Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, subsequent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

Regulatory Crackdown on Deposit Insurance Misrepresentation

Federal banking regulators have recently given clear warnings to banks and fintechs about customer disclosures and the significant risk of customer confusion when it comes to customers’ deposit insurance status.

On July 28, 2022, the Federal Deposit Insurance Corporation and the Federal Reserve issued a joint letter to the crypto brokerage firm Voyager Digital, demanding that it cease and desist from making false and misleading statements about Voyager’s deposit insurance status, in violation of the Federal Deposit Insurance Act, and take immediate corrective action.

The letter stated that Voyager made false and misleading statements online, including on its website, mobile app and social media accounts. These statements said or suggested that Voyager is FDIC-insured; that customers who invested with the Voyager cryptocurrency platform would receive FDIC insurance coverage for all funds provided to, and held by, Voyager; and that the FDIC would insure customers against the failure of Voyager itself.

Contemporaneously with the letter, the FDIC issued an advisory to insured depository institutions regarding deposit insurance and dealings with crypto companies. The advisory addressed the following concerns:

  1. Risk of consumer confusion or harm arising from crypto assets offered by, through or in connection with insured banks. This risk is elevated when a nonbank entity offers crypto assets to the nonbank’s customers, while offering an insured bank’s deposit products.
  2. Inaccurate representations about deposit insurance by nonbanks, including crypto companies, may confuse the nonbank’s customers and cause them to mistakenly believe they are protected against any type of loss.
  3. Customers can be confused about when FDIC insurance applies and what products are covered by FDIC insurance.
  4. Legal risk of insured banks if a crypto company or other third-party partner of the bank makes misrepresentations about the nature and scope of deposit insurance.
  5. Potential liquidity risks to insured banks if customers move funds due to misrepresentations and customer confusion.

The advisory also includes the following risk management and governance considerations for insured banks:

  1. Assess, manage and control risks arising from all third-party relationships, including those with crypto companies.
  2. To measure and control the risks to the insured bank, the bank should confirm and monitor that these crypto companies do not misrepresent the availability of deposit insurance and should take appropriate action to address any such misrepresentations.
  3. Communications on deposit insurance must be clear and conspicuous.
  4. Insured banks can reduce customer confusion and harm by reviewing and regularly monitoring the nonbank’s marketing material and related disclosures for accuracy and clarity.
  5. Insured banks should have appropriate risk management policies and procedures to ensure that any services provided by, or deposits received from, any third-party, including a crypto company, effectively manage risks and comply with all laws and regulations.
  6. The FDIC’s rules and regulations can apply to nonbanks, such as crypto companies.

At a time when crypto companies are increasingly criticized for courting perceived excessive risk and insufficient transparency in their business practices, the FDIC and other banking agencies are moving to ensure that these companies’ practices do not threaten the banking industry or its customers. On Aug. 19, the FDIC issued letters demanding that five crypto companies cease and desist from making false and misleading statements about their FDIC deposit insurance status and take immediate corrective action.

In addition to the FDIC’s suggestions in its advisory, we suggest both banks and fintech vendors consider the following measures to protect against regulatory criticism or enforcement:

  1. Banks should build the right to review and approve all communications to bank customers into their vendor contracts and joint venture agreements with fintechs and should revisit existing contracts to determine if any adjustments are needed.
  2. Banks should consult with legal counsel as to current and expected regulatory requirements and examination attitudes with respect to banking as a service arrangements.
  3. Fintechs should engage with experienced bank regulatory counsel about the risks inherent in their business and contractual arrangements with insured banks by which the services of the fintech are offered to bank customers.
  4. Banks should conduct appropriate diligence as to their fintech partners’ compliance framework and record.

Additionally, should a bank’s fintech partner go bankrupt, the bank should obtain clarity — to the extent that it’s unclear — as to whether funds on deposit at the bank are property of the bankruptcy estate or property of a non-debtor person or entity; in this case, the fintech’s customers. If funds on deposit are property of non-debtor parties, the bank should be prepared to address such party’s claims, including by obtaining bankruptcy court approval regarding the disposition of such funds on deposit. Additionally, the bank may have claims against the bankrupt fintech entity, including claims for indemnity, and should understand the priority and any setoff rights related to such claims.

