees today: the rising cost of talent, the uncertain economic environment, and the link between environmental, social, and governance (ESG) issues and human capital and compensation.

The Rising Cost of Talent
The always-fierce competition for top banking talent has intensified in recent years, especially in certain pockets like digital, payments and commercial banking. Banks are using a variety of approaches to compete in this market and make their compensation and benefits programs more attractive, including special one-time cash bonuses or equity awards, larger annual or off-cycle salary increases, flexible work arrangements and other enhanced benefits.

In evaluating these alternative approaches, compensation committees must weigh the value each offers to employees compared to the cost to the bank and its shareholders. For example, increasing salaries provides near-term value to employees but results in additional fixed costs. Special equity awards that vest over multiple years provide less near-term value to employees but represent a one-time expense and are more retentive.

We expect the “hot” talent market, combined with inflation, to continue applying upward pressure on compensation. However, the recent rate of increase in compensation levels is untenable over the long-term, particularly in the current uncertain economic environment. Banks will need to optimize other benefits, such as work-life balance and professional development opportunities, to attract and retain top talent.

The Uncertain Economic Outlook
In 2021, many banks had strong earnings as the quicker-than-expected economic recovery allowed them to reverse their loan loss provisions from 2020. As a result, many banks could afford to pay significantly higher incentives for 2021’s performance than they did for 2020’s performance. The performance outlook for 2022 is unclear. Inflation, rising interest rates and macroeconomic uncertainty will impact bank performance results in 2022. Results will likely vary significantly from bank to bank, based on the institution’s business mix and balance sheet makeup.

Compensation committees will need to consider how the push and pull of these factors impact financial results and, as a result, incentive payouts. Some compensation committees may need to consider adjusting payouts to recognize the quantifiable financial impact of unanticipated conditions outside of management’s control, like the Federal Reserve’s aggressive interest rate increases. Banks may find it harder to quantify the financial impact of other economic conditions, like inflation. As a result, many compensation committees may find it more effective to use discretion to align incentive compensation with their overall view of performance.
Bank compensation committees considering using discretion to adjust incentive payouts for 2022 should follow three principles:

1. Be consistent: Apply discretion when macroeconomic factors negatively or positively impact financial results.
2. Align final payouts with performance and profitability.
3. Clearly communicate rationale to participants and shareholders.

Compensation committees at public banks should also be aware of potential criticism from shareholders or proxy advisory firms. The challenge for compensation committees will be balancing these principles with the business need to retain key employees in a tight labor market.

ESG and the Compensation Committee
Bank boards are spending more and more time thinking about their bank’s ESG strategies. The role of many compensation committees has expanded to include oversight of ESG issues related to human capital, such as diversity, equity and inclusion (DEI). Employees, regulators and shareholders are increasingly paying attention to DEI practices and policies of banks. In response, many large banks have announced public objectives for increasing diversity and establishing cultures of equity and inclusion.

In an attempt to motivate action and progress, compensation committees are also considering whether ESG metrics have a place in incentive plans. In recent years, the largest banks have disclosed that they are considering progress against DEI objectives in determining incentive compensation for executives. Most of these banks disclose evaluating DEI on a qualitative basis, as part of a holistic discretionary assessment or as part of an individual or strategic component of the annual incentive plan. Banks considering adopting a DEI metric or other ESG metrics should do so because the metric is a critical part of the business strategy, rather than to “check the box.” Human capital is a critical asset in banking; many banks may find that DEI is an important part of their business strategy. For these banks, including a DEI metric can be a powerful way to signal to employees and shareholders that DEI is a focus for the bank.

Tips for Banks to Navigate Top Risks in 2022

Banks continue to meet unprecedented challenges of the Covid-19 pandemic, geopolitical cyberthreats and increasing public awareness of environment, social and governance (ESG) issues.

With the current landscape posing ever-evolving risks for banks, Moss Adams collaborated with Bank Director to conduct the 2022 Risk Survey and explore what areas are front of mind for bank industry leaders. Top insights from Bank Director’s 2022 Risk Survey include that the vast majority of survey respondents reported that cybersecurity and interest rate risks pose increasing concerns, and they expect these challenges to persist in the second half of the year, due to turbulent economic and geopolitical conditions. The survey also identified that banks increasingly focus on issues related to compliance and regulatory risks.

