Effective Cybersecurity Demands Involvement From Everyone at Your Bank


Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring or unattended security information and event monitoring functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often are necessary; however, many institutions require more tailored controls and processes. Rather than relying on one-size-fits-all systems, organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial services organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in the departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who are monitoring account and system activity should be included in this process, but key stakeholders and employees who are client and third-party facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specific to their roles and the associated.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

When is the Ideal Time to Engage a Fintech Partner?


Fintech startups excel at giving birth to new ideas—ideas that do not get shut down by IT departments worried about security or compliance, or legal departments worried about a lack of regulatory guidance, or finance departments worried about high costs and likelihood of failure. We use fintech startups and possibly your bank uses them, too.

When we started up our firm 16 years ago, you could count the number of banks “potentially interested” in our prospective service on two hands and the word “fintech” had not yet entered the lexicon. Today our company serves thousands of banks and processes billions of dollars in deposits every week.

We have found through experience that fintechs have a particular kind of life cycle, which is really a continuum, but which, for discussion’s sake, can be broken down into four stages: the Garage, Initial Growth, Rapid Growth, and Maturity. How a bank interacts with a fintech in each of these stages can help it to manage the level of risk it wants to bear, how much work it will have to expend, and how much value it might realize from that engagement. The big question, then, is when to engage.

Stage One: The Garage
This is the proof-of-concept stage. The reward for working with a garage stage company is potentially enormous. However, the overwhelming number of garage stage fintechs fail. Banks probably do not want to consider engagement at this stage unless the bank has a) an extremely experienced CIO, b) a robust risk-management system, and c) access to experienced legal talent. Also, most garage stage fintechs lack a culture of regulatory compliance, and they may also lack a secure environment around systems and data.

Stage Two: Initial Growth
Initial Growth stage fintechs are beginning to grow and acquire customers. They usually have compliance systems in place (although they are often weak and almost certainly lack adequate testing). Most of these companies will also have SOC reports. Do not think, however, that this means the fintech is necessarily buttoned up. Such reports merely help you perform your own due diligence, which will necessarily dig much deeper. But if your bank has the right skills, including the strong CIO, risk-management and legal expertise mentioned above, the initial growth stage can also be a very rewarding point to get involved with a fintech.

Stage Three: Rapid Growth
These firms are moving swiftly but are still short of sustained profitability. On the other hand, they can offer great competitive advantages for early bank adopters. The bank benefits from the experiences of earlier customers while avoiding most of the risks of working with earlier stage companies. A key benefit of working with these more mature types of fintechs is the likely presence of a formal cybersecurity program that incorporates recurring network penetration tests, vulnerability management and whitehat hacking.

Stage Four: Maturity
The mature fintech is a consistently profitable business that may have been around for a decade or more and has top people, products and processes. Security is a top priority at these institutions, with most participating in the Financial Services Information Sharing and Analysis Center and the FBI’s InfraGard Program. There is much less risk working with a mature fintech than with younger companies. One possible downside to working with a mature fintech is that it can seem truly interested in its clients’ challenges only at contract renewal time.

So there is no easy answer to the question of when to engage. Fintech companies at every stage have much to offer. Whether a relationship with a particular firm is right for your bank depends on its capabilities and risk tolerances—and what you are looking for in a partner. The best course in all cases is to perform deep due diligence on any potential fintech partner and check its references with other bank customers.

Bank Director’s Bank Compensation & Talent Conference to Highlight Culture


Corporate culture will be on center stage at Bank Director’s 2017 Bank Compensation & Talent Conference, which begins on Monday, October 23, at The Ritz-Carlton Amelia Island in Florida with peer exchanges and a workshop. On Tuesday and Wednesday, October 24-25, the main conference takes place with presentations on incentive compensation, leadership development, business strategy and insights from bank CEOs and directors.

Culture is an important but under-examined topic in banking because of the connection between the culture of a company and its financial performance and regulatory compliance track record. To understand that, look no further than the fraudulent account opening scandal at Wells Fargo & Co. This was clearly a cultural issue, where a large number of people in the retail bank were willing to break the law just to elevate their own compensation, or keep their jobs.

