Is Basel III Good for Banking?

There are a lot of complaints about the complexity of the new Basel III rules, which increase minimum capital ratios, establish a new set of risk weights for certain assets and increase liquidity requirements. All banks and thrifts, plus thrift holding companies, are subject to the new rules. Bank holding companies also are included, unless they have assets of less than $500 million. But will the new rules be good for banking, when all is said and done? Bank Director asked a panel of experts to weigh in on the new rules, which were finalized earlier this year.

Is Basel III good for banking?

More and more, I find myself to be in [Federal Deposit Insurance Corp. Vice Chairman] Tom Hoenig’s camp. Regulations have become monstrously complex. The Basel III regulations are more than 900 pages. If the question is whether higher minimum capital ratios and liquidity requirements make sense, I would say sure, but 900 pages? Beyond the complexity, there is considerable administrative burden even for community banks. I laugh when I read what amount of time regulators say is needed to comply with new regulations. They must all be masters of Evelyn Wood’s Reading Dynamics. I needed over two weekends just to read the first 280 pages of regulation.

— Peter Weinstock, Hunton & Williams LLP

Basel III is good for banking in that it directs the industry back into the more conservative role of a traditional financial intermediary rather than the high growth, boom or bust mentality that was so pervasive in the industry in the early to mid-2000s. The Basel III rules, in a general sense, promote more modest risk-taking by banks. The rules also moderate growth through limiting leverage for those institutions that have more aggressive asset mixes. By doing this, the rules will help curb competition that is strictly based upon which institution is willing to take the most risk. Hopefully, these rules will lead the industry back into an environment in which the most successful institutions are the smartest, not just the most aggressive.

— Jonathan Hightower, Bryan Cave LLP

Yes and no. People generally accept that banks should have had more capital prior to the recent financial crisis, but Basel III has clear weaknesses. The problem lies in recognizing that overly complex rules and prohibitively high capital levels can be incompatible with increasing economic activity or at least contribute to driving borrowers to the shadow banking environment. The key is to understand the interrelationship of new requirements in addition to Basel III, both national and international, both imposed by Dodd-Frank and independently by bank regulators, to recognize that the cumulative effect of those rules may be more onerous than at first supposed.

— Donald Lamson, Shearman & Sterling LLP

It’s a mixed bag. Since all U.S. banks will be required to hold more capital, especially common equity, than under the existing rules, they will be more likely to absorb significant losses and thus may be less likely to fail. However, in order to raise or maintain additional common equity, banks still have to deliver attractive returns to their shareholders. The cost of additional capital, plus the compliance burden arising from more complex rules, makes it too early to tell whether banks will succeed without cutting back on the availability of credit. The Basel III rules also create disincentives for smaller U.S. banks to expand through M&A transactions instead of organic growth. That could act as a brake on consolidation and affect the competitive landscape between banks of different sizes.

— Luigi L. De Ghenghi, Davis Polk & Wardwell LLP

The application and implementation of Basel III to community banks is unnecessary. Community banks were not the cause of the troubles leading up to the Great Recession. Then, as now, most healthy community banks have more capital than will be required in 2015. When deemed necessary for safety and soundness, troubled institutions often have increased capital ratios imposed on them by their regulators. This has not changed, nor should it. Basel III may have the undesired effect of driving more consolidation of healthy community banks because they will not be able to profitably keep up with increased regulatory compliance costs, new CFPB rules, information technology advances, along with maintaining higher capital standards. This will be our loss.

— Susan B. Zaunbrecher, Dinsmore & Shohl LLP

We believe Basel III will be good for banking, so long as the rules are clearly set out. Basel III will require banks to maintain higher capital levels, even though there are changes to what can be included in Tier 1 capital.

— Bob Monroe, Stinson Morrison Hecker LLP

Basel III implementation risks pushing banks to pursue similar business strategies to manage their regulatory capital burdens (which contributed to the 2008-2009 systemic crisis as well). Regulators have pushed banks to adopt model risk management practices to ensure that each institution does not slavishly follow underwriting, valuation, or risk management models without routine and independent validation. However, these same model risk management principles have not been built into the Basel III standards themselves, which are static and risk similar effects.

— Cliff Stanford, Alston & Bird LLP

What Does a Cyber Policy Cover?

A recent report by Prolexic Technologies documents that cyber attacks, including denial of service attacks, have increased by as much as 20 percent during the second quarter of 2013 compared to the first quarter. Partly in response to these increased attacks, the Securities Industry and Financial Markets Association conducted a voluntary test of the security systems of various financial institutions. During the week of July 13th, 50 banks of all sizes were going through the exercise to see how they would respond to coordinated cyber attacks against them. Add to this the exponential rise of mobile devices, and it is no wonder that bank boards are discussing cyber risk at an ever-increasing rate.

Board Level Discussions

More and more often, my board presentations include a cyber-risk component. I am no longer surprised to hear directors question the protection of the bank’s non-tangible assets (such as client personal information) as much as they do the money in their vaults. The most common question I get from the board room is, “What can we do to minimize these new risks?” The first discussion concerns the implementation of a detailed and outlined response plan in the event of a breach of network security. This plan should incorporate all of the people who touch cyber security, including the chief security officer, CFO, GC, IT director, and insurance broker/carrier. We then discuss people, process, technology, and insurance. Remember that hiring a top-notch chief security officer, implementing iron-clad processes around breach avoidance/response and purchasing the newest network security solutions will definitely put the bank at decreased risk of attack. But there is no silver bullet that can guarantee that the cyber criminals will not find a way to access your network. And as it is with all risk management, the way to encapsulate and mitigate that slice of liability exposure is through insurance. In the case of cyber exposure, the insurance product is typically referred to as network security and privacy liability or simply cyber liability.

What is Covered by a Cyber Liability Policy

Believe it or not, this is actually not an easy question to answer. Unlike many other insurance products which cover one exposure, the typical cyber liability policy is almost like a restaurant menu where an insured has a lot of options as to what modules they want included in their policy. At a summary level, a cyber policy can include some or all of the following coverage:

Third Party Coverage (i.e. a lawsuit by a customer or other third party). This policy covers defense costs and ultimate settlement or damages relating to:

  • Network Security: Covers customers bringing suit arising from a breach in network security.
  • Privacy Liability: Covers claims from clients that typically arise from a release of their personal information through a non-cyber breach (i.e. dumpster dive, lost laptop, exposed customer list).
  • Media Liability: Gets involved when a party brings suit alleging online copyright infringement.
  • Regulatory: Provides coverage for governmental or regulatory claims arising from a data breach.

First Party Coverage. This policy reimburses the insured to make the company whole:

  • Crisis Management: Covers public relations services needed in response to a breach.
  • Breach Remediation: Covers costs for credit monitoring, forensics and restoration of data.
  • Notification Costs: Covers costs to notify all customers (as dictated by most state laws) of a breach. This continues to be the most frequent type of covered cyber claim. One carrier estimates an average notification cost of $30 per customer.
  • Cyber Extortion: Potentially covers the investigation and actual extortion of breach or credible threat of a breach.
  • E-business Interruption: Covers the loss of income and extra expense resulting from a computer attack (after a waiting period).

Each of these components has a cost associated with it. Based on the coverage selected and the size of the bank (often measured in revenue and/or number of records managed), we see premiums range from $5,000 to $20,000 per $1 million of coverage. So, we recommend a level of due diligence between the broker and the bank to best determine the appropriate cyber coverage for that institution.