How Risk Culture Drives a Sound Third-Party Risk Management Program

Written by


risk-10-1-18.pngRisk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant as to whether a bank performs in a manner consistent with its mission and core values. Risk culture is a set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (The Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third-party especially when additional risks are created. These risks may relate to executing the process or managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underpinned the issue around risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue posed by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses on third-party incidents and risk events (inclusive of near-misses) should be better used by organizations to reinforce training and lessons learned as it relates to duties performed by the third party. Risk event reporting and root cause analysis allows leadership to identify and understand why a third party incident occurred, identifies trends with non-performance of service-level agreements with the third party, and ensures appropriate action is taken to prevent repeat occurrences as it relates to training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first line third-party relationship managers and its risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationships and business owners have been provided training.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices with regards to treatment of third parties. Eliminate silos.
  • Increase understanding of TPRM activities and policy requirements across the relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations. 
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.

Your Digital Transformation Is Not Just About Technology

Written by


technology-9-3-18.pngFor an increasing number of consumers, the primary means of interacting with their financial institution is the mobile banking app on their smartphone. This number will continue to grow, as will the number of ways they want to use digital devices to interact with their financial institutions. Though oft-criticized for their risk-averse natures, especially when it comes to new technology, banks understand and are responding.

The success of their initiatives will depend on how well each can navigate the complexity associated with effectively closing the digital gap. Establishing competitive parity in the digital race requires more than simply selecting a new digital banking platform to replace the legacy, disparate system. Banks must navigate the digital challenge holistically. To achieve the goals desired, digital transformation must encompass many aspects of an institution’s operations.

Shift the Org Chart From Vertical to Horizontal
Technology is an important part of any digital transformation, but too often banks rush to make a choice in this area before considering basic elements in their own operations that play a profound role in in its success or failure. For example, the organizational charts of most banks is built on a vertical, “line of business” model. Technology, however, especially that which inspires a digital transformation, is horizontal in its role and impact.

This difference between how a bank is structured organizationally and how digital technology should be used within an institution means bank’s leadership must have a horizontal mindset about technology. The manner in which a midsized regional bank addressed this challenge is a good example. The bank converted a digital banking team of four, working in the retail side of the business, into a department of more than 30 that included each person who has or will directly contribute to the digital strategy of the bank. To ensure communication and ideas flowed as freely as possible, the bank housed all the people on this digital team in the same area of their headquarters using an open-office concept.

Adjust Budgeting From Project-Based to Forward-Based
Another area to consider during the early stages of any digital transformation is an institution’s budgeting process. Many banks use a project-based budgeting process where the senior executive responsible for a project works with others to build a business case, project plan, and budget that goes through several approvals before reaching the board of directors. Given the material levels of investment of many projects within a bank’s operation, this vetting process seems justified.

However, because the project-based model is optimized to minimize risk, progress can be painfully slow and take a very long time. It is therefore ill-suited for any organization that wants to maintain parity in the digital marketplace where the only things that change faster than technology are the expectations of the customer. To respond to this rate of change, banks must be able to move quickly. In the case of one bank, this was achieved by implementing a “forward-based” budgeting model that designated a specific investment level for digital at the start of the year. The digital leadership of the bank was given the authority to use this money marked for digital in whatever way deemed necessary for the institution to respond to evolving customer demands and technological innovation.

This Isn’t Your Grandparents’ Technology
When an institution does turn its focus to determining what third-party solutions and services will best support its digital aspirations, there are non-negotiable qualities from vendors that should be part of the evaluation process. These qualities are not typically on the list of “must-haves,” and can typically decrease both cost and complexity.

In the case of three regional banks going through a digital transformation, the non-negotiable item was control. Each felt it was essential that the vendors with which they would build their digital future delivered a product that gave the banks control over their own digital future at the solution level. In other words, does the solution allow a bank to make changes at a branch level, only be exposed to customers in that branch’s area, without needing the assistance of the vendor? This is important as many banks have had limited ability because the solutions required vendor intervention for even the smallest change.

Digital transformation is about more than choosing the right replacement for legacy, disparate, online and mobile banking systems. It should touch every aspect of an institution. This is an undertaking not for the faint of heart. Many institutions will insist they are different and can win without changing the way they operate. Unfortunately, such evaluations are why the billions of dollars of investments made collectively by financial institutions will not delay how quickly they become irrelevant to the customers.

What It Takes to Go De Novo Today

Written by


de-novo-7-27-18.pngAaron Dorn spent two years putting together a checklist of things that needed to be in place and questions that needed to be answered before starting a new bank.

He considered buying an existing bank, but acquiring a company built on legacy core technology was a big inhibitor to building a digital-only bank, which was Dorn’s business plan. However, the idea of going de novo became too costly and intensive to justify the effort after the FDIC increased its capitalization requirements for startups following the financial crisis. Now, there are signs that the environment for de novos is improving. Economic conditions around the country are better and bank stock values are higher, but there are other factors that could also be significant drivers behind a recent uptick in de novo activity, all of which Dorn discovered in Nashville as he considered the de novo route.