Fed Account Guidance Yields More Confusion

In seeking answers from the Federal Reserve Board and one of the regional banks, a crypto fintech’s lawsuit may have forced the regulator to issue guidance on how other companies can gain access to the nation’s vaunted payment rails. 

At issue are which companies are eligible to request master accounts at the 12 Federal Reserve Banks, and in turn, how the Reserve Banks should consider those requests. Central to this debate — and the timing of this guidance — is the Custodia lawsuit.

The day after the Board released the guidance, it asked a judge to dismiss a lawsuit from Custodia, a company that holds a special purpose depository institutions charter from the Wyoming Department of Banking. Custodia, which focuses on digital asset banking, custody and payment solutions, applied for a master account from the Federal Reserve Bank of Kansas City in October 2020, and sued both the Kansas City Fed and the Board this year to force a decision; the Board cited the final guidelines in its justifications for a dismissal. 

“Honestly, it makes the guidelines seem like they were written, in part, to get courts to give [the Board] more deference when it winds up in litigation,” says Julie Hill, a law professor at the University of Alabama who has written about Fed account access. 

Outside of the lawsuit, the guidance speaks to the interest that fintechs and companies with novel bank charters have shown in opening Fed accounts. A Fed account comes with access to the payment rails; the entire banking as a service (BaaS) business line is premised on banks serving as intermediaries and account holders for fintechs to send and store customer money. 

If the path to applying for a master account becomes clearer, institutions with novel banking charters could bypass bank partnerships, and request and operate these accounts directly. But experts tell Bank Director that the Aug. 15 guidance codifies existing practices while offering little insight into how nonbanks can get these accounts — leaving most fintechs and bank partners where they started. 

Companies that want Fed accounts request access from one of the 12 Reserve Banks, depending on which district the company is located in. The final guidance that the Federal Reserve Board issued is directed to those Reserve Banks; its involvement in these regional banks’ decision-making indicates that the Board is trying to make these decisions consistent across regions and may be involved in individual requests as well, experts say.

The Fed’s guidance includes six principles that the regional Reserve Banks should use when evaluating these requests, along with a three-tiered review framework for the amount of due diligence and scrutiny that the Reserve Banks should apply to requests submitted by different types of institutions. 

But observers still see shortcomings in the guidance. Several experts pointed out that the guidance doesn’t address which companies are eligible to apply, which is the first hurdle nonbanks must address before requesting an account. It was one of the most frequently asked questions that companies submitted to the regulator, says Matthew Bisanz, a partner in Mayer Brown’s financial services regulatory and enforcement practice. 

The guidance retains the “substantial discretion” that Reserve Banks have in deciding approvals, meaning that institutions still do not have a clear path to account access, according to a Mayer Brown client note. The process is so unclear that these accounts are granted via requests rather than applications that regulators would normally employ, Hill points out.

Observers are waiting to see how the guidance figures into the Custodia case. Hill says that Custodia is an interesting test case; the company is in a strong position to request an account and addresses many of the regulator’s stated risk concerns. It has an ABA routing number and applied to become a member of the Kansas City Fed, which could advance it from tier three to tier two in the review framework. The company also accepts U.S. dollar deposits but does not have FDIC deposit insurance, which is one factor in the tier one considerations.

What’s Next
Hill says the next step for the Reserve Banks is potentially getting together to develop a sort of operating procedure, which could make the request and decision-making process more consistent across regions. And fintechs that might be interested in a novel bank charter may want to reach out to sympathetic lawmakers in Congress and explain their cause. Custodia and other crypto companies have found a champion in Sen. Cynthia Lummis, R-Wyo., and an ally in Sen. Pat Toomey, R-Pa., both of whom have raised concerns with the Fed and could author legislation that is more accommodative to novel banking charters that the Fed would need to follow. 

In the meantime, companies that want a Fed account and aren’t interested in becoming bank holding companies or partnering with a BaaS bank may find themselves in limbo for a while. Bisanz points out that in litigation, the Fed cited a case that said delays of three to five years are not unreasonable; Custodia brought its lawsuit to expedite a decision. For novel banks, waiting years for a decision may as well mean the death of a business model. 

