Dusting Off Your Asset/Liability Management Policies

Directors reviewing their bank’s asset/liability management policy in the wake of recent bank failures should avoid merely reacting to the latest crisis.

Managing the balance sheet has come under a microscope since a run on deposits brought down Silicon Valley Bank, the banking subsidiary of SVB Financial Group, and Signature Bank, leading regulators to close the two large institutions. While most community banks do not have the same deposit concentrations that caused these banks to fail, bank boards should ask their own questions about their organization’s asset/liability strategies.

A bank’s asset/liability management policy spells out how it will manage a mismatch between its assets and liabilities that could arise from changing interest rates or liquidity requirements. It essentially provides the bank with guidelines for managing interest rate risk and liquidity risk, and it should be reviewed by the board on an annual basis.

“With both Silicon Valley Bank and Signature Bank, you had business models that were totally different from a regular bank, whether it’s a community bank, or a regional or even a super regional, the composition of their asset portfolios, the composition of their funding sources, were really different,” says Frank “Rusty” Conner, a partner at the law firm Covington & Burling. “Anytime you have a semi-crisis or crisis like we’ve had, you’re going to reassess things.”

Conner identifies three key flaws at play today that mirror the savings and loan crisis of the 1980s and 90s: an over-concentration in certain assets, a mismatch between the maturities of assets and liabilities, and waiting too long to recognize losses.

Those are all lessons that directors should consider when they revisit their bank’s asset/liability management policies and programs, he says. “Is there any vulnerability in our policies that relates to concentration or mismatch, or failing to address losses early?”

In order to do that, directors need to understand their bank’s policies well enough to ask intelligent and challenging questions of the bank’s management. The board may or may not have that particular subject matter expertise on its risk, audit or asset/liability committee, or in general, says Brian Nappi, a managing director with Crowe LLP.

“I don’t think there’s a deficiency in policies per se,” he adds. “It’s the execution.”

Nappi recommends that boards seek to “connect the dots” between their company’s business strategy and how that could fare in a changing interest rate environment.

Conner raises a similar point, questioning why some banks had so much money invested in government securities when the Federal Reserve was telegraphing its intent to eventually raise interest rates.

“That whole issue just looks so clear in hindsight now, and maybe that’s unfair,” he says. “But why is it that we didn’t anticipate that, and are we in a better position today to anticipate similar types of developments in the future?”

Boards could consider bringing in an outside expert to review the asset/liability management policy, says Brandon Koeser, a senior analyst with RSM US. A fresh set of eyes, such as an accounting firm, consultant or even a law firm, can help the board understand if its framework is generally in line with other institutions of its size and whether it’s keeping pace with changes in the broader economy.

“You also want to think about the [asset/liability management] program itself, separate from the policy, and how often you’re actually going through and reviewing to make sure that it’s keeping pace with change,” Koeser adds.

Steps to Take: Revisiting the Asset/Liability Management Policy

  • Establish and understand risk limits.
  • Consider how to handle policy exceptions.
  • Define executive authority for interest rate risk management.
  • Outline reports the board needs to monitor interest rate risk.
  • Establish the frequency for receiving those reports.
  • Evaluate liquidity risk exposure to adverse scenarios.
  • Understand key assumptions in liquidity stress testing models.
  • Review guidelines around the composition of assets and liabilities.
  • Monitor investment activities and performance of securities.
  • Review contingency funding plans.

Directors should also ask management about any liquidity stress testing the bank may be engaging in. Do directors fully understand the key assumptions in the bank’s stress testing models, and do they grasp how those key assumptions could change potential outcomes?

And if executives tell the board that the bank’s balance sheet can withstand a 30% run off of deposits in a short period of time, directors shouldn’t be satisfied with that answer, says Matt Pieniazek, CEO of Darling Consulting Group, a firm that specializes in asset/liability management. The board should press management to understand exactly how bad losses would need to be to break the bank.

“Directors don’t know enough to ask the question sometimes. They’re afraid to show their stress testing breaking the bank,” he says. “They need to have the opposite mindset. You need to understand exactly what it would take to break the bank. What would it take to create a liquidity crisis? How bad would it have to get?”

Sometimes policies tend to be too rigid or not descriptive enough, adds Pieniazek.

“The purpose of policies is not to put straightjackets around people,” he says. “If you have to look to policies for guidance, you want to make sure that they have an appropriate amount of flexibility and not too much unnecessary restrictiveness.”

Many banks’ policy limits concerning the use of wholesale funding — such as Federal Home Loan Bank advances and brokered deposits — are too strict and unnecessarily constrained, Pieniazek says. “A lot of them will have limits, but they’re inadequate or the limits are not sufficient, both individually and in the aggregate.”