Dorn, 37, formally began the process of raising capital in the fall of 2017 to form Studio Bank, which will officially open in a few weeks. He will serve as the CEO and also brought along a few former colleagues from Avenue Bank, where Dorn was the chief strategy and marketing officer. Avenue Bank was a 10-year-old “de facto de novo” (a recapitalized and rebranded Planters Bank of Tennessee) that sold in 2016 to Pinnacle Financial Partners, another Nashville-based bank. In fact, Studio’s music company-turned bank home sits in the shadow of Pinnacle’s headquarters building.

Just two banks have earned FDIC approval this year, but nearly more than a dozen de novo applications were awaiting approval in mid-June. That comes after just 13 banks opened in the seven preceding years, according to the agency. Capital raises for the new banks have been anywhere from a fairly standard $20 million to $100 million by Grasshopper Bank, based in New York.

This flurry of activity has naturally drawn attention and speculation about whether there will be a return to the level of new charter activity we saw previous to the financial crisis when in any given year there could be between 100 to 200 new bank formations. What exactly has inspired this growth in applications? Along with a stronger economy and higher valuations, the industry’s ongoing consolidation has created opportunities for former bankers like Dorn who are itching to get back into a business currently ripe with promise.

“These mergers are producing opportunities for groups to put together locally owned, more community focused financial institutions to service their market and also play an important role as community leaders,” said Phil Moore, managing partner at Porter Keadle Moore, an advisory and accounting firm.

But the question circulating among bankers and insiders is what has inspired the sharp increase in de novo activity. Or perhaps more importantly, what’s the recipe for starting a new bank today?

There’s a few things some agree need to be in place to get a new bank off the ground.

“The first is that these de novos are organizing in what could be considered underserved markets, secondly they are focusing on vibrant growth areas and third, they are generally organizing to serve an affinity group,” says Moore.

This is Dorn’s perspective also, who says he created Studio in part because the booming Nashville market has few local banks. Studio will focus on “creators,” as Dorn calls them, including musicians, nonprofits and startups, a very similar model to Avenue, except that Studio will operate from a digital platform.

The Nashville deposit market has doubled since the last de novo opened there in 2008, Dorn says. There is also a preference for local ownership. “Empirically, (Nashville is) a market that strongly prefers locally headquartered banks,” he says.

Studio is one of just two de novos that have been approved this year. The other, CommerceOne Bank, is in Birmingham, Alabama, another blossoming metro area that also has very few locally owned banks. Birmingham rates in the top 160 metro areas in the country, according to the Milken Institute’s 2017 Best-Performing Cities report.

Other pending applications that are also in high-performing areas like Oklahoma City, ranked 131, and Sarasota, Florida, ranked No. 6.

That’s still a far cry from the de novo activity seen in the decades prior to the financial crisis, but the interest in starting new companies can certainly be seen as encouraging.

Want to Go Fast, Go Alone. Want to Go Far, Go Together.

Written by


teamwork.png

There was a plaque in my father’s office that is attributed to the late David Ogilvy, often called “The Father of Advertising. It read, “Search the parks in all your cities, you’ll find no statues of committees,” which I always interpreted to mean, “YOU need to make something happen; don’t wait on others to get going.”

But going it alone in the banking industry is extremely difficult because of the complexities around regulation, underwriting, competition and the thousands of vendors that serve it. Combine that with record breaking investment in financial technology and the next few years may very well serve as our “big bang” and usher in a new era of banking.

I’ve observed how companies seeking to make a real impact within the industry rarely do it alone. While we need committees in business, maybe what we need more is a “virtual committee,” or community of fintech players, to better understand the nuances within the landscape. The value of this fintech community is to provide industry intelligence, serve as a sounding-board for new ideas and foster relationships to move you faster in achieving your organizational goals.

The fintech community should also include thought leaders, published research and reports—and most importantly, peers from outside your organization. Even competitors can be valuable resources for your company and contribute to your personal development.

The banking segment will likely see more action than the rest of the economy. In the future we will probably witness the following:

  • The adoption of a new fintech charter
  • A relaxation of the regulatory burden
  • Improved bank earnings, helped in part by rising interest rates
  • Increased customer expectations

Individuals and organizations that embrace the industry as a community and foster relationships will have a competitive advantage.

Why Dramatic Change in Banking is Hard
Many of the products and services that banks offer are mature, even bordering on commodity status. Technology advances we see in our industry tend to fall into a few categories:

  • How banks deliver products (channel)
  • Customer insights and recommendations (managing their money better)
  • Ease of doing business (speed, simplicity and service)
  • Tweaks to traditional business models (sources of funding, hyper-focused segmentation)
  • Operational improvements (automated processes, enhanced security and improved regulatory compliance processes, to name three)

Many of the platforms we used today are in the process of being either rewritten or replaced. According to one vendor, the life cycle of fintech moving forward will be five years or less on average.

