Recalibrating Bank Stress Tests to a New Reality

Any bank that stress tested its loan portfolios prior to the Covid-19 pandemic probably used a worst-case scenario that wasn’t nearly as bad as the economic reality of the last five months.

Stress tests are an analysis of a bank’s loans or revenue stream against a variety of adverse computer-generated scenarios. The results help management teams and their boards of directors gauge whether the bank has adequate reserves and capital to withstand loan losses of various magnitudes. One challenge for banks today that incorporate stress tests into their risk management approach is the lack of relevant historical data. There is little modern precedent for what has befallen the U.S. economy since March, when most of the country went into lockdown to try to flatten the pandemic’s infection rate. The shutdowns tipped the U.S. economy into its steepest decline since the Great Depression.

Does stress testing still have value as a risk management tool, given that we’re navigating in uncharted economic waters?

“I would argue absolutely,” says Jay Gallagher, deputy comptroller for systemic risk identification support and specialty supervision at the Office of the Comptroller of the Currency. “It is not meant to be an exercise in perfection. It’s meant to say within the realm of possibility, these are the scenarios or variables we want to test against. Could we live with what the outcome is?”

The Dodd-Frank Act required banks with assets of $10 billion or greater to run annual stress tests, known as DFAST tests, and report the results to their primary federal regulator. The requirement threshold was raised to $100 billion in 2018, although Gallagher believes that most nationally chartered banks supervised by the OCC still do some form of stress testing.

They see value in the exercise and not having the regulatory framework around it makes it even more nimble for them to focus on what’s really important to them as opposed to checking all the boxes from a regulatory exercise,” says Gallagher. “We still see a lot of banks that used to have to do DFAST still use a lot of the key tenets in their risk management programs.”

Amalgamated Bank, a $5.8 billion state chartered bank headquartered in New York, has been stress testing its loan portfolios on an individual and macro level for several years even though it sits well below the regulatory threshold. For the first time ever, the bank decided to bring in an outside firm to do its own analysis, including peer comparisons.

President and CEO Keith Mestrich says it is as much a business planning tool as much as it is a risk mitigation tool. It gives executives insight into its loan mix and plays an important role in decisions that Amalgamated makes about credit and capital.

It tells you, are you going to have enough capital to withstand a storm if the worst case scenario comes true and we see these loss rates,” he says. “And if not, do you need to go out and raise additional capital or take some other measures to get some risk off the balance sheet, even if you take a pretty significant haircut on it?”

Banks that stress test have been forced to recalibrate and update their economic assumptions in the face of the economy’s sharp decline, as well as the government’s response. The unemployment rate spiked to 14.7% in April before dropping to 11.1% in June when the economy began to reopen, according to the Bureau of Labor Statistics. But the number of Covid-19 cases in the U.S. has surged past 3 million and several Western and Southern states are experiencing big increases in their infection rates, raising the possibility that unemployment might spike again if businesses are forced to close for a second time.

“I feel like the unemployment numbers are probably the most important ones, but they’re always set off by how the Covid cases go,” says Rick Childs, a partner at the consulting firm Crowe. “To the extent that we don’t get [the virus] back under control, and it takes longer to develop a vaccine and/or effective treatment options for it, I think they’ll always be in competition with each other.”

Another significant difference between the Great Recession and the current situation is the unparalleled level of fiscal support the U.S. Congress has provided to businesses, local governments and individuals through the $2 trillion CARES Act. It is unclear another round of fiscal support will be forthcoming later this year, which could also drive up the unemployment rate and lead to more business failures. These and other variables complicate the process of trying to construct a stress test model, since there aren’t clear precedents to rely on in modern economic history.

Stress testing clearly still has value despite these challenges, but Childs says it’s also important that banks stay close to their borrowers. “Knowing what’s happening with your customer base is probably going to be more important in terms of helping you make decisions,” he says.

How Risk Culture Drives a Sound Third-Party Risk Management Program


risk-10-1-18.pngRisk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant as to whether a bank performs in a manner consistent with its mission and core values. Risk culture is a set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (The Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third-party especially when additional risks are created. These risks may relate to executing the process or managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underpinned the issue around risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue posed by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses on third-party incidents and risk events (inclusive of near-misses) should be better used by organizations to reinforce training and lessons learned as it relates to duties performed by the third party. Risk event reporting and root cause analysis allows leadership to identify and understand why a third party incident occurred, identifies trends with non-performance of service-level agreements with the third party, and ensures appropriate action is taken to prevent repeat occurrences as it relates to training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first line third-party relationship managers and its risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationships and business owners have been provided training.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices with regards to treatment of third parties. Eliminate silos.
  • Increase understanding of TPRM activities and policy requirements across the relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations. 
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.

