Two Distinct Duties: Holding Company vs. Bank Boards

It wasn’t too long ago that banks were restricted from conducting business outside their home state.  But some institutions found a workaround: Bank holding companies offered a way to operate in multiple states, leading Congress to pass the Bank Holding Company Act of 1956. Regulators also wanted to limit banks’ ability to own nonbank firms like a manufacturing company or retailer, which could have allowed them to influence borrowers to patronize those subsidiaries or use deposits to make loans to those businesses, according to Joe Mahon of the Federal Reserve Bank of Minneapolis. 

Interstate banking has been the norm since the 1980s, and the Bank Holding Company Act has been modified several times since its 1956 passage. But generally, the law clarifies the purpose of a bank holding company and gives the Federal Reserve broad powers to supervise these companies. 

Recently, with the failure of Silicon Valley Bank, questions have been raised about a holding company’s role as a source of financial strength. The Santa Clara, California-based bank’s holding company, SVB Financial Group, remained in operation as of Sept. 7, 2023. 

But even in normal circumstances, a holding company presents distinct governance considerations for boards. 

Why Have a Bank Holding Company?
A bank holding company’s primary purpose is to hold stock, or ownership, in a bank. 

Banks don’t have to be held by a holding company — notable examples of banks without holding companies include Little Rock, Arkansas-based Bank OZK, with $31 billion in assets, and $87 billion Zions Bancorp., in Salt Lake City, which merged its holding company into its bank in 2018. Zions said at the time that the consolidation would improve efficiency and cut down on duplicative regulatory examinations. 

A holding company structure eases an organization’s ability to borrow or raise money, and “inject it down into the bank,” says Andrew Gibbs, a senior vice president at Mercer Capital who leads the advisory firm’s deposit institutions group. Equity plans, including employee stock ownership programs, could be easier to manage via a holding company. For smaller banks below $15 billion in assets, it also changes what counts as regulatory capital.

“One of the benefits of bank holding company status is the ability to count securities like trust preferred securities as regulatory capital,” says Gibbs. Zions and Bank OZK didn’t receive those capital advantages due to their size.

A holding company structure also allows a bank to engage in a broader array of activities. “A bank holding company can invest in any kind of company, so long as it holds less than 5% of voting stock of that company,” says Samantha Kirby, partner and co-chair of the banking and consumer financial services practice at Goodwin Procter. Those investments can include fintechs. In Bank Director’s 2023 Bank M&A Survey, conducted last fall, 9% of bank executives and board members reported that their organization had directly invested in fintech companies in 2021-22. 

If a bank holding company wants to offer a broader selection of financial services, such as investment banking or insurance, the board can elect to become a financial holding company, a separate designation created in 1999 via the Gramm–Leach–Bliley Act. 

A bank holding company can also serve as a financial source of strength for the bank, referencing a doctrine that was reinforced in Section 616 of the Dodd-Frank Act, which amended the Bank Holding Company Act. Put simply, the holding company should provide financial support to its insured bank subsidiary “in the event of the financial distress” of that institution. 

James Stevens, a Georgia-based partner at Troutman Pepper, witnessed a number of bank failures in that state during the 2008 financial crisis. Bank holding companies were expected to ensure their subsidiary bank had enough capital to survive. “If a subsidiary bank needs capital, and the bank holding company has additional capital that could be injected into the bank, it is supposed to push that capital into the bank under the source of strength doctrine,” he says. “If a bank holding company doesn’t do that, its board could be subject to criticism from regulators.”

Investors often prefer that capital be held at the holding company rather than at the bank. Gibbs explains that pulling capital out of the bank generally requires regulatory approval, so large capital activities — like dividends — are best handled at the holding company level. “It’s generally easier to keep [capital] at the holding company, and then you don’t need to deal with [the] regulatory process to extract it from the bank, if the bank has too much capital.”

Know Your Role
Both holding company and bank boards have the same fiduciary duties to shareholders, says Kirby, meaning the directors of both boards have a legal and ethical responsibility to act in the best interests of the company’s owners. That said, bank and holding company boards have distinct responsibilities, and directors should have a “clear understanding of whether they are serving on the bank board or on the holding company board, or both,” she says. It sounds basic, but sometimes that line isn’t clear.