“There is no guarantee of an application under these guidelines, and there is no guarantee of a decision,” Bisanz says. “Nothing in these guidelines says that the Reserve Banks will act expeditiously. People should read the guidelines, consider applying — but also be ready to sit tight.”

Preparing for Institutional Risks as Cryptocurrencies Expand

Two words that highlight why digital assets — in particular, cryptocurrencies — are a valuable addition to the financial services ecosystem are “speed” and “access.” However, banks and other organizations that transact in cryptocurrency need to be aware of, and prepare for, unique risks inherent to the digital asset ecosystem.

The technology that supports cryptocurrencies has accelerated the speed of clearing financial transactions. Over the last 25 years, financial institution technology has progressed significantly, but transfers can take several days to clear; international wire transfers take even longer. Cryptocurrency transaction clearing is immediate.

Cryptocurrencies are also increasingly adopted by individuals who have been previously unbanked or “underbanked” and have had difficulty accessing traditional banking systems. Transaction speed, customer experience and an expanding market of digital asset users make cryptocurrencies attractive for more institutions and organizations to adopt, but they need to think about and prepare for a number of risks.

Current State of Regulation
One of the reasons the traditional banking industry is trusted by the public is the regulatory environment. Regulations, including those within the Bank Secrecy Act (BSA), outline the customer identification program and know-your-customer requirements for onboarding new customers. While the cryptocurrency ecosystem is often panned for its perceived lack of regulation, there are layers of regulation that some crypto companies must comply with. For example, the BSA applies to money transmitters, like crypto exchanges. U.S. Securities and Exchange Commission Chair Gary Gensler recently noted, when prompted about large crypto exchanges, “It’s a question of whether they’re registered or they’re operating outside of the law and I’ll leave it at that.”

Does that mean that crypto is regulated as strictly as financial institutions? No, but regulation is progressing. President Joe Biden’s March 2022 executive order included a provision requesting the Financial Stability Oversight Council (FSOC) convene and report on the risks of digital assets to the financial system and propose any regulatory modifications needed to mitigate the risks posed to the financial system by cryptocurrency. Treasury Secretary Janet Yellen, who has been tasked with convening the FSOC, has been a vocal proponent of crypto regulation.

The Treasury Department also released a fact sheet outlining how the United States would work with foreign governments in regulating digital assets.

What does that mean for crypto companies? Considering digital assets were mentioned over 40 times in the FSOC 2021 Annual Report, and since the total market cap of crypto has fallen from $3 trillion in November 2021 to $900 billion as of June 28, 2022, it’s likely regulators will propose new requirements.

Risk Management
Emerging or evolving regulation over large exchanges may not be the panacea that gives financial institutions carte blanche to offer all cryptocurrency products. However, it is a step toward being able to offer new products or access to products within the confines of a regulatory framework, and it creates a standard against which banks can measure their offerings.

However, risks remain. Retail banking customers still interact with virtual asset service providers that operate under innocuous-sounding names and decentralized crypto exchanges run by decentralized autonomous organizations (DAOs) without the corporate governance or regulatory requirements of financial institutions. As regulation evolves, institutions wishing to participate in this market will still be responsible for monitoring and mitigation activities. The good news is that as these risks have evolved, so have the tools used to monitor and mitigate them.

When it comes to risk, adding a new category of services requires changes throughout the organization that include people, process and technology. The digital asset ecosystem requires a different skill set than traditional banking and capital markets. The lexicon is different, the technology is different and the market is more volatile. Trusted information sources have transitioned from global business publications to social media. Institutions looking to participate are going to need to partner with different service providers to help facilitate programs, build infrastructure and provide access to the knowledge, skills and expertise to be successful. These institutions are also going to need to reassess their strategy, how and where digital assets fit, the organization’s new risks resulting from this strategic shift and how they plan to mitigate those risks.

The crypto market has garnered the attention of the current presidential administration, the regulatory environment is continuing to evolve, retail participation continues to increase and the technology supporting the marketplace has the potential to become more efficient than traditional infrastructure. Banks that aren’t assessing their strategy as it relates to digital asset risk will be left behind. Institutions planning on participating should understand the people, process and technology needed to execute their strategy, as well as the potential risks to the organization. Regardless, the cryptocurrency marketplace has given institutions and those charged with governing them a lot to consider.