OCC Fintech Charter: Considerations for Banks


fintech-4-12-17.pngThe Office of the Comptroller of the Currency (OCC) recently announced it would move forward with a plan to grant special purpose national bank charters to qualifying financial technology companies. The OCC has solicited comments on the proposal, which it will evaluate to determine whether to formally adopt the process for granting fintech charters. If adopted, companies granted such a charter would become national banks regulated by the OCC, with the attendant regulatory obligations and oversight, and would no longer need to partner with traditional banks to take advantage of preemption of certain state laws. As noted by the OCC Chief Counsel Amy Friend, the first charter may be granted in the first half of 2017.

General Requirements
Under the proposed rule, for a company to qualify for a fintech charter, it must have the appropriate corporate structure, engage solely in bank-permissible activities and adhere to certain regulatory requirements.

Generally, national bank charters subject their holders to specific standards and federal oversight such that the firm can conduct business nationally. Because the proposed fintech charter would be granted under the National Bank Act (NBA), fintech companies would need to adhere to the statute’s governance requirements. For example, a fintech firm chartered by the OCC would need to have a minimum of five board members.

In addition, fintech charter holders only would be permitted to engage in activities authorized by OCC regulations and associated interpretations. These activities can include, among others, lending money, issuing debit cards and facilitating payments, but also investment advisory services and certain brokerage activities. If a given activity is not clearly permitted by the OCC, the firm could seek permission from the OCC, which grants approval of new activities on a case-by-case basis. Beyond OCC regulations, the new charter would impose other laws on a chartered fintech firm, such as the Bank Secrecy Act and related anti-money laundering laws, as well as certain enhanced prudential standards under the Dodd-Frank Act if applicable.

Moreover, a fintech charter holder will be required to meet various supervisory requirements, including that it maintain a business plan documenting its activities, such as with respect to financial inclusion; have a governance structure that reflects the expertise, financial acumen and risk management necessary in light of the proposed business lines; effectively manage compliance risks, such as consumer protection and anti-money laundering; and address potential recovery and resolution. In addition, a fintech firm would need to maintain capital and liquidity commensurate with the risk and complexity of the proposed businesses, including any off-balance sheet activities.

Despite the many requirements the OCC is likely to impose when granting a fintech charter, fintech-chartered companies would have the advantage of no longer being required to register with or become licensed in each state where they conduct business. As enjoyed by national banks, the fintech charter generally would give a company the benefit of preemption under the NBA. Among other features, this would allow the exportation of interest rates from a bank’s home state to other states regardless of the home state’s usury restrictions.

Various stakeholders have reacted to the proposal with differing views. For example, the New York Department of Financial Services submitted a comment letter opposing the proposal and arguing that state regulators are the best equipped to regulate the fintech industry. Others in the industry have voiced their support.

Considerations for Existing Banks
Banks may see fewer partnerships with fintech companies as a result of the fintech charter because NBA preemption means that fintech firms no longer need a bank to obtain the advantage of state law preemption.

The fintech charter holders would not have a material competitive advantage with respect to banks because they are subject to the full panoply of OCC regulation and supervision.

Banks may consider seeking their own fintech charter, perhaps through an affiliate, if particular business lines might benefit or if they are currently chartered in one or only a few states in order to expand their national presence.

Is Trump Good for Fintech, or Bad?


trump.png

There has been an enormous sense of anticipation flooding through the community and regional banks since the election. President-elect Donald Trump’s opposition to the Dodd-Frank Act, which has created a stifling regulatory environment, is well known and bankers feel that relief is on the way. By contrast, the election results have produced a sense of consternation and concern among the financial technology companies that are trying to partner and compete with community and regional banks. The regulatory picture is much more confusing under a Trump Administration for these enterprises.