Often, the boards mirror one another, but it’s not uncommon for a member or two to serve on just one of the boards. For example, it’s fairly routine for a private equity investor to only serve on the holding company board where they can focus on the overall direction of the company. And sometimes, the holding company and bank boards could be two entirely different groups. 

According to Bank Director’s 2023 Compensation Survey, holding companies and banks tend to have the same number of members, at a median of 10. Bank boards meet a little more frequently, at a median 12 times a year versus 10 meetings for the holding company board.

The bank board should focus on the bank’s activities — put simply, strategies, policies and risks related to the bank’s business of making loans and taking deposits. “Bank regulators will not find it acceptable if the bank holding company is the one that’s managing the risk,” says Stevens. “Same thing with audit and compliance management, and the scope of internal audit. … They want the bank board to be focused on those things.”  

Stevens describes the structure as one that’s “bottom up,” as the bank board makes important decisions about the business, and the holding company makes higher level decisions about strategy — capital allocation and deployment, or prospective M&A activity. “What’s the risk management framework? What’s our internal audit going to look like? Who has lending authority?” says Stevens. “That stuff has got to be at the bank.” 

The holding company typically can add or remove directors from the bank board. “The process and authority depend on the articles and bylaws of the bank,” says Stevens, “but generally the bank holding company, as the sole shareholder of the bank, has the power to change the composition of the bank board.”

Separate Agendas, Minutes
No matter the makeup of the holding company and bank boards, both Kirby and Stevens say it’s important that deliberations — which board is taking action on what — are clearly documented. 

Ideally, the bank board and the holding company board would have two distinct agendas, and two sets of minutes. 

Stevens sometimes sees mirrored boards make joint resolutions. But he says it can get complicated when the two boards aren’t composed of the same directors. “You have to be thoughtful, if you have separate groups, that you’ve got the right people in the room to make the decisions that impact those fundamental banking decisions.”

That isn’t to say that members of the holding company board won’t sit in on the bank board meeting, or vice versa, says Kirby. But, when it comes time for formal action, that should be taken by the appropriate board.

Revisit Your Structure
Choosing to adopt a bank or financial holding company structure — or not — should be a decision informed by the bank’s strategy. Kirby recommends that this be part of the board’s annual strategic discussions. Consider whether the bank has the right structure to pursue its strategic goals and facilitate its growth. 

While the difference between the two boards, holding company and bank, may appear trivial, getting governance right makes a difference on regulatory examinations. The board’s effectiveness factors into a bank’s CAMELS rating, short for capital adequacy, asset quality, management, earnings, liquidity and sensitivity to market risk. The board falls under the management pillar. 

“You want to have this buttoned up, and [you] don’t want to get criticized for it,” says Stevens. “If you’re being examined, and you’re on the cusp of being a three or a four, you don’t want the corporate governance issue to move you from a three to a four CAMELS rating. … It’s not a place for boards to be creative and make mistakes.”  

Additional Resources
Bank Director’s 2023 Compensation Survey, sponsored by Chartwell Partners, surveyed 289 independent directors, CEOs, human resources officers and other executives of U.S. banks below $100 billion in assets to understand how they’re addressing talent challenges, succession planning and CEO performance. Compensation data for directors, non-executive chairs and CEOs for fiscal year 2022 was also collected from the proxy statements of 102 public banks. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in March and April 2023.

Bank Director’s 2023 Bank M&A Survey, sponsored by Crowe LLP, surveyed 250 independent directors, CEOs, chief financial officers and other senior executives of U.S. banks below $100 billion in assets to examine current growth strategies, particularly M&A. Members of the Bank Services Program can access the complete results of the survey, which was conducted in September 2022.

The Big Debate: Should Bank Boards Approve Loans?

A majority of banks approve individual loans at the board level, but should they?  

Bank Director’s 2023 Governance Best Practices Survey indicates that while the practice remains common, fewer boards approve individual loans compared to just a few years ago. Sixty-four percent of responding directors and CEOs say their board approves individual loans, either as a whole or via a board-level committee, while 36% say the board approves loan policies or limits. Four years ago, 77% of respondents to Bank Director’s 2019 Risk Survey said their board approved individual loans.

In an environment that’s characterized by economic uncertainty and sluggish loan demand, does this additional layer of review create more risk? Or does it provide a level of assurance that the credit will hold up, should the economy tip into a recession? 

“There’s no firm rule that says a board should be or should not be involved in this decision,” says Brandon Koeser, a senior analyst at the consulting firm RSM US LLP.

