Loan Review Best Practices: Key to Combating Credit Risk

Despite current benign credit metrics, there’s a growing industry-wide sentiment that credit stress looms ahead.

There’s a proven correlation between early detection of emerging credit risk and reduced losses. Effective and efficient loan reviews can help your institution better understand the portfolio and identify potential risk exposures. Now is the time for banks to ensure their loan review, either in-house or external, can proactively identify potential credit weaknesses, gain deep knowledge about the subsegments of the portfolio, learn where the vulnerabilities exist and act to mitigate risk at the earliest opportunity. It’s time to emulate a whole new set of loan review best practices:

1. Trust your reviews to professionals with deep credit experience — not just junior CPAs.
Your reviewers should be seasoned experts who are skilled in the qualitative and quantitative axioms of credit, with hands-on experience in lending and risk management. Because their experience will drive better reviews and deliverables, it’s a good idea to ask for biographies of people assigned to your institution.

2. Confirm your review includes paralegal professionals to conduct separate documentation reviews.
It is essential that your loan reviews include specialists with technical expertise in regulatory and legal compliance, lending policy adherence, policies, collateral conveyances, servicing rules, among others — working in tandem with seasoned credit professionals.

3. Insist on smart, informed sampling.
To uncover vulnerabilities in specific segments of the portfolio, rely on a selection process that helps you choose very informed samples indicating possible emerging risk.

4. Quantify both pre- and cleared documentation, credit and policy exceptions.
In the best of times, many loan reviews show almost no bottom-line degradation in loan quality for the portfolio as a whole. On close examination, you may find significant numbers of technical and credit exceptions indicating that the quality of your lending process itself may need to be tweaked.

5. Understand your own bank’s DNA.
In this complex economic environment, it is imperative for institutions to analyze their own idiosyncratic loan data. Arm your loan review team with the ability to automatically drill down into the portfolio and easily examine trends and borrower types to inform risk gradings, assess industry and concentration risk, along with other variables. Seasoned reviewers will be incredibly valuable in this area.

6. Observe pricing based on risk grades, collateral valuations and loan vintages.
Loans originating around the same time and credits that tend to migrate as a group tend to share common risk characteristics. Isolating and analyzing those credits can answer the important question, “Are you being paid for the risk you’re taking?”

7. Pair loan reviews with companion stress testing.
Regulators are encouraging stress tests as a way for banks to learn where their risk may be embedded. Pairing the tests with loan reviews is a productive way to gain this knowledge. Start at the portfolio level and do loan-level tests where indicated.

8. Transparently report and clear exceptions in real time.
Banks can benefit from using fintech’s efficiency to remove huge amounts of time, team meetings and staff intrusions from the traditional process of reviewing loans. An online loan review solution gives teams a way to see exception activities and clearances as they happen.

9. Comply with workout plan requirements prescribed by interagency regulators.
Banks typically design workout plans to rehabilitate a troubled credit or to maximize the collected repayment. Regulators now require institutions to examine these plans independently as a standard loan review procedure that reflects a healthy degree of objectivity.

10. Deliver comprehensive management reports and appropriate high-level board reports with public/peer data.
Management should receive prompt and thorough loan review reports; board members should receive high-level reports with appropriate, but less detailed, information. Public data or analyses of your institution’s performance as compared to peers should accompany this reporting.

11. Conduct loan reviews as a highly collaborative and consultative exercise — counter to “just another audit.”
An effective loan review is not an internal audit experience. It’s an advisory process, and this approach is extremely important to its ultimate success. Substantive dialogue among participants with differences of opinion is key to favorable outcomes for the institution.

12. Take advantage of a technology platform to automate every possible aspect of the loan review process.
Best practices call for the efficiency that comes with automating the loan review process to the maximum extent possible, without sacrificing substance or quality. Technology enables faster and more complete early detection of vulnerabilities.

Loan reviews are critical to an institution’s risk-management strategy. It’s a one-two punch: Deeply qualified reviewers combined with automated technology that delivers a more efficient, less intrusive loan review process that will help combat the looming credit stress ahead.

Commercial Real Estate Threatens to Crack Current Calm

While credit quality at banks remains high, it may not stay there. 

At the end of the year, noncurrent and net charge-off rates at the nation’s banks had “increased modestly,” but they and other credit quality metrics remained below their pre-pandemic levels, according to the Federal Deposit Insurance Corp. However, rising interest rates have made credit more expensive for borrowers with floating rate loans or loans that have a rate reset built into the duration. 