How High Inflation, High Rates Will Impact Banking

In the latest episode of The Slant Podcast, former Comptroller of the Currency Gene Ludwig says he believes the combination of high inflation and rising interest rates presents unique risks to the banking industry. Ludwig expects that higher interest rates will lead to more expensive borrowing for many businesses while also increasing their operating costs. This could ultimately result in “real credit risk problems that we haven’t seen for some time.”

While the banking industry is well capitalized and asset quality levels are still high, Ludwig says the combination of high inflation and rising interest rates will be a challenge for younger bankers who have never experienced an environment like this before.

Ludwig knows a lot about banking, but his journey after leaving the Comptroller of the Currency’s office has been an interesting one. After completing his five-year term as comptroller in 1998, Ludwig could have returned to his old law firm of Covington & Burling LLP and resumed his legal practice. Looking back on it, he says he was motivated by two things. One was to put “food on the table” for his family because he left the comptroller’s office “with negative net worth – [and] it was negative by a lot.”

His other motivation was to find ways of fixing people’s problems from a broader perspective than the law sometimes allows. “I love the practice of law,’’ he says. “It’s intellectually satisfying.” But from his perspective, the law is just one way to solve a problem. Ludwig says he was looking for a way to “solve problems more broadly and bring in lawyers when they’re needed.” This led to a prolonged burst of entrepreneurial activity in which Ludwig established several firms in the financial services space. His best known venture is probably the Promontory Financial Group, a regulatory consulting firm that he eventually sold to IBM.

Ludwig’s most recent initiative is the Ludwig Institute for Shared Economic Prosperity, which he started in 2019. Ludwig believes the American dream has vanished for many median- and low-income families, and the institute has developed a new metric which makes a more accurate assessment of how inflation is hurting those families than traditional measurements such as the Consumer Price Index — which he says drastically understates the impact.

Ludwig hopes the Institute’s work gives policymakers in Washington, D.C., a clearer sense of how desperate the situation is for millions of American families and leads to positive action.

This episode, and all past episodes of The Slant Podcast, are available on Bank Director, Spotify and Apple Music.

3 M&A Risks to Consider

One crucial component of the merger and acquisitions process is due diligence, which needs to be performed efficiently within a limited amount of time as opportunities arise. Senior management is primarily responsible for this task, but may need assistance from key areas such as compliance, and often uses third-party support. If your bank is considering an acquisition, consider these three risks and document them as part of your due diligence.

1. Credit Risk
Potential acquirers must perform rigorous due diligence on the target bank’s credit portfolio — it’s imperative to the success of any merger. Executives at the acquiring bank need to understand the loan portfolio, including the types of credits offered, underwriting practices and problem loan management. This includes reviewing sample credits, including the top borrowers, adversely classified loans, watch list loans, loans to insiders and a sample of loans of each collateral type, if possible.

While there is no required portfolio coverage for due diligence, executives should have a flavor for the lending practices at the target bank.

2. Financial Risk
As part of due diligence, executives need to gain an understanding of the balance sheet and income statement at the target bank. Consider:

  • As 2022 unfolds, the Federal Reserve has indicated it will continue increasing rates in an attempt to reduce inflation, which has created significant unrealized losses in many bond portfolios. This is after many banks invested the influx of cash generated by pandemic-era programs into their bond portfolios in an effort to achieve some return throughout 2021. Consider the impact this could have on bond portfolios in acquisitions, including the value in a sale of the full portfolio, the long-term market rate forecast or even hedging strategies.
  • Review significant on- and off-balance sheet liabilities, including major contracts such as the core system contract, employment contracts, equity plans or stock options. These contracts could result in additional liabilities for the acquiring bank.
  • Acquirers will need an independent valuation of the target bank, including an estimate of the goodwill, core deposit intangibles, fair value adjustments to loans and other fair value adjustments that will be considered as part of the transaction. This valuation should be fluid, starting with the preliminary stages of the merger discussions, and evolving and refining as the merger proceeds.
  • Executives should prepare pro forma and projected financial statements to depict what the combined organization will look like at the merger date and going forward. In addition, those financial statements should determine the rate of return on the acquisition and the earn-back period.