Boards at banks below $10 billion in assets are more likely to be directly involved in approving individual loans. Those loans may be less complex, and board members may be more likely to know the borrower’s character. While it’s valuable to have former lenders in the boardroom who can review loan packages, it can also help to include perspectives from directors with other types of business experience.  

“A lender is going to approach a loan differently than someone who may have been in the actual borrower’s shoes or may still be in a borrower’s shoes,” says Koeser. “They might even give management additional questions to think through when they’re going through that decision.”

Some bankers say the additional board oversight benefits their organization in other ways, by giving directors a clearer window into the risks and opportunities the bank faces. And while it may be more work for lenders, it also allows those bankers to look at the deal several times before it’s finalized. 

At Decatur County Bank, the $270 million subsidiary of Decatur Bancshares in Decaturville, Tennessee, the board approves individual loans over a certain size, says CEO Jay England. Many of the bank’s board members have at least a decade of experience in approving loans, and the board recently added a former banking regulator to its membership. Those directors’ collective experience provides valuable oversight for larger deals, he says.  

Lending has historically been one of the riskiest activities banks engage in, and approving loans as a director carries some degree of risk itself. In the aftermath of the 2008 financial crisis, a number of bank directors and officers at failed banks were sued by the Federal Deposit Insurance Corp. for loans they had approved that later went bad.

If directors could be held liable for bad loans, England says, they “should be getting a look at the decisions we’re making.” 

But that doesn’t mean there isn’t room for some improvement. The bank revamped its lending and approval process several years ago, he says. As part of that, it adopted a board portal. Bankers upload loan packages into that portal so board members can review them on their own time in between meetings. 

The $1.5 billion Cooperative Bank of Cape Cod moved away from loan approvals by the board as part of an overall shift toward an enterprise risk management structure, says Lisa Oliver, CEO and chair of the Hyannis, Massachusetts-based bank. It created an internal loan committee staffed by bank officers — including the chief credit officer, chief risk officer, chief financial officer and chief strategy officer, along with Oliver as CEO — to approve credits and undertake a deeper analysis of the bank’s credit portfolios, trends, policies and risk tolerances.  

At the board level, the bank folded its loan, finance and IT committee functions into one enterprise risk management committee. That committee’s responsibilities around credit include monitoring portfolios for concentration risk, and reviewing each of the bank’s lending areas for trends in delinquencies, nonaccrual rates and net charge-offs. 

Loans up to $2.5 million are approved by the bank’s chief credit officer. Loan relationships over $2.5 million are sent to the bank’s internal loan committee for approval, and relationships over 15% of the bank’s total capital move to the board for ratification, says Oliver. In this context, the committee isn’t digging into the merits of a deal to approve a specific credit. Rather, the board sees an executive summary of the loan to evaluate its impact on concentration risk limits, risk rating levels and construction loan limits. 

Reading one single loan package can take 45 minutes to an hour for a seasoned credit professional, and Oliver says that moving to this structure has freed up board members’ time and resources to focus on the larger picture of risk management and strategy. 

“Everyone’s time is valuable. I don’t want my board to have to spend time reading these deals,” Oliver says. “What I need to do is elevate them out of management, which is really approving loans, and get them into their seat as risk oversight: approving policies, understanding trends, looking at concentrations and developing risk appetites.” 

Governance issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.

Article updated on Sept. 15, 2023, to clarify approvals at Cooperative Bank of Cape Cod.

Reviewing Recent Bank Guidance on Third-Party Risk

Financial institutions are increasingly ramping up partnerships with third-party organizations that offer technologies that promote efficiencies or add new banking products to drive revenues.

As these partnerships increase, the risk to the banking system is also increasing. In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance on third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.

Two notable differences from the guidance initially proposed in 2021 are the need for financial institutions to establish a complete inventory of all third-party relationships and a specific callout of relationships with fintech organizations that interact directly with an institution’s customers.

The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant fintech relationships.

The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party.

1. Planning: Before conducting business with a third party, banks must create a plan to determine the type of risk and related complexities involved. Once the institution identifies such risks, it can design and establish necessary mitigation techniques.

The guidance specified that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:

  • The strategic purpose of the arrangement.
  • Benefits and risks of the relationship.
  • The volume of transactions involved.
  • Related direct and indirect costs.
  • The impact of the relationship on employees and customers.
  • The physical and information security implications.
  • Monitoring the third party’s compliance with laws and regulations.
  • Ongoing oversight of the relationship.
  • Potential contingency plans.

Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.

2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise.

If a financial institution is unable to perform the appropriate due diligence on a prospective third party and has not identified proper alternatives to support the relationship, the bank will likely need to forgo the relationship.

3. Contract negotiation: Important to any third-party relationship is negotiating a contract that allows the bank to perform continuous and effective risk management practices. If there is difficulty in negotiating these aspects with the third party, the institution needs to analyze the related risk and weigh whether it is acceptable to enter into a relationship.

Importantly, the board of directors should be aware of negotiations in order to discharge its oversight responsibilities, whether through direct involvement or updates from an approved negotiating delegate.

4. Ongoing monitoring: Ongoing monitoring is imperative as institutions navigate a rapidly changing banking environment. Establishing techniques or mechanisms to track the risk landscape and identify emerging risks is just as important to monitoring as a cadence of regular reviews of current risks.

The agencies did not outline “any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”

5. Termination: Lastly, if an institution has decided the relationship has run its course, an efficient and timely termination is beneficial. The institution should consider transitioning any service provided through the relationship to another third party or bringing it in-house.

Governance
The regulators also highlighted three critical governance practices for such relationships.

  • Oversight and accountability: The board of directors is ultimately responsible for the oversight of third-party risk management. This includes providing management with guidance on the risk appetite to enter into third-party relationships, as well as approving management policies and procedures.
  • Independent reviews: The guidance calls out the need for independent, periodic reviews that assess the adequacy of the risk management process, as well as management’s processes, procedures and controls for adequacy and effective operation.
  • Documentation and reporting: Institutions will need to thoroughly document their third-party risk management processes, procedures and outcomes of related independent reviews.

Risk management necessitates perpetual enhancement. As institutions continue to partner with third parties to offer new capabilities, remaining vigilant by incorporating the five key points from the guidance is essential. These techniques help safeguard the stability, trust and sustainability of the financial services industry.

A version of this article originally appeared on RSM US.

Managing Interest Rate Risk With Stronger Governance

Many banks were caught off guard by the rapid pace of interest rate hikes over the past year. Now that the initial shock has hit, bank directors are questioning how to manage interest rate risk better and prepare for disruptions.

While rising rates are part of market cycles, rates rarely increase at their recent velocity. Between March 2022 and June 2023, the federal funds rate rose from 0.25% to 5.25%, a 500-basis point increase in less than 15 months.

A High Velocity Rise Caught Bank Leaders Off Guard
Not since the 1970s have rates increased at this pace in such a short time frame. Even in the cycle preceding the 2008 financial crisis, rates rose from 1% in 2004 to 5.25% in 2006 over 24 months. The latest interest rate hikes are steeper — and come at a time when banks were already awash in cash and liquidity. With excess cash, less loan demand and no place to park their money in recent years, many banks purchased securities, which historically have been a safe bet in such times.

But few boards were prepared for rates to increase so quickly. Since March 2022, continual increases in the federal funds rate have reduced the value of banks’ fixed-rate assets and shortened the maturity of their deposits. Two bank collapses in March 2023 demonstrated how quickly interest rate risk can grow into a liquidity risk and reputation risk.

Bank Directors Can Focus on Strong Governance, Risk Mitigation
Now that they have experienced an unprecedented event, bank directors are questioning what they can do to prepare for future interest rate shocks. But banks don’t necessarily need new risk management strategies. What they should do now is use the risk-mitigating levers available to them and act with strong governance.

Most banks already have asset-liability management committees that meet quarterly to stress test the balance sheet with instantaneous shocks, ramps and nonparallel yield curves. While going through the motions every quarter might appease regulators, it won’t prepare banks for black swan events. Banks need to hold these stress-testing meetings more frequently and make them more than compliance exercises.

In addition, bank directors should review assumptions used in their asset-liability management report packages. Some directors take these assumptions at face value without questioning how they were calculated or if they reflect reality. Yet the output of a model is only as good as the integrity of its underlying conventions or specifications.

Additional Strategies Require a Focus on Execution
Repricing products, changing product mix or employing derivatives can be other effective tools for managing risk. But again, the key is in execution. Some banks fear alienating customers or the community by repricing or changing products that are safer for the bank but might not be preferred by the customer. For example, some institutions prefer to book fixed-rate loans to meet customer demand, even though floating-rate loans might help the bank better manage risk.