Commercial real estate, or CRE, is of particular focus for banks, given changes to some types of CRE markets since the start of the pandemic, namely office and retail real estate markets. Rising interest rates have increased the monthly debt service costs for some CRE borrowers. An estimated $270.4 billion in commercial mortgages held at banks will mature in 2023, according to a March report from Trepp, a data and analytics firm. 

“If you’ve been able to increase your rents and your cash flow, then you should be able to offset the impact of higher financing costs,” says Jon Winick, CEO of Clark Street Capital, a firm that helps lenders sell loans. “But when the cash flow stays the same or gets worse and there’s a dramatically higher payment, you can run into problems.”

Some buildings are producing less income, in the form of leases or rent, and their values have declined. Office and traditional retail valuations may have fallen up to 40% from their purchase price, creating loan-to-value ratios that exceed 100%, Chris Nichols, director of capital markets for SouthState Bank, pointed out in a recent article. SouthState Bank is a unit of Winter Haven, Florida-based SouthState Corp., which has $44 billion in assets. If rates stay at their mid-April levels, some office building borrowers whose rates renew in the next two years could see interest rates grow 350 to 450 basis points from their initial level, Nichols writes, citing Morgan Stanley data.  

JPMorgan & Co.’s Chairman and CEO Jamie Dimon said during the bank’s first quarter 2023 earnings call that he is advising clients to fix exposure to floating rates or address refinance risk.

“People need to be prepared for the potential of higher rates for longer,” he said.

Banks are the largest category of CRE lenders and made 38.6% of all CRE loans, according to Moody’s Analytics. Within that, 9.6% of those loans are made by community banks with $1 billion to $10 billion in assets. CRE exposure is highest among banks of that size, making up over 24% of total assets at the 829 banks that have between $1 billion and $10 billion in assets. It’s high for smaller banks too, constituting about 18.3% of total assets for banks with $100 million to $1 billion in assets. 

“Not surprisingly, we’re seeing delinquency rates for office loans starting to increase. … [It’s] still moderately low, but you can see the trend has been rising,” says Matthew Anderson, managing director of applied data and research at Trepp, speaking both about year-end bank data and more current info about the commercial mortgage-backed securities market. He’s also seen banks begin increasing their credit risk ratings for CRE segments, notably in the office sector.

Bank boards and management teams will want to avoid credit surprises and be prepared to act to address losses. Anderson recommends directors at banks with meaningful CRE exposure start getting a handle on the portfolio, the borrowers and the different markets where the bank has exposure. They should also make sure their risk ratings on CRE credits are up-to-date so the bank can identify potential problem credits and workout strategies ahead of borrower defaults. 

They will also want to consider their institution’s capacity for working out troubled credits and explore what kind of pricing they could get for loans on the secondary market. While banks may have more capital to absorb losses, Winick says they may not have the staffing to manage a large and rapid increase in troubled credits. 

Working ahead of potential increases in credit losses is especially important for banks with a concentration in the space, which the FDIC defines as CRE that makes up more than 300% of a bank’s total capital or construction loans in excess of 100% of total capital.

“If a bank has a CRE concentration, they’re definitely going to get more scrutiny from the regulators,” Anderson says. “Any regulator worth their salt is going to be asking pointed questions about office exposure, and then beyond that, interest rate exposure and refinancing risk for all forms of real estate.”

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago June 12-14, 2023.

Keys to Serving ‘Risky’ Businesses

Most banks focus on taking deposits, making loans and providing many other services for their retail and commercial customer channels. Recently, some institutions have opened their doors to riskier businesses — in particular, cannabis businesses. Banks that navigate those spaces successfully can offer lessons to other banks.

Failing to Prepare Is Preparing to Fail
The first and most important theme is extreme preparation. Before actually providing services to risky businesses of any kind, banks need to consider and prepare for the enhanced expectations of regulators and shareholders. Banks also need to appreciate where they may stand with the regulators, addressing any outstanding issues before going further.

Ahead of any conversation with regulators, bank executives should develop plans that cover the institution’s staffing, existing and future expertise, development of policies and procedures, compliance considerations, use of third parties, regulatory notices or approvals, market dynamics, growth expectations and ongoing risk management.

Regulators will want to understand how serving risky businesses fits into the bank’s strategic plans and will expect the board to have robust discussions that are especially focused on risk management. Regulators are particularly skeptical of new business lines that increase risk to the bank, its customers and ultimately, the deposit insurance fund. Bank executives should anticipate receiving heightened scrutiny of their plans for serving risky businesses.

Talk to Your Regulators
Talking to regulators about servicing risky businesses is really a bank’s second step. First, the bank needs to prepare to talk to them.