Cybersecurity Oversight
Concerns about cybersecurity topped the survey responses: 93% of respondents stated that a need for increased cybersecurity grew significantly or somewhat. Bank executives and board members submitted survey responses in January, prior to heightened federal government warnings of increased Russian cyberattacks. Banks’ concerns will likely continue to increase as a result.

Data Breach Rates and Precautions
While only 5% of respondents reported experiencing a data breach or ransomware attack at their own institution in the years 2020 and 2021, 65% reported data breaches at their bank’s vendors. In response, 60% stated they updated their institution’s third-party vendor management policies, processes, or risk oversight.

As a critical U.S. industry, banks follow stringent regulatory requirements for data security. The Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment tool provides a maturity model for banks to assess their cybersecurity maturity as baseline, evolving, intermediate, advanced or innovative. Ninety percent of respondents completed a cybersecurity assessment over the past 12 months; 61% used the FFIEC’s tool in combination with other methodologies, and another 19% only used the FFIEC’s tool. And 83% of respondents said that the maturity of their bank’s cybersecurity program increased in 2021, compared to previous assessments.

Room for Improvement
Banks noted several areas of improvement for their cybersecurity programs, including training for bank staff (83%), technology to better detect and deter cyberthreats and intrusions (64%) and internal controls (43%). Thirty-nine percent believe they need to better attract and retain quality cybersecurity personnel. Banks’ investments in cybersecurity programs remained flat compared to the 2021 survey, with a median budget of $200,000.

As cybersecurity risks increase, banks should focus on researching and making appropriate investments, as well as implementing comprehensive planning for staff training, technology and governance. At the board level, respondents noted several activities as part of that body’s oversight of the cybersecurity risk management program. Key among these is board-level training (79%), ensuring continual improvements by management of their cybersecurity programs (75%) and being aware of any deficiencies in the bank’s cybersecurity program (71%).

Interest Rate Risk Concerns
The prospect of rising interest rates fueled anxiety for our respondents: 71% noted increased concern. As the Federal Open Market Committee combats higher inflation by hiking interest rates, 74% reported hoping that they wouldn’t raise rates by more than one percentage point by the end of 2022 — which is currently below what’s projected.

Faced with likely rate hikes, banks are looking to their own business models to navigate a potential decrease in overall lending volume and potential pressure on profit margins. Respondents also noted that they were increased their focus in sectors such as commercial and industrial, commercial real estate and construction, or with the Small Business Administration or obtaining other small business loans.

ESG Initiatives
Banks are under increasing pressure to adopt ESG initiatives. More than half of respondents don’t yet focus on ESG issues in a comprehensive manner, and regulators have yet to impose ESG requirements for banks. However, more than half of survey respondents say they have set goals and objectives in a variety of ESG-related areas, primarily in the social and governance verticals — employee development and community needs in particular topped the list.

Only 6% said that investors or other company stakeholders currently look for more disclosure around ESG initiatives, with diversity, equity and inclusion topping the list at 88%. Banks that haven’t established ESG strategies could first identify their top priority areas. These priorities may vary for each organization and will need to consider the values of investors, customers and local community.

Research Report: Fortifying Boards for the Future

Good corporate governance requires, among many other things, a strong sense of balance.

How do you bring in new perspectives while also sticking to your core values? How does the board balance responsibilities among committees? What’s the right balance between discussion about the fundamentals of banking, versus key trends and emerging issues?

There’s an inherent tension between the introduction of new ideas or practices and standard operating procedures. We explore these challenges in Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner LLP. But tension isn’t necessarily a bad thing.

The survey polled 234 directors, chairs and chief executives at U.S. banks with less than $100 billion in assets during February and March 2022. Half of respondents hailed from banks with $1 billion to $10 billion of assets. Just 9% represent a bank above the $10 billion mark. Half were independent directors.

