How Falling Consumer Discretionary Spending Impacts Bank C&I Books

Historically, when economies contract and weaken, consumers often earn less and limit their spending on essential products and services. These include rent or mortgage payments, groceries, household bills, transport and medical costs, to name a few. For example, during the 2007-09 financial recession, consumer spending experienced its most severe decline since World War II.

From conversations with our customers, as well as the experience of our own sizeable commercial and industrial loan book at OakNorth Bank in the UK, we know that many boards and regulators are trying to figure out how falling consumer discretionary spending may impact bank C&I books, and what can be done to mitigate this risk.

Consumer spending on entertainment, dining out, holidays, and luxury items means many businesses within more discretionary spending sectors, such as hotels, restaurants, bars and retail may be more vulnerable to economic downturns. However, it’s essential that commercial banks don’t make broad-brush assumptions about entire sectors. During economic downturns, consumer preferences can change. Some may opt for lower-cost alternatives, generic brands or items that offer better value for their money, negatively impacting the sales of premium or luxury retail, but positively impacting budget and low-cost retail. The same logic can be applied to other areas of discretionary spending: consumers may opt for a low-cost staycation such as camping or cycling, or a package holiday rather than flying abroad or staying in a hotel.

It’s important to note that the impact on consumer discretionary spending can also vary depending on the specific circumstances of each downturn. Government policies, shifts in consumer behavior and the overall structure of the economy play significant roles in shaping these trends. For instance, the Covid-19 pandemic led to a unique situation where some segments of consumer discretionary spending, such as travel and hospitality, were severely impacted due to lockdowns and travel restrictions. In contrast, others such as e-commerce and home entertainment saw increases as people shifted their spending patterns. These shifts in consumer behavior seen throughout the pandemic provide clear evidence of the need for a borrower-level understanding of risk.

Managing the risk in a C&I book during an economic downturn, especially when borrowers are vulnerable to decreases in consumer discretionary spending, requires a proactive and strategic approach. To mitigate these challenges, commercial lenders can look to take the following measures:

  • Assessment of borrower viability. Conduct a thorough assessment of borrowers’ financial health and ability to weather economic challenges. This should include reviewing borrowers’ financial statements, cash flow projections and other relevant information to gauge their resilience to decreased consumer discretionary spending.
  • Strengthen underwriting standards. Strengthening underwriting standards to ensure new loans are granted only to borrowers with solid creditworthiness and the ability to withstand economic pressures will improve the performance of a lender’s C&I loan book in a downturn.
  • Stress testing. Lenders can perform stress tests on their C&I loan portfolios to assess and model the potential impact of various economic scenarios, including significant decreases in consumer discretionary spending. Furthermore, they can analyze how different economic conditions could affect borrowers’ repayment capabilities and the overall health of their loan book.
  • Regular monitoring. Proactive monitoring and setting early warning indicators, can help commercial banks identify risk sooner, and take the necessary steps to mitigate it.

Magazine Exclusive: Credit Storm

The following feature appeared in the fourth quarter 2023 edition of Bank Director magazine. It and other stories are available to magazine subscribers and members of Bank Director’s Bank Services Program. Learn more about subscribing here.

In 2022, when it became evident that inflation wasn’t transitory after all, and the Federal Reserve began raising rates, Mike Kubacki, the chairman of $6.5 billion Lakeland Financial Corp., had a realization.

“Mike looked around the boardroom and said, ‘I may be the only person in this room that has ever actually been involved in business during an extreme inflationary environment, in combination with a rising rate environment.’ And he was correct,” recalls David Findlay, the CEO of Lakeland and its subsidiary, Lake City Bank in Warsaw, Indiana.

Few in banking today have experienced the one-two punch of high interest rates and high inflation last seen in the early 1980s, when the prime lending rate peaked at 21.5%. At 71, Kubacki is the oldest member of Lakeland’s board. He started his career at Chicago-based Northern Trust Corp. in 1973, working there for more than two decades before joining Lakeland as its CEO in 1998.

In some ways, it’s like the U.S. is back in the 1980s again. But today’s environment differs vastly from those days as well. The years since the 2007-08 financial crisis have featured extremely low interest rates compared to historic norms. That’s fueled lending activity, but the recent shift in Fed policy has curtailed demand and promises to have a lagging effect on credit quality. “We haven’t yet seen the full effect of all the rate hikes from the Federal Reserve,” says Brandon Koeser, a financial services senior analyst at RSM US. “I think we’re at the early stages of what’s likely going to be a multiyear period” of prolonged credit deterioration.

Some banks will struggle, due in part to a lack of experience in loan workouts. But those that act quickly and stay on top of borrowers may survive the looming credit storm better than others.

Kubacki said he’s optimistic about the bank’s ability to weather the current environment, recalls Findlay. After all, he’s been through it before. But the Lakeland chair’s comment in the boardroom sparked a deeper discussion around credit underwriting, says Findlay.

The bank doesn’t soften its underwriting standards in good times, nor does it tighten them in weaker conditions. But they’re factoring in a more challenged operating environment as they approve and monitor loans, and they’re strengthening stress testing. “We’re being very cautious as we enter into new relationships with prospects,” he says, “and being equally as cautious with existing clients” in certain sectors.

After years of easy money, “all the segments of the market are facing higher interest rates, and that’s a problem,” explains Matt Anderson, managing director at Trepp. Commercial real estate borrowers are extremely dependent on debt, around $1 trillion of which will mature in 2023-24, according to the data analytics firm. Banks hold roughly half of U.S. CRE debt. The combination of high leverage with high rates, coming as banks tighten up underwriting, could make it tough for borrowers.