3. Reputational Risk
Many banks are heavily involved and invested in their local communities, including deep and long-standing relationships with many bank customers. The art of combining two institutions and selling the “new” institution to the existing customers takes planning and care.

In addition, the employees and branches of the target bank are part of that same community. If the transaction includes retaining all employees and branches, communicate that as part of the press releases. If necessary, consider stay bonuses to retain the talent of the target bank. The new combined entity will want to uphold a positive and strong reputation throughout the community.

Bonus: Cyber Risk
Here’s a bonus tip to consider during your due diligence process: Cyber risk continues to be top of mind for advisors and regulators alike. As part of the transaction, assess the target bank’s information technology environment. That includes reviewing any external reports or assessments, and understanding any findings and the related remediation. In addition, identify material gaps or issues in due diligence so the bank is not surprised by additional costs at merger consummation.

If mergers and acquisitions are part of your bank’s strategic plan, having a proper plan in place to direct due diligence can help you execute the transaction seamlessly and with success. Put together an internal team that can help you review those risks or explore external options to assist.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader.

Staff Shortages Snarl Fraud Oversight

For some community banks, workforce attrition and hiring pressures could be adding an extra layer of difficulty to their ability to combat fraud. 

Concurrent with the Great Resignation, financial institutions have been fending off fraud of all kinds, from spear phishing attacks to account takeovers to check fraud, sometimes with a digital twist. In response, boards should understand where their organizations might be vulnerable and what kinds of proactive measures they might take. 

“That intersection of increasing fraud attacks with the strain on the workforce — I would say that is the biggest thing that we are seeing our clients struggle with,” says Vikas Agarwal, financial crimes unit leader at PwC. 

Specialized anti-fraud talent is in high demand, and prospective employees can command higher wages than they could before.

Seventy-eight percent of the senior executives and directors who responded to Bank Director’s 2022 Compensation Survey in March and April say that it’s been harder to attract and retain talent in the past year. Forty-one percent indicate that their bank increased risk and compliance staffing in 2021, and 29% expect to fill more of these positions in the year ahead. 

Attrition in the risk and compliance functions can eventually lead to a backlog of alerts to work through, experts say. 

“With turnover, you lose institutional knowledge and some efficiencies with how to run a risk and compliance department. As you have turnover, backlogs may build up,” says Kevin Toomey, a partner with the law firm Arnold & Porter. “Backlogs are a scary concept for banks, but also for the boards of banks. It could mean that not everything is running like a well-oiled machine.”  

Higher turnover could also make an institution more vulnerable to phishing and spear phishing attacks, says Ron Hulshizer, managing director at the accounting firm FORVIS. Those are both types of email impersonation attacks, used to install malware or gain access to information; spear phishing tends to be targeted to a specific individual. Noting that his firm has seen an increase in ransomware and extortion attacks against banks, Hulshizer says phishing attempts often give fraudsters a foot in the door.  

“It’s typically a phishing email that comes in, somebody falls for something, eventually, [and] the really bad malware gets installed,” he says. “Then it starts doing its thing and destroying files.”  

Scams, account takeovers and synthetic identity fraud are among the more common forms of fraud that community banks are dealing with right now. A LexisNexis Risk Solutions study published earlier this year identified synthetic ID as a big driver of fraud losses and also noted a rise in phishing scams during the pandemic. Scams have gotten particularly sophisticated, says Christina Williams, financial crimes consulting manager at the accounting and consulting technology firm Crowe. In some cases, she says, scammers have spoofed a financial institution’s 800-number to fool customers into giving up information that is then used to gain account access. 

But fraud seldom goes extinct, and some financial institutions have seen a resurgence in various types of check fraud since the pandemic began. Many businesses still rely on paper checks and physical mailboxes, both of which can be compromised, says Williams. Remote deposit capture tools can also be vulnerable to check fraud. Williams says that in some cases, fraudsters have been able to make a phony deposit using the image of a check on another device. Often, the scammer will stick to amounts under $1,000 or $5,000 to avoid triggering a review before the fraudster is able to withdraw the money.

“A lot of the automated systems don’t necessarily pick up on it,” Williams says, emphasizing the importance of having adequate staff to carry out those reviews. “The fraudsters are aware of this; they still are trying to operate under dollar amounts where they believe there won’t be a secondary review.” 

