How Subchapter S Issues Could Snag a Sale


Nearly 2,000 banks in the U.S. have elected Subchapter S tax treatment as a way of enhancing shareholder value since 1997, the first year they were permitted to make the election. Consequently, many banks have more than 20 years of operating history as an S corporation.

However, this history is presenting increasingly frequent challenges during acquisition due diligence. Acquirers of S corporations are placing greater emphasis on due diligence to ensure that the target made a valid initial Subchapter S election and continuously maintained eligibility since the election. Common issues arising during due diligence typically fall into two categories:

  • Failure to maintain stock transfer and shareholder records with sufficient specificity to demonstrate continuous eligibility as an S corporation.
  • Failure by certain trust shareholders to timely make required Qualified Subchapter S Trust (QSST) or Electing Small Business Trust (ESBT) elections.

A target’s inability to affirmatively demonstrate its initial or continuing eligibility as an S corporation creates a risk for the acquirer. The target’s S election could be disregarded after the deal closes, subjecting the acquirer to corporate-level tax liability with respect to the target for all prior periods that are within the statute of limitations. This risk assessment may impact the purchase price or the willingness of the buyer to proceed with the transaction. In addition, the target could become exposed to corporate tax liability, depending on the extent of the compliance issues revealed during due diligence, unless remediated.

Accordingly, it is important for S corporation banks to ensure that their elections are continuously maintained and that they retain appropriate documentation to demonstrate compliance. An S corporation bank should retain all records associated with the initial election, including all shareholder consents and IRS election forms. S corporation banks should also maintain detailed stock transfer records to enable the substantiation of continuous shareholder eligibility.

Prior to registering a stock transfer to a trust, S corporation banks should request and retain copies of all governing trust instruments, as well as any required IRS elections.

It is also advisable to have the bank’s legal counsel review these trust instruments to confirm eligibility status and any required elections. Banks that rely on the family aggregation rules to stay below the 100-shareholder limitation should also keep records supporting the family aggregation analysis.

While S corporation banks have realized significant economic benefits through the elimination of double taxation of corporate earnings, maintaining strong recordkeeping practices is a critical element in protecting and maximizing franchise value, especially during an acquisition. Any S corporation bank that is contemplating selling in the foreseeable future should consider conducting a preemptive review of its Subchapter S compliance and take any steps necessary to remediate adverse findings or secure missing documentation prior to exploring a sale.

One Tool To Get a Better Grasp on Cybersecurity Risk Oversight


As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions against treating the questions as a checklist.

Rather, board members should look at the questions as conversation starters, examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The resulting report provides management, directors and clients with a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

How Banks Can Increase Cybersecurity Risk Management


In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, emails can be opened by employees who unwittingly release customized and often quite sophisticated malware (the software used by hackers to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks, and the opportunities and attempts for unauthorized access have increased. Traditional security mechanisms such as firewalls are no longer enough on their own to protect an institution from modern threats. Although they thwart some cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a thorough risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT, so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats across the entire banking system, not just the obvious ones.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls will help to monitor and alert an organization of any malicious or unauthorized activity, including malicious activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.
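The “Identify weaknesses” and “Add controls” points above describe two detective controls for the ATM scenario the article opens with: alerting on withdrawal patterns that exploit the reporting lag, and noticing when a card’s withdrawal limit has been tampered with. The following is an added illustration, not code from the article or its authors; the event format, card-limit table, thresholds and bank names are all constructed assumptions chosen to show the logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal events (not real data): one record per ATM
# withdrawal as a card-management system might log it.
SAMPLE_EVENTS = [
    {"card": "C001", "ts": "2016-05-06T01:00:00", "atm_owner": "OurBank", "amount": 200},
    {"card": "C001", "ts": "2016-05-06T09:30:00", "atm_owner": "OurBank", "amount": 100},
    {"card": "C002", "ts": "2016-05-06T02:00:00", "atm_owner": "OtherBank", "amount": 500},
    {"card": "C002", "ts": "2016-05-06T02:05:00", "atm_owner": "OtherBank", "amount": 500},
    {"card": "C002", "ts": "2016-05-06T02:11:00", "atm_owner": "OtherBank", "amount": 500},
    {"card": "C002", "ts": "2016-05-06T02:20:00", "atm_owner": "OtherBank", "amount": 500},
    {"card": "C003", "ts": "2016-05-06T03:00:00", "atm_owner": "OtherBank", "amount": 4000},
]

# Constructed per-card configured limits as stored in the card system.
# None models a card whose limit has been removed entirely.
SAMPLE_CARD_LIMITS = {"C001": 1000, "C002": 1000, "C003": None, "C004": 5000}

HOME_BANK = "OurBank"            # assumed name of the issuing bank
POLICY_DAILY_LIMIT = 1000        # assumed policy cap per card per calendar day
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_COUNT = 3               # 3+ off-us withdrawals inside the window is anomalous


def detect_anomalies(events, home_bank=HOME_BANK, daily_limit=POLICY_DAILY_LIMIT,
                     window=VELOCITY_WINDOW, velocity_count=VELOCITY_COUNT):
    """Return (card, alert_type, timestamp) tuples for withdrawals that
    breach the daily policy cap or show off-us withdrawal velocity."""
    alerts = []
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_card[e["card"]].append(
            (datetime.fromisoformat(e["ts"]), e["atm_owner"], e["amount"]))

    for card, rows in by_card.items():
        daily_total = defaultdict(int)
        flagged_days = set()   # alert once per day when the cap is first crossed
        recent_off_us = []     # timestamps of other-bank withdrawals inside the window
        for ts, owner, amount in rows:
            day = ts.date()
            daily_total[day] += amount
            if daily_total[day] > daily_limit and day not in flagged_days:
                flagged_days.add(day)
                alerts.append((card, "DAILY_LIMIT_EXCEEDED", ts.isoformat()))
            if owner != home_bank:
                # Slide the window forward and keep only withdrawals still inside it.
                recent_off_us = [t for t in recent_off_us if ts - t <= window]
                recent_off_us.append(ts)
                if len(recent_off_us) >= velocity_count:
                    alerts.append((card, "OFF_US_VELOCITY", ts.isoformat()))
    return alerts


def audit_card_limits(card_limits, policy_limit=POLICY_DAILY_LIMIT):
    """Detective control for the limit-removal attack: return cards whose
    configured limit is missing (unlimited) or higher than policy allows."""
    return sorted(card for card, limit in card_limits.items()
                  if limit is None or limit > policy_limit)


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(*alert)
    print("cards with tampered limits:", audit_card_limits(SAMPLE_CARD_LIMITS))
```

The velocity rule fires on every withdrawal once the window is saturated, so an operator sees the pattern continuing rather than a single notice; the daily-cap rule fires once per day to avoid the alert fatigue the article warns about. The limit audit is a reconciliation job, not a transaction-time check, because the 2013 attack changed the configured limits rather than the transactions themselves.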

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

The Five Critical Attributes of Effective Cybersecurity Risk Management


The size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, the information security standards of the International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.
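The decision heat map described above is easy to misread as a single score; what it really does is rank threats by how much risk each unit of mitigation spend removes, and then place them in a grid of risk band against cost band. The following is an added example of that prioritization, not code from the article or its authors; the threat names, the 1-to-5 scales and the band boundaries are constructed assumptions.

```python
# Constructed threat register (not real assessment data). Likelihood and impact
# are on a 1-5 scale; cost is the relative effort to mitigate, also 1-5.
SAMPLE_THREATS = [
    {"name": "Phishing of staff",        "likelihood": 5, "impact": 4, "cost": 2},
    {"name": "ATM network compromise",   "likelihood": 2, "impact": 5, "cost": 4},
    {"name": "Insider misuse",           "likelihood": 3, "impact": 4, "cost": 3},
    {"name": "Unpatched web server",     "likelihood": 4, "impact": 3, "cost": 1},
]


def risk_score(threat):
    """Inherent risk as likelihood times damage, the two factors the article names."""
    return threat["likelihood"] * threat["impact"]


def risk_band(score):
    # Assumed boundaries: 25 is the maximum on a 5x5 scale.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def cost_band(cost):
    # Assumed boundaries on the 1-5 effort scale.
    if cost <= 2:
        return "low"
    if cost == 3:
        return "medium"
    return "high"


def prioritize(threats):
    """Order threats by risk removed per unit of mitigation cost; ties are
    broken by raw risk so the more damaging threat comes first."""
    ranked = sorted(
        threats,
        key=lambda t: (risk_score(t) / t["cost"], risk_score(t)),
        reverse=True,
    )
    return [t["name"] for t in ranked]


def heat_map(threats):
    """Bucket threats into (risk_band, cost_band) cells. The 'high risk, low
    cost' cell is where the team should spend first."""
    grid = {}
    for t in threats:
        cell = (risk_band(risk_score(t)), cost_band(t["cost"]))
        grid.setdefault(cell, []).append(t["name"])
    return grid


if __name__ == "__main__":
    for name in prioritize(SAMPLE_THREATS):
        print(name)
    for cell, names in sorted(heat_map(SAMPLE_THREATS).items()):
        print(cell, names)
```

In the constructed register the ATM compromise has the highest impact but the lowest priority, because its likelihood is low and mitigation is expensive; that is exactly the trade-off a heat map makes visible, and it is why the article pairs likelihood and damage with cost rather than scoring severity alone.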

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. Today, although breach prevention remains paramount, the focus is shifting away from prevention alone, and preparing for the worst case is becoming equally important. Preparing an incident response plan—and updating it regularly—is a minimum first step.

Once an incident has occurred, a bank can follow the typical incident response plan, which encompasses certain fundamental steps, including the following:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader whose primary duty is IT security, rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function and develop appropriate prevention and response plans.

The Audit Committee: Help Them Help You


An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee does not come about by accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.

The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.

The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.

To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank—but also with the banking industry as a whole.

The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.

As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.

Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.

The board also should recognize that its attitude and that of management toward internal audit frequently contributes to its success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is disinterested in follow-up, the value of the internal audit role will erode quickly.

The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.

Maintaining Internal Audit Independence Regardless of Structure


Whether your bank uses an in-house, outsourced or co-sourced internal audit function, the internal audit program must be independent. And no matter the arrangement, management and the board have a degree of responsibility for internal audit’s efficacy—as such, they must accept ownership of this function even where it is fully outsourced.

As part of this, nationally chartered banks need to comply with the requirements issued by the Office of the Comptroller of the Currency (OCC) in October 2013 entitled “Third Party Relationships: Risk Management Guidance,” which deals with the selection and ongoing oversight of all critical third-party relationships, including outsourced or co-sourced internal audit arrangements. Although the guidance is addressed to national banks, it also establishes a best practices approach for state chartered banks that are supervised by the Federal Reserve or Federal Deposit Insurance Corp. The OCC guidance stipulates that banks must implement effective risk management processes to actively manage outsourced vendors, and that the roles and responsibilities for overseeing and managing all third-party relationships be specific and clearly defined. Therefore, whether the bank outsources or co-sources all or parts of an internal audit program, doing so does not diminish the responsibility of its board of directors and senior management for overseeing and managing the program.

So the question becomes how best to manage outsourced or co-sourced internal audit relationships while optimizing the independence that is necessary for boards and audit committees in the fulfillment of their responsibilities.

Banks are deploying a variety of approaches driven by organizational structure, cost or culture. Sometimes these are successful, but they often fall short of regulatory expectations.

It is possible to achieve a quality internal audit program as long as the board and management adhere to a number of key principles and are truly committed to having an internal control environment that helps the bank manage its risks.

Our firm has helped hundreds of banks implement effective internal audit programs in both full outsourced and co-sourced scenarios. Some of the elements that we have found most critical to building an effective program include:

Corporate Governance: Corporate governance and the tone at the top is the foundation of an effective program. This entails setting up a structure that includes direct reporting to the chairman of the audit committee while, at the same time, having appropriate internal management oversight. Often that oversight resides with the chief risk officer of the bank. However, we have observed successful programs that use compliance officers or an in-house internal auditor. Independence is derived from board and management commitment, setting the tone and culture within the bank.

Internal Audit Risk Assessment and Audit Plan: The success of an internal audit program is highly dependent on identifying the risk profile of the bank and developing an appropriate audit plan that addresses those risks. Just a few of the areas complicating today’s bank risk environment include information security and technology driven service delivery channels, consumer compliance and BSA/AML compliance requirements and interest rate risk management.

Experienced and Qualified Internal Audit Team: A successful internal audit program is simply not possible without deploying the right expertise and experience to audit the different aspects of a bank’s business and compliance requirements.

A successful internal audit program is often accomplished by seeking an outsourced or co-sourced solution which, based on regulatory guidance, management is responsible for managing. However, independence does not need to be compromised—particularly if the bank culture and tone at the top are committed to an independent risk-based internal audit program.

Buyer Beware: How Banks Can Avoid a Transaction Disaster


Mergers and acquisitions are exciting: they make the news, they show a position of strength to competitors, and most deals promise benefits for customers, employees and shareholders. Transactions have the same kind of excitement one might experience when buying a car. And like buying the car, that new car smell, or in this case, the allure of growth and synergies, can wear off quickly once you realize all of the work required to successfully integrate two institutions. Worse still is the feeling you have bought a lemon. There are, however, strategies that banks can employ before an integration to make sure they are getting a good deal.

Ensure You Have the Right, Experienced Resources
There is a reason that most professional services firms have an M&A practice: mergers and acquisitions are hard. In the middle market, it is even more important to look at current staff or partners that can support integration and bring the much needed experience to the table. Few industries match banking in the complexity of converting systems and processes. Banks require a unique set of skills to navigate the complexities of core systems, online banking, debit/credit cards, treasury management and lending.

Conduct an Operational and Technical Assessment of Your Target
Looking at the operational and technical complexities before a deal is made will improve the chances of a successful integration. Assess the scalability and interoperability of your technology and process landscape (as well as the target’s landscape) so that you can identify risks to the integration early and put together a mitigation plan quickly. All too often, middle market transactions focus only on diligence conducted by bankers, lawyers and accountants. Operational and technology diligence are de-prioritized.

Knowing how much car you can afford before even thinking about a deal puts you ahead of other bidders in terms of understanding how a target will fit into your garage. An operational and technical assessment provides the opportunity to understand and potentially implement systems, processes and products that will create a scalable and flexible operating model.

Evaluate Third Party Relationships
Understanding how your service providers can flex (or not) is critical to understanding the level of effort and cost of integration, along with the risks that need to be mitigated. Do your vendors have dedicated conversion teams? Are you the largest client of your core provider? Is there information available from your peers on the pros and cons of particular solutions in terms of integration? What are the service areas that could be improved through an acquisition?

Know Your Customer
Don’t forget the customer. Most transactions are driven by the desire to grow an institution’s customer base. But, in the frenzy of bringing two institutions together, customers often take a backseat to other integration priorities. Reacting to problems once customers start to leave is too late—the damage is already done. You will continue to hemorrhage customers while you course correct. Consider how well you know your customers before a deal is on the table. Do you have a way to make sure the customer’s voice is heard? Mapping the customer impact during diligence will prepare you to monitor (and hopefully improve) customer experience through the integration.

During integration, avoid focusing solely on cost synergies at the expense of customer experiences that could undermine revenue objectives. Whatever the changes, make sure communications to customers are clear, regular and transparent. You can never over communicate change to customers. Lastly, don’t assume that postponing changes is always best for customers. In many cases, making changes early and communicating them effectively will offer the most seamless customer experience across all channels (branches, digital, etc.).

Never Underestimate the Importance of Culture
It’s easy to sweep culture under the rug and consider it too soft and fuzzy for due diligence and integration. Many find it hard to put concrete metrics and plans around culture. Generational shifts continue to change the way companies recruit, retain and operate, and that is forcing companies to rethink their priorities in order to avoid costly turnover.

Having tools in place to implement change management is a best practice. This starts with knowing what your own cultural identity and management style is and what that means in terms of potential deals. If you’re into sports cars, don’t look at SUVs. By having your own cultural assessment up front, you can start analyzing cultural differences earlier in the process.

Assess Your M&A Readiness Before You Buy
If you want to successfully retain customers and key employees while achieving financial synergies, take the time to kick your own tires before looking at a new deal. An internal M&A readiness assessment is not only valuable if you are a buyer, but as a potential seller as well. An assessment will identify both deficiencies and differentiators in your operating model that a potential buyer will notice during due diligence. This knowledge gives you better negotiating power and can put you in the driver’s seat.

Lessons Learned From the Stress Tests

In the wake of the implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act stress test (DFAST) regulations, the term “stress test” has become a familiar part of the banking lexicon. The DFAST regulations require midsize banks, those with assets between $10 billion and $50 billion, to project the expected impact of three economic scenarios (baseline, adverse, and severely adverse) on their financial statements and capital ratios. Midsize financial institutions were required to report this year’s stress test results to their regulators by March 31, 2015, the second round of stress tests required for these banks.

Although the submission that was due in March was round two, most banks felt that it demanded just as much effort as the first round of stress tests. Regulators focused more on process than results in round one and clearly stated that what was acceptable in the first submission would be insufficient for subsequent examinations. Little formal feedback has come in so far, but what we have heard indicates that continuous improvement was definitely expected.

Model Mechanics
In the first round, most banks either used simplistic models or projections that did not capture their risks fully. Banks now are expected to develop enhanced models, and more significant portfolios are being modeled using bottom-up rather than top-down approaches. In assessing models, regulators are questioning assumptions and methodologies and looking for well documented, sound conceptual bases for the modeling choices made. Overly manual modeling processes also are being flagged as impractical for ad hoc use. The message is loud and clear: stress testing models are expected to be integrated into risk management practices.

Documentation
One common area for continued attention appears to be documentation. Whether it’s better organizing information to make it easier to follow the bank’s processes, improving validation documentation, writing user procedures, or better documenting the effective challenge process, the feedback received thus far reinforces that DFAST truly is a formal process. The documentation has to be sufficient for banks to manage, monitor and maintain the overall stress testing program. It also needs to be detailed enough to allow other users, including validators and regulators, to clearly understand the process.

Validation
Validation continues to be a big area of focus, and attention is being paid to both the timing and extent of validation activities. Timing is a critical review point, as the models are expected to be validated prior to the final stress test exercise. Validations have been criticized for having incomplete documentation, for failing to assess data lineage and quality, and for not being comprehensive. As modeling systems become more sophisticated, validations need to provide broader coverage. Validators—whether internal or third-party resources—must be experienced and competent, and they must deliver a sound validation in accordance with the agreed scope.

Sustainability
Banks have been encouraged to shore up organizational structures and procedures to keep their stress testing programs up-to-date and intact. With competition for quantitative resources at an all-time high, many are making choices about hiring statistical specialists and using contractors to keep on track. Banks are focusing on more automated processes, broader business participation, and more detailed user procedures to make sure the loss of one or two employees does not cause a program to fall apart completely.

Life in the DFAST Lane
As with most important business processes, effective DFAST risk management requires significant input from business management, risk management, and internal audit. A collaborative relationship among these three lines of defense results in the strongest DFAST processes. With reporting deadlines for the next cycle in 2016 being delayed from March 31 to July 31, banks have a bit of breathing room to assess the effectiveness and efficiency of their DFAST programs. Banks should use this extra time to further develop documentation, address highest priority issues, and continue to integrate stress testing into routine risk management practices.

The New Regulatory Expectation for Cybersecurity Assessment: What Every Board Must Know & Should Do

On June 11, 2015, while serving as a keynote speaker on cybersecurity at Bank Director’s Bank Audit and Risk Committees conference in Chicago, I predicted that the regulatory agencies would publish a new cybersecurity assessment methodology by the end of the month.

That prediction came true: on June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released the cybersecurity assessment tool. Examiners will start to use the cybersecurity assessment later in the year, and there is a regulatory expectation that every financial institution, regardless of charter type, asset size or complexity, complete a self-assessment and keep it updated.

What Is the Cybersecurity Assessment?
The main purpose is to provide a financial institution with a self-assessment method that is measurable and repeatable to identify risk exposures and cybersecurity preparedness.

The first step is to identify the institution’s inherent risk level (least, minimal, moderate, significant or most) based on five categories of risk factors:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

The next step is to identify the cybersecurity maturity level (baseline, evolving, intermediate, advanced or innovative) for each of five domains:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management 
  • Cyber incident management and resilience

[Figure: inherent risk profile and maturity levels. Source: FFIEC]

The next step is to identify the gaps and the target maturity level necessary for each of the five domains. The chart below depicts the risk/maturity relationship matrix and the “cybersecurity zone” in blue that each financial institution needs to attain and sustain in each domain:

[Figure: risk/maturity relationship matrix with the cybersecurity zone. Source: FFIEC]

For example, if a financial institution with a moderate inherent risk level determines that its domain 3 (cybersecurity controls) maturity level is baseline, then it will need to attain a target maturity level of evolving, intermediate or advanced (i.e. it will need to get into the “cybersecurity zone”) and sustain it. Staying at a baseline maturity level for the domain will be unacceptable given the moderate inherent risk level. Note that maturity is cumulative in the FFIEC tool: a level is attained only when every declarative statement at that level and at all lower levels is met. In some cases, therefore, the institution may find that it does not meet all of the baseline statements, placing it below baseline, which will require immediate action.

The regulatory expectation is that once the initial cybersecurity assessment is completed, an action plan will be identified to attain the target maturity levels and to sustain them. The cybersecurity assessment will also be re-evaluated and updated periodically as threats, vulnerabilities and operational environments change (e.g. launch of new products or services, new connections, etc.).
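
The gap logic described above, implemented as an added example (not FFIEC material and not the article’s own code). It applies the cumulative maturity rule, so a domain that misses even one baseline statement is reported as below baseline and flagged for immediate action, and compares each domain’s attained level with the zone for the institution’s inherent risk. The `ZONE` bands are an assumption read from the FFIEC risk/maturity chart; the page itself confirms only the moderate row, so verify the others against the current tool. The domain names, statement IDs and sample results are constructed for the example.

```python
# Added example (not FFIEC material and not the article's own code):
# the inherent-risk / maturity gap logic, with the "below baseline" and
# "cybersecurity zone" cases made explicit.
#
# Assumptions, labelled: the ZONE bands are read from the FFIEC
# risk/maturity relationship chart; only the "moderate" row is stated on
# the page. Domain names, statement ids and sample results are constructed.
from typing import Dict, List, Optional, Tuple

INHERENT_RISK = ("least", "minimal", "moderate", "significant", "most")
MATURITY = ("baseline", "evolving", "intermediate", "advanced", "innovative")

# (lowest acceptable, highest expected) maturity per inherent risk level.
ZONE: Dict[str, Tuple[str, str]] = {
    "least": ("baseline", "evolving"),             # assumed
    "minimal": ("baseline", "intermediate"),       # assumed
    "moderate": ("evolving", "advanced"),          # stated on the page
    "significant": ("intermediate", "innovative"), # assumed
    "most": ("advanced", "innovative"),            # assumed
}

# A domain's results: {maturity level: {declarative statement id: met?}}
DomainResults = Dict[str, Dict[str, bool]]


def attained_maturity(results: DomainResults) -> Optional[str]:
    """Cumulative rule: a level counts only when every declarative statement
    at that level and at every lower level is met. None means the baseline
    itself is not fully met, i.e. the domain is below baseline."""
    attained = None
    for level in MATURITY:
        statements = results.get(level)
        if not statements or not all(statements.values()):
            break
        attained = level
    return attained


def unmet_statements(results: DomainResults, level: str) -> List[str]:
    """Statement ids at `level` not yet met (what the action plan must fix)."""
    return sorted(sid for sid, met in results.get(level, {}).items() if not met)


def assess_domain(inherent_risk: str, results: DomainResults) -> dict:
    """Compare a domain's attained maturity with the zone for the risk level."""
    if inherent_risk not in ZONE:
        raise ValueError(f"unknown inherent risk level: {inherent_risk!r}")
    floor, _ceiling = ZONE[inherent_risk]
    level = attained_maturity(results)
    if level is None:
        return {"attained": None, "target": floor, "status": "below_baseline",
                "immediate_action": True,
                "next_unmet": unmet_statements(results, "baseline")}
    if MATURITY.index(level) < MATURITY.index(floor):
        next_level = MATURITY[MATURITY.index(level) + 1]
        return {"attained": level, "target": floor, "status": "gap",
                "immediate_action": False,
                "next_unmet": unmet_statements(results, next_level)}
    return {"attained": level, "target": level, "status": "in_zone",
            "immediate_action": False, "next_unmet": []}


def action_plan(inherent_risk: str, domains: Dict[str, DomainResults]):
    """Assess every domain; return the full report and the domains needing
    work, below-baseline domains first because they need immediate action."""
    report = {name: assess_domain(inherent_risk, r) for name, r in domains.items()}
    priority = {"below_baseline": 0, "gap": 1}
    todo = sorted((n for n, r in report.items() if r["status"] != "in_zone"),
                  key=lambda n: (priority[report[n]["status"]], n))
    return report, todo


# Constructed sample for a moderate-risk institution (not real assessment data).
SAMPLE_DOMAINS: Dict[str, DomainResults] = {
    "D1 Cyber risk management and oversight": {
        "baseline": {"B.1": True, "B.2": False},        # one baseline item unmet
    },
    "D2 Threat intelligence and collaboration": {
        "baseline": {"B.1": True},
        "evolving": {"E.1": True},
        "intermediate": {"I.1": True},
        "advanced": {"A.1": False},
    },
    "D3 Cybersecurity controls": {
        "baseline": {"B.1": True, "B.2": True},
        "evolving": {"E.1": True, "E.2": False},        # stuck at baseline
    },
}

if __name__ == "__main__":
    report, todo = action_plan("moderate", SAMPLE_DOMAINS)
    for name in todo:
        r = report[name]
        print(f"{name}: {r['status']} (attained={r['attained']}, "
              f"target={r['target']}, immediate={r['immediate_action']}, "
              f"fix={r['next_unmet']})")
```

Run as-is, the sample reports D1 as below baseline (one baseline statement unmet, immediate action), D3 as a gap (attained baseline, target evolving, statement E.2 to fix) and D2 as in the zone at intermediate. The cumulative rule is what makes the board’s “validate the baseline” step matter: a domain with strong evolving-level practices still scores below baseline if any baseline statement is unmet.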

What Should the Board Do?
Examiners will use the cybersecurity assessment to evaluate a financial institution’s risk level and cybersecurity preparedness and to scope examinations. Failing to complete the cybersecurity assessment and sustain it may be deemed an unsafe and unsound practice, and examiners will closely evaluate the board’s role and ultimately hold it accountable. Failing to complete an assessment may lead to unmitigated risks, a cyber disaster and a conclusion that the board failed to exercise its risk oversight and fiduciary duty.

Ultimately, the board is responsible for ensuring the organization completes the cybersecurity assessment and maintains a repeatable process to update it periodically. The cybersecurity assessment provides critical forward looking intelligence that the board should use to guide the organization to attain optimal cyber risk management performance, mitigate risks to a tolerable level and maximize shareholder value. The stakes are very high. Cybersecurity must remain top of mind and the board must lead.

Here are seven critical steps the board should take:

  1. Assign a target date for the completion of the cybersecurity assessment and reporting of results to the board, well in advance of the next examination. Provide necessary support to complete it properly and in a timely manner.
  2. Obtain independent review of cybersecurity assessment to validate results. Make sure there is proper support for inherent risk level and maturity level determinations. Pay extra attention to validation of baseline levels, because in reality, the bank may be below baseline.
  3. Review, approve and support action plan for addressing risk management and control weaknesses and attaining and sustaining target maturity levels.
  4. Make sure any levels below baseline are immediately addressed.
  5. Require that a repeatable and sustainable process be implemented so that the cybersecurity assessment is re-evaluated and updated periodically (based on board-approved triggers) and results are reviewed with the board.
  6. Assign implementation of regular risk dashboard reporting to the board with leading, not lagging, key risk indicators mapped to the cybersecurity assessment.
  7. Require a cybersecurity assessment be completed as part of due diligence in a merger or acquisition and reviewed with the board.