While derivatives can add risk if not properly understood and managed, they can be a highly effective tool to manage interest rate risk if used early in the cycle. Once rate changes are underway, a derivative might no longer be helpful or might be cost-prohibitive.

Even as the Federal Reserve contemplates its next move, bank directors can look at the recent past as a learning experience and an opportunity to better prepare for the future.

2023 Governance Best Practices Survey: Complete Results

Bank Director’s 2023 Governance Best Practices Survey, sponsored by Barack Ferrazzano’s Financial Institutions Group, surveys 195 independent directors, chairs and CEOs of U.S. banks under $100 billion of assets. Topics explored this year include risk oversight, director liability and board and composition.

The results find that the vast majority of bank board members and CEOs believe their board proactively addresses the risks and opportunities facing their institutions, and that issues and challenges are adequately reflected in the board’s agenda. But a lack of various skill sets and knowledge could mean the board is ill-equipped to ask questions about key risks or business opportunities at a time when the operating environment looks increasingly tough.

The survey, which regularly explores the fundamentals of board performance, was conducted in April and May 2023. Members of the Bank Services program have exclusive access to the full results, including breakouts by asset category and ownership structure.


Key Findings

Focus On Asset/Liability Management
A majority of respondents (83%) say their board revisited its asset/liability management policy over the past 12 months. Almost all (93%) believe their board is somewhat or very effective at monitoring asset/liability risk.

Stamp Of Approval
Sixty-four percent — primarily representing banks below $10 billion in assets — say their board approves individual loans, either as an entity or via a board-level committee, while 36% say their board approves policies and limits but not individual loans.

Finding New Board Members
Fifty-six percent say their board or governance/nominating committee cultivates an active pool of potential board candidates, while over a third (34%) say it does not. When asked what their board does to attract new potential directors, many share in anonymous comments that they rely on personal networks or referrals from existing board members.

Turnover In The Boardroom
Almost half (49%) say that one or two new directors have joined their board since January 2020, while 22% say that three or four new directors joined in that time. Twenty percent say that no new directors have joined their board in that three-year period.

Dialing Up Diversity
More than half (57%) of respondents say their board has three or more diverse directors, as defined by gender, race or ethnicity — up slightly from last year’s survey. Another 36% this year say their board has one or two directors who fit that definition.

Zooming In
Eighty-three percent of all respondents say their board has established guidelines around virtual meeting attendance.


2023 Governance Best Practices Survey Results: Equipping the Board for a Tough Environment

The vast majority of bank board members and CEOs believe their board proactively addresses the risks and opportunities facing their institutions, and that issues and challenges are adequately reflected in the board’s agenda. But a lack of various skill sets and knowledge could mean the board is ill-equipped to ask questions about key risks or business opportunities at a time when the operating environment looks increasingly tough.

Many boards, particularly at smaller banks, could be lacking expertise in critical areas that may be needed to address today’s challenges, according to Bank Director’s 2023 Governance Best Practices Survey, sponsored by Barack Ferrazzano’s Financial Institutions Group. Many respondents representing banks below $1 billion in assets see gaps in board-level expertise around risk, regulations and technology. Overall, just a third say their board possesses cybersecurity expertise, while 95% say their board has finance and accounting experience.

Given the nature of the industry, accounting and audit expertise aren’t likely to be overrepresented on bank boards, says Robert Fleetwood, a partner in the Financial Institutions Group at Barack Ferrazzano. “The risk of not having specific technology or cyber expertise is that you don’t have someone overseeing management that understands the lingo and knows if what’s getting done is appropriate,” he adds. “You’re gonna have a board that might not have a true understanding of the possible significance of [data breaches or email hacks] and the practical effects of how to fix it if there is an issue.”

Respondents feel confident about their board’s ability to monitor risk, with 94% calling their board very or somewhat effective at executing that responsibility. When asked about duties specific to risk oversight, 81% say the board reviews, approves and monitors the bank’s risk limits, and 73% say they hold management accountable for adhering to the risk governance framework. Two-thirds say their board reviews and approves the bank’s risk appetite statement, which defines the level and types of risk a bank will take on.

While the board can’t be expected to be experts on everything, a diversity of professional backgrounds can help the board as a whole ask better questions and provide a credible challenge to management. In anonymous comments, an independent director at a Midwest public bank offered this view: “Director expertise is essential.”