Executives and the board will need to do their homework to support their reasoning and analysis; they will need to demonstrate to regulators what the institution has already done and plans to do from a compliance, risk management and operational perspective.

Regulators will want to see details fleshed out in as much specificity as possible. Due to the increased risk and expectations in these areas, they may take the position that expanding into these business lines represents a change in the general character of the bank’s business, which may require specific filings or approvals from regulators. In any event, it is critical that executives have discussions with regulators before going to market.

Robust, Ongoing Risk Management
The third theme is robust and ongoing risk management. Risk management is a key element of bank examinations, often hammered home by examiners who want to provide a clear signal of their expectations. This is especially true with any bank seeking to provide services in riskier business areas.

It’s not enough to dust off old policies and add in the applicable key words for the new business. Banks need to tailor their policies and procedures to the specific businesses they’re looking to serve, including the flexibility for growth.

What many banks already understand is that regulators want to see a risk management framework that is tailored not only for the existing business, but more importantly, a framework developed to address the growth plans of the business lines. The framework needs to be robust in its current state and from a forward-looking standpoint: Is your bank’s risk management framework appropriate for today and tomorrow?

Patience
The final theme should come as no surprise: Patience is paramount for banks as they plan to engage with risky businesses. There is an extended timeline to work through; it will probably take longer than expected to work through details with regulators and seek necessary approvals. And it will certainly take time to develop and exercise the appropriate risk management framework that is flexible enough to address not only the current business, but also what the line of business might look like in the future.

These four themes are critical for any bank board and management team to consider and appreciate if they’re interested in working with risky businesses. Given the heightened risk, these conversations need to start in the boardroom, but there are many opportunities for those banks willing to put in the time and effort. These business lines are clearly not for every institution, but these themes apply to almost any new line of business — whether or not it might be considered risky.

This piece was originally published in the second quarter 2023 issue of Bank Director magazine.

Will Regulators’ Actions Stem Deposit Runs, Banking Crisis?

Bank regulators rolled out several tools from their tool kit to try to stem a financial crisis this week, but problems remain. 

The joint announcements followed the Friday closure of Silicon Valley Bank and the surprise Sunday evening closure of Signature Bank. 

Santa Clara, California-based Silicon Valley Bank had $209 billion in assets and $175 billion in deposits at the end of 2022 and went into FDIC receivership on March 10; New York-based Signature Bank had $110 billion in assets and $88.6 billion in deposits at the end of 2022 and went into receivership on March 12. Both banks failed without an acquiring institution and the FDIC has set up bridge banks to facilitate their wind downs.

Bank regulators determined both closures qualified for “systemic risk exemptions” that allowed the Federal Deposit Insurance Corp. to cover all the deposits for the failed banks. Currently, deposit insurance covers up to $250,000; both banks focused mainly on businesses, which carry sizable account balances. About 94% of Silicon Valley’s deposits were uninsured, and 90% of Signature’s deposits were over that threshold, according to a March 14 article from S&P Global Market Intelligence.

The systemic risk exemption means regulators can act without Congressional approval in limited situations to provide insurance to the entire account balance, says Ed Mills, managing director of Washington policy at the investment bank Raymond James.

The bank regulators also announced a special funding facility, which would help banks ensure they have access to adequate liquidity to meet the demands of their depositors. The facility, called the Bank Term Funding Program or BTFP, will offer wholesale funding loans with a duration of up to one year to eligible depository institutions that can pledge U.S. Treasuries, agency debt and mortgage-backed securities and other qualifying assets as collateral. The combined measures attempt to stymie further deposit runs and solve for the issue that felled Silicon Valley and Signature: a liquidity crunch. 

In a normal operating environment, banks would sell bonds from their available-for-sale securities portfolio to keep up with liquidity demands, whether that’s deposit outflows or additional lending opportunities. Rising rates over the last five quarters mean that aggregate unrealized losses in securities portfolios grew to $620 billion at the end of 2022, losses many banks want to avoid recording. In the case of Silicon Valley, depositors began to pull their money after the bank announced on March 8 it would restructure its $21 billion available-for-sale securities portfolio, booking a $1.8 billion loss and requiring a $2 billion capital raise.

“The BTFP will be an additional source of liquidity [borrowed] against high-quality securities, eliminating an institution’s need to quickly sell those securities in times of stress,” the Federal Reserve said in its release on the facility. Importantly, the pledged collateral, such as U.S. Treasurys, will be valued at par. That is the “most beneficial portion” of the program and eliminates the discount many of these securities carry given their lower yields, Mills says. 