The opening general session on Tuesday, “Culture Eats Compensation for Breakfast,” will examine the importance of culture in a bank’s performance, and how its compensation philosophy and practices can reinforce culture. A second general session on Tuesday, “Creating a Company That Scales,” will look at how bank management teams with experience acquiring other banks are able to take the cultures of two banks and successfully integrate them to get the full value of the acquisition.

One of the most important responsibilities of the board is to make sure the bank is doing a good job of managing its talent, from the CEO’s office down to middle management. A session titled “The Board’s Role in Leadership Development” will review some best practices for bringing talented people into the organization and then making sure they have an opportunity to grow and expand. Managing the CEO succession process is especially important given the key role that individual plays in the bank.

Other general sessions scheduled on Tuesday and Wednesday include “All Business Models Are Not Created Equal,” which will look at how three factors—the increased use of technology, the continued popularity of online and mobile channels, and the changing demographics of banking’s customer base—are impacting the talent selection process. The impact that disruptive market forces like financial technology are having on how banks interact with and attract customers and recruit talent will be explored Wednesday in the general session titled “Managing Disruption & Compensating for Innovation.”

Four Tips for Choosing a Bank Partner



In January, I shared four tips for banks to consider when deciding whether to enter into a new fintech partnership. How about the other half of that relationship? If you work for a fintech company, let me give you my perspective as a banker who has worked with many of them.

Cultural Alignment: This is probably one of the most important considerations for both parties. If you’re in the early stages of growth, you’re probably used to making decisions quickly and collaboratively, without much red tape. For that reason, you probably consider most bankers slow-moving by comparison. First, I’d say that understanding the regulatory environment in which banks operate may alleviate some frustration. (There are often good reasons for banks to operate with caution. See tip number four, compliance buy-in, from my January article.) However, that doesn’t mean you should settle for a partner that doesn’t understand your culture—or worse yet, has established one that is at odds with yours. Look for a bank that’s responsive, allows you access to key decision makers, is open-minded to your ideas and commits itself to finding ways to make things work.

Strategic Fit: If you’re able to “check the box” on cultural alignment, you’ll want to consider strategic plans. Make sure you understand a few critical issues: How does this relationship fit into your strategic plan? Do you understand how the bank sees your service or technology fitting into its strategic goals? Exploring these questions helps lay the foundation for a mutually beneficial partnership. If you’re setting out to create a specific product or service, go past the initial implementation phase and consider sharing roadmaps with your potential bank partner. Just as it is important for us to understand where you’re looking to take your company over the next six to 24 months, it is important for you to know where the bank is headed and understand our approach to executing projects—both with the partnership and with other key initiatives.

Compliance Expertise: Look for a partner that not only has deep knowledge of the regulatory field, but is willing to work with you to navigate it. Having the compliance talk early on allows you to test if the bank is one that can help you avoid potential compliance headaches down the line, is willing to help develop alternatives where appropriate, and is genuinely invested in the success of the partnership.

Business Terms: If you have found a bank partner that is both culturally and strategically aligned with your company and has the right mindset when it comes to risk management, the discussions around business terms—while critically important—should fall into place rather easily. Beware of a contentious, back-and-forth negotiation; at this point both organizations should be in agreement around what success looks like. While it is important for you to establish an agreement that allows you to achieve your goals, remember that is exactly what your bank partner is looking for as well. Having a “we’re in this together” mentality also helps. You have a great idea to bring to market and an innovative team to make it happen. Your bank partner provides industry experience, a charter, access to a balance sheet and FDIC coverage—all of which will be valuable (and depending on your business plan, potentially necessary) contributions that will prove to be even more important down the road.

Keeping a few of these concepts in mind as you approach your next business development meeting with a potential bank partner will increase the likelihood that you will have a successful experience.

Looking to Save Money on Compliance? Here’s How


Compliance in the financial services industry is absolutely necessary but absolutely time-consuming as well. For community banks in particular, pragmatic evolution of the way compliance is handled is absolutely critical for survival in a highly competitive and increasingly complex market.