Some areas of CRE, such as industrial and multifamily, will face this environment from a more sound foundation, making it easier for borrowers to weather higher rates. “For apartments, demand has been strong,” says Anderson. “Rent growth, it’s gone through ups and downs, but it’s been positive.” But nonresidential commercial — lodging, office, retail — exhibits real challenges. Delinquencies at banks have risen across all three categories since the first quarter 2020 to the same period in 2023, according to Trepp: from 0.8% to 8%, for lodging; 1.2% to 3.7%, for retail; and 0.6% to 2.7%, for office. More than $700 billion in nonresidential commercial loans will mature in 2023-24. Banks hold $417 billion of that debt.

Bankers worry about office loans the most. “Banks in particular are combing through their office portfolios very carefully,” says Anderson. “They’re treating every office loan as something that needs analysis.” The pandemic sent workers home, where many stayed, changing office use across the country and particularly in downtown, metro areas. The financial impact of those changes on borrowers has been mitigated by long leases with five or 10 year terms. Those are coming up for renewal. “We easily have a few more years of adjustment,” says Anderson, as companies reconsider how much space they need.

The same work dynamics impacting offices trickles over to other areas of nonresidential, commercial loans. Workers are less likely to frequent the same stores and restaurants that flourished during 9 to 5, Monday through Friday hours in the office. Lodging continues to recover from declines during the early days of the pandemic, says Anderson, but business travel remains down.

Banks should watch this ripple effect, says Trang Sumpter, a director in the financial services consulting practice at Moss Adams LLP. “Cash flow is definitely a concern,” she says. Tenants are asking for rent deferments or concessions, which impact landlords’ ability to repay their loans. Some institutions “are starting to see more downgrades in their loan portfolio,” she says, though the signs, in the form of charge-offs and other metrics, have been slow to appear.

Amid these concerns, in June the prudential regulators — the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the Fed, as well as the National Credit Union Administration — issued a final policy statement on CRE workouts and accommodations to help “creditworthy borrowers during times of financial stress,” updating previous guidance from 2009. The 90-page document features multiple examples of CRE workouts, starting with a scenario examining an office building negatively affected by remote work. The guidance details how institutions can avoid criticism by their regulators in workouts through actions such as analyzing the borrower’s global debt service coverage, which measures whether the client has enough cash flow to repay debts.

It’s a sign from the regulators that “good faith attempts” to work with CRE borrowers won’t be subject to broad criticism about risk management, says David Ruffin, principal at the credit risk technology firm IntelliCredit. “The regulators will give them credit for jumping on it and being assertive about it.”

Underwriting has improved substantially since the passage of the Dodd-Frank Act in 2010, Ruffin adds, but it’s what happens after the loan gets booked where banks now fall short. And there’s a lot that bankers can do before a loan falls into delinquency.

Jeff Rose — now the CEO of Ambank Holdings in Davenport, Iowa — spent his early career doing workouts in Texas. The state saw a massive wave of failures in the late 1980s, tied to the ups and downs of the oil and gas sector. It’s why we use the Texas ratio metric today, which identifies problem banks by dividing nonperforming assets by the bank’s tangible common equity and loan loss reserves.

The higher the number, the more troubled the bank.

Rose learned to act quickly when a loan was headed for trouble, to determine how to minimize loss. The bank will often take additional collateral in restructuring a loan, for example. Banks that wait to act won’t have that opportunity. “If you are late to the party, there may be nothing else to grab,” he says.

Ambank’s subsidiary, $532 million American Bank & Trust Co., made a lot of loans in 2018-19 at low interest rates, around 3% or 4%. Now, those rates have roughly doubled, and he needs to know if those borrowers could be in trouble. “They may be current on payments,” he says, but if “they’re not generating enough cash flow to cover their debt service, you need to probably downgrade” the loan.

Like many community banks, American Bank & Trust and Lake City Bank leverage stress testing to identify potential problem spots in the loan portfolio. Sumpter recommends numerous stress testing variables, including interest rates and loan types as well as concentrations. “Community banks tend to focus on relationships,” she says. Consider a client with multiple loans, for instance. “If that one borrower goes bad, they’ve got this huge credit exposure to that one relationship.”

Geography, cash flow and capitalization — or cap — rates should also factor into stress testing. Cap rates calculate the expected return on investment for a property by dividing the property’s annual net operating income by its appraised value. Banks should be mindful that a property’s value may have changed since the loan was made.

Rose considers clients’ cap rates and occupancy levels as well as available financial information. But many community bank borrowers lack audited financial statements, so tax returns, prepared by a certified public accountant, are typically the best source for a clear financial picture of the client. Unfortunately, many CRE and commercial and industrial (C&I) clients haven’t filed tax returns for 2022 due to extensions, he says, making that information outdated.

“We’re not going to get the 2023 tax returns for another 15 months. We need to know where our borrowers are well before that,” says Rose. “Based upon what we know, we extrapolate the prior year and say, ‘OK, our borrower’s interest expense in 2021 was x. It is probably going to be 1.5x in 2022’” based on the Fed’s rate hikes. From there, Rose and his team can gauge their expectations for the borrower in 2023.

Staying on top of the data and working with the borrower gives lenders the necessary information to help the client and protect the bank. If costs are going up, American Bank & Trust could suggest that the client raise rental rates, for example. If several units are vacant, the bank could recommend that the borrower lower the rent. If the value of the property has declined, the borrower could petition for property taxes to be reassessed and potentially lowered — benefiting the bank in the event it has to foreclose on the property.