One reason for this is that fintech regulation was far from a settled issue before the election. The regulatory framework for fintech is not in place to any significant degree. In many cases, it will take new regulations to allow many of the fintech lenders and payment companies to expand their operations, and that’s a problem. Trump is opposed to new financial regulations of any sort, and it may be difficult to get the new framework in place during his term in office. Rather than pass new federal legislation, he is likely to leave the matter in the hands of the state legislatures and that will not benefit fintech companies.

The creation of a limited purpose national fintech charter as proposed by the Office of the Comptroller of the Currency is an attempt to make it easier for these companies to operate and not have to deal with regulatory agencies on a state-by-state basis. But in my opinion, there won’t be that many fintech companies that are willing and able to handle the responsibilities of a national charter, so this will provide limited relief to the industry. I also will not be shocked to see the concept of a limited purpose charter unwound early in a Trump Administration as bankers have been huge supporters of the incoming president and in my experience, the average bank is not shy about asking for favors.

Fintech firms are also big supporters of net neutrality since it gives them open and even access to bandwidth to offer services to users. Trump is not a supporter, and neither are the ranking members of the GOP in the Senate and the House of Representatives. Republican lawmakers have already put forth a bill to end net neutrality that I think will pass early in the next session of Congress and I expect Trump to sign it when it reaches his desk.

Immigration policies will also be a potential negative for fintech companies. Immigrants make up a significant percentage of the skilled workforce within the financial technology industry, and anything that makes to harder for them to get here and stay here is going to create a talent challenge for the companies in that space. Fintech companies that focus on payments could be hurt as well since many of the people that Trump wants to deport use these systems to send money to family back home, and that volume could drop substantially.

The biggest threat to fintech firms from the new administration will likely come from the repeal or reduction of Dodd-Frank. A lot of the opportunities that fintech companies are pursuing were created by the handcuffs placed on banks by that legislation. If the handcuffs come off under the Trump Administration, then fintech lenders and payment companies will find that they now have to go head to head with the likes of JP Morgan Chase & Co., Citigroup and Bank of America Corp., and that will be no easy task.

The regulatory environment for financial technology was murky before the election, and it is even more so today. While we can expect the combination of a Trump Presidency and GOP-controlled Congress to be pro-business, we can also expect them to be very pro-traditional banking. That will be a big negative for fintech companies that had hoped to compete with the banks in the future.

While many expect fintech to be a major disruptor of the banking industry and some even think it will replace banking, I don’t expect that to happen—especially if banks end up with a more favorable regulatory environment. The fintech firms that prosper under a Trump Administration will be those that can partner with a bank to offer financial products and services to bank customers in a more efficient and profitable manner.

What to Know About the New Fintech Charter


fintech-12-13-16.pngDon’t expect an onslaught of fintech companies rushing to become banks. The recent announcement that the Office of the Comptroller of the Currency would begin accepting applications for special purpose national bank charters from fintech companies was met with gloom from some in the banking industry, and optimistic rejoicing from others.

For now, the impact on banking and innovation seems unclear, but the hurdles to obtaining a national banking charter will be significant, and include compliance with many of the same regulations that apply to other national banks, possibly dissuading many startup fintech companies from even wanting one. On the other hand, larger or more established players may find it worth the added regulatory costs to boost their marketing and attractiveness to investors, says Cliff Stanford, an attorney at Alston & Bird. Plus, fintech firms can avoid the mélange of state-by-state banking rules and regulations by opting for a national banking charter instead. So don’t be surprised if a Wal-Mart, Apple or Google decides to get a banking license, along with some other, less well known names. The online marketplace lender OnDeck has already said it was open to the possibility of a national bank charter.

The OCC is offering fintech companies the same charter many credit card companies and trust companies have. Basically, the institution has to become a member of the Federal Reserve, and is regulated as a national bank with the same capital standards and liquidity requirements as others. The company has to provide a detailed plan of what products and services it intends to offer, a potential hurdle for a nimble start-up culture more accustomed to experimentation than regulation. “They will have a high bar to meet and they might not be able to meet those requirements,” Stanford says.

However, if the special purpose bank doesn’t accept deposits, it won’t need to comply with the same regulations as banks insured by the Federal Deposit Insurance Corp., which means it is exempt from the Community Reinvestment Act (CRA). Although nondepository institutions would not have to comply with the CRA, the OCC described requirements to make sure the fintech companies follow a plan of inclusion, basically making sure they don’t discriminate, and promote their products to the underserved or small businesses. This has caused some consternation among community banks.