Recent estimates suggest that over 300 million pages of regulatory documents will be published by 2020 and over 600 legislative initiatives need to be cataloged by a medium-sized institution. Just the scale and pace of the changing rules that community banks need to comprehend, let alone the implications, is paralyzing to say the least. Therefore, the necessity for resource-efficient compliance solutions in the coming years is expected to skyrocket—professionals suggest that the global demand for regulatory compliance and governance software is expected to reach $118.7 billion by 2020.

While compliance certainly looks very expensive, non-compliance blows even a bigger hole in the budget of any company. In fact, financial institutions in the U.S. alone have paid over $160 billion in fines for non-compliance.

Regtech, or regulation technology, refers to a set of companies and solutions that address regulatory challenges across industries, including financial services, through innovative technology. There are about 6,000 technology companies flooding the market with innovative solutions in financial services alone, arguably one of the most complex industries anywhere.

These firms provide access to simpler regulations through a SaaS (software as a service) model, supporting clients in developing the necessary reports and eliminating the need for additional expenditures on consultancy firms and expert services.

As opposed to legacy systems, regtech is agile and ever-evolving by nature. The industry brings together next-generation technologies—blockchain, AI (artificial intelligence), cloud computing, API (application programming interface), biometrics, robo-advisors, etc.—to enable financial institutions, most importantly smaller ones, to operate at a new level of efficiency and release resources for innovation.

Enhanced KYC Efficiency
Almost every financial institution has to have a robust know-your-customer (KYC) identification program in place and perform ongoing tracking and monitoring of customer transactions. All of this includes multiple detailed compliance rules.

To overcome this difficulty, regtech solutions automate those processes to an extent, thereby reducing the cost of managing compliance. Moreover, regtech solutions tailored specifically for online verification bring down the time and total cost of on-boarding, thus enhancing the customer experience.

Substantial Compliance Cost Reduction
Costs are a real problem in the compliance space, and the relative cost of compliance substantially increases with the decreasing size of the financial institution. While banks with assets ranging from $1 billion to $10 billion reported total compliance costs averaging 2.9 percent of their noninterest expenses, banks with less than $100 million in assets reported costs averaging 8.7 percent of their noninterest expenses.

Cost reduction in the compliance department has far-reaching implications. A community bank-focused survey, conducted at the end of last year, indicated that regulatory compliance accounted for 11 percent of their personnel expenses, 16 percent of data processing expenses, 20 percent of legal expenses, 38 percent of accounting and auditing expenses and 48 percent of consulting expenses. Being a technology-driven rather than manual response to a problem, regtech significantly drives down all the above-mentioned expenses, almost eliminating some of them.

Agility, Flexibility and Learning
Normally cloud-based, regtech solutions are agile, which leads to great flexibility and speed of reporting, ensuring a high level of control over information. Application of AI in regtech enriches it with the ability to keep organizations up-to-date on the evolving regulatory environment, thus reducing the risk of non-compliance-case expenses.

Machine learning can identify complex, nonlinear patterns in large data sets and create more accurate risk models. Among the other benefits brought by AI into regtech are handling customer protection and complaints, monitoring of behavior and internal culture in organizations, KYC regulations, and real-time monitoring of new regulatory requirements and modification. Banks can use regtech for stress testing, as well as to monitor for fraud and cybersecurity problems.

Security and Reduced Deployment Time
Data encryption and real-time monitoring capabilities make regtech solutions secure. Regtech also speeds up the implementation of compliance initiatives, thus enabling businesses to focus instead on business goals. Being cloud-based, regtech enables organizations to manage and back up data remotely while keeping it secured.

Being multi-purpose by design, the regtech ecosystem is highly diverse. There are over 100 companies in the space addressing various specific needs, including CrowdBounder, Suade, Ayasdi and Neurensic.

Given all the benefits listed above and many more, regtech has an astonishing return on investment. Experts in the field suggest that investments in regulatory software can lead to an ROI of more than 600 percent with a payback period of fewer than three years.

Manage Risk More Effectively


In today’s connected, interrelated world of finance, it’s hard for bankers to see all the complex relationships between different groups of customers—perhaps some are subsidiaries of larger firms, guarantors of third-party loans, or investors in the same funds. Whatever their nature, these hidden links can multiply the risk of lending by exposing you to more risk than you’re prepared to assume.