“Having that type of communication and discussion with our borrower is not only going to be of value to our customer, but it’s going to provide us with information so we know how to accurately risk rate the credit and decide if we even want to renew the credit,” says Rose. “We’re even going to our borrowers now that have loans maturing later this year and next year, and saying, ‘Would you like to lock in for the next five years, effective today?’” The bank can also offer a hedge for the customer against future rate increases.

Even before the Fed began raising interest rates, Findlay and his team at Lake City Bank were examining inflation’s impact on clients. Could an increase in costs be passed on to the client’s customer?

“Raw product input costs are significantly higher for the great majority of our manufacturers, as well as our companies involved in commercial real estate, between lumber and steel and oil-based products,” says Findlay. “That inflationary impact on costs of goods sold becomes part of the analysis and looking at the leverage that goes into a deal.” For CRE borrowers, that can mean analyzing loan to cost and lowering the loan to appraised value on projects, requiring more equity in the deal. The bank has “de minimis” exposure to commercial office real estate or commercial retail, according to Findlay, around 2% of the total loan portfolio. Losses remain low — just one charge off per year in 2022 and 2021, each tied to a single commercial loan.

So far, deteriorating credit quality for the industry appears to be “very one-off driven, which as an outsider makes it hard to pinpoint a specific bank or a specific market,” says Terry McEvoy, a managing director at Stephens who covers Lakeland.

Compared to past downturns, banks have more information they can leverage to understand customer relationships and various trends. The data required to comply with the current expected credit loss, or CECL, accounting standard could benefit banks, but Sumpter advises bankers to trust their instincts. “With the new CECL requirements, for some banks, they’re able to lower their allowance reserves,” she says. But just because a bank can lower its allowance doesn’t mean that it should. “That’s the part where the subjectivity comes in,” Sumpter says. “They really need to think about the risk of their portfolio as well as the composition and not just go by [the numbers].”

An early career in loan workouts was a “great education” in building relationships and minimizing risk, says Rose. But after years of pristine credit quality, the industry has fewer and fewer experienced workout pros. Many lenders didn’t even experience the 2008 financial crisis, much less the turmoil of the ‘80. And the once-prolific credit training programs offered by the industry disappeared long ago.

“The pipeline of new commercial lenders and future executives for community banks is running out,” Rose says. “I’m going to a lot of retirement parties these days for bankers who are younger than me.” He’s working to identify potential lenders and analysts at his bank who can be educated to work with borrowers through troubled loans.

A workout artist has a special touch, says Rose. He isn’t looking for a “tough banker” who will simply foreclose on a property — though sometimes that must be done. Instead, he wants an empathic professional who can foster a relationship with a problem borrower.

“You have to really know their business,” he says. The stress may be temporary for some clients, and the bank may want to continue the relationship on the other side. But getting there could take anywhere from six months to more than a year.

On Aug. 8, 2023, several lenders saw their ratings lowered by Moody’s, which cited exposure to CRE loans and expectations that asset quality will deteriorate. Banks including JPMorgan Chase & Co. and Capital One Financial Corp. have been trying to sell office debt, according to an August 2023 Bloomberg article — preferring to take a loss on the loan sale rather than deal with foreclosed property.

A foreclosure can be a huge distraction for a bank, says Rose. “If you ever get to a point where you foreclose or repossess a property … get rid of it as quickly as you can.”

For troubled credits, “the first loss is your best loss,” says Jon Winick, CEO of Clark Street Capital, which specializes in loan sales. He sees competitive pricing for loans, with plenty of bidders lining up to buy. “There’s a very strong secondary market,” he says, adding that selling a loan can help banks manage around a lack of workout expertise.

Lake City Bank isn’t staffing up for a potential downturn, says Findlay. They’re staffing for growth. “We’re adding new commercial lenders,” says Findlay, which means hiring more credit analysts and administrators. The bank maintains a consistent ratio of support staff for lenders, with one credit analyst for every three commercial bankers, and one loan administrator for every four.

The Indiana bank grew total loans by 10% to $4.9 billion in the second quarter compared to the same quarter last year. Its CRE portfolio focuses on three areas, including multifamily, primarily in Indianapolis, and health care, by financing physician-owned buildings. These types of offices, classified as owner-occupied CRE because the tenant is also the owner, tend to be stable.

Warehouse logistics distribution financing is another important piece of the loan portfolio, thriving due to the digital commerce boom and the recent construction of distribution centers in Fort Wayne, Elkhart and Indianapolis.

“We lend money into commercial real estate business lines that we’re familiar with and are comfortable with,” says Findlay. “If we have an existing client who has a good project, we’ll consider financing it, but we’re not out pursuing commercial office space or commercial retail space.”

Findlay doesn’t have a reduced appetite for lending, but he’s certainly aware of its impact on profitability due to higher interest rates. Compared to the second quarter 2022, Lakeland Financial’s funding costs in the second quarter 2023 were 205 basis points higher, rising from 0.32% to 2.37%. The FDIC reported a similar increase for all insured institutions over the same period, with the cost of funds climbing 131 basis points to 2.05%.

“Sometimes you have to manage through a tighter net interest margin,” Findlay says. “We haven’t contracted our appetite for lending, and we don’t intend to.” Lakeland Financial’s net interest margin actually ticked up slightly year-over-year, at 3.28% as of the second quarter.

That appetite contrasts with the Federal Reserve’s July 2023 Senior Loan Officer Survey on Bank Lending Practices, which found tightened underwriting standards and reduced demand across loan types, including commercial real estate and C&I.