Debit card fraud has also been a perennial pain point for community banks, Hulshizer says. 

Though the board doesn’t need to get involved in day-to-day fraud oversight, directors should know enough to ask the right questions of senior management. In the first place, that means understanding the organization’s baseline: how many and what type of fraud attempts does it experience in a given period, and how much of that fraud is stopped? 

“Do they understand, month to month, is it trending up or is it trending down?” says Agarwal. “Oftentimes, we find that people don’t have simple metrics that help them gauge if their risk to fraud is increasing as an institution or decreasing.” 

Agarwal adds that it’s worth asking whether the bank can contract a third-party firm in the event of a staffing shortage. 

Boards can ask whether management is looking into any new fraud-mitigating technologies, like biometric features meant to curb password fraud, says Hulshizer. 

And make sure that existing technology is regularly updated. “When technology gets old, over time, it ends up not being supported,” Hulshizer says. “When we do audits, we’ll find old operating systems that Microsoft no longer supports.”  

Not only should directors ask about trends in fraud and risk, but they should also be prepared to question senior management about trends in the bank’s staffing and resources, says Toomey. 

“What directors were asking a year ago may be different than what they’re asking 6 months from now,” says Toomey. “And to effectively exercise their oversight responsibilities, they need to start asking these questions now, to assure that their bank isn’t one of the ones that you read about in the papers.” 

5 Things Banks Can Do Right Now to Protect Older Customers

Your bank’s most valuable customers are also its most vulnerable.

Americans born before 1965 hold 65% of bank deposits in the U.S., according to the American Bankers Association 2021 Older Americans Benchmarking Report. They are also routinely targeted by criminals: Adults ages 60 and older reported losing more than $600 million to fraud in 2020 alone, according to the Federal Trade Commission.

Banks’ role in protecting these customers is quickly becoming codified into law. More than half of states mandate that financial institutions report suspected elder financial exploitation to local law enforcement, adult protective services or both.

However, banks need to go further to keep older adults’ money safe. Not only will these efforts help retain the large asset base of these valuable customers, but they can also drive engagement with their younger family members who are involved in aging loved ones’ financial matters. Banks can do five things to support and protect their older adult customers.

1. Train employees to detect and report elder financial exploitation.
Although most banks train employees to spot elder financial exploitation, there’s confusion around reporting suspected exploitation due to privacy concerns, according to the Consumer Financial Protection Bureau. And when banks do file reports, they often aren’t filed directly with law enforcement or state Adult Protective Services agencies.

Executives must ensure their bank has clear guidelines for employees on reporting suspected exploitation. Training employees to detect and report fraud can help reduce the amount of money lost to exploitation. A study by AARP and the Virginia Tech Center for Gerontology found that bank tellers who underwent AARP’s BankSafe training reported five times as many suspicious incidents and saved older customers 16 times as much money as untrained tellers did.

2. Use senior-specific technology to monitor for fraud and financial mistakes.
Standard bank alerts don’t go far enough to protect against elder fraud. Banks should offer a financial protection service that:

  • Recognizes senior-specific risks such as unusual transfers, unfamiliar merchants and transactions that could be related to scams.
  • Monitors accounts to determine what is “normal” for each individual.
  • Detects changes in transactional behavior and notifies customers of suspicious activity and their own money mistakes.

Bank Director identified companies and services, like Carefull, that can offer added protection by analyzing checking, savings and credit card accounts around the clock, creating alerts when encountering signs of fraud and other issues that impact older adults’ finances, such as duplicate or missed payments, behavior change and more.

3. Ensure older customers have trusted contacts.
The CFPB recommends that financial institutions enable older account holders to designate a trusted contact. If your bank isn’t already providing this service, it should. Technology gives banks a way to empower users to add trusted contacts to their accounts or grant varying levels of view-only permissions. This helps banks ensure that their customers’ trusted contacts are informed about any potential suspicious activity. It’s also a way for banks to connect with those contacts and potentially bring them on as new customers.

4. Create content to educate older customers.
Banks should inform older customers how to safeguard their financial well-being. This includes alerting them to scams and providing time-sensitive planning support, video courses and webinars about avoiding fraud.