“Why should a tiny bank have to comply with CRA and a big national bank across America does not have to comply?’’ says C.R. “Rusty” Cloutier, the CEO of MidSouth Bancorp, a $1.9 billion asset bank holding company in Lafayette, Louisiana. “If they want a bank charter, that’s fine. Let’s just make sure they play by the same rules.”

The Independent Community Bankers of America, a trade group, put out a press release saying it had “grave” concerns about what it called a “limited” bank charter. “We don’t want a charter that disadvantages one set of financial institutions,’’ says Paul Merski, an executive vice president at the ICBA. “We aren’t against innovation. But we want to make sure some institutions aren’t put at a disadvantage.”

Richard Fischer, an attorney in Washington, D.C., who represents banks, says he doesn’t think a fintech charter is a threat to banks. The Wal-Marts and Apples of the world will do what they want to do, whether or not they have a bank charter. Wal-Mart, which abandoned attempts to get a special purpose banking charter in 2007, already has a sizeable set of financial services, although it partners with banks that do have a charter, such as Green Dot Corp. in Pasadena, California.

Could a new fintech charter lead to fewer bank partnerships with fintech companies, as the fintech companies can cut out the need for a bank? Possibly. But it could also lead to more bank partnerships, as some banks, especially small or midsized banks, become more comfortable with the risk involved in doing business with a fintech company that has a national banking charter.

Jimmy Lenz, the director of technology risk at Wells Fargo Wealth and Investment Management, a division of Wells Fargo & Co., says he’s optimistic that a charter could create more products and services.

“I don’t see this cutting the pie into smaller slices,’’ he says. “I think they will be cutting a bigger pie. I don’t see the banks coming out on the short end of this.” Others said that the competition to banks coming from fintech companies already exists, and won’t go away if you don’t offer a federal charter for fintech companies. “The competition is already there,’’ Stanford says.

What To Know About the New Fintech Charter


fintech-fxt.png

Don’t expect an onslaught of fintech companies rushing to become banks. The recent announcement that the Office of the Comptroller of the Currency would begin accepting applications for special purpose national bank charters from fintech companies was met with gloom from some in the banking industry, and optimistic rejoicing from others.

For now, the impact on banking and innovation seems unclear, but the hurdles to obtaining a national banking charter will be significant, and include compliance with many of the same regulations that apply to other national banks, possibly dissuading many startup fintech companies from even wanting one. On the other hand, larger or more established players may find it worth the added regulatory costs to boost their marketing and attractiveness to investors, says Cliff Stanford, an attorney at Alston & Bird. Plus, fintech firms can avoid the m?©lange of state-by-state banking rules and regulations by opting for a national banking charter instead. So don’t be surprised if a Wal-Mart, Apple or Google decides to get a banking license, along with some other, less well known names. The online marketplace lender OnDeck has already said it was open to the possibility of a national bank charter.

The OCC is offering fintech companies the same charter many credit card companies and trust companies have. Basically, the institution has to become a member of the Federal Reserve, and is regulated as a national bank with the same capital standards and liquidity requirements as others. The company has to provide a detailed plan of what products and services it intends to offer, a potential hurdle for a nimble start-up culture more accustomed to experimentation than regulation. “They will have a high bar to meet and they might not be able to meet those requirements,” Stanford says.

However, if the special purpose bank doesn’t accept deposits, it won’t need to comply with the same regulations as banks insured by the Federal Deposit Insurance Corp., which means it is exempt from the Community Reinvestment Act (CRA). Although nondepository institutions would not have to comply with the CRA, the OCC described requirements to make sure the fintech companies follow a plan of inclusion, basically making sure they don’t discriminate, and promote their products to the underserved or small businesses. This has caused some consternation among community banks.

“Why should a tiny bank have to comply with CRA and a big national bank across America does not have to comply?’’ says C.R. “Rusty” Cloutier, the CEO of MidSouth Bancorp, a $1.9 billion asset bank holding company in Lafayette, Louisiana. “If they want a bank charter, that’s fine. Let’s just make sure they play by the same rules.”