Key Findings:

Focus On Asset/Liability Management
A majority of respondents (83%) say their board revisited its asset/liability management policy over the past 12 months. Almost all (93%) believe their board is somewhat or very effective at monitoring asset/liability risk.

Stamp Of Approval
Sixty-four percent — primarily representing banks below $10 billion in assets — say their board approves individual loans, either as an entity or via a board-level committee, while 36% say their board approves policies and limits but not individual loans.

Finding New Board Members
Fifty-six percent say their board or governance/nominating committee cultivates an active pool of potential board candidates, while over a third (34%) say it does not. When asked what their board does to attract new potential directors, many share in anonymous comments that they rely on personal networks or referrals from existing board members.

Turnover In The Boardroom
Almost half (49%) say that one or two new directors have joined their board since January 2020, while 22% say that three or four new directors joined in that time. Twenty percent say that no new directors have joined their board in that three-year period.

Dialing Up Diversity
More than half (57%) of respondents say their board has three or more diverse directors, as defined by gender, race or ethnicity — up slightly from last year’s survey. Another 36% this year say their board has one or two directors who fit that definition.

Zooming In
Eighty-three percent of all respondents say their board has established guidelines around virtual meeting attendance.

Governance issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.


No Relief for Small Banks in Regulators’ Third-Party Risk Management Guidance

Although the spring banking crisis loomed large at Bank Director’s Bank Audit & Risk Conference, panelists flagged another emerging area of focus for regulators: third-party risk management. 

On June 6, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve finalized their interagency third-party risk management guidance, which was first proposed in 2021. The recent publication outlines regulators’ expectations for how banks approach vendors and partnerships, especially with financial technology companies. On June 13, less than a week after its release, panelists at the Chicago event warned more than 200 bankers in attendance, many of whom represent community banks, that the wide-ranging guidance is broad and makes no exemption for bank asset size. The new document replaces and updates the guidance different federal regulators have issued over the years and creates one set of expectations.

“The environment is going to get tougher [for banks], but the biggest thing is stricter enforcement of existing regulation,” said Brandon Koeser, financial services senior analyst at RSM US. He listed “capital, liquidity, credit and partnerships” as the four areas of examiner focus. 

The 2023 guidance came out in response to banks’ increasing use of third parties for, among other things, quicker and more efficient access to new technologies, human capital, products, services and markets. But using third parties comes with risk.

Regulators are concerned that using third parties can increase complexity, complicate oversight of bank activities, introduce new risks or increase existing risks in areas like operations, compliance and strategy. “This guidance they put out applies to all third-party relationships, regardless if they’re formal and under contract or if they’re informal relationships. It applies to your vendors, your consultants, your payment processing services partners and fintech partners,” said Erik Walsh, counsel at Arnold & Porter. He added that it makes no carve-outs for asset size or complexity.

Walsh says that banks need to identify all their relationships and begin putting into place “properly tailored risk management” that covers the lifecycle of the relationship — from internal planning before searching for a partner to relationship termination. He warned that this can be a “long and complicated” process that raises questions for smaller banks, and that some in the audience could be wondering, “How am I supposed to comply with this guidance?”

Walsh noted that the third-party guidance does not have the force of a regulation or a statute, but said “no one should let their guard down” and that regulators are “setting supervisory expectations.” He told the audience that third-party relationship oversight and governance starts with the board creating a risk appetite that’s communicated to the management team. Directors also need to set expectations around risk assessments of third parties, including the rigor and methodology of the assessment.

Even though there’s no safe harbor or carve-out for small banks, Arnold & Porter Partner Robert Azarow pointed out that regulators recognize that community institutions face challenges and limitations as they manage these relationships. For instance, they may have a harder time conducting thorough due diligence or contractual negotiations with fintechs. The guidance adds that third parties “may not have a long operational history, may not allow on-site visits, or may not share (or be permitted to share) information,” which can complicate a bank’s due diligence or oversight. Still, Azarow said risk assessments and ratings can help banks understand the potential consequences that arise from these relationships, like a vendor not delivering the promised good or service or a data breach that impacts the organization.