One of the missing links that worsened the 2008 financial crisis was the inability of financial institutions to accurately connect exposures to the responsible entity. In some cases, the same entity was recorded twice in the system under different names. In some cases, the ownership or credit relationship among entities was not defined, and in others, manual data entry errors distorted the entity identity or its hierarchical relationships.

A uniquely defined entity aids in risk management by helping banks know who is carrying risk for them and allows organizations to capture operational efficiencies. In a sense, banks build their entire organizations around entities. For instance, a retail and commercial bank will have separate business divisions that look after different groups. Once these entities are known and structured within their hierarchies and groups, banking organizations apply risk calculations along these hierarchies to get an accurate view of the risk contribution of an entity. Good entity management confers a host of benefits on the bank:

Improved Operational Efficiency
Being able to construct a full view of the entity rather than seeing it from the perspective of a single account could deliver substantial cost reductions by helping banks avoid large scale duplication in the recording and maintaining of customer data. Creating an entity record in the system involves manually inputting entity details such as entity name, country of operations, tax ID number, chief executive and so on. Moreover, this information has to be updated on a regular basis, exposing the records to greater manual errors.

Accurate Risk Aggregation
When aggregating limits for risk appetite calculations, banks need to make sure that the appropriate entities’ data is included in the calculations to avoid misrepresentation, undercounting, or even double-counting. Entity-to-entity and facility-to-entity risk aggregation calculations used to allocate risk to the correct owner depend on this unique entity definition.

Counterparty Risk Management
Collateral and guarantees are risk mitigants that help reduce the credit risk of a particular borrowing transaction with an entity. This is achieved primarily by offering the bank an alternative or secondary source of repayment should the borrowing entity be unable to pay back a loan by itself. Looking at the entire deal structuring process, identifying who owns the collateral and who is providing the guarantee becomes critical for effective risk mitigation.

Entity Risk Grades
Typically, company financial statements are important inputs to the calculation of an entity risk grade, which in turn is used to calculate capital allocation against loans made to entities. Hence, it’s important to ensure that the correct financials for the entity are being used. In larger organizations, entities are linked together in a complex hierarchical relationship with intertwined risk. These situations may mean that the entire group shares common risk, resulting in the risk grade of one entity being distributed to other entities across the hierarchy.

Data Privacy and Security
From a regulatory perspective, banks have to demonstrate the integrity of their data, showing that no unauthorized person has access to the data or an opportunity to change it. In cases of sensitive, restricted deals, banks have to ensure that the access of any employee outside the deal team is prohibited. In other words, banks need a system where they can manage user access to entities along with the actions those users can take on those entities.

Demonstrating Regulatory Compliance
Know-your-customer regulations are in effect in all advanced economies and require that banks identify every customer to satisfy anti-money laundering rules, sanctions, fraud and other financial crime measures. The Basel Committee on Banking Supervision (BCBS) regulations also drive demand for identification. Leverage, liquidity and many other ratios calculated under different Basel regimes assume that the banks have properly identified entities.

Reporting on Transactions
Banks are required to prove that their records are accurate even when the actual borrower may be buried under a complex web of entity relationships and hierarchies. The principles for effective risk data aggregation and risk reporting are set out in BCBS 239, which requires accurate, true and clean data broken down along several dimensions. A unique entity identifier stored within the database makes it possible to query and report at the required level of granularity.

For more on this topic, see our white paper.

What You Don’t Know About Network Defenses Can Definitely Hurt You



Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: occurs when an attacker hijacks a network session shared by two systems by masquerading as one of them.
  • Password cracking: involves identifying the password of a user or administrator to gain system access.
  • Denial of Service (DoS) attacks: bombard a system, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate software or hiding malicious ones; and remote access trojans (RATs), disguised as legitimate programs, but giving attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. However, recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

Does the Future of Community Banking Rest on Technology?


In Bank Director’s 2016 Technology Survey, the participants identified the following as the greatest business concerns in terms of the growth and profitability of their banks: regulatory compliance (59 percent), becoming more efficient (38 percent), competition from other banks (30 percent), regulations from the Consumer Financial Protection Bureau (28 percent), weak economic growth in their market (28 percent) and the ability to implement new technology (27 percent).