Rose has seen some disbelief from borrowers that rates are as high as they are. “I can’t make you a 5.5% loan or a 6% loan; it’s now 750 or seven and a quarter, it might even start with an eight,” he says. “There’s still some institutions that are doing those lower rate deals. We’re letting them walk.”

Findlay sees similar challenges in getting customers to switch lenders due to long-term loans made in the low rate environment. He recently met with a prospective client who said, “‘I’d love to switch to you guys but I can’t, because of the fixed rate loans on my books today that you can’t replicate rate on,’” he recalls. “In a lower interest rate environment, we could … give the prospect a competitive rate.”

The double digit interest rates of the 1980s remain fresh in Rose’s memory, and he’s preparing his lenders for “higher for longer” until the Fed wins its inflation war. “When a firefighter puts out a fire, they don’t just leave. They stick around and make sure that the fire is all the way out,” he says. “[The Fed will] get inflation to where they want it to be, but then they’re not going to necessarily turn off the spigot.”

That means the pressures on CRE could take months or even years to resolve. “That’s the $1.2 trillion question,” says Anderson.

Proposed Legislation Expands Enforcement Authority Against Bank Officers, Directors

The RECOUP Act (S.2190), which passed the Senate Banking Committee in June by a bipartisan 21-2 vote, would greatly expand the federal bank agencies’ authority to remove and permanently ban officers from the banking industry if it becomes law.

While styled as a bill to hold executives accountable for conduct that leads to a bank failure — a direct legislative response to the failures this spring — the act also includes changes to the agencies’ long-standing prohibition authority that would permit far more flexibility as to how and when they bring these cases. Importantly, these aspects of the bill would not only affect directors and officers of banks that are likely to, or have, failed.

Current law allows federal banking agencies to prohibit a director or officer from serving in the banking industry only if they satisfy a narrow set of elements. Because the consequences of this action are very harsh — it is known as the “death penalty” within the industry — the legal bar for these elements is appropriately high. The act would change these standards, and who is subject to a potential industry ban, in a few important ways.

The act creates a subset of prohibition actions specifically against “senior executives.” This newly defined term refers to individuals who have “oversight authority for managing the overall governance, operations, risk, or finances” of a bank or holding company. It includes the president, CEO, chief operating officer, chief financial officer, chief risk officer, chief legal officer, board chairman and any inside director.

The act would allow agencies to prohibit a “senior executive” from working in the industry for a failure to “carry out the responsibilities” for governance, operations, or risk or financial management. In addition, the act would allow agencies to prohibit a “senior executive” on a showing that he or she demonstrated “gross negligence” in the performance of his or her duties. Most importantly, these phrases and standards are not defined by the act. What may constitute “gross negligence” under the act could be interpreted in a variety of ways depending on the subject matter; if a state law standard is utilized, it may differ from state to state.

The existing statute has been subject to decades of litigation in administrative and federal courts. Through this process, the law’s terms have taken on meaning, as precedent cases provide useful guideposts for evaluating individuals’ conduct. Unlike the existing standards, however, the act’s new standards will be left in large part to regulatory discretion. The agencies will have substantial room to shape the meaning of these terms through enforcement actions.

The existing law also allows for the immediate removal of individuals from their positions in certain limited circumstances, such as intentional violations of the Bank Secrecy Act or conviction for certain criminal offenses. The RECOUP Act would add three new circumstances that the agencies could rely on to remove a “senior executive:”

  • Grossly negligent, reckless or willful breaches of fiduciary duty.
  • Failure to “appropriately implement” financial, risk or supervisory reporting or information systems or controls.
  • Failure to oversee operations of such a system or controls.

As with other new terms, “appropriately implement” and “oversee” are not further defined in the act and would similarly be left to regulatory discretion, applied through individual removal actions.

For these reasons, the RECOUP Act would significantly extend the range of conduct subject to prohibition and removal actions. The high bar for taking these actions may be meaningfully lowered, facilitating the agencies’ ability to threaten these actions for alleged misconduct. Even if the action is not ultimately successful or if a banker wants his or her day in court to challenge an agency action, the public notice of a proposed prohibition could effectively end a banker’s career. The threat of a prohibition may also provide the agencies with additional negotiating leverage.

A lowered statutory threshold may also act as a catalyst for more agency investigations. Even if a bank agency brings a lesser action or no action, these sprawling investigations consume a vast amount of bank resources and can drain the attention of a bank’s leadership for years.

Importantly, these statutory changes impact potential cases against directors and officers of any bank — not just failed banks — despite the genesis for the act being the swift downfall and closure of several regional banks and the public outcry focused on those banks’ executives.

The act’s focus on individual accountability is not altogether new. Federal regulators, including the bank agencies, have noted the potential for enforcement actions against bank directors and officers with increasing frequency. For example, the Office of the Comptroller of the Currency highlighted that the agency may bring enforcement actions against individuals who “caused or contributed” to persistent weaknesses at a bank in its recently issued appendix to its enforcement action policy. This inclusion signals that the OCC continues to actively consider whether individuals should be held accountable for a bank’s deficiencies when it pursues actions against the institution.

While it remains to be seen whether the RECOUP Act will be signed into law, all bank directors and officers should be aware of the potential changes and understand how their decisions and actions may be viewed by their regulators in the future.

Reviewing Recent Bank Guidance on Third-Party Risk

Financial institutions are increasingly ramping up partnerships with third-party organizations that offer technologies that promulgate efficiencies or add new banking products to drive revenues.

As these partnerships increase, the risk to the banking system is also increasing. In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance over third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.