Banks must also provide older customers with information about planning for incapacity, including the institution’s policy for naming a power of attorney. And banks must accept legally drafted power of attorney documents without creating unnecessary hurdles. Having a policy here allows for this balance.

5. Create an ongoing engagement strategy with older customers.
The days of banks simply shifting older adults to “senior checking accounts” are fading. Banks should take a more active role in engaging with older customers. Failing to do so increases the risk that this valuable customer base could fall victim to fraud, which AARP estimates totals about $50 billion annually.

Banks need a strategy to combine training, technology and content to generate ongoing senior engagement. Working with a trusted partner that has a proven track record of helping banks engage and protect older customers could be the key to implementing this sort of holistic approach.

A Proactive Approach to Risk Adjusted Performance Management

Banks need to assess their lending practices to get a clear view of how the financial climate, and emerging economic uncertainty, will impact their corporate clients and the growth and performance of their business.

To do that, they need to fully understand their exposure to interest-rate and liquidity risk, and proactively manage their balance sheets to maintain growth and enhance profitability. They need to analyze their lending practices, identifying sources of funding and qualifying loan targets to ensure proper loan management. All of this necessarily entails a re-evaluation of their internal systems’ ability to respond to changes that can impact balance-sheet risk and returns. And many banks have concluded that legacy point solutions are not up to demands from the risk and finance departments to model numerous business and risk scenarios.

For these banks, the solution is an overhaul: combining the modeling capabilities of asset and liability management systems with the governance and reach of planning systems and the analytical power of advanced business intelligence tools.

As part of this approach, banks no longer limit asset liability management to regulatory compliance. They are moving beyond compliance, toward creating business value through flexible scenario modeling for a holistic view of the risk factors impacting the future performance of the business.

To benefit from this kind of proactive approach to risk-adjusted profitability management, banks need to implement several key capabilities. These include methodologies and processes for interest-rate management and balance-sheet optimization for fast and efficient advanced scenario modeling. Banks also need the analytical power to rapidly evaluate the results and options available to them. Finally, banks need to act on this analysis. This requires them to put in place the information tooling needed to enable frontline staff to execute the selected options, as well as processes and metrics that allow management to assess the impact of any given measure.

As they move toward a holistic risk-adjusted performance management platform, bankers should ask themselves the following questions:

  • What factors are impacting earnings and liquidity within the changing environment?
  • Is the bank incorporating input from market-facing staff related to growth, spreads and potential losses?
  • Is the bank taking a credit hit? If so, how much?
  • Is the bank managing based on its current balance-sheet composition, without considering future events? Is it counting on cash flows that might disappear?
  • Are the bank’s systems capable of handling different interest-rate scenarios, including high volatility and negative rates? Can the bank measure the impact of these scenarios on liquidity and earnings?
  • Is the bank’s current asset liability management solution supporting decisions that will maximize stakeholder value?

Any solution should combine three key attributes. First, it should include an asset/liability management system capable of quickly computing multiple scenarios from the bottom up. Second, the solution needs to include business analytical tools to compare and contrast the rapid reaction plans for prioritization and execution. And finally, it needs a risk-adjusted performance management (RAPM) tool to measure and manage the results.

Attempting to build a solution in-house with this breadth of capabilities can itself be a risky business. Banks often cobble together a fragmented solution, since legacy point systems are typically focused on addressing just one aspect or requirement. This approach lacks a comprehensive or holistic view of the bank’s true risk position. Indeed, manual processes based on spreadsheets of general ledger data may provide a current view of the business, but fail to model for unforeseen risks or changing behaviors. The result can be a disconnect between the bank’s view of the risks it faces and the true factors impacting the bank’s performance going forward.

On top of that, dealing with multiple systems and suppliers introduces its own risk into the situation, including miscommunication, lack of clarity over ownership of key functions and poor interoperability that can potentially disrupt workflows. The bank may need to maintain multiple project teams with various specializations and vendor points of contact for multiple individual suppliers, introducing complexity and expense.