The Independent Community Bankers of America, a trade group, put out a press release saying it had “grave” concerns about what it called a “limited” bank charter. “We don’t want a charter that disadvantages one set of financial institutions,’’ says Paul Merski, an executive vice president at the ICBA. “We aren’t against innovation. But we want to make sure some institutions aren’t put at a disadvantage.”

Richard Fischer, an attorney in Washington, D.C., who represents banks, says he doesn’t think a fintech charter is a threat to banks. The Wal-Marts and Apples of the world will do what they want to do, whether or not they have a bank charter. Wal-Mart, which abandoned attempts to get a special purpose banking charter in 2007, already has a sizeable set of financial services, although it partners with banks that do have a charter, such as Green Dot Corp. in Pasadena, California.

Could a new fintech charter lead to fewer bank partnerships with fintech companies, as the fintech companies can cut out the need for a bank? Possibly. But it could also lead to more bank partnerships, as some banks, especially small or midsized banks, become more comfortable with the risk involved in doing business with a fintech company that has a national banking charter.

Jimmy Lenz, the director of technology risk at Wells Fargo Wealth and Investment Management, a division of Wells Fargo & Co., says he’s optimistic that a charter could create more products and services.

“I don’t see this cutting the pie into smaller slices,’’ he says. “I think they will be cutting a bigger pie. I don’t see the banks coming out on the short end of this.” Others said that the competition to banks coming from fintech companies already exists, and won’t go away if you don’t offer a federal charter for fintech companies. “The competition is already there,’’ Stanford says.

Why Growth Matters for CRE Concentration Risk


Community banks are contending with the increasing risk profile of and regulatory scrutiny around commercial real estate (CRE) concentrations. Indeed, the regulatory community telegraphed in December 2015 their intentions of focusing bank examinations on concentration management, and since then, the FDIC has noted an increase in matters requiring board attention (MRBAs) associated with concentrated loan exposures. Additionally, the Office of the Comptroller of the Currency raised its regulatory stance on CRE lending from “monitoring status” to “an area of additional emphasis.” To explain their renewed attention, the regulators cited intense loan growth, sharp rent-rate and valuation increases, competitive pressures and an easing in underwriting standards eerily similar to the lead-up to the Great Recession—during which many community bank failures were driven by construction & development (C&D) and CRE concentrations.

While there is evidence that this renewed attention has shifted many banks’ CRE underwriting stance to a net tightening position, this has yet to have a material impact on C&D and CRE loan outstandings. A trend analysis across all commercial and savings banks shows intense increases in both C&D and non-C&D regulatory CRE.

Growth Rates By Type of Asset for All Commercial and Savings InstitutionsCRE-loans-small.png

Note the sharp difference between C&D (red) and non-C&D Regulatory CRE (orange): the Great Recession saw a precipitous drop in C&D balances, but multifamily and other property (i.e., non-owner-occupied CRE) increased in total outstandings during and after the Great Recession with growth since the recession of 142.5 percent and 49.3 percent respectively.

It is constructive to highlight that growth rates—while sometimes overlooked—are explicitly part of the 2006 CRE regulatory guidelines. Those guidelines stipulate that an institution is only in excess of the CRE guideline if CRE as a percent of capital is greater than or equal to 300 percent and the institution’s CRE portfolio has increased by 50 percent or more during the prior three years.

The regulators have repeatedly pointed out that—unlike many other regulatory prescriptions and proscriptions—the CRE guidelines are not limits. The FDIC has noted that because “community banks typically serve a relatively small market area and generally specialize in a limited number of loan types, concentration risks are a part of doing business” and the OCC specifically caveated that the “guidance does not establish specific limits on CRE lending; rather, it describes sound risk management practices that will enable institutions to pursue CRE lending in a safe and sound manner.”

In this context, growth may be the most important element of the CRE guidelines because it quantifies the potential that portfolio size may outstrip the risk management infrastructure (spanning credit, capital, strategic, compliance and operational components) to support that lending. In cases of aggressive growth (whether you are above or below the other regulatory CRE criteria), it is that much more important to establish proactive and robust credit risk monitoring and management.