Two notable differences from the guidance initially proposed in 2021 are the need for financial institutions to establish a complete inventory of all third-party relationships and a call out of relationships with fintech organizations that interact directly with an institution’s customers.

The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant fintech relationships.

The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party.

1. Planning: Before conducting business with a third party, banks must create a plan to determine the type of risk and related complexities involved. Once the institution identifies such risks, it can design and establish necessary mitigation techniques.

The guidance specified that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:

  • The strategic purpose of the arrangement.
  • Benefits and risks of the relationship.
  • The volume of transactions involved.
  • Related direct and indirect costs.
  • The impact of the relationship on employees and customers.
  • The physical and information security implications.
  • Monitoring the third party’s compliance with laws and regulations.
  • Ongoing oversight of the relationship.
  • Potential contingency plans.

Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.

2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise.

If a financial institution is unable to perform the appropriate due diligence on a prospective third party without proper alternatives identified to support the relationship, the bank may likely need to forego the relationship.

3. Contract negotiation: Important to any third-party relationship is negotiating a contract that allows the bank to perform continuous and effective risk management practices. If there is difficulty in negotiating these aspects with the third party, the institution needs to analyze the related risk and weigh whether it is acceptable to enter into a relationship.

Importantly, the board of directors should be aware of negotiations to dispel its oversight responsibilities, whether through direct involvement or updates from an approved negotiating delegate.

4. Ongoing monitoring: Ongoing monitoring is imperative as institutions navigate a rapidly changing banking environment. Establishing different techniques or mechanisms to track the risk landscape and determine the emerging risks are just as important to monitoring as a cadence of regular reviews over current risks.

The agencies did not outline “any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”

5. Termination: Lastly, if an institution has decided the relationship has run its course, an efficient and timely termination is beneficial. The institution should consider transitioning any service provided through the relationship to another third party or bringing it in-house.

The regulators also highlighted three critical governance practices for such relationships.

  • Oversight and accountability: The board of directors is ultimately responsible for the oversight of third-party risk management. This includes providing management with guidance on the risk appetite to enter into third-party relationships, as well as approving management policies and procedures.
  • Independent reviews: The guidance calls out the need for independent, periodic reviews that assess the adequacy of the risk management process, as well as management’s processes, procedures and controls for adequacy and effective operation.
  • Documentation and reporting: Institutions will need to thoroughly document their third-party risk management processes, procedures and outcomes of related independent reviews.

Risk management necessitates perpetual enhancement. As institutions continue to partner with third parties to offer new capabilities, remaining vigilant by incorporating the five key points from the guidance is essential. These techniques help safeguard the stability, trust and sustainability of the financial services industry.

A version of this article originally appeared on RSM US.

What Boards Should Know About the Bank Secrecy Act

All financial institutions are subject to the Bank Secrecy Act, the primary anti-money laundering law in the U.S., but compliance programs vary widely depending on a particular bank’s size and complexity. Boards in particular are responsible for overseeing their bank’s BSA/AML compliance program and ensuring a culture of compliance throughout the organization, says Ashley Farrell, director in the risk advisory practice at Baker Tilly. And weak compliance can have serious implications for a bank.

To learn more, see Unit 33: BSA/AML Compliance Primer in Bank Director’s Online Training Series.

No Relief for Small Banks in Regulators’ Third-Party Risk Management Guidance

Although the spring banking crisis loomed large at Bank Director’s Bank Audit & Risk Conference, panelists flagged another emerging area of focus for regulators: third-party risk management. 

On June 6, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve finalized their interagency third-party risk management guidance, which was first proposed in 2021. The recent publication outlines regulators’ expectations for how banks approach vendors and partnerships, especially with financial technology companies. On June 13, less than a week after its release, panelists at the Chicago event warned more than 200 bankers in attendance, many of whom represent community banks, that the wide-ranging guidance is broad and makes no exemption for bank asset size. The new document replaces and updates the guidance different federal regulators have issued over the years and creates one set of expectations.

“The environment is going to get tougher [for banks], but the biggest thing is stricter enforcement of existing regulation,” said Brandon Koeser, financial services senior analyst at RSM US. He listed “capital, liquidity, credit and partnerships” as the four areas of examiner focus. 

The 2023 guidance came out in response to banks’ increasing use of third parties for quicker and more efficient access to new technologies, human capital, products, services and markets, for example. But using third parties comes with risk.   

Regulators are concerned that using third parties can increase complexity, complicate oversight of bank activities, introduce new risks or increase existing risks in areas like operations, compliance and strategy. “This guidance they put out applies to all third-party relationships, regardless if they’re formal and under contract or if they’re informal relationships. It applies to your vendors, your consultants, your payment processing services partners and fintech partners,” said Erik Walsh, counsel at Arnold & Porter. He added that it makes no carve outs for asset size or complexity.

Walsh says that banks need to identify all their relationships and begin putting into place “properly tailored risk management” that covers the lifecycle of the relationship — from internal planning before searching for a partner to relationship termination. He warned that this can be a “long and complicated” process that raises questions for smaller banks, and that some in the audience could be wondering, “How am I supposed to comply with this guidance?”

Walsh added that the third-party guidance does not have the force of a regulation or a statute but added “no one should let their guard down” and that regulators are “setting supervisory expectations.” He told the audience that third-party relationship oversight and governance starts with the board creating a risk appetite that’s communicated to the management team. Directors also need to set expectations around risk assessments of third parties, including the rigor and methodology of the assessment.  