The hope is that banks pledge their underwater bonds to increase their liquidity should deposits begin to leave their institution. One concern, then, is that banks hesitate to use it as a sign of weakness, Mills says. But he says, “conversations about impacts to earnings and impacts to reputation are secondary to solvency.”

Former Comptroller of the Currency Gene Ludwig tells Bank Director that he appreciates the steps the regulators took, as well as President Joe Biden’s messaging that accompanied Sunday’s actions.

“I realized that for the regulators, because of the speed and the need to react quickly and over a weekend, there was a lot of wood to chop,” he says. “It takes time, but I think they reacted with vigor.”

Although he wasn’t at the FDIC, Ludwig’s career touches on the importance of deposit coverage. In addition to serving as comptroller in the 1990s, he founded and later sold IntraFi, a reciprocal deposit network. He encourages banks to at least establish lines to the BTFP, since the application and transfers can take time.

It remains to be seen whether regulator actions will be enough to assuage depositors and the broader public. Banks have reportedly borrowed $11.9 billion from the new facility and another $152.8 billion from the discount window, according to a Bloomberg article published the afternoon of March 16. However, the facilities don’t fully address the problem that most banks are carrying substantial unrealized losses in their bond books — which may only continue to grow if the Federal Open Market Committee continues increasing rates.

“This announcement was about stemming the immediate systemic concerns, but it absolutely did not solve all of the banks’ woes,” Mills says.

It’s also possible that those tailored actions may be insufficient for certain institutions that resemble Silicon Valley Bank or Signature Bank. Clifford Stanford, an Atlanta-based partner of law firm Alston & Bird and a former assistant general counsel at the Federal Reserve Bank of Atlanta, remembers how bank failures and weakness would come in waves of activity during the Great Recession and afterward. 

“There’s a lot of unknowns about who’s got what holes in their balance sheet and who’s sitting on what problems,” he says. “Every board of every bank should be asking their management right now: Do we have this problem? If we do have a risk, how are we hedging it? What sort of options do we have to backstop liquidity? What’s our plan?”

Are Regulatory Delays Overblown?

Nicolet Bankshares bought three banks during the last two years that doubled the size of the now $8.8 billion Green Bay, Wisconsin-based banking company. How hard was it to get regulatory approval? Well, if you ask CEO Mike Daniels, it was a breeze.

Despite all the talk of the tough regulatory environment for deal-making, not all banks experience problems, let alone delays. Nicolet’s latest acquisition, the purchase of $1.1 billion Charter Bankshares in Eau Claire, Wisconsin, took all of five months from announcement to conversion, including core conversion and changing branch signage.

“I hear deals are getting delayed, and you never know what the reason is,” says Daniels, who is speaking about mergers and acquisitions as part of a panel at Bank Director’s Acquire or Be Acquired conference in Phoenix this week. He attributes Nicolet’s ease of deal-making to lots of experience with conversions, good communications with its primary regulator, the Office of the Comptroller of the Currency, and an “outstanding” Community Reinvestment Act score. “We spend a lot of time with our primary regulator, the OCC, so they know what we’re thinking about,” he says. “We’re having those conversations before [deals] are announced.”

Are regulators taking longer to approve deals? “I’m in the mid-sized and smaller deal [market], and I’m not seeing that,” says Gary Bronstein, a partner in the law firm Kilpatrick Townsend in Washington, D.C. In fact, an S&P Global Market Intelligence analysis of all whole bank deals through August of 2022 found that the median time from announcement to close was 141 days from 2016 to 2019, ticking up to 145 days from 2020 through Aug. 22, 2022.

Attorneys say regulators are scrutinizing some bank M&A deals more than others, particularly for large banks. The median time to deal close for consolidating banks with less than $5 billion in combined assets was 136 days during the 2020-22 time period, compared to a median 168 days for consolidated banks with $10 billion to $100 billion in assets, according to S&P. Bronstein says in part, there’s pressure from Washington politicians to scrutinize such deals more carefully, including from U.S. Sen. Elizabeth Warren, D-Mass., who has tweeted that the growing size of the biggest banks is “putting our entire financial system at risk.” The biggest deals, exceeding $100 billion in assets, took 198 days to close in 2020-22.

President Joe Biden issued an executive order in June 2021 directing agencies to crack down on industry consolidation across the economy, including in banking, under the theory that consolidation and branch closures raise costs for consumers and small businesses, and harm access to credit.

Regulatory agencies haven’t proposed any specific rules yet, says Rob Azarow, a partner at the law firm Arnold & Porter, in part because Biden has been slow to nominate and then get Senate approval for permanent appointments to the heads of agencies.