It’s hardly a surprise that regulatory compliance was the top concern of the 199 survey participants, a group that included bank CEOs, board chairs, independent directors, chief financial officers and senior technology executives. Fifty-eight percent of the respondents represent banks with $1 billion in assets or less, and this group has been disproportionately impacted by the significant increase in regulations that has occurred since the 2008 to 2009 financial crisis. In many respects, this is actually a money problem—hence the respondents’ concern about the impact of regulation on their profitability. While banks of all sizes have seen their compliance costs go up, small banks lack the scale or revenue base to absorb those higher costs as efficiently as large ones can.

Most of these issues are actually interrelated. The increased regulatory burden is one of several reasons why banks need to become more efficient, since this would help ease the pressure on their profitability from higher compliance costs. And one of the ways in which they will become more efficient will be through the implementation of new technology. For example, as banks place greater emphasis on digital distribution, in response to customer demand, they will be able to reduce the number of branches they have—which will lead to significant cost savings. Weak economic demand is one reason why banks worry about competition from other banks. Banking has become a zero-sum game in the current economy, with everyone scratching and clawing to get what they can.

Another possible answer to this question was competition from nonbank entities, and only 22 percent of the respondents chose this as one of their top three concerns. However, when we asked them later in the survey to identify the nonbank competitors that worried them the most, online marketplace lenders received the most votes, at 48 percent. And when we asked them how they felt about competition from these online lenders, 60 percent said they should be more highly regulated and 41 percent worried that these lenders could siphon off loans from their banks.

There is a definite theme that emerges from these questions. The survey participants are worried about the higher cost of regulation and its impact on the profitability of their banks. A majority of them also believe it’s unfair that banks are more heavily regulated than marketplace lenders, which are hardly regulated at all and yet compete with banks for business. Of course, banks are also experiencing lots of competition from other banks, as well as their old nemesis the credit unions. But the rise of marketplace lenders as a competitive threat is especially troublesome because it’s been enabled by advances in technology that banks are scrambling to keep pace with.

I am one who believes that marketplace lenders are here to stay. Individual companies will wax and wane, but the underlying dynamic that supports them—data-driven loan underwriting technology—is growing in usage. And it’s beginning to go mainstream. Goldman Sachs, the gold-plated investment bank, has launched a marketplace lending operation called Marcus that will compete with the likes of Lending Club and SoFi for unsecured consumer loans. And JP Morgan Chase & Co., the country’s largest bank, has teamed up with On Deck Capital to target the small business loan market.

My sense is that most community banks under $1 billion in assets have yet to feel the full effects of competition from marketplace lenders because they are tightly focused on commercial real estate and C&I lending opportunities in their local markets, while marketplace lenders have focused mostly on unsecured personal and small business loans. But for how long? I’d be very surprised if data-driven underwriting technology doesn’t begin to find a place in the CRE and C&I loan markets as well because the efficiency advantages are too great to ignore.

There is some talk that marketplace lenders should be regulated just like the banks, and the Office of the Comptroller of the Currency has even raised the possibility of a federal charter for nonbank marketplace lenders. That might create more of a level playing field when it comes to the regulatory burden issue, but financial reform moves slowly in Washington, so I wouldn’t expect the feds to ride to the industry’s rescue anytime soon. I think community banks will have to solve this problem on their own, primarily through the implementation of new technology that will significantly improve their efficiency.

Only 27 percent of the survey respondents included technology as one of their three greatest business concerns, but it should have been at the top of the list.

Mitigating Risk When Choosing a BOLI Carrier for Your Community Bank


If your community bank is considering revamping your benefits offerings, you’ve probably thought about Bank-Owned Life Insurance (BOLI). Purchasing BOLI is one of the lowest risk ways for banks to fund the cost of their benefits, and for a community bank struggling to compete with commercial banks for top talent, this may be a strategic financial decision. While BOLI is a long-term investment, it generates tax-free interest, making it extremely appealing to community banks. As with any investment, the decision to purchase a BOLI portfolio must be carefully considered so you can get the most return with as little risk as possible. Here are some ways to ensure you choose the right BOLI carrier and get the most out of your policy.