Even though there’s no safe harbor or carve out for small banks, Arnold & Porter Partner Robert Azarow pointed out that regulators recognize that community institutions face challenges and limitations as they manage these relationships. For instance, they may have a harder time conducting thorough due diligence or contractual negotiations with fintechs. The guidance adds that third parties “may not have a long operational history, may not allow on-site visits, or may not share (or be permitted to share) information,” which can complicate a bank’s due diligence or oversight. Still, Azarow said risk assessments and ratings can help banks understand the potential consequences that arise from these relationships, like a vendor not delivering the promised good or service or a data breach that impacts the organization.

Walsh added that the guidance, although new, has already received criticism from inside and out of the agencies. “[W]hile detailed, I understand that this third–party risk management guidance nonetheless remains principles-based and risk-based. … That said, given the importance of the issue and the length of the guidance, I would support developing a separate resource guide for community banks as soon as practicable,” said Jonathan McKernan, an FDIC director, in a statement.

Federal Reserve Governor Michelle Bowman dissented, in part because of what she sees as gaps in the guidance that will lead to implementation challenges at banks.

“My expectation is that community banks will find the new guidance challenging to implement,” she said in her June 6 dissent. “In fact, our own Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.”

Loan Review Best Practices: Key to Combating Credit Risk

Despite current benign credit metrics, there’s a growing industry-wide sentiment that credit stress looms ahead.

There’s a proven correlation between early detection of emerging credit risk and reduced losses. Effective and efficient loan reviews can help your institution better understand the portfolio and identify potential risk exposures. Now is the time for banks to ensure their loan review, either in-house or external, can proactively identify potential credit weaknesses, gain deep knowledge about the subsegments of the portfolio, learn where the vulnerabilities exist and act to mitigate risk at the earliest opportunity. It’s time to emulate a whole new set of loan review best practices:

1. Trust your reviews to professionals with deep credit experience — not just junior CPAs.
Your reviewers should be seasoned experts that are skilled in the qualitative and quantitative axioms of credit, with hands-on experience in lending and risk management. Because their experience will drive better reviews and deliverables, it’s a good idea to ask for biographies of people assigned to your institution.

2. Confirm your review includes paralegal professionals to conduct separate documentation reviews.
It is essential that your loan reviews include specialists with technical expertise in regulatory and legal compliance, lending policy adherence, policies, collateral conveyances, servicing rules, among others — working in tandem with seasoned credit professionals.

3. Insist on smart, informed sampling.
To uncover vulnerabilities in specific segments of the portfolio, rely on a selection process that helps you choose very informed samples indicating possible emerging risk.

4. Quantify both pre- and cleared documentation, credit and policy exceptions.
In the best of times, many loan reviews show almost no bottom-line degradation in loan quality for the portfolio as a whole. On close examination, you may find significant numbers of technical and credit exceptions indicating that the quality of your lending process itself may need to be tweaked.

5. Understand your own bank’s DNA.
In this complex economic environment, it is imperative for institutions to analyze their own idiosyncratic loan data. Arm your loan review team with the ability to automatically drill down into the portfolio and easily examine trends and borrower types to inform risk gradings, assess industry and concentration risk, along with other variables. Seasoned reviewers will be incredibly valuable in this area.

6. Observe pricing based on risk grades, collateral valuations and loan vintages.
Loans originating around the same time and credits that tend to migrate as a group tend to share common risk characteristics. Isolating and analyzing those credits can answer the important question, “Are you being paid for the risk you’re taking?”

7. Pair loan reviews with companion stress testing.
Regulators are encouraging stress tests as a way for banks to learn where their risk may be embedded. Companioning the tests with loan reviews is a productive way to gain this knowledge. Start at the portfolio level and do loan-level tests where indicated.

8. Transparently report and clear exceptions in real time.
Banks can benefit from using fintech’s efficiency to remove huge amounts of time, team meetings and staff intrusions from the traditional process of reviewing loans. An online loan review solution gives teams a way to see exception activities and clearances as they happen.

9. Comply with workout plan requirements prescribed by interagency regulators.
Banks typically design workout plans to rehabilitate a troubled credit or to maximize the collected repayment. Regulators now require institutions to examine these plans independently as a standard loan review procedure that reflects a healthy degree of objectivity.

10. Deliver comprehensive management reports and appropriate high-level board reports with public/peer data.
Management should receive prompt and thorough loan review reports; board members should receive high-level reports with appropriate, but less detailed, information. Public data or analyses of your institution’s performance as compared to peers should accompany this reporting.

11. Conduct loan reviews as a highly collaborative and consultative exercise — counter to “just another audit.”
An effective loan review is not an internal audit experience. It’s an advisory process, and this approach is extremely important to its ultimate success. Substantive dialogue among participants with differences of opinion is key to favorable outcomes for the institution.

12. Take advantage of a technology platform to automate every possible aspect of the loan review process.
Best practices call for the efficiency that comes with automating the loan review process to the maximum extent possible, without sacrificing substance or quality. Technology enables faster and more complete early detection of vulnerabilities.

Loan reviews are critical to an institution’s risk-management strategy. It’s a one-two punch: Deeply qualified reviewers combined with automated technology that delivers a more efficient, less intrusive loan review process that will help combat the looming credit stress ahead.

Commercial Real Estate Threatens to Crack Current Calm

While credit quality at banks remains high, it may not stay there. 

At the end of the year, noncurrent and net charge-off rates at the nation’s banks had “increased modestly,” but they and other credit quality metrics remained below their pre-pandemic levels, according to the Federal Deposit Insurance Corp. However, rising interest rates have made credit more expensive for borrowers with floating rate loans or loans that have a rate reset built into the duration. 