We divide the analysis into five modules in this report: board culture, evaluating performance, building knowledge, committee structure and environmental, social and governance oversight in the boardroom. Jim McAlpin, a partner at the Bryan Cave law firm in Atlanta and leader of the firm’s banking governance practice, advised us on the survey questions and shared his expertise in examining the results.

We also sought the insights of three independent bank directors: Samuel Combs III, a director and chair of the board’s governance committee at $2.8 billion First Fidelity Bancorp in Oklahoma City; Sally Steele, lead director with $15.6 billion Community Bank System in DeWitt, New York; and Maryann Goebel, the compensation and governance chair at $11 billion Seacoast Banking Corp. of Florida, which is based in Stuart, Florida. They weighed in on a range of governance practices and ideas, from the division of audit and risk responsibilities to board performance assessments.

The proportion of survey respondents representing boards that conduct an annual performance assessment rose slightly from the previous year’s survey, to 47%. Their responses indicate that many boards leverage evaluations as an opportunity to give and receive valuable feedback — rather than as an excuse to handle a problem director.

Forty-seven percent of respondents describe their board’s culture as strong, while another 45% rank it as “generally good,” so the 30% whose board doesn’t conduct performance assessments may believe that their board’s culture and practices are solid. Or in other words, why fix something that isn’t broken? However, there’s always room for improvement.

Combs and Steele both attest that performance evaluations, when conducted by a third party to minimize bias and ensure anonymity, can be a useful tool for measuring the board’s engagement.

Training and assessment practices vary from board to board, but directors also identify some consistent knowledge gaps in this year’s results. Survey respondents view cybersecurity, digital banking and e-commerce, and technology as the primary areas where their boards need more training and education. And respondents are equally split on whether their board would benefit from a technology committee, if it doesn’t already have one.

And while directors certainly do not want to be mandated into diversifying their ranks, in anonymous comments some respondents express a desire to get new blood into the boardroom and detail the obstacles to recruiting new talent.

“Our community bank wants local community leaders to serve on our board who reflect our community,” writes one respondent. “Most local for[-] profit and not-for-profit boards are working to increase their board diversity, and there are limited numbers of qualified candidates to serve.”

To read more about these critical board issues, read the white paper.

To view the results of the survey, click here.

A Look Inside Fifth Third’s ESG Journey

Mike Faillo was recently promoted to the new role of chief sustainability officer at Fifth Third Bancorp, with a team focused on the Cincinnati-based regional bank’s environmental, social and governance (ESG) program, including its climate strategy and social and governance reporting. Faillo started his career in public accounting at PwC in 2008, just in time for the collapse of Lehman Brothers and the onset of the financial crisis. He spent the next several years auditing a trillion dollar bank, and then working on Comprehensive Capital Analysis and Review (CCAR) stress tests and developing resolution plans.

Faillo says those experiences informed his journey to lead ESG at $211.5 billion Fifth Third. 

When he joined the bank’s investor relations team in 2019, he dug into Fifth Third’s ESG profile and learned that the organization wasn’t effectively telling its story. So with support from the bank’s executive leadership team, including Chairman and CEO Greg Carmichael, Faillo transformed Fifth Third’s corporate social responsibility report into a broader, data-driven report in 2020 that tells the bank’s complete ESG story. Faillo jokes that he went from writing about the death of a bank through living wills to the life of it in the ESG report.

In this edition of the Slant podcast, Faillo also discusses the need for agility and teamwork on ESG, and how he works across the organization to uncover opportunities for the bank. He also digs into the complexities of measuring carbon emissions, and why it’s a great opportunity to work with business clients to help them on their own journeys to net zero. And he addresses what’s easiest — and hardest — for banks to get right on ESG. The interview was conducted in advance of Bank Director’s Bank Audit & Risk Committees Conference, where Faillo appears as part of a panel discussion, “How Banks Are Stepping Up Their ESG Plans.”

What New Climate Disclosure Means for Banks

Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.   

Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings. 

Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.” 

The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.

To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments. 

“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.” 

The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.  

Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.  

Understanding Carbon Emissions

Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.

Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities. 

Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.

 

The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios. 

Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks. 

Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.  

Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance  working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.

Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades. 

A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.” 

While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario. 

“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.”