Walsh added that the guidance, although new, has already received criticism from inside and outside the agencies. “[W]hile detailed, I understand that this third-party risk management guidance nonetheless remains principles-based and risk-based. … That said, given the importance of the issue and the length of the guidance, I would support developing a separate resource guide for community banks as soon as practicable,” said Jonathan McKernan, an FDIC director, in a statement.

Federal Reserve Governor Michelle Bowman dissented, in part because of what she sees as gaps in the guidance that will lead to implementation challenges at banks.

“My expectation is that community banks will find the new guidance challenging to implement,” she said in her June 6 dissent. “In fact, our own Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.”

Reduce Lending Risk in the Omnichannel Environment

Credit risk and risk associated with digital origination and authentication have become top of mind for bank boards and executives. Banks that are able to optimize lending practices to give consumers faster and more efficient experiences and interactions throughout their digital lending journey are seeing greater pickup and success.

Today, many borrowers prefer application processes that accommodate both digital and staff-assisted capabilities when seeking a loan. To process loans in an omnichannel delivery ecosystem, banks are turning to lending options that have the ability to prospect, originate, underwrite, process and close secured and unsecured credit cards, lines of credit and installment loans.

Manually assessing an applicant, their collateral and whether the loan meets the bank’s compliance requirements and lending policies increases the risk of inconsistencies, oversights and unintended consequences. Automation provides institutions with consistent inputs, analysis, compliant processes and calculations, predetermined classifications, accurate risk-based pricing, consistent warnings for policy exceptions and predictable decisions and outcomes with greater speed and efficiency. It also improves the interpretation and analysis of the applicant, credit, debt obligations, collateral and the execution of the institution’s inclusion/exclusion policies, such as summing up debt totals and calculating ratios used in the underwriting process. It can calculate the proposed loan payment, annual percentage rate (APR), and ratios at the applicant, household, business, guarantor and loan levels. It can also calculate custom credit scores.

While banks receive many benefits from using digital channels to serve borrowers, they also face vulnerabilities and risks such as fraudulent applications and data privacy concerns. In addition, digital lending might require a bank to collaborate with numerous third-party fintechs, exposing both borrowers and the institution to new and heightened levels of risk.

Banks need more cost-effective processes and decision models to address qualification ratios associated with online lending. These models should employ analytics and automation that can decline, decision, and refer applications appropriately to maintain an institution’s profitability, mitigate risk and not overwhelm lenders.

Mitigating Credit Risk and Increasing Productivity
Technology simplifies the loan origination process for banks and customers by guiding customers through each step in the process. Technology and automation can eliminate errors and the need to rekey data, which streamlines operations and enables staff to focus on additional revenue-generating opportunities.

Institutions that would prefer to slowly test automated decisioning can start with automated decisioning for denials for applications that fall outside of loan policy. An instant denial allows loan teams to focus on profitable and better-qualified candidates. Decisioning analytics evaluate areas such as credit quality, borrower stability and collateral risk. A decision and rules engine applies industry standards, institution-specific rules and policies and custom attributes, such as credit report analysis, for automated decision support during the loan origination process.

Automated solutions can provide speedy decisions while meeting compliance standards. This can help boost employee productivity; the consolidated customer information and loan details provide a 360-degree view of the overall financial relationship and deal structure. Bank associates can manage and expand relationships and target product recommendations based on customer needs.

An Omnichannel Environment for Lending
The technology and analytics of an omnichannel environment give banks a competitive advantage when it comes to loan origination. Applicants can shop and compare loan options, submit loan applications and receive real-time automated decisioning and status updates.

An omnichannel ecosystem provides seamless start, save and resume cross-channel application processing: customers can begin the research and application process on a mobile device, continue the application and upload documents on an alternate digital device, and engage live assistance from contact center or branch lending specialists without losing their progress. The technology can guide customers and staff members through each phase, improving customer engagement by triggering staff actions and automating workflows. Digital capabilities intertwined with human engagement increase staff productivity and efficiency through analytics and workflow.

The omnichannel approach balances technology and human resource allocation based on customer need and complexity. Technology automates business criteria to issue decisions in real time or have the loans manually reviewed by underwriters, if warranted. Applying decisioning analytics allows banks to strengthen governance, risk and compliance by establishing proof of process. An omnichannel delivery environment that drives the application and origination process gives banks a way to provide a seamless lending experience that meets customers’ needs.

Banking’s March Madness Postgame

After every significant banking crisis, it becomes clear what transpired and how it could have been avoided.