  1. Document every part of the process to ensure compliance. Regulations require careful attention, and national bank regulators provide a roadmap for the pre-purchase due diligence and ongoing risk management of BOLI. Before beginning the process of selecting a BOLI carrier, keep in mind that every step your community bank takes needs to be documented. From when you first purchase BOLI and throughout the life of your policy, documentation is absolutely critical for regulatory compliance, so you should frequently review reports of the performance of your BOLI assets. If any process isn’t documented, then in the eyes of regulators, it doesn’t exist. If you’re unsure of the proper protocol, working with a consultant who understands the regulatory process can help you with any issues that arise.
  2. Conduct a financial analysis of BOLI carriers. When choosing between BOLI carriers, you need to look at a variety of metrics to make the best decision. In the past, some banks’ decision making was reliant on ratings from independent agencies, and while ratings are still important, they are not the only thing you need to consider. By conducting a financial analysis of the carrier, you can get a clearer picture of whether the purchase will keep risk low while providing the yield your bank needs to fund competitive benefits. Here are financial metrics that can help you narrow down your options to a shortlist of low-risk choices:

    • Financial strength: Looking at the carrier’s balance sheet and income statement can help you determine the company’s financial strength, as can ratings from outside agencies.
    • Asset quality: By reviewing publicly available information about the carrier’s assets, you can identify any unusual trends and verify the carrier’s claims paying ability.
    • Risk-Based Capital: Review the carrier’s level of capital over time, compared to the regulatory required amount.
    • Investment philosophy: How does the carrier approach their investment portfolio; what techniques do they use for asset liability matching?
    • Experience in the BOLI market: How long has the carrier been active in the BOLI industry, and have they built a reputation for success in that time?
    • Ownership structure: Is there a parent company that could provide support in time of distress? Does the carrier have a stock or mutual ownership structure?
  3. If you need help, work with an executive benefits consultant. Choosing the right BOLI package for your community bank is an important decision and there are many compliance and regulatory issues that some banks just don’t feel comfortable navigating on their own. Working with an expert is the best way to make the most profitable, lowest-risk decision and to ensure regulatory compliance. Your consultant must understand the operating environment of your bank and your strategic interests in order to help you reach your financial goals and fund your benefits package. While selecting a BOLI carrier and deciding how to fund your purchase is complicated and may require outside help, it is an option that has enabled many community banks to offer more competitive benefits to employees.

Preparing Your Bank for Sale


If your board is considering a sale of the institution, you’re not ready to sell if you’re not prepared to sell. There are a variety of issues that your board will need to consider if it wants to maximize the value of the bank’s franchise in a sale. Many, although not all, of these considerations involve the bank’s balance sheet. Other important issues include cutting overhead costs and dealing with regulatory compliance issues. Sal Inserra, an Atlanta-based partner for the accounting and consulting firm Crowe Horwath LLP, offered the following advice to Bank Director Editor in Chief Jack Milligan.

Take a hard look at impaired loans on your balance sheet.
When bank executives consider a sale and analyze the loan portfolio, they are not always looking at it from the perspective of a potential buyer. If there’s a problem customer, they have a sense of the potential collection on that impaired loan. When buyers come in cold, they don’t have that history. They are doing an antiseptic review. It is numbers on a page that lead to a conclusion. They’re not going to accept the backstory as a reason why they should pay more for the loan than they think they should. If you have another appraisal in hand that shows the value higher, they may give credence to that, but not as it relates to the sob story. From the buyer’s perspective, if a loan is leveraged with 100 percent loan-to-value with a five-year life, the prospective buyer will require accretion yield of 9 percent to be attractive given the risk. If the coupon on that loan is only 5 percent, the buyer is only going to pay 75 cents on the dollar to achieve their yield. You have to get past the subjective analysis and get more objective detail about that impaired loan. You need to get the most current financial information possible about that impaired loan and the borrower.