An example of this might be a policy that stipulates the bank can tap FHLB funding for up to 25% of its assets and the Federal Reserve discount window for up to 15% but restricts the bank from going above 35% in the aggregate.

Along those lines, directors should make sure management can identify all qualifying collateral the bank might use to borrow from the Federal Reserve or FHLB, taking into account collateral that may have been pledged elsewhere. And directors should revisit any overly rigid policies that could tie executives’ arms in a liquidity crunch. A policy stipulating that a bank will sell securities first may prove too inflexible if it means having to sell those securities at a loss, for instance.

A board will also want to understand whether its asset/liability management plan considers the life cycle of a possible bank run. In that kind of scenario, how much would the bank depend upon selling assets in order to meet those liquidity needs? And what’s the plan if some of its securities are underwater when that happens?

While the most recent banking crisis doesn’t necessarily mean bank boards need to overhaul their asset/liability management policies, they should at least review those policies with some key questions and lessons in mind.

“If your regulator comes in, and they see dust on the cover of the ALM policy,” says Koeser, “and they see that the liquidity stress test or scenario analysis aren’t appropriately incorporating shocks or stressors, it could be a difficult conversation to have with your regulator on why there weren’t changes.”

Additional Resources
Bank Director’s Board Structure Guidelines include a resource focused on ALCO Committee Structure. The Online Training Series includes units on managing interest rate risk and model validation. For more about stress testing to incorporate liquidity, read “Bank Failures Reveal Stress Testing Gaps.”

Getting Started With Third-Party Risk Management: Two Key Questions


Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should do a complete inventory of critical relationships to ensure that they have a complete inventory of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding in a web page so it can be found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly are onboarding and terminating third parties and expanding or reducing third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.

Are Your Board Communications Secure in a Changing Regulatory Landscape?


As recently as March 2015, Hillary Clinton’s use of private email on multiple devices while serving as secretary of state hit the media. Clinton commented, “. . . I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.”

Every board member can fall prey to the Clinton communication example—take the necessary steps to educate your board.

We continue to live in a changing business environment with a backdrop of increasing regulatory pressures and a heightened focus on improving board oversight and communication. Current guidance and regulatory policies and practices are designed to force improvement in risk management and compliance. Along with that comes the responsibility of how we securely communicate and exchange confidential information at the board and committee level.

Technology and security are playing an important role in this change as leadership demands more mobility, flexibility and speed. Armed with multiple mobile devices and an “on-the-go” attitude, some stakeholders, who may not have grown up in the world of IT, are constantly exposing company information to risk.

Practices for managing board communication suggest we may not be keeping up with the requirements for security and compliance.

Take into account the following:

The Organization

  • Think about how many board members are still receiving board and committee information in their personal email accounts. Then layer in the amount of changes and document version control that need to be communicated before the actual meeting. This information often is not encrypted.
  • Interactions between management and the board are continuous. Monthly, quarterly and annual meetings give the board and committee members an opportunity to review company performance, and provide a forum for governance. Information is still being printed, exposing huge amounts of confidential information as directors travel between meetings and between locations.
  • Unsecure dissemination of confidential documents from regulators, investors and management flows from administrators to the board.

The Individual

  • Critical documents are still being stored and shared on a variety of personal devices – computers, tablets and phones.
  • Directors and committee members are still sending their packets to their personal emails so they can print the materials, thereby breaching security.

What do you do?
Security issues continue to be on the front page of the news. How do you prevent a perfect storm from happening where directors with personal communication devices are not handling confidential information in a proper format? Below are four practical steps to address this.

Education: Board members should be educated on a periodic basis as to what their roles and requirements are, from a board and a bank perspective. If you are public, Securities and Exchange Commission regulations should also be reviewed often.

Process: To help prevent damage from occurring, it is also important to set up a process whereby the directors are getting the necessary information in a secure fashion. There should be sufficient documentation of the process in establishing and monitoring board members. Appropriate personnel, including risk-management and IT personnel, should have input.

Review: The risk department should conduct a review and test the entire process to ensure the loop is secure. This should include management, committee members and the entire board.

Evaluate: Evaluate the risk factors affecting the current process. How does it impact the organization overall?

As technology continues to evolve at breakneck speed, the race is on for leaders to move fast enough to deliver a secure environment. It is clear that not enough attention is being focused on the process that is necessary to foster this environment. Board members will need to think ahead before they communicate, and leaders will need to make sure director communications are secure. And there is no magic formula for creating this—it is an ongoing, “live” process that you will need to keep reviewing. While the process needs to constantly be monitored and refreshed, it also must reflect new behaviors and new preferences: look to the success of the Apple Watch. 

This real-time process will aim to keep you secure at all times. And that may end up in your favor as regulators may soon turn their focus to communication within the board room.