There are two key takeaways from the March bank failures that directors and their senior management team should capitalize on. They should put on a new set of lenses and take a fresh look at:

  1. Enterprise risk management practices.
  2. Liquidity risk measurement and management.

What happened in March resulted mainly from a breakdown in management and governance. It is a reminder that risk management is highly interconnected among liquidity, interest rate, credit, capital and reputation risks. Risk management must be a mindset that permeates the entire institution, is owned by the C-suite and is understood by the board.

Here are a few things for directors to ponder while revisiting enterprise risk management governance:

  • Be realistic about potential risks. Listen to, and address, data-driven model outcomes. Refrain from influencing results to reflect a preferred narrative.
  • Understand key assumptions and their sensitivities. Assumptions matter.
  • Bring data to the surface and breathe life into it; value data analytics.
  • Accept that the days of “set it and forget it” policy limits and assumptions are over.
  • Revisit attitudes regarding validating risk management processes and models: Are they a “check the box” exercise or a strategically important activity?
  • Ask: What could go wrong, and what should we monitor? How thorough and realistic are preemptive and contingency strategies?
  • Acknowledge that stress testing is not for bad times — by then, it’s too late.
  • Cultivate an environment of productive, effective challenge.

Banks and their asset/liability management committees are under stronger regulatory microscopes. They will be asked to defend risk management culture, processes, risk assessments, strategies and overall risk governance. Be prepared.

Telling Your Liquidity Management Story
The March bank failures accentuated the critical importance of an effective liquidity management process — not just in theory, but in readiness practice. Your institution’s liquidity story matters.

Start with your liquidity definition. Most define liquidity by stating a few key ratios they monitor – but that’s not expressing one’s liquidity philosophy. Bankers struggle to put their liquidity definition into words, which can lead to an inadvertent focus on ratios that conflict with actual philosophy. This can result in suboptimal outcomes and unintended consequences. One definition banks could adopt is: “Liquidity is my bank’s ability to generate cash quickly, at a reasonable cost, without having to take losses.”

A bank can readily construct a productive framework around a meaningful definition. Given the notoriety around unrealized losses on assets and potentially volatile deposits, be clear that how the bank manages its liquidity does not depend on selling assets.

Construct a liquidity framework that supports this notion with four elements:

  1. Funding diversification.
  2. Concentration and policy limits.
  3. Collateral management.
  4. Stress testing and contingency planning.

Funding diversification should consider Federal Home Loan Bank, Federal Reserve programs, repurchase agreements (repos), brokered and listing service deposits and fed funds lines. The ability to manage larger relationships with insured deposit programs, such as reciprocal and one-way, FHLB letters of credit and customer repos is also an integral part of funding diversification. Make sure your institution tests all sources periodically and understands settlement timelines.

Funding concentrations must be on your radar. The board and executives need to establish policy limits for all wholesale deposit and borrowing sources, by type and in aggregate. There should also be limits that apply to specific customer deposit types such as public, specialty/niche, reciprocal and others. The bank should track and monitor uninsured deposits, especially those that are tied to broader, larger relationships, and reflect that in operating and contingency liquidity plans. Take a deep dive into your bank’s deposit data; there is a significant difference between doing a core deposit study and studying your deposits.

Collateral doesn’t matter unless it is readily available for use. Ensure all available qualifying loan and security collateral are pledged to the FHLB and Fed. Determine funding availability from each reliable source and monitor capacity relative to uninsured deposits, especially the aggregate of “whale” accounts.

Also, understand how each funding source could become restricted. Ensure your contingency liquidity management process captures this with well-defined stress tests that simulate how quickly, and to what degree, a liquidity crisis could materialize. Understand what it would take to break the bank’s liquidity, and ensure that key elements fueling this event are monitored and preemptive strategies are clearly identified.

Step back and look at your institution’s risk management policies, keeping in mind that they can become unnecessarily restrictive, despite good intentions. Avoid using “if, then” statements that force specific actions versus a thoughtful consideration of alternative actions. Your bank needs appropriately flexible policies with guardrails, not straitjackets.

The conversation on risk management and related governance at banks needs to change. Start with a fresh set of lenses and a willingness to challenge established collective wisdom. Dividends will accrue to banks with the strongest risk management cultures and frameworks, with an appreciation for the important role of assumption sensitivity and overall stress testing. Ensure that clarity drives strategy — not fear.