Regulators scrutinize larger deals, especially deals creating institutions above $100 billion in assets, because of their heightened risk profiles. “It does take time to swallow those deals and to have regulators happy that you’ve done all the right things on integration and risk management,” Azarow says.

Smaller, plain vanilla transactions are less likely to draw as much scrutiny, says Abdul Mitha, a partner at the law firm Barack Ferrazzano Kirschbaum & Nagelberg in Chicago. Some issues will raise more concerns, however. Regulators are interested in the backgrounds of investor groups that want to buy banks, especially if they have a background in crypto or digital assets. Regulators are also looking for compliance weaknesses such as consumer complaints, fair lending problems or asset quality issues, so buyers will have to be thorough in their due diligence. “Regulators have asked for due diligence memos,” Mitha says. “They’re deep diving into due diligence more recently due to factors such as the economic environment.”

Bronstein concurs that regulators are asking more questions about fair lending in deals. The Consumer Financial Protection Bureau, which regulates banks above $10 billion in assets, is very much focused on consumer regulation and underserved communities, Bronstein says. So are the OCC and Federal Deposit Insurance Corp., which have traditionally focused on safety and soundness issues. They still do that as well, but fair lending has become a hot topic.

In the fall of 2022, the Fed signed off on a merger between two Texas banks, $6.7 billion Allegiance Bancshares and $4.3 billion CBTX, noting that the FDIC required the two institutions to come up with a plan to increase mortgage applications and lending to African American communities.

Still, the regulatory environment isn’t a major factor pulling down deal volume, the attorneys agreed. The economic environment, buyers’ worries about credit quality and low bank valuations have far greater impact. Buyers’ stock prices took a tumble in 2022, which makes it harder to come up with the currency to make a successful acquisition. Also, with bond prices falling, the FDIC reported that banks in aggregate took almost $690 billion in unrealized losses in their securities portfolio in the third quarter of 2022, which impacts tangible book values. Banks are wary of selling when they don’t think credit marks reflect the true value of their franchise, says Piper Sandler & Co.’s Mark Fitzgibbon, the head of financial institutions research.

An analysis by Piper Sandler & Co. shows deal volume dropped off a cliff in 2022, with 169 bank M&A transactions, compared to 205 the year before. But as a percentage of all banks, the drop looks less dramatic. The banks that sold or merged last year equated to 3.6% of total FDIC-insured institutions, close to the 15-year average of 3.4%.

“I would expect M&A activity to look more like 2022 in 2023, maybe a little lower if we were to go into a hard recession,” Fitzgibbon says. “You’d expect to see a lot of activity when we were coming out of that downturn.”

Issues in Selling to a Non-Traditional Buyer

We have seen a surge in the number of sales of smaller banks to non-traditional buyers, primarily financial technology companies and investor groups without an existing bank.

This has been driven by increased outside interest in obtaining a bank charter, the lack of natural bank buyers for smaller charters and, of course, money. Non-traditional buyers are typically willing to pay a substantially higher premium than banks, and including them in an auction process may also generate pricing competition, resulting in a higher price for the seller even if it decides to sell to another bank. Additionally, buyers and sellers can structure these transactions as a purchase of equity, as opposed to the clunky and complicated purchase and assumption structure used by credit unions.

But there are also many challenges to completing a deal with a non-traditional buyer, including a longer regulatory approval process and less deal certainty. Before going down the road of entertaining a sale to a buyer like this, there are a few proactive steps you can take to increase your chances for success.

The Regulatory Approval Process
It is important to work with your legal counsel at the outset to understand the regulatory approval process and timing. They will have insights on which regulators are the toughest and how long the approval process may take.

If the potential buyer is a fintech company, it will need to file an application with the Federal Reserve to become a bank holding company. In our recent experience, applications filed with the Federal Reserve have taken longer, in part because of the increased oversight of the Board in Washington, but also because the Federal Reserve conducts a pre-transaction on-site examination of the fintech company to determine whether it has the policies and procedures in place to be a bank holding company. Spoiler alert: most of them don’t.

If the potential buyer is an individual, the individual will need to file a change in control application with the primary federal regulator for the bank. The statutory factors that regulators need to consider for this type of application are generally less rigorous than those for a bank holding company application. We have seen the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. show more openness to next-generation business plans, as they understand the need for banks to innovate.

Conduct “Reverse” Due Diligence
Find out more about the buyer. You would be surprised at what a simple internet search will uncover, and you can bet that the regulators will do this when they receive an application. We have encouraged sellers to take a step further and conduct background checks on individual buyers.