Luckily, as the CRE guidance is now quite mature, industry-wide best practices exist to aid in this exercise:

  1. Monitor the risk for all of your bank’s credit concentrations—not just CRE and C&D.
  2. Analyze and segment your entire portfolio by at least the “regulatory big three” of product, geography and industry. It is also constructive to slice-and-dice by vintage, underwriting bands, branch, etc.
  3. For each segment, calculate and monitor growth rates along with percent of risk-based capital and asset quality (and consider establishing management triggers and thresholds on these key risk indicators).
  4. Analyze your portfolio hierarchically so high-level trends are digestible for boards of directors while the detail can be drilled through so the results are tactically relevant to management and even individual loan officers. Banking is a relationship business, and risk analytics should lead to action that may start with a borrower conversation.
  5. Especially in the current relatively benign credit environment and in situations where loan growth may obfuscate asset quality deterioration, monitor leading indicators of risk like underwriting policy exceptions, loan review downgrades, covenant violations, valuation trends and average underwriting attributes.
  6. Perform portfolio and firm-wide loss stress testing to quantify the loss potential under hypothetical and severe conditions. Roll such stress test results through your balance sheet and income statement to assess the impact on earnings and capital adequacy.
  7. Where your portfolio analytics or portfolio-wide stress tests identify sensitive concentrations, perform loan-level stress testing.
  8. Incorporate credit concentration risk within your allowance for loan losses (ALLL)—remember that concentration risk is one of the nine subjective qualitative and environmental risk factors laid out by the 2006 Interagency Guidance on the ALLL and reaffirmed by FASB’s CECL standards update.

How Mobile’s Popularity is Disrupting the Regulators


mobile-regulators.png

The world is going mobile and dragging banking along with it kicking and screaming. I am something of an anachronism as I still go into the branch once in a while and still worry about using my phone to deposit a check. My adult children, on the other hand, use their phone for everything, including all of their banking. They bounce from store to store paying for everything from Starbucks to bar tabs using their phones without a second thought. Banks that want to capture and hold their business will have to be very good at mobile banking and mobile payments.

One of the biggest hurdles bankers face is that as unprepared as they were, the regulators were equally unprepared and are now playing catch up with regards to mobile payments. The regulatory picture today is fairly muddled with a mishmash of state and federal agencies offering guidance and opinions to mobile payment providers and consumers. There are gaps in the current laws where no regulations apply to parts of the process—and other situations where two or more rules apply to the same part of the process. As mobile banking and payments continue to grow, the regulators will be looking to create a more coherent regulatory structure and coordinate their inter-agency efforts to protect consumers at every stage of the process.

At a forum held by the Office of the Comptroller of the Currency in late June, Jo Ann Barefoot, a senior fellow at Harvard University, outlined the current regulatory situation. She told the packed room at the meeting that “Agencies are going to have to develop ways to work together, to be faster, to be flexible, to be collaborative with the industry. The disruption of the financial industry is going to disrupt the regulators, too. This is the most pervasively regulated industry to face tech-driven disruption. The regulators are going to be forced to change because of it.”

In a white paper released at the forum, “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” the OCC noted that “Supervision of the financial services industry involves regulatory authorities at the state, federal, and international levels. Exchanging ideas and discussing innovation with other regulators are important to promote a common understanding and consistent application of laws, regulations, and guidance. Such collaborative supervision can support responsible innovation in the financial services industry.”

While the OCC has noted the massive potential benefits that mobile payments and other fintech innovations can offer to consumers, particularly those who were unbanked prior to the widespread development of mobile banking and payment programs, Comptroller Thomas Curry has cautioned against what he called “unnecessary risk for dubious benefit,” and called for responsible innovation that does not increase risks for customers or the banking system itself. Mobile payments programs that target the unbanked are particularly ripe for abuse and unnecessary risk.

The Consumer Financial Protection Bureau is also heavily involved in overseeing and regulating the mobile payments industry. The bureau noted that 87 to 90 percent of the adult population in the United States has a mobile phone and approximately 62 to 64 percent of consumers own smartphones. In 2014, 52 percent of consumers with a mobile phone used it to conduct banking or payment services. The number of users is continuing to grow at a rapid rate and the CFPB is concerned about the security of user data as well as the growing potential for discrimination and fraud.

CFPB Director Richard Cordray addressed these concerns recently when announcing fines and regulatory action against mobile payment provider Dwolla. “Consumers entrust digital payment companies with significant amounts of sensitive personal information,” Cordray said. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

The regulators, like the banks themselves, are latecomers to the mobile payments game. I fully expect them to catch up very quickly. The biggest challenge is going to be coordinating the various agencies that oversee elements of the regulatory process, and it looks as though the OCC is auditioning for that role following the June forum on mobile payments. Cyber security systems to keep customers data and personal information safe and secure is going to be a major focus of the regulatory process in the early stages of the coordinated regulatory efforts.