That’s why banks increasingly are turning toward a more integrated approach combining risk, compliance and analytics to meet the challenge of risk-adjusted performance management. Adopting a consolidated platform can give banks the consistency and agility to gain a true view of their risk situation. The result is a realistic, holistic view of the bank’s business trajectory, accessible and managed through a single point of contact, ensuring consistency of approach and operational efficiency.

Revisiting Funds Transfer Pricing Post-LIBOR

The end of 2021 also brought with it the planned discontinuation of the London Interbank Offered Rate, or LIBOR, the long-running and globally popular benchmark rate.

Banks in a post-LIBOR world that have been using the LIBOR/interest rate swap curve as the basis for their funds transfer pricing (FTP) will have to replace the benchmark as it is phased out. This also may be a good time for banks using other indices, like FHLB advances and brokered deposits, to evaluate the effectiveness of their methodologies for serving their intended purpose. In both situations, newly available interest rate index curves can contribute to a better option for FTP.

The interest rate curve derived from the LIBOR/swap curve is the interest rate component of FTP at most large banks. It usually is combined with a liquidity transfer price curve to form a composite FTP curve. Mid-sized and smaller banks often use the FHLB advance curve, which is sometimes combined with brokered deposit rates to produce their composite FTP curve. These alternative approaches for calculating FTP do not result in identical curves. As such, having different FTP curves among banks has clear go-to-market implications.

Most large banks are adopting SOFR (secured overnight funding rate) as their replacement benchmark rate for LIBOR to use when indexing floating rate loans and for hedging. SOFR is based on actual borrowing transactions secured by Treasury securities. It is reflective of a risk-free rate and not bank cost of funds, so financial institutions must add a compensating spread to SOFR to align with LIBOR.

Many mid-tier banks are gravitating to Ameribor and the Bloomberg short-term bank yield (BSBY) index, which provide rates based on an aggregation of unsecured bank funding transactions. These indices create a combined interest sensitivity and liquidity interest rate curve; the interest rate and liquidity implications cannot be decomposed for, say, differentiating a 3-month loan from a 5-year loan that reprices every three months.

An effective FTP measure must at least:

  • Accurately reflect the interest rate environment.
  • Appropriately reflect a bank’s market cost of funding in varying economic markets.
  • Be able to separate interest rate and liquidity components for floating rate and indeterminate maturity instruments.

These three principles alone set a high bar for a replacement rate for LIBOR and for how it is applied. They also highlight the challenges of using a single index for both interest rate and liquidity FTP. None of the new indices (SOFR, Ameribor or BSBY) meets these basic FTP principles by itself; neither do FHLB advances or brokered deposits.

How should a bank proceed? If we take a building block approach to this problem, then we want to consider what the potential building blocks are that can contribute to meeting these principles.

SOFR is intended to accurately reflect the interest rate environment, and using Treasury-secured transactions seems to meet that objective. The addition of a fixed risk-neutral premium to SOFR provides an interest rate index like the LIBOR/swap curve.

Conversely, FHLB advances and brokered deposits are composite curves that represent bank collateralized or insured wholesale funding costs. They capture composite interest sensitivity and liquidity but lack any form of credit risk for term funding. This works fine under some conditions, but may put these banks at a pricing disadvantage for gathering core deposits relative to banks that value liquidity more highly.

Both Ameribor and BSBY are designed to provide a term structure of bank credit sensitive interest rates representative of bank unsecured financing costs. Effectively, these indices provide a composite FTP curve capturing interest sensitivity, liquidity and credit sensitivity. However, because they are composite indices, interest sensitivity and liquidity cannot be decomposed and measured separately. Floating rate and indeterminate-maturity transactions will be difficult to correctly value, since term structure and interest sensitivity are independent.

Using some of these elements as building blocks, a fully-specified FTP curve that separately captures interest sensitivity, liquidity and credit sensitivity can be built which meets the three criteria set above. As shown in the graphic, banks can create a robust FTP curve by combining SOFR, a risk-neutral premium and Ameribor or BSBY. An FTP measure generated from these elements sends appropriate signals on valuation, pricing and performance in all interest rate and economic environments.

The phasing out of LIBOR and the introduction of alternative indices for FTP is forcing banks to review the fundamental components of FTP. As described, banks are not using one approach to calculate FTP; the results of these different approaches have significant go-to-market implications that need to be evaluated at the most senior levels of management.