Ask the buyer what steps have been taken to prepare for the transaction. Has the investor had any preliminary meetings with the regulators? What advisors has the buyer hired, and do they have a strong track record in bank M&A? Does the buyer have adequate financial resources?

Understand the key aspects of the buyer’s proposed business plan. Is it approvable? Are the new products and services to be offered permissible banking services? A business plan that adds banking as a service is more likely to be approved than one that adds international payments or digital assets. Does the buyer have a strong management team with community bank experience? What impact will the business plan have on the community? Regulators will not approve an application if they think the charter is being stripped and a community is at risk of being abandoned. We have seen buyers offer donations to local charities and engage in community outreach to show the regulators their good intentions.

Negotiate Deal Protections in the Agreement
Additional provisions can be included in the definitive agreement to protect the selling bank. For example, request a deposit of earnest money upon signing that is forfeitable if the buyer does not obtain regulatory approval. Choose an appropriate drop-dead date for the transaction. Although this date should be realistic, it should also incentivize the buyer to move quickly. We have seen sellers offer buyers options to pay for extensions. The contract should also require the buyer to file the regulatory application promptly following signing and to keep the selling bank well informed about the regulatory approval process.

While a transaction with a non-traditional buyer may be more challenging, under the right circumstances it can present an appealing alternative for a bank looking to maximize its sale price in a cash transaction.

3 Common Insurance Gaps at Banks

Banks must take risk management seriously – and part of managing risk is properly insuring property and casualty risk. Below are the three critical, yet commonly overlooked, areas that institutions should be aware of in addressing their property and casualty insurance program.

1. Think Deeply About the Bank’s Entire Risk Profile
Banks are a complicated risk entity without a cookie-cutter insurance blueprint. The bank business model makes banks a natural target for criminal acts, while daily operations leave the bank exposed to a host of liability claims. We have also recently seen an increase in regulatory scrutiny related to banks, especially banks’ cyber exposure. Another factor working against the bank is the lack of set standards, guidance and/or oversight of their insurance program. These factors combined make banks particularly complicated to insure competently.

It is imperative that banks consider the entirety of their risks in ensuring they have appropriate coverage and limits. Risk factors to consider include ownership structure, recent financial performance, geographic location, loss history, makeup of the board and management, business model and growth projections. When these factors are considered together, a bank can more completely insure its risks as many of the core coverage lines (and policy forms) are unique only to commercial banks.

2. Cyber Exposure Needs to Be Addressed Under Three Separate Policies
When most banks hear cyber insurance, they think of their cyber liability policy. Most carriers consider this computer systems fraud and it is intended to respond to electronic claims when the bank’s funds are lost or stolen. A typical non-bank cyber liability policy will also include a crime component for electronic losses like fraudulent instruction and electronic funds transfer fraud.

However, there are additional coverages specifically available to banks for cyber loss. The second is the bank’s FI Bond. This is a broader policy and can carry much higher limits. Other coverages under the FI Bond include computer systems fraud such as hacker and virus destruction, as well as voice initiated transfer fraud. There is also an option to insure “social engineering” claims through the FI bond policy.

The third policy that may apply in a cyber loss is the bankers professional liability (BPL). If a bank does not carry social engineering on their bond and a customer’s account is hacked through its own system (as opposed to the bank’s), the FI bond likely will not cover the customer’s stolen money. A BPL may provide coverage for depositor’s liability in this case.
Banks should make sure that all three of these policies have adequate limits, do not have overlapping coverage, and also do not leave any gaps in coverage.

3. The Areas of Greatest Exposure
Although cyber and D&O are often the first two areas of insurance a bank focuses on, we believe more attention should be paid to the bankers professional liability policy. In the most basic sense, BPL covers the bank for losses arising from any service the bank provides to a customer, aside from lending activity. It’s often colloquially called Bankers E&O and is essentially broad form negligence coverage.
Conversely, lender liability is intended to cover that which BPL excludes: wrongful acts arising from a loan or lending activity. It is important that banks have lender liability included within the BPL.

There are two main reasons BPL/lender liability are important:
1. The most frequent claim for banks falls under the BPL/lender liability. In 2021, 51% of bank liability claims fell under BPL or lender liability. Cyber liability and D&O claims constituted 8% and 12% of claims, respectively.
2. Since they are usually insured under the same insuring agreement, they also usually share one limit. A borrower suit that turns into a paid claim would also erode the BPL limit.

Most peer group average BPL and lender liability limits are relatively low; it’s recommended that banks keep their limit at or slightly above average, at a minimum.