Commercial real estate, or CRE, is of particular focus for banks, given changes to some types of CRE markets since the start of the pandemic, namely office and retail real estate markets. Rising interest rates have increased the monthly debt service costs for some CRE borrowers. An estimated $270.4 billion in commercial mortgages held at banks will mature in 2023, according to a March report from Trepp, a data and analytics firm. 

“If you’ve been able to increase your rents and your cash flow, then you should be able to offset the impact of higher financing costs,” says Jon Winick, CEO of Clark Street Capital, a firm that helps lenders sell loans. “But when the cash flow stays the same or gets worse and there’s a dramatically higher payment, you can run into problems.”

Some buildings are producing less income, in the form of leases or rent, and their values have declined. Office and traditional retail valuations may have fallen up to 40% from their purchase price, creating loan-to-value ratios that exceed 100%, Chris Nichols, director of capital markets for SouthState Bank, pointed out in a recent article. SouthState Bank is a unit of Winter Haven, Florida-based SouthState Corp., which has $44 billion in assets. If rates stay at their mid-April levels, some office building borrowers whose rates renew in the next two years could see interest rates grow 350 to 450 basis points from their initial level, Nichols writes, citing Morgan Stanley data.  

JPMorgan & Co.’s Chairman and CEO Jamie Dimon said during the bank’s first quarter 2023 earnings call that he is advising clients to fix exposure to floating rates or address refinance risk.

“People need to be prepared for the potential of higher rates for longer,” he said.

Banks are the largest category of CRE lenders and made 38.6% of all CRE loans, according to Moody’s Analytics. Within that, 9.6% of those loans are made by community banks with $1 billion to $10 billion in assets. CRE exposure is highest among banks of that size, making up over 24% of total assets at the 829 banks that have between $1 billion and $10 billion in assets. It’s high for smaller banks too, constituting about 18.3% of total assets for banks with $100 million to $1 billion in assets. 

“Not surprisingly, we’re seeing delinquency rates for office loans starting to increase. … [It’s] still moderately low, but you can see the trend has been rising,” says Matthew Anderson, managing director of applied data and research at Trepp, speaking both about year-end bank data and more current info about the commercial mortgage-backed securities market. He’s also seen banks begin increasing their credit risk ratings for CRE segments, notably in the office sector.

Bank boards and management teams will want to avoid credit surprises and be prepared to act to address losses. Anderson recommends directors at banks with meaningful CRE exposure start getting a handle on the portfolio, the borrowers and the different markets where the bank has exposure. They should also make sure their risk ratings on CRE credits are up-to-date so the bank can identify potential problem credits and workout strategies ahead of borrower defaults. 

They will also want to consider their institution’s capacity for working out troubled credits and explore what kind of pricing they could get for loans on the secondary market. While banks may have more capital to absorb losses, Winick says they may not have the staffing to manage a large and rapid increase in troubled credits. 

Working ahead of potential increases in credit losses is especially important for banks with a concentration in the space, which the FDIC defines as CRE that makes up more than 300% of a bank’s total capital or construction loans in excess of 100% of total capital.

“If a bank has a CRE concentration, they’re definitely going to get more scrutiny from the regulators,” Anderson says. “Any regulator worth their salt is going to be asking pointed questions about office exposure, and then beyond that, interest rate exposure and refinancing risk for all forms of real estate.”

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago June 12-14, 2023.

Keys to Serving ‘Risky’ Businesses

Most banks focus on taking deposits, making loans and providing many other services for their retail and commercial customer channels. Recently, some institutions have opened their doors to riskier businesses — in particular, cannabis businesses. Banks that navigate those spaces successfully can offer lessons to other banks.

Failing to Prepare Is Preparing to Fail
The first and most important theme is extreme preparation. Before actually providing services to risky businesses of any kind, banks need to consider and prepare for the enhanced expectations of regulators and shareholders. Banks also need to appreciate where they may stand with the regulators, addressing any outstanding issues before going further.

Ahead of any conversation with regulators, bank executives should develop plans that cover the institution’s staffing, existing and future expertise, development of policies and procedures, compliance considerations, use of third parties, regulatory notices or approvals, market dynamics, growth expectations and ongoing risk management.

Regulators will want to understand how serving risky businesses fits into the bank’s strategic plans and will expect the board to have robust discussions that are especially focused on risk management. Regulators are particularly skeptical of new business lines that increase risk to the bank, its customers and ultimately, the deposit insurance fund. Bank executives should anticipate receiving heightened scrutiny of their plans for serving risky businesses.

Talk to Your Regulators
Talking to regulators about servicing risky businesses is really a bank’s second step. First, the bank needs to prepare to talk to them.

Executives and the board will need to do their homework to support their reasoning and analysis; they will need to demonstrate to regulators what the institution has already done and plans to do from a compliance, risk management and operational perspective.

Regulators will want to see details fleshed out in as much specificity as possible. Due to the increased risk and expectations in these areas, they may take the position that expanding into these business lines represents a change in the general character of the bank’s business, which may require specific filings or approvals from regulators. In any event, it is critical that executives have discussions with regulators before going to market.

Robust, Ongoing Risk Management
The third theme is robust and ongoing risk management. Risk management is a key element of bank examinations, often hammered home by examiners who want to provide a clear signal of their expectations. This is especially true with any bank seeking to provide services in riskier business areas.

It’s not enough to dust off old policies and add in the applicable key words for the new business. Banks need to tailor their policies and procedures to the specific businesses they’re looking to serve, including the flexibility for growth.