The technology that the vast majority of financial institutions use today is a result of decisions spanning over many years and engagements with a lot of vendors—typically from dozens to hundreds of relationships.

Media, fintech executives and investors have a tendency to focus on new and shiny technology without an appreciation of how hard it is to run a technology company in the financial industry, much less what it takes to achieve long-term success.

Agents For Change
Vendors looking to grow their businesses seek focused education and networking opportunities. Organizations such as the Association for Financial Technology, or AFT, enable vendors to learn about technologies, which organizations are doing well, and gain industry insights that help provide a perspective for decision-making. This particular fintech community includes companies of all sizes that have implementations in virtually every U.S. financial institution.

Ultimately, people do business with people, and fintech advances won’t happen until two people or two companies agree on a shared vision. Finding your community, and being a good citizen within it, will enable you to grow professionally and help your company succeed and make a positive impact.

Additional resource: “What You Need to Know About AFT Fall Summit 2016” by Kelly Williams.

Can Watson Solve the Bank Regulatory Riddle?

Written by


puzzle-1.png

You have probably seen recent television commercials where “Watson,” IBM Corp.’s vaunted supercomputer, chats with Stephen King about novels and Bob Dylan about songwriting. And perhaps you remember a few years ago when Watson defeated two highly accomplished past winners of the game show Jeopardy! in a three-way competition. Well, IBM is now focusing Watson’s considerable talents on bank regulatory compliance.

In September, IBM announced that they were buying the consulting firm Promontory Financial Group, which is based In Washington, D.C., and was founded in 2001 by former Comptroller of the Currency Eugene Ludwig. Promontory is considered one of the leading firms providing banks with the information needed to navigate the increasingly intricate web of regulations at all levels of government. Over the years, Ludwig has hired many former regulatory officials, some of whom headed regulatory agencies and financial companies around the world. IBM is not just going to fold Promontory into its financial services practice, however. The company is thinking much bigger than that.

IBM is going to have Promontory’s 600-plus professionals turn Watson into the world’s foremost expert on financial institution regulatory compliance. Watson will then be able to expand its base of knowledge in real time as new regulations are created and studying various scenarios and situation that have developed in real world practice. Bridget van Kralingen, senior vice president, IBM Industry Platforms, described the company’s expectations for the project saying, “What Watson is doing to transform oncology by working with the world’s leading oncologists, we will now do for regulation, risk and compliance. Promontory’s experts are unsurpassed in this field. They will teach Watson and Watson, in turn, will extend and enhance their expertise.”

This can be a game changer if it works as expected. Regulatory compliance costs are growing, and there is no sign that this trend will ever reverse. In the press release announcing the acquisition, the two companies cited a report from global consulting firm McKenzie that found “More than 20,000 new regulatory requirements were created last year alone, and the complete catalog of regulations is projected to exceed 300 million pages by 2020, rapidly outstripping the capacity of humans to keep up. Today, the cost of managing the regulatory environment represents more than 10 percent of all operational spending of major banks, for a total of $270 billion per year.”

Regulatory compliance is a very hands-on process in its current form. Humans have to dig through the data, read the reports and figure out how the new information impacts their institution. If Watson can reduce the human element of compliance, then costs will come down. This could be a huge benefit to community banks as regulatory costs, which account for a disproportionally larger percentage of their overall costs than larger banks. Some of these smaller institutions have thrown in the towel and sold their bank to larger competitors rather than try and keep up with an ever-growing burden and costs of compliance.

Ludwig addressed the potential for the use of artificial intelligence combined with his firm’s existing broad level of knowledge to reduce costs for small banks. “For community and regional banks, this is a potential lifeline,” he said in an interview. “For many banks, it is an enormous burden just to keep up. Watson offers the opportunity to have a world-class partner.”

One of the keys to making this combination work is the fact that Watson is already a known entity that has had a lot of success since “going on” Jeopardy! in 2011. Watson is being used to improve clinical diagnosis and cancer treatment in the medical world, help track water usage in drought plagued parts of California and generate product suggestions for several retailers.

Those who worry that tech giants like IBM are not going to be nimble enough to keep up with the sexy, fast changing world of fintech simply do not understand the banking industry. Bankers don’t care about being on the cutting edge of technology as much as they do having technology and technology providers that are dependable. They want vendors with strong reputations that will have the staff and expertise to deal with problems that crop up at 2 a.m. on a Sunday. In banking, reputation is everything and protecting their reputation is much more important than having a sexy technology.

This combination offers them the chance to have both. Banks that might be reluctant to use compliance programs driven by artificial intelligence from a younger, more nimble fintech firm are going to find it much easier to accept the proven technology of Watson and the support provided by an industry giant like IBM. If the combination of Promontory’s in-depth knowledge basis and Watson’s artificial intelligence do in fact reduce the time used and money spent on regulatory compliance, this will be a tough combination to beat.