Given the complex factors above, how can you know if your bank is protected? Consider the following questions:

  • Are my financial institution and its officers protected from all the types of risk that could hurt us?
  • Do I have a partner I trust to complement my unique business and offer integrated solutions that offer the right amount of coverage?
  • How much time, productivity and fees does it cost the bank to have relationships with multiple brokers and advisors?

Insurance is complex. Threats to the security of your financial organization are ubiquitous. You should have an expert to help you navigate the process and build a tailored solution for your institution.

Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, recent subsequent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

Regulatory Crackdown on Deposit Insurance Misrepresentation

Federal banking regulators have recently given clear warnings to banks and fintechs about customer disclosures and the significant risk of customer confusion when it comes to customers’ deposit insurance status.

On July 28, 2022, the Federal Deposit Insurance Corporation and the Federal Reserve issued a joint letter to the crypto brokerage firm Voyager Digital, demanding that it cease and desist from making false and misleading statements about Voyager’s deposit insurance status, in violation of the Federal Deposit Insurance Act, and that it take immediate corrective action.

The letter stated that Voyager made false and misleading statements online, including on its website, mobile app and social media accounts. These statements said or suggested that Voyager is FDIC-insured; that customers who invested with the Voyager cryptocurrency platform would receive FDIC insurance coverage for all funds provided to, and held by, Voyager; and that the FDIC would insure customers against the failure of Voyager itself.

Contemporaneously with the letter, the FDIC issued an advisory to insured depository institutions regarding deposit insurance and dealings with crypto companies. The advisory addressed the following concerns:

  1. Risk of consumer confusion or harm arising from crypto assets offered by, through or in connection with insured banks. This risk is elevated when a nonbank entity offers crypto assets to the nonbank’s customers, while offering an insured bank’s deposit products.
  2. Inaccurate representations about deposit insurance by nonbanks, including crypto companies, may confuse the nonbank’s customers and cause them to mistakenly believe they are protected against any type of loss.
  3. Customers can be confused about when FDIC insurance applies and what products are covered by FDIC insurance.
  4. Legal risk of insured banks if a crypto company or other third-party partner of the bank makes misrepresentations about the nature and scope of deposit insurance.
  5. Potential liquidity risks to insured banks if customers move funds due to misrepresentations and customer confusion.

The advisory also includes the following risk management and governance considerations for insured banks:

  1. Assess, manage and control risks arising from all third-party relationships, including those with crypto companies.
  2. To measure and control the risks to the insured bank, it should confirm and monitor that these crypto companies do not misrepresent the availability of deposit insurance and should take appropriate action to address any such misrepresentations.
  3. Communications on deposit insurance must be clear and conspicuous.
  4. Insured banks can reduce customer confusion and harm by reviewing and regularly monitoring the nonbank’s marketing material and related disclosures for accuracy and clarity.
  5. Insured banks should have appropriate risk management policies and procedures to ensure that any services provided by, or deposits received from, any third-party, including a crypto company, effectively manage risks and comply with all laws and regulations.
  6. The FDIC’s rules and regulations can apply to nonbanks, such as crypto companies.

At a time when crypto companies are increasingly criticized for courting perceived excessive risk and insufficient transparency in their business practices, the FDIC and other banking agencies are moving to ensure that these companies’ practices do not threaten the banking industry or its customers. On Aug. 19, the FDIC issued letters demanding that five crypto companies cease and desist from making false and misleading statements about their FDIC deposit insurance status and take immediate corrective action.

In addition to the FDIC’s suggestions in its advisory, we suggest both banks and fintech vendors consider the following measures to protect against regulatory criticism or enforcement:

  1. Banks should build the right to review and approve all communications to bank customers into their vendor contracts and joint venture agreements with fintechs and should revisit existing contracts to determine if any adjustments are needed.
  2. Banks should consult with legal counsel as to current and expected regulatory requirements and examination attitudes with respect to banking-as-a-service arrangements.
  3. Fintechs should engage with experienced bank regulatory counsel about the risks inherent in their business and contractual arrangements with insured banks by which the services of the fintech are offered to bank customers.
  4. Banks should conduct appropriate diligence as to their fintech partners’ compliance framework and record.

Additionally, should a bank’s fintech partner go bankrupt, the bank should obtain clarity — to the extent that it’s unclear — as to whether funds on deposit at the bank are property of the bankruptcy estate or property of a non-debtor person or entity; in this case, the fintech’s customers. If funds on deposit are property of non-debtor parties, the bank should be prepared to address such parties’ claims, including by obtaining bankruptcy court approval regarding the disposition of such funds on deposit. Additionally, the bank may have claims against the bankrupt fintech entity, including claims for indemnity, and should understand the priority and any setoff rights related to such claims.