What many banks already understand is that regulators want to see a risk management framework that is tailored not only for the existing business, but more importantly, a framework developed to address the growth plans of the business lines. The framework needs to be robust in its current state and from a forward-looking standpoint: Is your bank’s risk management framework appropriate for today and tomorrow?

The final theme should come as no surprise: Patience is paramount for banks as they plan to engage with risky businesses. There is an extended timeline to work through; it will probably take longer than expected to work through details with regulators and seek necessary approvals. And it will certainly take time to develop and exercise the appropriate risk management framework that is flexible enough to address not only the current business, but also what the line of business might look like in the future.

These four themes are critical for any bank board and management team to consider and appreciate if they’re interested in working with risky businesses. Given the heightened risk, these conversations need to start in the boardroom, but there are many opportunities for those banks willing to put in the time and effort. These business lines are clearly not for every institution, but these themes apply to almost any new line of business — whether or not it might be considered risky.

This piece was originally published in the second quarter 2023 issue of Bank Director magazine.

Will Regulators’ Actions Stem Deposit Runs, Banking Crisis?

Bank regulators rolled out several tools from their tool kit to try to stem a financial crisis this week, but problems remain. 

The joint announcements followed the Friday closure of Silicon Valley Bank and the surprise Sunday evening closure of Signature Bank. 

Santa Clara, California-based Silicon Valley Bank had $209 billion in assets and $175 billion in deposits at the end of 2022 and went into FDIC receivership on March 10; New York-based Signature Bank had $110 billion in assets and $88.6 billion in deposits at the end of 2022 and went into receivership on March 12. Both banks failed without an acquiring institution and the FDIC has set up bridge banks to facilitate their wind downs.

Bank regulators determined both closures qualified for “systemic risk exemptions” that allowed the Federal Deposit Insurance Corp. to cover all the deposits for the failed banks. Currently, deposit insurance covers up to $250,000; both banks focused mainly on businesses, which carry sizable account balances. About 94% of Silicon Valley’s deposits were uninsured, and 90% of Signature’s deposits were over that threshold, according to a March 14 article from S&P Global Market Intelligence.

The systemic risk exemption means regulators can act without Congressional approval in limited situations to provide insurance to the entire account balance, says Ed Mills, managing director of Washington policy at the investment bank Raymond James

The bank regulators also announced a special funding facility, which would help banks ensure they have access to adequate liquidity to meet the demands of their depositors. The facility, called the Bank Term Funding Program or BTFP, will offer wholesale funding loans with a duration of up to one year to eligible depository institutions that can pledge U.S. Treasuries, agency debt and mortgage-backed securities and other qualifying assets as collateral. The combined measures attempt to stymie further deposit runs and solve for the issue that felled Silicon Valley and Signature: a liquidity crunch. 

In a normal operating environment, banks would sell bonds from their available-for-sale securities portfolio to keep up with liquidity demands, whether that’s deposit outflows or additional lending opportunities. Rising rates over the last five quarters means that aggregate unrealized losses in securities portfolios grew to $620 billion at the end of 2022losses many banks want to avoid recording. In the case of Silicon Valley, depositors began to pull their money after the bank announced on March 8 it would restructure its $21 billion available-for-sale securities portfolio, booking a $1.8 billion loss and requiring a $2 billion capital raise. 

“The BTFP will be an additional source of liquidity [borrowed] against high-quality securities, eliminating an institution’s need to quickly sell those securities in times of stress,” the Federal Reserve said in its release on the facility. Importantly, the pledged collateral, such as U.S. Treasurys, will be valued at par. That is the “most beneficial portion” of the program and eliminates the discount many of these securities carry given their lower yields, Mills says. 

The hope is that banks pledge their underwater bonds to increase their liquidity should deposits begin to leave their institution. One concern, then, is that banks hesitate to use it as a sign of weakness, Mills says. But he says, “conversations about impacts to earnings and impacts to reputation are secondary to solvency.”

Former Comptroller of the Currency Gene Ludwig tells Bank Director that he appreciates the steps the regulators took, and of President Joe Biden’s messaging that accompanied Sunday’s actions. 

“I realized that for the regulators, because of the speed and the need to react quickly and over a weekend, there was a lot of wood to chop,” he says. “ It takes time, but I think they reacted with vigor.”

Although he wasn’t at the FDIC, Ludwig’s career touches on the importance of deposit coverage. In addition to serving as comptroller in the 1990s, he founded and later sold IntraFi, a reciprocal deposit network. He encourages banks to at least establish lines to the BTFP, since the application and transfers can take time.

It remains to be seen whether regulator actions will be enough to assuage depositors and the broader public. Banks have reportedly borrowed $11.9 billion from the new facility and another $152.8 billion from the discount window, according to a Bloomberg article published the afternoon of March 16. However, the facilities don’t fully address the problem that most banks are carrying substantial unrealized losses in their bond books — which may only continue to grow if the Federal Open Market Committee continues increasing rates.

“This announcement was about stemming the immediate systemic concerns, but it absolutely did not solve all of the banks’ woes,” Mills says.

It’s also possible that those tailored actions may be insufficient for certain institutions that resemble Silicon Valley Bank or Signature Bank. Clifford Stanford, an Atlanta-based partner of law firm Alston & Bird and a former assistant general counsel at the Federal Reserve Bank of Atlanta, remembers how bank failures and weakness would come in waves of activity during the Great Recession and afterward. 

“There’s a lot of unknowns about who’s got what holes in their balance sheet and who’s sitting on what problems,” he says. “Every board of every bank should be asking their management right now: Do we have this problem? If we do have a risk, how are we hedging it? What sort of options do we have to backstop liquidity? What’s our plan?”