Coronavirus Strategies, Considerations for Banks

Over the past two weeks, we have received numerous inquiries from financial institutions on what actions should be taken or considered to address the COVID-19, or the new coronavirus, pandemic. While the current situation is evolving each day, we have engaged in numerous discussions with banks on various strategies and considerations that are being reviewed or implemented during this uncertain time.

Business Continuity Plan

Every financial institution should already have implemented the pandemic planning contingencies contained in its business continuity plan. In response to the burgeoning public health crisis, the Federal Financial Institutions Examination Council issued revised guidance on March 6 on how to address pandemic planning in a bank’s business continuity plan. The revision updates the previous interagency guidance, issued in 2007 amid concerns about an avian flu pandemic.

Although there are no substantive updates contained in the revised Pandemic Planning Guidance, the FFIEC’s update reiterates and emphasizes the importance of maintaining a pandemic response plan that includes strategies to minimize disruptions and recover from a pandemic wave. The updated guidance states that banks should consider minimizing staff contact, encouraging employees to telecommute and redirecting customers from branch to electronic banking services. We anticipate that regulators will review an institution’s utilization of its business continuity plan at upcoming safety and soundness examinations.

Branch Operations

Based on our discussions, we believe that many banks have taken or plan to take actions related to their branch operations. Below is a summary of various actions that a bank may wish to take regarding its branch operations.

Branches Remain Open, with Caveats. A number of banks have elected to close branch lobbies and direct customers to drive-up facilities, walk-up teller lines and ATMs where possible. They are also directing customers to their online platforms. Some banks are asking customers who require physical or in-person assistance, such as access to a safe deposit box, to schedule an appointment with bank employees.

Branch Closures. To the extent a bank may be readying a branch closure strategy, below are federal and state requirements that must be satisfied.

Federal Requirements. On March 13, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve Board issued parallel guidance addressing COVID-19’s impact on customers and bank operations, indicating that they expect bank branch closures or changes to branch hours. In such an event, they recommend that a bank (i) notify the applicable federal banking regulator as soon as practicable of the closure or change in hours, (ii) comply with any notice or filing requirements of applicable state banking regulators and (iii) place a customer notice on the front entrance of the impacted branch describing the reason for the closure and/or change in hours.

State Law Requirements. Closing lobbies and redirecting customers to drive-ups does not generally require a bank to obtain the approval of state banking authorities, but some state banking authorities have requested that banks provide notice of such changes. For example, Illinois-chartered banks seeking to fully close a branch or change branch hours must provide prior notice to the Illinois Department of Financial and Professional Regulation, Division of Banking, and obtain an official proclamation from the Division under the Illinois Banking Emergencies Act (205 ILCS 610). In addition, the bank must post notice of the temporary closing or change in branch hours, and of the authorization for the change, on the main entrance doors of the applicable branch.

ATM/Cash-On-Hand Strategies. In a push to increase customer traffic to ATMs and minimize direct customer contact, some banks have increased or plan to increase ATM daily cash withdrawal limits. The size of the increase depends on the individual circumstances of the institution. Banks may experience greater cash withdrawal requests from depositors and may wish to keep higher levels of cash in their branch offices.

Regular and Periodic Cleaning of Branches. Each bank we spoke with also indicated that they have implemented enhanced periodic cleaning of their branches and offices. Some banks have indicated that “deep” cleanings are being completed on a weekly basis.

Employee Considerations

Flexible Work-from-Home Arrangements. We have also discussed with institutions the potential for implementing flexible work-from-home or telecommuting arrangements for specific business line employees. Whether this is a viable option for a specific institution depends on a number of circumstances, among them: whether the bank’s information technology systems can support an increased number of employees accessing the bank’s systems remotely; whether each employee who remotely accesses the bank’s systems can do so in a manner that protects the confidentiality of the bank’s data (for example, over encrypted connections, with multifactor authentication, and with access limited to what the employee’s role requires); and whether geographic or business-line-specific considerations prevent working remotely. In any case, a bank should test its IT systems and update its policies before implementing such arrangements.

Utilization of Split-Staff and Split-Location Strategies. In addition, we’ve discussed split-staff and split-location strategies; a number of banks indicated that they are currently utilizing a split-staff strategy. Under a split-staff strategy, an institution staggers its employees across days. For instance, half of the institution’s employees come in on Monday, Wednesday and Friday, and the other half come in on Tuesday, Thursday and Saturday. The aim is to limit how many employees are exposed at once: if one group is potentially exposed to COVID-19, the other group can keep the bank operating, albeit on a more limited basis.

In addition, some institutions also indicated that they plan to utilize a split-location strategy, distributing staff across various branches and offices. If one location is potentially exposed to COVID-19, a bank’s operations can continue through its other locations.

Employee Training. Banks have also implemented staff training on how to properly interact with customers during this troubling time. Following guidance from the World Health Organization and Centers for Disease Control and Prevention, banks have implemented new procedures meant to limit physical contact (like prohibiting handshakes) and eliminating or reducing scheduled meetings.

Liquidity and Capital Considerations

During times of uncertainty and financial market volatility, such as the 2008 financial crisis, banks have often found it difficult to enhance liquidity and raise additional capital when they need it most. Based on our discussions, we recommend that financial institutions review their current and near-term liquidity and capital strategies. Below are a few items to consider.

Subordinated Debt and Equity Issuances. Banks may need to weather a prolonged economic slowdown. Bankers agree that reviewing the firm’s capital strategies in uncertain times is critical to addressing any potential need to enhance immediate or near-term liquidity or to shore up capital. Banks may also wish to review the alternatives available for issuing debt to obtain additional liquidity, to refinance outstanding debt arrangements at lower rates or to provide additional capital.

Lines of Credit. As lenders, banks are aware that their borrowers may be considering a draw down on existing lines of credit. Banks may also wish to consider potentially drawing down on their existing lines of credit (such as Federal Home Loan Bank advances or holding company lines of credit) as an effective tool to increase the holding company’s or bank’s liquidity. Before either drawing down any existing line of credit or utilizing the proceeds for any purpose other than increasing cash-on-hand, a bank should carefully review the covenants in the underlying loan agreements.

Securities Portfolio. Reviewing current strategies pertaining to an institution’s securities portfolio is another consideration for banks. Many banks have built-in gains in their portfolios. Consequently, institutions are reviewing their portfolios to determine whether to realize existing gains to boost liquidity in the short term or to maintain their current strategy to support earnings over the longer term.

Stock Repurchase Programs. Many publicly traded banks have suspended their stock repurchase programs as part of a capital conservation strategy. While no bank has announced plans to cut dividends, now is the time to review contingency plans and consider when such action may be warranted.

Federal Reserve Discount Window. Bankers should also discuss potentially using the Federal Reserve’s short-term emergency loans dispensed through the discount window, if necessary. While many institutions consider the discount window a last resort, and worry that using it could signal dire financial straits, senior bank management should revisit their policies and procedures to ensure their institution can access the discount window should circumstances require it.

Importantly, on March 17, the Federal Reserve and eight of the largest U.S. financial institutions announced a coordinated step in which those institutions would access the discount window. Largely symbolic, the action is being viewed by banks as an effort to remove the stigma of accessing the discount window. Whether these coordinated efforts will succeed remains to be seen.

Stress Testing of Loans. We anticipate that many institutions will consider the need to begin stress testing their portfolios, and some already are. For some, stress testing may be centered on specific industries and sectors of the loan portfolio that may have been more substantially impacted by COVID-19 (such as hospitality/restaurants, travel, entertainment and companies with supply chains dependent upon China or Europe). For others, the entire loan portfolio may be tested, under the assumption it could be subject to pandemic-related stress.

Review Insurance Policies. Another consideration we’ve discussed with banks is the need to review in-place insurance policies for business disruption coverage to determine if they would cover matters resulting from the COVID-19 pandemic.

Assist Impacted Customers. Consistent with the recent guidance issued by the Fed, FDIC and OCC, banks are considering offering a variety of relief options related to specific product/service lines to customers. Some banks may waive late fees on loan payments or credit cards and others may waive ATM- and deposit-related fees. We expect these relief options will be limited to specific product and service lines, and to a certain period of time.

On March 19, the FDIC issued a set of Frequently Asked Questions for banks impacted by the coronavirus. The FAQs provide insight into how the FDIC, and potentially other federal banking regulators, will view payment accommodations, reporting of delinquent loans, document retention and reporting requirements, troubled debt restructurings, nonaccrual loans and the allowance for loan and lease losses. Banks should review the FAQs in connection with providing any financial assistance to impacted customers.

The items noted above should not be considered definitive or exclusive. A financial institution should carefully consider the above items, among others, and determine how to tailor any proposed changes to its operations in light of the very fluid circumstances surrounding the current COVID-19 pandemic.

See the March 13 OCC Bulletin 2020-15 (Pandemic Planning: Working With Customers Affected by Coronavirus and Regulatory Assistance).

See the March 13 FDIC FIL-17-2020 (Regulatory Relief: Working with Customers Affected by the Coronavirus).

See the March 13 FRB SR 20-4/CA 20-3 (Supervisory Practices Regarding Financial Institutions Affected by Coronavirus).

What Regulators Are Doing About Coronavirus

For the last few weeks, bank regulators have been gearing up their responses and preparations as the U.S. financial industry and broader economy confront the impact of the coronavirus pandemic.

On March 13, President Donald Trump declared a national state of emergency that freed billions in aid as cities and sectors grappled with the pandemic. The announcement capped off a tumultuous week of market freefalls and rallies, the cancellation of major sporting events, closed college campuses and the start of millions of Americans voluntarily or involuntarily quarantining and of national social distancing. It remains to be seen how long the outbreak will last and when it will peak, as well as the potential economic fallout for businesses and consumers.

Already, the Federal Open Market Committee has lowered the federal funds rate twice; the most recent move was a surprise 100-basis-point cut on March 15, to a range of 0 to 25 basis points. The Fed last lowered interest rates to near zero in late 2008. The move is intended to support economic activity and labor market conditions, and the benchmark rate will stay low until the Fed is confident the economy has weathered recent events.

Additionally, the Fed announced it would increase its holdings of Treasury securities by at least $500 billion and of agency mortgage-backed securities by at least $200 billion.

Bank executives and directors must now contend with near-zero rates as they work with borrowers to contain the economic implications of the coronavirus.

“The adverse economic effects of a pandemic could be significant, both nationally and internationally,” the Federal Financial Institutions Examination Council wrote in recently updated guidance on how banks can minimize the adverse effects of a pandemic. “Due to their crucial financial and economic role, financial institutions should have plans in place that describe how they will manage through a pandemic event.”

The ongoing events serve as a belated reminder that pandemic preparedness should be considered as part of the board’s periodic review of business continuity planning, according to a March 6 interagency release. These plans should address how a bank anticipates delivering products and services “in a wide range of scenarios and with minimal disruption.”

The FFIEC’s guidance says pandemic preparation in a bank’s business continuity plan should include a preventive program, a documented strategy that is scaled to the stages of an outbreak, a comprehensive framework outlining how it will continue critical operations and a testing and oversight program. The plan should be appropriate for the bank’s size, complexity and business activities.

A group of agencies including the prudential bank regulators is encouraging financial institutions to work constructively with customers in communities impacted by the new coronavirus, according to a statement released on March 9. They also pledge to provide “appropriate regulatory assistance to affected institutions,” adding that prudent accommodations that follow “safe and sound lending practices should not be subject to examiner criticism.”

The regulators also acknowledged that banks may face staffing and other challenges associated with operations. The statement says regulators will expedite requests to provide “more convenient availability of services in affected communities” where appropriate, and work with impacted financial institutions for scheduling exams or inspections.

The Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency highlighted more specific ways banks can work with customers in a set of releases dated March 13. Suggested accommodations, to be made in a safe and sound manner and consistent with banking laws, include:

  • waiving ATM, overdraft, early time deposit withdrawal and late credit card or loan fees
  • increasing ATM daily cash withdrawal limits
  • reducing restrictions on cashing out-of-state and non-customer checks
  • increasing card limits for creditworthy borrowers
  • payment accommodations that could include deferring or skipping payments or extending the payment due date to avoid delinquencies and negative reporting if a disruption is related to COVID-19.

The OCC points out that lending accommodations for existing or new customers can help borrowers facing pressured cash flows, improve their ability to service debt and ultimately help the bank collect on the loans. It adds that banks should individually evaluate whether a loan modification would constitute a troubled debt restructuring.

The regulator also acknowledged that some banks with customers impacted by issues related to the coronavirus may experience an increase in delinquent or nonperforming loans, and says it will consider “the unusual circumstances” these banks face when reviewing their financial condition and weighing the supervisory response.

The FDIC specifically encouraged banks to work with borrowers in industries that are “particularly vulnerable to the volatility” stemming from COVID-19 disruption, as well as with the small businesses and independent contractors reliant on those industries.

“A financial institution’s prudent efforts to modify the terms on existing loans for affected customers will not be subject to examiner criticism,” the FDIC wrote in its release.

Some of the largest and most dramatic regulatory accommodation related to the new coronavirus has come from the Federal Reserve, given its role in the funding market and its role overseeing large bank holding companies.

The Fed announced on March 12 that it would inject $1.5 trillion into the U.S. market for repurchase agreements over the course of two days. The operations, which function as short-term collateralized loans rather than outright purchases, were not meant to directly stimulate the economy. Instead, they were done to “address the unusual disruption” in Treasury financing markets from the coronavirus and help ensure those markets would continue functioning properly.

The Fed also announced several more changes to accommodate banks on March 15. It is now allowing depository institutions to borrow from the discount window for as long as 90 days and is encouraging banks to use its intraday credit. It is explicitly encouraging banks to use their capital and liquidity buffers to lend to customers impacted by the coronavirus and lowered the reserve requirement ratio to 0%, effective at the start of the next reserve maintenance period on March 26.

For more information from the regulators, see their websites:

FDIC: Coronavirus (COVID-19) Information for Bankers and Consumers
OCC: COVID-19 (Coronavirus)
Federal Reserve Board: Coronavirus Disease 2019 (COVID-19)
Conference of State Bank Supervisors: Information on COVID-19 Coronavirus and State Agency Nonbank Communication/Guidance on Coronavirus/COVID-19

How Risk Culture Drives a Sound Third-Party Risk Management Program


Risk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant of whether a bank performs in a manner consistent with its mission and core values. Risk culture is the set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (The Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third-party especially when additional risks are created. These risks may relate to executing the process or managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey, “Third Party Risk: A Journey Towards Maturity,” underscored the issue of risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue raised by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses of third-party incidents and risk events (including near-misses) should be used more effectively to reinforce training and lessons learned about the duties performed by the third party. Risk event reporting and root cause analysis allow leadership to identify and understand why a third-party incident occurred, to identify trends in non-performance against service-level agreements with the third party, and to ensure appropriate action is taken to prevent repeat occurrences arising from training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first-line third-party relationship managers and their risk partners. Clearly, financial institutions need to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationship and business owners have been trained.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices in the treatment of third parties, eliminating silos.
  • Increased understanding of TPRM activities and policy requirements among relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down, and front-line business relationship manager behavior is consistent, from the bottom up, with those values and expectations.
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.

Shelter From the Cyber Storm


In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as are natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Sector Coordinating Council in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ account data remains recoverable should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, its customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and the aim is that the customer experiences no disruption in service.

Much like FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

What CEOs and Directors Need to Know About Their Bank’s Cyber Risks

Cybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly are expecting the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.

In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.

The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.

Role of the CISO
The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.

To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.

Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.

The CISO should regularly brief executives on the following:

Status of Security Controls
Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.

Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).

Status of Regulatory Compliance
Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.

Upcoming Security Initiatives
The CISO should explain current threats and the areas of risk that need to be addressed through new security initiatives, which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also its overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it supports risk-informed decision making across the business.

Risk Management
Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.

Know What You Know—And What You Don’t
No one, not even regulators and examiners, expects C-suite executives to be experts on cybersecurity. These executives should, however, understand their bank's security posture well enough to satisfy regulatory expectations and make better, risk-informed decisions for the overall business.

New Rules for Financial Firms in New York Put New Onus on Boards

New York-based financial services companies are operating under a new regulation, intended to protect consumers from the repercussions of a cyberattack, that puts boards front and center in the company's security.

Touted as the first of its kind in the United States, New York's cybersecurity regulation, enacted this year, sets standards that are sure to resonate beyond the financial businesses it targets, such as banks, insurance companies and other financial services firms.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation's mandates spell out how a company must comply, and in doing so vastly widen the base of those culpable for a breach and expand the board's obligation to pay attention to the company's potential vulnerabilities and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has gained traction over the years, coming into focus with the 2013 Target data breach, after which members of the board of directors were sued.

In reality, banking regulators have held boards responsible for their banks' cybersecurity programs for years, as described in the Federal Financial Institutions Examination Council's IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must designate a chief information security officer, or CISO, to oversee its cybersecurity policies and ensure that they are working effectively. The CISO must report to the board at least annually, the DFS says, and under the regulation that person can be employed by an affiliate or third-party provider instead of by the company itself.

Many companies already have much of what the new regulation requires built into their processes, but those controls now need to be tied to a documented risk assessment. As the law firm McGuireWoods notes, the rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among other new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Services within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Bank Regulatory Update: Three Things to Think About for 2017

Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution's ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is focusing more on whether compliance efforts are backed by a strong corporate culture within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with the prudential regulators on consumer supervision at smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and the TILA-RESPA Integrated Disclosure (TRID) rule.

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.

The Three Top Reasons For Vendor Consolidation

Why should banks and credit unions consider consolidating their vendor relationships? Here are three top reasons why:

1. Save Time And Money
Banks and credit unions that reduce the number of their vendor partnerships can increase their operational efficiency and productivity. When an institution partners with multiple vendors, typically that means staff has to deal with multiple back-end systems, often accessing each system numerous times a day and struggling to keep abreast of all of the updates for every system. Sometimes, staff is even unnecessarily bogged down with having to deal with duplicative systems from multiple vendors.

Consolidating vendor relationships also can significantly reduce the amount of training for staff as well as for customers. Bank and credit union staff typically has to train customers on how to use vendors’ private-labeled portals, and that can be time-consuming, particularly if a financial institution uses multiple vendors with multiple portals. But if an institution uses the same vendor for multiple solutions that all have the same look and feel and the same technology, then training of both staff and customers is significantly reduced.

When banks and credit unions negotiate fewer contracts, they have fewer vendors on which to perform due diligence and get more for their money by reducing the monitoring and reporting required for risk assessment and compliance. Multiple contracts with multiple vendors, by contrast, add to the staff's burden: they have to track different contract term dates for renewal and then work out how one expiring contract could affect solutions from other vendors.

Furthermore, when a bank or credit union uses fewer vendors, the institution has more negotiating power because it concentrates more of its spend with the remaining vendors. The higher the volume a vendor receives, the more likely it is to offer its best pricing, resulting in lower cost.

2. Save On Vendor Due Diligence
Financial institutions are increasingly responsible for keeping up with the third-party vendor management requirements of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Reserve, and for state-chartered institutions, the requirements of state regulators.

For example, the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008) lays out four main elements of an effective third-party risk management process: risk assessment; due diligence in selecting a third party; contract structuring and review; and oversight. Scrutiny has only increased since then, as a number of high-profile security breaches at major vendors have prompted regulators to confirm that financial institutions are actually taking all the steps spelled out in the guidance, such as the IT Examination Handbook of the Federal Financial Institutions Examination Council (FFIEC).

Banks and credit unions can find it very time consuming to conduct proper due diligence and ongoing monitoring on each vendor. By partnering with one vendor, financial institutions can significantly reduce the number of those reviews, although the remaining vendor still requires the full due diligence and oversight the guidance describes.

3. Help Customers
Consolidating vendors can enable banks to greatly elevate the experience for their customers, by providing a single platform that is easy to navigate. Banks may also have access to additional monitoring and reporting of customer activity to help prevent and detect fraud.

Vendor consolidation can provide substantial return on investment by saving time and money, and it can reduce regulatory burden by providing the monitoring and reporting needed to meet compliance requirements. Partnering with one vendor can not only save time and money and boost return on investment, but also enhance customer loyalty by elevating the user experience on the platform.

The New FFIEC Information Security Examination Procedures: What Boards Should Be Doing Now

How effective is your bank's approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank's next exam that adversely impact earnings, capital or value creation.

The new exam procedures focus on assessing the quality and effectiveness of the bank’s information security program, including its culture, governance, security operations, with emphasis on cybersecurity, and assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for the examiners to attain.

The objective relating to security operations and cybersecurity is especially noteworthy, as it contains enhanced expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to enhance threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises in the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.

While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.

[Chart: poll results] Source: 206 respondents, Bank Director Audit and Risk Committees Conference, June 2016

When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks in the blind.

What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.

  1. Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
  2. Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
  3. Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
  4. Task a “hunt” team to identify anomalies within the bank’s network, as described in the new exam procedures. On average, attackers roam inside the network undetected for more than 200 days. Eliminate the exposure using advanced analytics that can mine through millions of records and reveal the attacker and the entire exposure. Response must be prompt.
  5. Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.
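The expectations in the exam-procedures paragraph above (monitoring that identifies malicious activity, a process to spot possible compromises, and attack or event trees that trace an attacker's path) and the "hunt" team step in the list map directly onto a small analytic a hunt team can run over authentication logs. The Python below is an added example written for this page, not code from the FFIEC procedures, Bank Director or any vendor: it learns each account's normal source and destination hosts from a baseline window, flags hunt-window logons that are off-hours, from a never-before-seen source host or to a new destination, and then chains the flagged events (a source equal to an earlier event's destination) into a linear attack path so the whole exposure, not just the first alert, can be sized. The log format, the host and account names, the business-hours window, the baseline cutoff and the sample lines are all constructed assumptions.

```python
"""Hunt for lateral-movement anomalies in authentication logs.

Added example for this page; not from the FFIEC procedures or the article.
The log format, host/account names, hours window and cutoff date are
assumptions, and the sample lines are constructed, not captured anywhere.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log, one event per line:
# "<ISO timestamp> <account> <src_host> -> <dst_host> <success|failure>"
SAMPLE_LOG = """\
2016-06-01T09:02:11 jdoe WS-101 -> FILE-01 success
2016-06-01T09:15:40 jdoe WS-101 -> MAIL-01 success
2016-06-02T08:58:03 jdoe WS-101 -> FILE-01 success
2016-06-02T13:22:19 asmith WS-202 -> FILE-01 success
2016-06-03T10:05:00 jdoe WS-101 -> MAIL-01 success
2016-06-03T10:40:27 asmith WS-202 -> HR-01 success
2016-06-04T02:13:05 jdoe WS-101 -> FILE-01 success
2016-06-04T02:14:30 jdoe FILE-01 -> CORE-DB-01 failure
2016-06-04T02:14:52 jdoe FILE-01 -> CORE-DB-01 success
2016-06-04T02:20:11 jdoe CORE-DB-01 -> BACKUP-01 success
2016-06-04T09:00:12 asmith WS-202 -> FILE-01 success
"""

BASELINE_END = datetime(2016, 6, 4)  # events before this form the "normal" baseline (assumption)
WORK_HOURS = range(7, 20)           # 07:00-19:59 treated as business hours (assumption)


def parse_log(text):
    """Parse the assumed log format into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "->":
            continue
        ts, account, src, _, dst, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "result": result})
    return events


def build_baseline(events):
    """Learn, per account, the hosts it normally logs on from and to."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        if e["ts"] < BASELINE_END:
            baseline[e["account"]]["src"].add(e["src"])
            baseline[e["account"]]["dst"].add(e["dst"])
    return baseline


def hunt(events, baseline):
    """Return hunt-window events, each with a list of anomaly flags (empty = normal)."""
    findings = []
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        known = baseline.get(e["account"], {"src": set(), "dst": set()})
        flags = []
        if e["ts"].hour not in WORK_HOURS:
            flags.append("off_hours")
        if e["src"] not in known["src"]:
            flags.append("new_source")        # account used from a host it never logged on from: a hop
        if e["dst"] not in known["dst"]:
            flags.append("new_destination")
        findings.append({**e, "flags": flags})
    return findings


def attack_paths(findings):
    """Chain flagged events whose source is an earlier flagged event's destination
    into one per-account path (a linear attack tree), longest path per account."""
    paths = {}
    for f in findings:
        if not f["flags"]:
            continue
        chains = paths.setdefault(f["account"], {})
        prior = chains.get(f["src"], [f["src"]])
        chains[f["dst"]] = prior + [f["dst"]]
    return {acct: max(chains.values(), key=len) for acct, chains in paths.items()}


def run(text=SAMPLE_LOG):
    """Parse, baseline, hunt and reconstruct paths; returns (findings, paths)."""
    events = parse_log(text)
    findings = hunt(events, build_baseline(events))
    return findings, attack_paths(findings)


if __name__ == "__main__":
    findings, paths = run()
    for f in findings:
        if f["flags"]:
            print(f["ts"].isoformat(), f["account"], f["src"], "->", f["dst"],
                  f["result"], ",".join(f["flags"]))
    for acct, path in paths.items():
        print(f"{acct}: {' -> '.join(path)} ({len(path) - 1} hops)")
```

Run stand-alone, the script prints the flagged events and one path per account: in the constructed sample the 2 a.m. hop WS-101 -> FILE-01 -> CORE-DB-01 -> BACKUP-01 surfaces for a single account, including the failed attempt on the core database that preceded the successful one, while the other account's ordinary daytime logon is not flagged. A real deployment would replace the three-day baseline with weeks of history and add features such as privilege level or failed-then-succeeded bursts, but the structure the exam procedures call for, baseline, deviation, then path reconstruction, is the same.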

In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to bring enforcement actions for information or cybersecurity deficiencies using UDAAP or the other enforcement tools available against banks and their technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.

Cybersecurity: Steps to Take Now

The Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target occurred a few years ago, at least in part, because of the activities of a third party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.