Fed Account Guidance Yields More Confusion

In seeking answers from the Federal Reserve Board and one of the regional banks, a crypto fintech’s lawsuit may have forced the regulator to issue guidance on how other companies can gain access to the nation’s vaunted payment rails. 

At issue are which companies are eligible to request master accounts at the 12 Federal Reserve Banks, and in turn, how the Reserve Banks should consider those requests. Central to this debate — and the timing of this guidance — is the Custodia lawsuit.

The day after the Board released the guidance, it asked a judge to dismiss a lawsuit from Custodia, a company that holds a special purpose depository institutions charter from the Wyoming Department of Banking. Custodia, which focuses on digital asset banking, custody and payment solutions, applied for a master account from the Federal Reserve Bank of Kansas City in October 2020, and sued both the Kansas City Fed and the Board this year to force a decision; the Board cited the final guidelines in its justifications for a dismissal. 

“Honestly, it makes the guidelines seem like they were written, in part, to get courts to give [the Board] more deference when it winds up in litigation,” says Julie Hill, a law professor at the University of Alabama who has written about Fed account access. 

Outside of the lawsuit, the guidance speaks to the interest that fintechs and companies with novel bank charters have shown in opening Fed accounts. A Fed account comes with access to the payment rails; the entire banking as a service (BaaS) business line is premised on banks serving as intermediaries and account holders for fintechs to send and store customer money. 

If the path to applying for a master account becomes clearer, institutions with novel banking charters could bypass bank partnerships, and request and operate these accounts directly. But experts tell Bank Director that the Aug. 15 guidance codifies existing practices while offering little insight into how nonbanks can get these accounts — leaving most fintechs and bank partners where they started. 

Companies that want Fed accounts request access from one of the 12 Reserve Banks, depending on which district the company is located in. The final guidance that the Federal Reserve Board issued is directed to those Reserve Banks; its involvement in these regional banks’ decision-making indicates that the Board is trying to make these decisions consistent across regions and may be involved in individual requests as well, experts say.

The Fed’s guidance includes six principles that the regional Reserve Banks should use when evaluating these requests, along with a three-tiered review framework for the amount of due diligence and scrutiny that the Reserve Banks should apply to requests submitted by different types of institutions. 

But observers still see shortcomings in the guidance. Several experts pointed out that the guidance doesn’t address which companies are eligible to apply, which is the first hurdle nonbanks must address before requesting an account. It was one of the most frequently asked questions that companies submitted to the regulator, says Matthew Bisanz, a partner in Mayer Brown’s financial services regulatory and enforcement practice. 

The guidance retains the “substantial discretion” that Reserve Banks have in deciding approvals, meaning that institutions still do not have a clear path to account access, according to a Mayer Brown client note. The process is so unclear that these accounts are granted via requests rather than applications that regulators would normally employ, Hill points out.

Observers are waiting to see how the guidance figures into the Custodia case. Hill says that Custodia is an interesting test case; the company is in a strong position to request an account and addresses many of the regulator’s stated risk concerns. It has an ABA routing number and applied to become a member of the Kansas City Fed, which could advance it from tier three to tier two in the review framework. The company also accepts U.S. dollar deposits but does not have FDIC deposit insurance, which is one factor in the tier one considerations.

What’s Next
Hill says the next step for the Reserve Banks is potentially getting together to develop a sort of operating procedure, which could make the request and decision-making process more consistent across regions. And fintechs that might be interested in a novel bank charter may want to reach out to sympathetic lawmakers in Congress and explain their cause. Custodia and other crypto companies have found a champion in Sen. Cynthia Lummis, R-Wyo., and an ally in Sen. Pat Toomey, R-Pa., both of whom have raised concerns with the Fed and could author legislation that is more accommodative to novel banking charters that the Fed would need to follow. 

In the meantime, companies that want a Fed account and aren’t interested in becoming bank holding companies or partnering with a BaaS bank may find themselves in limbo for a while. Bisanz points out that in litigation, the Fed cited a case that said delays of three to five years are not unreasonable; Custodia brought its lawsuit to expedite a decision. For novel banks, waiting years for a decision may as well mean the death of a business model. 

“There is no guarantee of an application under these guidelines, and there is no guarantee of a decision,” Bisanz says. “Nothing in these guidelines says that the Reserve Banks will act expeditiously. People should read the guidelines, consider applying — but also be ready to sit tight.”