Avoid bad leverage transactions as much as possible.
A bad leverage transaction sometimes occurs when the bank has excess deposits and invests in securities of different durations in an attempt to leverage the capital in the financial institution. Depending on how far out into the future the bank is leveraged, it could end up in a bad position where the assets are at a fixed rate, and the liabilities are at a variable rate. And because the bank is maximizing yield, as liabilities start creeping up, net interest margin can erode rather quickly. In the current market, unless the bank wants to go out four or five years or more on a bond and take some credit risk in something other than a U.S. Treasury security, the bank is going to have a pretty narrow net interest margin. Rather than buy low-earning securities, you might benefit your bank’s value by waiting for a buyer with a high loan-to-deposit ratio that needs additional funding. If the seller has excess funding that hasn’t been tied up, that could be a very lucrative purchase to a bank that needs the funding. But once the seller has tied that funding up in something with a narrow net interest margin, the buyer will have to unwind that in order to get value. And if the buyer has to take a hit to unwind that investment, it’s going to impact the seller’s value.

Manage excess capital on the balance sheet.
This is really about how you spin the story of selling the bank. Let’s say you have $50 million in capital. So if you sell for two times book value, you would get $100 million. But of that $50 million, let’s say that $10 million has not been deployed, so you’re not going to get two times $50 million. You’re going to get 1.60 times $50 million, which is $80 million. However, if the bank gets rid of that $10 million in excess capital by paying it out in dividends, it will receive $70 million, but because it is now working off a $40 million base, the bank reports a higher premium. Net cash is still $80 million when you consider the dividend.

Another approach would be to try to leverage up that excess capital. Where you may have turned down a loan before because the pricing wasn’t good, but it was still going to create a good margin and a decent return on investment, the bank may want to invest in the loan because at least it becomes an earning asset. This strategy will depend on what is available in the market.

Shed costly assets or debt before attempting to sell the bank.
Since the value of the bank is based on future earnings, if the bank is carrying some high cost debt, it’s going to impact future margins. Or if the bank has low yielding assets, that’s going to affect future margins. When buyers come in to price those assets and liabilities, they’re going to knock down the value of the bank. Most high cost debt has a prepayment penalty associated with it, so there’s a net cost to get out of that debt. But when it comes to low yielding assets, the bank can maximize net interest margin by getting rid of assets that are going to cause issues for future earnings.

Focus on cost control prior to a sale.
When it comes to cost control, the first thing to look at is the branch network. It’s no secret that branch activity continues to decrease as folks get more and more comfortable with digital banking. I love [author Brett King’s motto], “Banking is no longer somewhere you go, it’s something you do.” And the value of a seller’s branch network may be going down because the cost of maintaining those branches is still significant, not only from a hard cost standpoint but also with training staff, marketing and all the other costs of operating a branch. So take a hard look at those branches that buyers are going to consider exiting. If the bank can start narrowing those costs by closing some of those marginal branches, so that the buyer can see what the run rate is going forward, that will help improve value because the value is going to be driven on the multiple of future earnings.

The other thing I would focus on is staffing. A lot of banks have made big strides in technology, but they haven’t reevaluated their head counts. And they need to do a review of what is necessary to operate and deliver service. A phrase I hear a lot is, “We’re not going to change our head count, we’re going to grow into it.” And that doesn’t necessarily work because as you grow, it doesn’t mean the resources are going to be able to continue to help you get to the next level. So doing a critical analysis of head count is key. Those are the two major variables—branches and people—that when addressed can help you improve your efficiency.

Avoid entering into long-term contracts if you’re considering a sale.
The thing that just makes me scratch my head is when a board is thinking about selling the bank and a year before it pulls the trigger, it enters into a four- or five-year core processing contract. The cost associated with exiting a core processing contract, unless it happens to be the same company that the buyer uses, is incredible. I’ve seen millions of dollars spent to exit a core processing contract.

Factor regulatory compliance issues in a potential sale.
If the bank knows its potential acquirers, it knows its potential new regulators. The key issue is making sure that regulator knows the seller has its compliance house in order. The seller can put together an in-house review or use external resources to address the issues of that potential regulator. If I’m a $2 billion asset bank and it’s likely that I’m going to become part of an institution that’s over $10 billion in assets, I need to be focused on issues that the Consumer Financial Protection Bureau is focused on, because I know that my portfolio is going to be subject to a CFPB review. If I’m a $200 million asset bank and I’m going to merge into a bank that’s in the $2 billion to $3 billion range, that may present a higher level of scrutiny. So knowing my potential acquirer allows for adequate preparation.