Notching Customer, Employee Wins Through Process Automation

Financial institutions are committed to improving digital banking services and enabled more digital capabilities over the past year out of necessity — but there is more transformation to be done.

In their haste to meet customers’ and employees’ needs, many banks overlooked opportunities in back-office processes that are critical to providing excellent customer service, such as operating an efficient Regulation E (Reg E) dispute tracking process along with other processes that can ease employee challenges with regulatory compliance issues.

To enable bank staff to better serve customers, financial institutions must automate their back-office dispute tracking processes. One way to do so is by implementing process automation solutions that offer workflows to direct the disputes appropriately, a single storage location for all supporting documentation and automation of mundane tasks, such as generating letters and updating general ledger accounts. Implementing this kind of automation enables banks to simplify and streamline their input of disputes, ensuring that all critical information is captured accurately and dispute intake is handled consistently. This allows banks to provide consistent engagement and faster response to their customers.

Back-office automation strengthens a bank’s regulatory compliance and customer engagement. Awaiting outcomes from back-office processes can be extremely frustrating to customers — these moments are often tied to high-stress situations, such as having their cards used fraudulently. Banks should consider how manual, error-prone dispute tracking processes negatively affect the customer experience. Institutions also gain the crucial visibility that supports their decision-making and improves compliance with regulations, mitigating the risk and cost of non-compliance.

Process automation can also eliminate the stress that impacts account holders during this process. Having back-office automation with enhanced workflows and centralized documentation allows banks to return provisional credit more quickly and minimizes errors and delays. Instead of missing deadlines and making mistakes that erode customer confidence and cause audit exceptions, back-office employees meet deadlines and process disputes consistently and accurately, avoiding fines and additional work to remedy errors.

Automation can also improve back-office productivity by enhancing visibility. Clear visibility is created when a back-office employee can immediately track documentation and data when it is needed, at any stage in the process. During an audit, an employee may need to retrieve the date that a customer filed a Reg E dispute or to prove proper credit was applied. Without the appropriate tools, such as a single dashboard for dispute tracking and one platform for all supporting documentation, employees waste time searching paper files, spreadsheets and emails to piece together the required information. A workflow automation platform means a full audit trail with supporting documentation is readily available, optimizing everyone’s time.

For example, automation at Watkinsville, Georgia-based Oconee State Bank enables employees to efficiently complete tasks and focus their attention on serving their customers without being slowed down by complicated processes. The bank reduced the amount of time it took to file consumer disputes by more than 80% through process automation.

With 12 branches across Illinois and Indiana, First Bank, based in Carmi, Illinois, reduced claim processing time by more than 50% and experienced positive impacts from its digital dispute process. Dispute processes that can be easily tracked enable bank executives to clear audits and gain greater visibility into risk and compliance across their institution.

The visibility banks gain through automation improves their decision-making. Hard-to-access information and lack of visibility can be especially defeating when managing risk and compliance. Not only does incorrect or unavailable information open the door for human error, but it can also lead to financial loss. In areas like Reg E dispute tracking, this financial loss can be a result of not identifying a fraudulent dispute or trends of fraudulent charges. Process automation helps by supporting a methodical approach to reducing fraud and increasing visibility of high-risk merchants and customers.

This kind of attentive review during the Reg E process can help banks reduce the amount of undetected fraud and lower their write-off threshold, which is the pre-established amount set by an individual financial institution, under which any dispute is automatically written off as a financial loss. These thresholds are traditionally set with the back-office staff’s bandwidth in mind; with more free time, banks can lower this threshold and avoid automatic losses. For instance, after implementing an automated Reg E dispute tracking solution, Happy State Bank, the bank unit of Canyon, Texas-based Happy Bancshares, was able to lower its write-off threshold from $100 to $50 per dispute.

Tackling process automation can help banks compete and win while improving the level of service provided to customers. This technology empowers staff to be more responsive and alert to trends, enabling better decision-making and saving both cost and time. Implementing process automation allows banks to differentiate themselves from their competitors by providing consistent engagement and faster responses to customers. Process automation is the key to optimizing efficiency within any financial institution.

The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance usually doesn’t drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will depend on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

Effective Cybersecurity Demands Involvement From Everyone at Your Bank

Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department; executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring or unattended security information and event monitoring functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often are necessary; however, many institutions require more tailored controls and processes. Rather than relying on one-size-fits-all systems alone, organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial services organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in the departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who are monitoring account and system activity should be included in this process, but key stakeholders and employees who are client and third-party facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specific to their roles and the associated.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

When is the Ideal Time to Engage a Fintech Partner?

Fintech startups excel at giving birth to new ideas—ideas that do not get shut down by IT departments worried about security or compliance, or legal departments worried about a lack of regulatory guidance, or finance departments worried about high costs and likelihood of failure. We use fintech startups and possibly your bank uses them, too.

When we started up our firm 16 years ago, you could count the number of banks “potentially interested” in our prospective service on two hands and the word “fintech” had not yet entered the lexicon. Today our company serves thousands of banks and processes billions of dollars in deposits every week.

We have found through experience that fintechs have a particular kind of life cycle, which is really a continuum, but which, for discussion’s sake, can be broken down into four stages: the Garage, Initial Growth, Rapid Growth, and Maturity. How a bank interacts with a fintech in each of these stages can help it to manage the level of risk it wants to bear, how much work it will have to expend, and how much value it might realize from that engagement. The big question, then, is when to engage.

Stage One: The Garage
This is the proof-of-concept stage. The reward for working with a garage stage company is potentially enormous. However, the overwhelming number of garage stage fintechs fail. Banks probably do not want to consider engagement at this stage unless the bank has a) an extremely experienced CIO, b) a robust risk-management system, and c) access to experienced legal talent. Also, most garage stage fintechs lack a culture of regulatory compliance, and they may also lack a secure environment around systems and data.

Stage Two: Initial Growth
Initial Growth stage fintechs are beginning to grow and acquire customers. They usually have compliance systems in place (although they are often weak and almost certainly lack adequate testing). Most of these companies will also have SOC reports. Do not think, however, that this means the fintech is necessarily buttoned up. Such reports merely help you perform your own due diligence, which will necessarily dig much deeper. But if your bank has the right skills, including the strong CIO, risk-management and legal expertise mentioned above, the initial growth stage can also be a very rewarding point to get involved with a fintech.

Stage Three: Rapid Growth
These firms are moving swiftly but are still short of sustained profitability. On the other hand, they can offer great competitive advantages for early bank adopters. The bank benefits from the experiences of earlier customers while avoiding most of the risks of working with earlier stage companies. A key benefit of working with these more mature types of fintechs is the likely presence of a formal cybersecurity program that incorporates recurring network penetration tests, vulnerability management and whitehat hacking.

Stage Four: Maturity
The mature fintech is a consistently profitable business that may have been around for a decade or more and has top people, products and processes. Security is a top priority at these institutions, with most participating in the Financial Services Information Sharing and Analysis Center and the FBI’s InfraGard Program. There is much less risk working with a mature fintech than with younger companies. One possible downside to working with a mature fintech is that it can seem truly interested in its clients’ challenges only at contract renewal time.

So there is no easy answer to the question of when to engage. Fintech companies at every stage have much to offer. Whether a relationship with a particular firm is right for your bank depends on its capabilities and risk tolerances—and what you are looking for in a partner. The best course in all cases is to perform deep due diligence on any potential fintech partner and check its references with other bank customers.

Bank Director’s Bank Compensation & Talent Conference to Highlight Culture

Corporate culture will be on center stage at Bank Director’s 2017 Bank Compensation & Talent Conference, which begins on Monday, October 23, at The Ritz-Carlton Amelia Island in Florida with peer exchanges and a workshop. On Tuesday and Wednesday, October 24-25, the main conference takes place with presentations on incentive compensation, leadership development, business strategy and insights from bank CEOs and directors.

Culture is an important but under-examined topic in banking because of the connection between the culture of a company and its financial performance and regulatory compliance track record. To understand that, look no further than the fraudulent account opening scandal at Wells Fargo & Co. This was clearly a cultural issue, where a large number of people in the retail bank were willing to break the law just to elevate their own compensation, or keep their jobs.

The opening general session on Tuesday, “Culture Eats Compensation for Breakfast,” will examine the importance of culture in a bank’s performance, and how its compensation philosophy and practices can reinforce culture. A second general session on Tuesday, “Creating a Company That Scales,” will look at how bank management teams with experience acquiring other banks are able to take the cultures of two banks and successfully integrate them to get the full value of the acquisition.

One of the most important responsibilities of the board is to make sure the bank is doing a good job of managing its talent, from the CEO’s office down to middle management. A session titled “The Board’s Role in Leadership Development” will review some best practices for bringing talented people into the organization and then making sure they have an opportunity to grow and expand. Managing the CEO succession process is especially important given the key role that individual plays in the bank.

Other general sessions scheduled on Tuesday and Wednesday include “All Business Models Are Not Created Equal,” which will look at how three factors—the increased use of technology, the continued popularity of online and mobile channels, and the changing demographics of banking’s customer base—are impacting the talent selection process. The impact that disruptive market forces like financial technology are having on how banks interact with and attract customers and recruit talent will be explored Wednesday in the general session titled “Managing Disruption & Compensating for Innovation.”

Four Tips for Choosing a Bank Partner


In January, I shared four tips for banks to consider when deciding whether to enter into a new fintech partnership. How about the other half of that relationship? If you work for a fintech company, let me give you my perspective as a banker who has worked with many of them.

Cultural Alignment: This is probably one of the most important considerations for both parties. If you’re in the early stages of growth, you’re probably used to making decisions quickly, collaboratively and doing it without much red tape. For that reason, you probably consider most bankers to be slow-moving by comparison. First, I’d say that understanding the regulatory environment in which banks operate may alleviate some frustration. (There are often good reasons for banks to operate with caution. See tip number four, compliance buy-in, from my January article.) However, that doesn’t mean you should settle for a partner that doesn’t understand your culture—or worse yet, has established one that is at odds with yours. Look for a bank that’s responsive, allows you access to key decision makers, is open-minded to your ideas and commits itself to finding ways to make things work.

Strategic Fit: If you’re able to “check the box” on cultural alignment, you’ll want to consider strategic plans. Make sure you understand a few critical issues: How does this relationship fit into your strategic plan? Do you understand how the bank sees your service or technology fitting into its strategic goals? Exploring these questions helps lay the foundation for a mutually beneficial partnership. If you’re setting out to create a specific product or service, go past the initial implementation phase and consider sharing roadmaps with your potential bank partner. Just as it is important for us to understand where you’re looking to take your company over the next six to 24 months, it is important for you to know where the bank is headed and understand our approach to executing projects—both with the partnership and with other key initiatives.

Compliance Expertise: Look for a partner that not only has deep knowledge of the regulatory field, but is willing to work with you to navigate it. Having the compliance talk early on allows you to test if the bank is one that can help you avoid potential compliance headaches down the line, is willing to help develop alternatives where appropriate, and is genuinely invested in the success of the partnership.

Business Terms: If you have found a bank partner that is both culturally and strategically aligned with your company and has the right mindset when it comes to risk management, the discussions around business terms—while critically important—should fall into place rather easily. Beware of a contentious, back-and-forth negotiation; at this point both organizations should be in agreement around what success looks like. While it is important for you to establish an agreement that allows you to achieve your goals, remember that is exactly what your bank partner is looking for as well. Having a “we’re in this together” mentality also helps. You have a great idea to bring to market and an innovative team to make it happen. Your bank partner provides industry experience, a charter, access to a balance sheet and FDIC coverage—all of which will be valuable (and depending on your business plan, potentially necessary) contributions that will prove to be even more important down the road.

Keeping a few of these concepts in mind as you approach your next business development meeting with a potential bank partner will increase the likelihood that you will have a successful experience.

Looking to Save Money on Compliance? Here’s How

Compliance in the financial services industry is absolutely necessary but absolutely time-consuming as well. For community banks in particular, pragmatic evolution of the way compliance is handled is absolutely critical for survival in a highly competitive and increasingly complex market.

Recent estimates suggest that over 300 million pages of regulatory documents will be published by 2020 and over 600 legislative initiatives need to be cataloged by a medium-sized institution. Just the scale and pace of the changing rules that community banks need to comprehend, let alone the implications, is paralyzing to say the least. Therefore, the necessity for resource-efficient compliance solutions in the coming years is expected to skyrocket—professionals suggest that the global demand for regulatory compliance and governance software is expected to reach $118.7 billion by 2020.

While compliance certainly looks very expensive, non-compliance blows an even bigger hole in the budget of any company. In fact, financial institutions in the U.S. alone have paid over $160 billion in fines for non-compliance.

Regtech, or regulation technology, refers to a set of companies and solutions that address regulatory challenges across industries, including financial services, through innovative technology. There are about 6,000 technology companies flooding the market with innovative solutions in financial services alone, arguably one of the most complex industries anywhere.

These firms provide access to simpler regulations through a SaaS (software as a service) model, supporting clients in developing the necessary reports and eliminating the need for additional expenditures on consultancy firms and expert services.

As opposed to legacy systems, regtech is agile and ever-evolving by nature. The industry brings together next-generation technologies—blockchain, AI (artificial intelligence), cloud computing, API (application programming interface), biometrics, robo-advisors, etc.—to enable financial institutions, most importantly smaller ones, to operate at a new level of efficiency and release resources for innovation.

Enhanced KYC Efficiency
Almost every financial institution has to have a robust know-your-customer (KYC) identification program in place and perform ongoing tracking and monitoring of customer transactions. All of this includes multiple detailed compliance rules.

To overcome this difficulty, regtech solutions automate those processes to an extent, thereby reducing the cost of managing compliance. Moreover, regtech solutions tailored specifically for online verification bring down the time and total cost of on-boarding, thus enhancing the customer experience.

Substantial Compliance Cost Reduction
Costs are a real problem in the compliance space, and the relative cost of compliance substantially increases with the decreasing size of the financial institution. While banks with assets ranging from $1 billion to $10 billion reported total compliance costs averaging 2.9 percent of their noninterest expenses, banks with less than $100 million in assets reported costs averaging 8.7 percent of their noninterest expenses.

Cost reduction in the compliance department has far-reaching implications. A community bank-focused survey, conducted at the end of last year, indicated that regulatory compliance accounted for 11 percent of their personnel expenses, 16 percent of data processing expenses, 20 percent of legal expenses, 38 percent of accounting and auditing expenses and 48 percent of consulting expenses. Being a technology-driven rather than manual response to a problem, regtech significantly drives down all the above-mentioned expenses, almost eliminating some of them.

Agility, Flexibility and Learning
Normally cloud-based, regtech solutions are agile, which leads to great flexibility and speed of reporting, ensuring a high level of control over information. Application of AI in regtech enriches it with the ability to keep organizations up-to-date on the evolving regulatory environment, thus reducing the risk of non-compliance-case expenses.

Machine learning can identify complex, nonlinear patterns in large data sets and create more accurate risk models. Among the other benefits AI brings to regtech are handling customer protection and complaints, monitoring of behavior and internal culture in organizations, KYC regulations, and real-time monitoring of new regulatory requirements and modifications. Banks can use regtech for stress testing, as well as to monitor for fraud and cybersecurity problems.

Security and Reduced Deployment Time
Data encryption and real-time monitoring capabilities make regtech solutions secure. Regtech also speeds up the implementation of compliance initiatives, thus enabling businesses to focus instead on business goals. Being cloud-based, regtech enables organizations to manage and back up data remotely while keeping it secured.

Being multi-purpose by design, the regtech ecosystem is highly diverse. There are over 100 companies in the space addressing various specific needs, including CrowdBounder, Suade, Ayasdi and Neurensic.

Given all the benefits listed above and many more, regtech has an astonishing return on investment. Experts in the field suggest that investments in regulatory software can lead to an ROI of more than 600 percent with a payback period of fewer than three years.

Manage Risk More Effectively

In today’s connected, interrelated world of finance, it’s hard for bankers to see all the complex relationships between different groups of customers—perhaps some are subsidiaries of larger firms, guarantors of third-party loans, or investors in the same funds. Whatever their nature, these hidden links can multiply the risk of lending by exposing you to more risk than you’re prepared to assume.

One of the missing links that worsened the 2008 financial crisis was the inability of financial institutions to accurately connect exposures to the responsible entity. In some cases, the same entity was recorded twice in the system under different names. In some cases, the ownership or credit relationship among entities was not defined, and in others, manual data entry errors distorted the entity identity or its hierarchical relationships.

A uniquely defined entity aids in risk management by helping banks know who is carrying risk for them and allows organizations to capture operational efficiencies. In a sense, banks build their entire organizations around entities. For instance, a retail and commercial bank will have separate business divisions that look after different groups. Once these entities are known and structured within their hierarchies and groups, banking organizations apply risk calculations along these hierarchies to get an accurate view of the risk contribution of an entity. Good entity management confers a host of benefits on the bank:

Improved Operational Efficiency
Being able to construct a full view of the entity rather than seeing it from the perspective of a single account could deliver substantial cost reductions by helping banks avoid large-scale duplication in the recording and maintaining of customer data. Creating an entity record in the system involves manually inputting entity details such as entity name, country of operations, tax ID number, chief executive and so on. Moreover, this information has to be updated on a regular basis, exposing the records to greater manual errors.

Accurate Risk Aggregation
When aggregating limits for risk appetite calculations, banks need to make sure that the appropriate entities’ data is included in the calculations to avoid misrepresentation, undercounting, or even double-counting. Entity-to-entity and facility-to-entity risk aggregation calculations used to allocate risk to the correct owner depend on this unique entity definition.
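The roll-up described above, as an added example that is not part of the original article: exposures are keyed by a unique entity ID, so a facility recorded twice under different names is counted once and each child's exposure is carried up the hierarchy. All entity IDs, names, amounts and the alias table are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: entity IDs, names and amounts are illustrative.
# Each legal entity has exactly one ID; alternate recorded names map onto it.
ALIASES = {
    "acme holdings ltd": "E1",
    "acme holdings limited": "E1",   # same entity recorded under a second name
    "acme logistics": "E2",
    "acme retail": "E3",
}
PARENT = {"E2": "E1", "E3": "E1"}     # child entity ID -> parent entity ID

# (facility ID, borrower name as recorded, exposure)
FACILITIES = [
    ("F-100", "Acme Holdings Ltd", 5_000_000),
    ("F-100", "Acme Holdings Limited", 5_000_000),  # duplicate record of F-100
    ("F-200", "Acme Logistics", 2_000_000),
    ("F-300", "Acme Retail", 1_500_000),
    ("F-400", "Unknown Trading Co", 750_000),       # no entity ID on file
]

def resolve(name):
    """Map a recorded name to its unique entity ID, or None if unmapped."""
    return ALIASES.get(" ".join(name.lower().split()))

def aggregate(facilities):
    """Return (direct, rolled_up, unresolved) views of exposure."""
    direct, seen, unresolved = defaultdict(int), set(), []
    for fac_id, name, amount in facilities:
        entity = resolve(name)
        if entity is None:
            unresolved.append(fac_id)    # flag for review, never guess an owner
            continue
        if (fac_id, entity) in seen:     # same facility, same entity: count once
            continue
        seen.add((fac_id, entity))
        direct[entity] += amount
    rolled = defaultdict(int)
    for entity, amount in direct.items():
        node, visited = entity, set()
        while node is not None and node not in visited:  # guard against cycles
            visited.add(node)
            rolled[node] += amount       # exposure counts at every ancestor
            node = PARENT.get(node)
    return dict(direct), dict(rolled), unresolved
```

Facilities whose borrower cannot be resolved are returned separately so they can be fixed at the source instead of being silently dropped or misattributed.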

Counterparty Risk Management
Collateral and guarantees are risk mitigants that help reduce the credit risk of a particular borrowing transaction with an entity. This is achieved primarily by offering the bank an alternative or secondary source of repayment should the borrowing entity be unable to pay back a loan by itself. Looking at the entire deal structuring process, identifying who owns the collateral and who is providing the guarantee becomes critical for effective risk mitigation.

Entity Risk Grades
Typically, company financial statements are important inputs to the calculation of an entity risk grade, which in turn is used to calculate capital allocation against loans made to entities. Hence, it’s important to ensure that the correct financials for the entity are being used. In larger organizations, entities are linked together in a complex hierarchical relationship with intertwined risk. These situations may mean that the entire group shares common risk, resulting in the risk grade of one entity being distributed to other entities across the hierarchy.

Data Privacy and Security
From a regulatory perspective, banks have to demonstrate the integrity of their data, showing that no unauthorized person has access to the data or an opportunity to change it. In cases of sensitive, restricted deals, banks have to ensure that the access of any employee outside the deal team is prohibited. In other words, banks need a system where they can manage user access to entities along with the actions those users can take on those entities.
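One way to model the requirement above, as an added example that is not from the original article: a default-deny check that combines what a user's role may do with whether the user is on the deal team for a restricted entity, and records every decision so access can be demonstrated later. The role names, user names and entity IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Entity:
    entity_id: str
    restricted: bool = False              # sensitive, restricted deal
    deal_team: frozenset = frozenset()    # users allowed when restricted

# Role -> actions that role may take on an entity (illustrative roles).
ROLE_ACTIONS = {
    "analyst": {"view"},
    "relationship_manager": {"view", "edit"},
    "auditor": {"view"},
}

@dataclass
class AccessController:
    roles: dict                                   # user -> role
    audit_log: list = field(default_factory=list)

    def authorize(self, user, action, entity):
        """Default deny: allow only if the role permits the action and,
        for a restricted entity, the user is on its deal team."""
        role = self.roles.get(user)               # unknown users have no role
        allowed = action in ROLE_ACTIONS.get(role, set())
        reason = "role permits action" if allowed else "role lacks action"
        if allowed and entity.restricted and user not in entity.deal_team:
            allowed, reason = False, "not on deal team"
        # Log denials as well as grants: both are evidence for an examiner.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "entity": entity.entity_id,
            "allowed": allowed, "reason": reason,
        })
        return allowed
```

Because the deal-team check runs after the role check, a senior role alone never grants access to a restricted entity.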

Demonstrating Regulatory Compliance
Know-your-customer regulations are in effect in all advanced economies and require that banks identify every customer to satisfy anti-money laundering rules, sanctions, fraud and other financial crime measures. The Basel Committee on Banking Supervision (BCBS) regulations also drive demand for identification. Leverage, liquidity and many other ratios calculated under different Basel regimes assume that the banks have properly identified entities.

Reporting on Transactions
Banks are required to prove that their records are accurate even when the actual borrower may be buried under a complex web of entity relationships and hierarchies. The principles for effective risk data aggregation and risk reporting are set out in BCBS 239, which requires accurate, true and clean data broken down along several dimensions. A unique entity identifier stored within the database makes it possible to query and report at the required level of granularity.


What You Don’t Know About Network Defenses Can Definitely Hurt You


Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: occurs when an attacker hijacks a network session shared by two systems by masquerading as one of them.
  • Password cracking: involves identifying the password of a user or administrator to gain system access.
  • Denial of Service (DoS) attacks: bombard a system, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate software or hiding malicious ones; and remote access trojans (RATs), disguised as legitimate programs, but giving attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. However, recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, in a penetration test, ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

Does the Future of Community Banking Rest on Technology?

In Bank Director’s 2016 Technology Survey, the participants identified the following as the greatest business concerns in terms of the growth and profitability of their banks: regulatory compliance (59 percent), becoming more efficient (38 percent), competition from other banks (30 percent), regulations from the Consumer Financial Protection Bureau (28 percent), weak economic growth in their market (28 percent) and the ability to implement new technology (27 percent).

It’s hardly a surprise that regulatory compliance was the top concern of the 199 survey participants, a group that included bank CEOs, board chairs, independent directors, chief financial officers and senior technology executives. Fifty-eight percent of the respondents represent banks with $1 billion in assets or less, and this group has been disproportionately impacted by the significant increase in regulations that has occurred since the 2008 to 2009 financial crisis. In many respects, this is actually a money problem—hence the respondents’ concern about the impact of regulation on their profitability. While banks of all sizes have seen their compliance costs go up, small banks lack the scale or revenue base to absorb those higher costs as efficiently as large ones can.

Most of these issues are actually interrelated. The increased regulatory burden is one of several reasons why banks need to become more efficient, since this would help ease the pressure on their profitability from higher compliance costs. And one of the ways in which they will become more efficient will be through the implementation of new technology. For example, as banks place greater emphasis on digital distribution, in response to customer demand, they will be able to reduce the number of branches they have—which will lead to significant cost savings. Weak economic demand is one reason why banks worry about competition from other banks. Banking has become a zero-sum game in the current economy, with everyone scratching and clawing to get what they can.

Another possible answer to this question was competition from nonbank entities, and only 22 percent of the respondents chose this as one of their top three concerns. However, when we asked them later in the survey to identify the nonbank competitors that worried them the most, online marketplace lenders received the most votes, at 48 percent. And when we asked them how they felt about competition from these online lenders, 60 percent said they should be more highly regulated and 41 percent worried that these lenders could siphon off loans from their banks.

There is a definite theme that emerges from these questions. The survey participants are worried about the higher cost of regulation and its impact on the profitability of their banks. A majority of them also believe it’s unfair that banks are more heavily regulated than marketplace lenders, which are hardly regulated at all and yet compete with banks for business. Of course, banks are also experiencing lots of competition from other banks, as well as their old nemesis the credit unions. But the rise of marketplace lenders as a competitive threat is especially troublesome because it’s been enabled by advances in technology that banks are scrambling to keep pace with.

I am one who believes that marketplace lenders are here to stay. Individual companies will wax and wane, but the underlying dynamic that supports them—data-driven loan underwriting technology—is growing in usage. And it’s beginning to go mainstream. Goldman Sachs, the gold-plated investment bank, has launched a marketplace lending operation called Marcus that will compete with the likes of Lending Club and SoFi for unsecured consumer loans. And JP Morgan Chase & Co., the country’s largest bank, has teamed up with On Deck Capital to target the small business loan market.

My sense is that most community banks under $1 billion in assets have yet to feel the full effects of competition from marketplace lenders because they are tightly focused on commercial real estate and C&I lending opportunities in their local markets, while marketplace lenders have focused mostly on unsecured personal and small business loans. But for how long? I’d be very surprised if data-driven underwriting technology doesn’t begin to find a place in the CRE and C&I loan markets as well because the efficiency advantages are too great to ignore.

There is some talk that marketplace lenders should be regulated just like the banks, and the Office of the Comptroller of the Currency has even raised the possibility of a federal charter for nonbank marketplace lenders. That might create more of a level playing field when it comes to the regulatory burden issue, but financial reform moves slowly in Washington, so I wouldn’t expect the feds to ride to the industry’s rescue anytime soon. I think community banks will have to solve this problem on their own, primarily through the implementation of new technology that will significantly improve their efficiency.

Only 27 percent of the survey respondents included technology as one of their three greatest business concerns, but it should have been at the top of the list.