I also expect the CFPB to focus heavily on those mobile payment providers that were formerly unbanked. These tend to be lower income, less financially aware consumers that are more susceptible to fraud and abuse than those already in the banking system, and the bureau will aggressively monitor the marketing and sales practices of mobile payment providers marketing to these individuals.

The regulatory agencies are starting to catch up with the new world of banking and the mobile payment process will be more tightly controlled going forward.

Cybersecurity: Steps to Take Now


cybersecurity-7-1-16.pngThe Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target occurred a few years ago, at least in part, because of the activities of a third party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.

What Banks Need to Do to Address Technological Change


technology-4-27-16.pngIn the past few years the fintech industry has grown exponentially. According to a recent Forbes article, the existing number of fintech start-ups globally are between 5,000 and 6,000, all seeking to take a slice of the financial services marketplace. The fintech industry broadly includes any new technology that touches the financial world, and in many ways, this industry redefines forever the notion of traditional banking. More specifically, fintech includes new payment systems and currencies such as bitcoin, service aggregators such as robo advisors, as well as mobile applications, data analytics and online lending platforms. The fintech industry can also be divided into collaborators and disruptors, those businesses that provide services to banks and those that are competitors for services and looking to displace banks. As new technologies and approaches to delivering financial services are adopted, community banks will be challenged to meet the future expectations of their customers as well as to assess the additional risks, costs, resources and supervisory concerns associated with providing new financial services and products in a highly regulated environment.

The largest commercial banks have recognized the future competitive impact on their business as fintech companies create new and efficient ways to deliver services to their customers. Bank of America, for example, recently announced a fintech initiative and plans to target the start-up market for potential acquisitions. The large banks have the advantage of scale, deep pockets and the luxury of making bets on new technologies. If not by acquisition, other banks are partnering with new players that have unique capabilities to offer products outside of traditional banking. While community banks are not new to the benefits of fintech, the advancement and number of new technologies and potential competitors have been difficult to keep up with and integrate into a traditional bank’s business model. On top of that, the fintech industry remains largely unregulated at the federal level, at least for now.

Competition, compliance and cost are the three critical factors that bank management and board members must assess in adopting new technologies or fending them off by trying to stick with traditional banking values. Good, old-fashioned service based on long-term banking relationships may become a thing of the past as the millennial generation grows older. Contactless banking by the end of this decade or sooner could rule the financial services industry. While in some small community banking markets, the traditional relationship model may survive, it is far from certain as the number of brick-and-mortar bank branches in the United States continues to decline.

Also falling under the fintech umbrella is the rapidly escalating online marketplace lending industry. While most banks may rationalize that these new alternative lending sources do not meet prudent credit standards in a regulated environment, the industry provides sources of consumer, business and real estate credit serving a diverse market in the billions. While the grass roots banking lobby has been around forever, longtime banks should take note that the fintech industry is also gaining support on Capitol Hill, as a group of Republicans are now preparing legislation coined the “Innovation Initiative” to facilitate the advancement and growth of fintech within the financial services industry.

Fortunately, the banking regulators are also supportive of innovation and the adoption of new technologies. The Comptroller of the Currency in March released a statement on its perspective on responsible innovation. As Comptroller Thomas Curry noted, “At the OCC, we are making certain that institutions with federal charters have a regulatory framework that is receptive to responsible innovation along with the supervision that supports it.” In an April speech, he confirmed the OCC’s commitment to innovation and acceptance of new technologies adopted by banks, provided safety and soundness standards are adhered to. The operative words here are responsible and supervision.

Innovation will come with a price, particularly for small and midsize community banks. Compliance costs as banks adopt new technologies will increase, with greater risk management responsibilities, effective corporate governance and advanced internal controls being required. Banks may find it necessary to hire dedicated in-house staff with Silicon Valley-type expertise, hire chief technology officers and perhaps even change the board’s composition to include members that have strong technology backgrounds. In the end, banks need to step up their technology learning curve, find ways to be competitive and choose new technologies that serve the banking needs and expectations of their customers as banking and fintech continues to converge.