5 Things Banks Can Do Right Now to Protect Older Customers

Your bank’s most valuable customers are also its most vulnerable.

Americans born before 1965 hold 65% of bank deposits in the U.S., according to the American Bankers Association 2021 Older Americans Benchmarking Report. They are also routinely targeted by criminals: Adults ages 60 and older reported losing more than $600 million to fraud in 2020 alone, according to the Federal Trade Commission.

Banks’ role in protecting these customers is quickly becoming codified into law. More than half of states mandate that financial institutions report suspected elder financial exploitation to local law enforcement, adult protective services or both.

However, banks need to go further to keep older adults’ money safe. Not only will these efforts help retain the large asset base of these valuable customers, but they can also drive engagement with the younger family members who are involved in aging loved ones’ financial matters. Banks can do five things to support and protect their older adult customers.

1. Train employees to detect and report elder financial exploitation.
Although most banks train employees to spot elder financial exploitation, there’s confusion around reporting suspected exploitation due to privacy concerns, according to the Consumer Financial Protection Bureau. And when banks do file reports, they often aren’t filed directly with law enforcement or state Adult Protective Services agencies.

Executives must ensure their bank has clear guidelines for employees on reporting suspected exploitation. Training employees to detect and report fraud can help reduce the amount of money lost to exploitation. A study by AARP and the Virginia Tech Center for Gerontology found that bank tellers who underwent AARP’s BankSafe training reported five times as many suspicious incidents and saved older customers 16 times as much money as untrained tellers did.

2. Use senior-specific technology to monitor for fraud and financial mistakes.
Standard bank alerts don’t go far enough to protect against elder fraud. Banks should offer a financial protection service that:

  • Recognizes senior-specific risks such as unusual transfers, unfamiliar merchants and transactions that could be related to scams.
  • Monitors accounts to determine what is “normal” for each individual.
  • Detects changes in transactional behavior and notifies customers of suspicious activity and their own money mistakes.
  • Bank Director identified companies and services, like Carefull, that can offer added protection by analyzing checking, savings and credit card accounts around the clock, creating alerts when encountering signs of fraud and other issues that impact older adults’ finances, such as duplicate or missed payments, behavior change and more.

3. Ensure older customers have trusted contacts.
The CFPB recommends that financial institutions enable older account holders to designate a trusted contact. If your bank isn’t already providing this service, it should. Technology gives banks a way to empower users to add trusted contacts to their accounts or grant varying levels of view-only permissions. This helps banks ensure that their customers’ trusted contacts are informed about any potential suspicious activity. It’s also a way for banks to connect with those contacts and potentially bring them on as new customers.

4. Create content to educate older customers.
Banks should inform older customers how to safeguard their financial well-being. This includes alerting them to scams and providing time-sensitive planning support, video courses and webinars about avoiding fraud.

Banks must also provide older customers with information about planning for incapacity, including the institution’s policy for naming a power of attorney. And banks must accept legally drafted power of attorney documents without creating unnecessary hurdles. Having a policy here allows for this balance.

5. Create an ongoing engagement strategy with older customers.
The days of banks simply shifting older adults to “senior checking accounts” are fading. Banks should take a more active role in engaging with older customers. Failing to do so increases the risk that this valuable customer base could fall victim to fraud, which AARP estimates totals about $50 billion annually.

Banks need a strategy to combine training, technology and content to generate ongoing senior engagement. Working with a trusted partner that has a proven track record of helping banks engage and protect older customers could be the key to implementing this sort of holistic approach.

A Proactive Approach to Risk Adjusted Performance Management

Banks need to assess their lending practices to get a clear view of how the financial climate, and emerging economic uncertainty, will impact their corporate clients and the growth and performance of their business.

To do that, they need to fully understand their exposure to interest-rate and liquidity risk, and proactively manage their balance sheets to maintain growth and enhance profitability. They need to analyze their lending practices, identifying sources of funding and qualifying loan targets to ensure proper loan management. All of this necessarily entails a re-evaluation of their internal systems’ ability to respond to changes that can impact balance-sheet risk and returns. And many banks have concluded that legacy point solutions are not up to demands from the risk and finance departments to model numerous business and risk scenarios.

For these banks, the solution is an overhaul: combining the modeling capabilities of asset and liability management systems with the governance and reach of planning systems and the analytical power of advanced business intelligence tools.

As part of this approach, banks no longer limit asset liability management to regulatory compliance. They are moving beyond compliance, toward creating business value through flexible scenario modeling for a holistic view of the risk factors impacting the future performance of the business.

To benefit from this kind of proactive approach to risk-adjusted profitability management, banks need to implement several key capabilities. These include methodologies and processes for interest-rate management and balance-sheet optimization for fast and efficient advanced scenario modeling. Banks also need the analytical power to rapidly evaluate the results and options available to them. Finally, banks need to act on this analysis. This requires them to put in place the information tooling needed to enable frontline staff to execute the selected options, as well as processes and metrics that allow management to assess the impact of any given measure.

As they move toward a holistic risk-adjusted performance management platform, bankers should ask themselves the following questions:

  • What factors are impacting earnings and liquidity within the changing environment?
  • Is the bank incorporating input from market-facing staff related to growth, spreads and potential losses?
  • Is the bank taking a credit hit? If so, how much?
  • Is the bank managing based on its current balance-sheet composition, without considering future events? Is it counting on cash flows that might disappear?
  • Are the bank’s systems capable of handling different interest-rate scenarios, including high volatility and negative rates? Can the bank measure the impact of these scenarios on liquidity and earnings?
  • Is the bank’s current asset liability management solution supporting decisions that will maximize stakeholder value?

Any solution should combine three key attributes. First is that it should include an asset/liability management system capable of quickly computing multiple scenarios from the bottom up. Second, the solution needs to include business analytical tools to compare and contrast the rapid reaction plans for prioritization and execution. And finally, it needs a risk-adjusted performance management (RAPM) tool to measure and manage the results.

Attempting to build a solution in-house with this breadth of capabilities can itself be a risky business. Banks often cobble together a fragmented solution, since legacy point systems are typically focused on addressing just one aspect or requirement. This approach lacks a comprehensive or holistic view of the bank’s true risk position. Indeed, manual processes based on spreadsheets of general ledger data may provide a current view of the business, but fail to model for unforeseen risks or changing behaviors. The result can be a disconnect between the bank’s view of the risks it faces and the true factors impacting the bank’s performance going forward.

On top of that, dealing with multiple systems and suppliers introduces its own risk into the situation, including miscommunication, lack of clarity over ownership of key functions and poor interoperability that can potentially disrupt workflows. The bank may need to maintain multiple project teams with various specializations and separate vendor points of contact for each individual supplier, introducing complexity and expense.

That’s why banks increasingly are turning toward a more integrated approach combining risk, compliance and analytics to meet the challenge of risk-adjusted performance management. Adopting a consolidated platform can give banks the consistency and agility to gain a true view of their risk situation. The result is a realistic, holistic view of the bank’s business trajectory, accessible and managed through a single point of contact, ensuring consistency of approach and operational efficiency.

Revisiting Funds Transfer Pricing Post-LIBOR

The end of 2021 also brought with it the planned discontinuation of the London Interbank Offered Rate, or LIBOR, the long-running and globally popular benchmark rate.

Banks in a post-LIBOR world that have been using the LIBOR/interest rate swap curve as the basis for their funds transfer pricing (FTP) will have to replace the benchmark as it is phased out. This also may be a good time for banks using other indices, like FHLB advances and brokered deposits, to evaluate the effectiveness of their methodologies for serving their intended purpose. In both situations, newly available interest rate index curves can contribute to a better option for FTP.

The interest rate curve derived from the LIBOR/swap curve is the interest rate component of FTP at most large banks. It usually is combined with a liquidity transfer price curve to form a composite FTP curve. Mid-sized and smaller banks often use the FHLB advance curve, which is sometimes combined with brokered deposit rates to produce their composite FTP curve. These alternative approaches for calculating FTP do not result in identical curves. As such, having different FTP curves among banks has clear go-to-market implications.

Most large banks are adopting SOFR (Secured Overnight Financing Rate) as their replacement benchmark rate for LIBOR to use when indexing floating rate loans and for hedging. SOFR is based on actual borrowing transactions secured by Treasury securities. It is reflective of a risk-free rate and not bank cost of funds, so financial institutions must add a compensating spread to SOFR to align with LIBOR.

Many mid-tier banks are gravitating to Ameribor and the Bloomberg short-term bank yield (BSBY) index, which provide rates based on an aggregation of unsecured bank funding transactions. These indices create a combined interest sensitivity and liquidity interest rate curve; the interest rate and liquidity implications cannot be decomposed for, say, differentiating a 3-month loan from a 5-year loan that reprices every three months.

An effective FTP measure must at least:

  • Accurately reflect the interest rate environment.
  • Appropriately reflect a bank’s market cost of funding in varying economic markets.
  • Be able to separate interest rate and liquidity components for floating rate and indeterminate maturity instruments.

These three principles alone set a high bar for a replacement rate for LIBOR and for how it is applied. They also highlight the challenges of using a single index for both interest rate and liquidity FTP. None of the new indices — SOFR, Ameribor or BSBY — meets these basic FTP principles by themselves; neither can FHLB advances or brokered deposits.

How should a bank proceed? If we take a building block approach to this problem, then we want to consider what the potential building blocks are that can contribute to meeting these principles.

SOFR is intended to accurately reflect the interest rate environment, and using Treasury-secured transactions seems to meet that objective. The addition of a fixed risk-neutral premium to SOFR provides an interest rate index like the LIBOR/swap curve.

Conversely, FHLB advances and brokered deposits are composite curves that represent bank collateralized or insured wholesale funding costs. They capture composite interest sensitivity and liquidity but lack any form of credit risk for term funding. This works fine under some conditions, but may put these banks at a pricing disadvantage for gathering core deposits relative to banks that value liquidity more highly.

Both Ameribor and BSBY are designed to provide a term structure of bank credit sensitive interest rates representative of bank unsecured financing costs. Effectively, these indices provide a composite FTP curve capturing interest sensitivity, liquidity and credit sensitivity. However, because they are composite indices, interest sensitivity and liquidity cannot be decomposed and measured separately. Floating rate and indeterminate-maturity transactions will be difficult to correctly value, since term structure and interest sensitivity are independent.

Using some of these elements as building blocks, a fully-specified FTP curve that separately captures interest sensitivity, liquidity and credit sensitivity can be built which meets the three criteria set above. As shown in the graphic, banks can create a robust FTP curve by combining SOFR, a risk-neutral premium and Ameribor or BSBY. An FTP measure generated from these elements sends appropriate signals on valuation, pricing and performance in all interest rate and economic environments.

The phasing out of LIBOR and the introduction of alternative indices for FTP is forcing banks to review the fundamental components of FTP. As described, banks are not using one approach to calculate FTP; the results of these different approaches have significant go-to-market implications that need to be evaluated at the most senior levels of management.

Defending Your Bank Against Cybercrime

Fraudsters always look for the path of least resistance.

Recently, the most vulnerable targets have been government funded pandemic relief programs. According to recent research from several academics, 15% of Paycheck Protection Program loans were fraudulent in the 18 months leading to August 2021, totaling $76 billion. And the U.S. Department of Labor reported $87 billion in unemployment benefit scams during that same period.

As Covid-19 relief programs wind down, fraudsters are redirecting their focus from government-backed programs to bank customers and employees. The latter half of 2021 saw an uptick in traditional types of cybercrime: identity fraud, ransomware, social engineering and money laundering. So, what can a bank do to keep itself safe?

Arm employees and customers with knowledge.
Share resources and stories to help employees and customers understand the risk of cybercrime, defend their devices and detect suspicious activity. Employees are the first line of defense; it only takes one breach to compromise an institution. Provide training programs to educate staff about the different types of financial crimes and detection mechanisms. In addition, take steps to heighten customers’ awareness of fraud trends through campaigns and educational programs. For example, it is important that employees and customers know how to verify host files and certificates, tell the difference between valid and scam websites, store confidential information and private data on their devices and set up their devices on different network servers to minimize damage in case of an attack.

Build financial crime programs.
Investing in fraud, anti-money laundering and cybersecurity tools without a long-term strategic plan is a futile and expensive proposition. It’s common for organizations to have strategic initiatives for digital delivery channels and customer experience, but lack a financial crimes strategy. Many financial institutions do not realize they need one until it is too late: they suffer a large loss that could have been prevented. Banks should first identify, evaluate and classify assets and risks and then build a program as part of the long-term business strategy rather than a disconnected component. This approach helps to recognize an institution’s vulnerabilities and launch the most effective defensive strategy.

Invest in modern defense technologies.
Encryption, software patching, firewalls, multi-factor authentication and real-time monitoring systems are all part of the complex, multifaceted defense that mitigates the risk of an attack. There’s not a single solution that can do it all. For instance, early breach detection mechanisms act as a strong defense, sending alerts and triggering backup and recovery programs in the event of an attack. Artificial intelligence and machine learning technologies can go on the offense, analyzing customer behavior, tracking transactions and reporting on deviations from usual behavior in real time. Adding workflows to automated alerts allows accountholders to be involved in challenging transactions, reducing the risk of errors down the line. The foundation of any security program is continuous monitoring and evaluation of vulnerabilities, defense technologies and risk plans.
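The monitoring described here, and the senior-specific monitoring described earlier (learning what is “normal” for each account, then flagging unusual transfers, unfamiliar merchants, duplicate payments and missed bills), both come down to a per-account behavioural baseline with rules evaluated against new activity and an alert status that routes the item to the customer. The following is an added example written for this page; it is not code from Carefull or any other vendor named in these articles. The account history and December activity are constructed, and the thresholds (three standard deviations, a three-day duplicate window, three months to count a bill as recurring) are assumptions chosen for illustration.

```python
"""Per-account behavioural baseline and alerting over constructed sample data."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed history for one account: (date, payee/merchant, amount, kind).
HISTORY = [
    (date(2021, 9, 3), "Acme Power", 142.10, "payment"),
    (date(2021, 9, 5), "Town Water", 38.00, "payment"),
    (date(2021, 9, 10), "Corner Grocery", 61.25, "card"),
    (date(2021, 9, 17), "Corner Grocery", 58.40, "card"),
    (date(2021, 10, 3), "Acme Power", 139.80, "payment"),
    (date(2021, 10, 5), "Town Water", 38.00, "payment"),
    (date(2021, 10, 9), "Corner Grocery", 64.00, "card"),
    (date(2021, 10, 21), "Main St Pharmacy", 23.15, "card"),
    (date(2021, 11, 3), "Acme Power", 145.00, "payment"),
    (date(2021, 11, 5), "Town Water", 38.00, "payment"),
    (date(2021, 11, 12), "Corner Grocery", 59.90, "card"),
]

# Constructed December activity to screen against that history.
NEW = [
    (date(2021, 12, 3), "Acme Power", 141.30, "payment"),
    (date(2021, 12, 3), "Acme Power", 141.30, "payment"),           # duplicate bill payment
    (date(2021, 12, 8), "Corner Grocery", 62.75, "card"),
    (date(2021, 12, 9), "Gift Card Outlet", 1950.00, "card"),       # unfamiliar merchant, large
    (date(2021, 12, 9), "Wire to new payee", 4800.00, "transfer"),  # account has never wired
]
AS_OF = date(2021, 12, 31)

# Thresholds are assumptions for this example, not values from the article.
Z_THRESHOLD = 3.0                      # standard deviations from the account's own norm
DUPLICATE_WINDOW = timedelta(days=3)   # same payee and amount inside this window
RECURRING_MIN_MONTHS = 3               # months a payee must appear in to count as a regular bill


def build_baseline(history):
    """Summarise what is 'normal' for this account from its own history."""
    amounts, months_seen, merchants = defaultdict(list), defaultdict(set), set()
    for when, merchant, amount, kind in history:
        amounts[kind].append(amount)
        merchants.add(merchant)
        if kind == "payment":
            months_seen[merchant].add((when.year, when.month))
    stats = {kind: (mean(v), pstdev(v)) for kind, v in amounts.items()}
    recurring = {m for m, ms in months_seen.items() if len(ms) >= RECURRING_MIN_MONTHS}
    return {"merchants": merchants, "stats": stats, "recurring": recurring}


def screen(history, new, as_of):
    """Return alerts for behaviour changes, duplicate payments and missed bills."""
    base = build_baseline(history)
    alerts = []

    # Rule 1: activity of a kind the account never shows, or an amount far outside its norm.
    # These are held for the customer to confirm or challenge before they settle.
    for when, merchant, amount, kind in new:
        if kind not in base["stats"]:
            alerts.append({"rule": "unusual_activity", "date": when, "merchant": merchant,
                           "amount": amount, "status": "hold_pending_customer_review",
                           "detail": f"no history of {kind} activity on this account"})
            continue
        mu, sd = base["stats"][kind]
        z = (amount - mu) / sd if sd else (0.0 if amount == mu else float("inf"))
        if z > Z_THRESHOLD:
            alerts.append({"rule": "unusual_amount", "date": when, "merchant": merchant,
                           "amount": amount, "status": "hold_pending_customer_review",
                           "unfamiliar_merchant": merchant not in base["merchants"],
                           "detail": f"{z:.1f} standard deviations above typical {kind} amount"})

    # Rule 2: same payee, amount and kind within a short window (a likely double payment).
    combined = sorted(history + new, key=lambda t: t[0])
    for i, (when, merchant, amount, kind) in enumerate(combined):
        if (when, merchant, amount, kind) not in new:
            continue
        for prev in combined[:i]:
            if prev[1:] == (merchant, amount, kind) and when - prev[0] <= DUPLICATE_WINDOW:
                alerts.append({"rule": "duplicate_payment", "date": when, "merchant": merchant,
                               "amount": amount, "status": "notify_customer",
                               "detail": f"matches payment on {prev[0]}"})
                break

    # Rule 3: a regular monthly bill with no payment in the as-of month (a money mistake).
    paid_this_month = {m for d, m, _, k in new
                       if k == "payment" and (d.year, d.month) == (as_of.year, as_of.month)}
    for payee in sorted(base["recurring"] - paid_this_month):
        alerts.append({"rule": "missed_payment", "date": as_of, "merchant": payee,
                       "amount": None, "status": "notify_customer",
                       "detail": f"paid in {RECURRING_MIN_MONTHS}+ prior months, none in {as_of:%B}"})
    return alerts


if __name__ == "__main__":
    for alert in screen(HISTORY, NEW, AS_OF):
        print(alert["rule"], alert["merchant"], alert["status"], alert["detail"])
```

Run against the constructed data it raises four alerts: the oversized purchase at an unfamiliar merchant and the wire (no wire history at all) are held pending customer review, while the double payment to Acme Power and the missing December Town Water bill are routed as customer notifications. The baseline is deliberately per account rather than per segment, which is what lets a $1,950 purchase stand out for a customer whose card spend has never exceeded $64.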

Test your incident response plan.
It is vital to test the resiliency of plans with simulated fraud or cybersecurity attacks. Don’t underestimate the chaos that a breach will cause. Everyone at the bank, from directors and the C-suite to the branch managers, must understand and be comfortable with their role in mitigating loss.

Banks spend plenty of resources building sticky customer relationships, but fraud immediately breaks that bond. A research paper by Carnegie Mellon University found that 37% of customers leave their financial institution after experiencing fraud. When a customer account is compromised, the user needs to completely modify the information on that account, including direct deposits and utility payments. The lack of trust in their financial institution, coupled with the need to rebuild their account from scratch, pushes customers to shop for another institution.

As new technologies emerge and the financial services industry becomes increasingly digitalized, the risk of financial fraud also grows. Fraudsters are constantly evolving their strategies to take advantage of new vulnerabilities. To keep safe, banks need a top-down management approach that focuses on education, long-term defense programs, modern technologies and continuous testing. Customers expect a high level of security and fraud protection from their financial institution; if they don’t get it, they will look elsewhere. In order to grow and retain their customer base, banks need to have an upper hand in the war on bank fraud.

Use Cases, Best Practices For Working With Fintechs

Bank leadership teams often come under pressure to quickly establish new fintech relationships in response to current market and competitive trends.

The rewards of these increasingly popular collaborations can be substantial, but so can the associated risks. To balance these risks and rewards, bank boards and senior executives should understand the typical use-case scenarios that make such collaborations appealing, as well as the critical success factors that make them work.

Like any partnership, a successful bank-fintech collaboration begins with recognizing that each partner has something the other needs. For fintechs, that “something” is generally access to payment rails and the broader financial system — and in some cases, direct funding and access to a bank’s customer base. For banks, such partnerships can make it possible to implement advanced technological capabilities that would be impractical or cost-prohibitive to develop internally.

At a high level, bank-fintech partnerships generally fall into two broad categories:

1. Customer-facing collaborations. Among the more common use cases in this category are new digital interfaces, such as banking-as-a-service platforms and targeted online offerings such as deposit services, lending or credit products, and personal and commercial financial management tools.

In some collaborations, banks install software developed by fintech to automate or otherwise enhance their interactions with customers. In others, banks allow fintech partners to interact directly with bank customers using their own brand to provide specialized services such as payment processing or peer-to-peer transactions. In all such relationships, banks must be alert to the heightened third-party risks — including reputational risk — that result when a fintech partner is perceived as an extension of the bank. The bank also maintains ultimate accountability for consumer protection, financial crimes compliance and other similar issues that could expose it to significant harm.

2. Infrastructure and operational collaborations. In these partnerships, banks work with fintechs to streamline internal processes, enhance regulatory monitoring or compliance systems, or develop other technical infrastructure to upgrade core platforms or support systems such as customer onboarding tools. In addition to improving operational efficiency and accuracy, such partnerships also can enable banks to expand their product offerings and improve the customer experience.

Although each situation is unique, successful bank-fintech partnerships generally share some important attributes, including:

  • Strategic and cultural alignment. Each organization enters the collaboration for its own reasons, but the partnership’s business plan must support both parties’ strategic objectives. It’s necessary that both parties have a compatible cultural fit and complementary views of how the collaboration will create value and produce positive customer outcomes. They must clearly define the roles and contributions and be willing to engage in significant transparency and data sharing on compatible technology platforms.
  • Operational capacity, resilience and compatibility. Both parties’ back-office systems must have sufficient capacity to handle the increased data capture and data processing demands they will face. Bank systems typically incorporate strict controls; fintech processes often are more flexible. This disparity can present additional risks to the bank, particularly in high-volume transactions. Common shortcomings include inadequate capacity to handle customer inquiries, disputes, error resolution and complaints. As a leading bank’s chief operating officer noted at a recent Bank Director FinXTech event, improper handling of Regulation E errors in a banking-as-a-service relationship is one of the quickest ways to put a bank’s charter at risk.
  • Integrated risk management and compliance. Although the chartered bank in a bank-fintech partnership inevitably carries the larger share of the regulatory compliance risk, both organizations should be deliberate in embedding risk management and compliance considerations into their new workflows and processes. A centralized governance, risk, and compliance platform can be of immense value in this effort. Banks should be particularly vigilant regarding information security, data privacy, consumer protection, financial crimes compliance and dispute or complaints management.

Proceed Cautiously
Banks should guard against rushing into bank-fintech relationships merely to pursue the newest trend or product offering. Rather, boards and senior executives should require that any relationship begins with a clear definition of the specific issues the partnership will address or the strategic objective it will achieve. In addition, as regulators outlined in recent guidance regarding bank and fintech partnerships, the proposed collaboration should be subject to the full range of due diligence controls that would apply to any third-party relationship.

Successful fintech collaborations can help banks expand their product offerings in support of long-term growth objectives and meet customers’ growing expectations for innovative and responsive new services.

The Most Important Aspect of Third-Party Risk Management

Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.

Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.

Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.

Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.

Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.

Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.

Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.

The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.

So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.

New Synergies in Risk Management for 2022

The past two years have created massive, life changing challenges for just about everyone on the planet — and bank managers and board members are certainly no exception. While the public has been dealing with the Covid-19 nightmare, remote work challenges, child and elder care woes, and concerns about family physical and mental health, bank leadership has had to deal with increased internal risks (operational, cyber, staffing) and external ones (rapid market changes, stressed industries, and a lack of traditional financial measurements, since many businesses did not produce audited financial statements during much of 2020).

As we enter 2022, no one knows for certain how, or if, all of those daunting issues will be resolved. In recent statements, the banking regulatory agencies are suggesting cautious optimism in 2022, though they are wary of complacency and loosening credit underwriting standards. One of the key forces that drive innovation and change in the world is a crisis, and if nothing else, 2020 and 2021 have seen rapid change and massive innovation, including in banking. With this backdrop, let’s look at some of the related developments and some new trends in credit risk management that will likely take place in 2022.

One significant industry change preceded Covid, and that was another acronym that started with a “C,” which was CECL. The story behind the current expected credit losses accounting standard is long and tedious — but a by-product of that rule for most bankers was a newfound understanding of the value of their portfolio’s credit data and how that data ties directly to reserves, risk and profitability. Thanks to CECL’s requirement for vast amounts of historical data, including credit attributes like collateral types, delinquency, payments and segmentation, many banks invested a lot of time and resources gathering, inventorying and cleaning up their credit data for CECL compliance. As a result, more banks than ever before have more information about their loan portfolios, borrowers and their historical and current behavior.

During the time that CECL implementations started, Covid hit and bank managers were challenged with remote work requirements along with addressing PPP and other fast-moving emergency credit programs — creating a need for innovation and automation. Many areas of the bank were suddenly faced with new processes, operations and technology tools that were unplanned. A result of this accelerated change was that areas like commercial lending, credit and loan review were forced to adopt new innovative ways to work. While some of these areas may return to “the old normal,” many will retain most, if not all, of the new improved processes and tools that were needed to survive the challenges of the Covid crisis.

Those two developments, along with a growing understanding of the importance of credit concentration management, are driving new opportunities and synergies in credit risk management in 2022. The concept of credit concentration management is not a new one in banking. Even before the Great Recession of 2007-2009, the agencies made it clear that concentrations could be “bank killers,” with subprime lending and investor-owned commercial real estate (CRE) clear priorities. But now, the combination of more readily available, relevant credit concentration data and new tools and automation have made it significantly easier for banks of all sizes to proactively manage their concentrations.

A very obvious but valuable case study on the importance of concentration management is going on right now, at the start of 2022, in the retail, office and hospitality industry segments. Understanding exposure to these industries and property-type segments has suddenly become a high priority. Unlike in the past, this time banks are much better positioned, with improved data, tools and a more automated approach. The next use case to look at in 2022 is portfolio concentrations based on exposure to acute environmental threats like forest fires, hurricanes and flooding. That will likely be an early first step as more banks incorporate the environmental, social and governance framework into their risk management programs.

Another often neglected, proactive credit risk management process that has gotten a lot more attention during the past two years is portfolio stress testing, or “shocking segments of the portfolio.” This practice was used widely in banking toward the end of the Great Recession to effectively monitor CRE risk, but by 2015, most smaller banks performed only annual tests, and most of those were seen as having little, if any, strategic value. Part of the issue was that the banks simply weren’t collecting enough credit data to perform meaningful testing, and there was a sense that money for stress testing tools could be better spent elsewhere.

Now, with additional risk management tools and better data, stressing concentrations simply makes sense and is achievable for most banks. New stress testing programs for concentrations like restaurants and business hotels are the norm, while more comprehensive and strategic programs are starting to be put in place in banks of all sizes.

As we look back at the years of the Covid crisis, it is only natural to think of the disruption, challenges and uncertainty that banks faced, some of which are still being faced today. But thanks to the forces that drove the challenges in 2020 and 2021, bankers rapidly embraced automation and performed proactive credit data management leveraging innovative practices. Banks need to seize those opportunities and continue to enhance their risk management processes, not letting those benefits pass them by. A 2022 with this more synergistic approach to credit risk management may make the future a little bit brighter for bank management.

Three Tips to Manage Third-Party Cybersecurity Risk

Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in their cybersecurity strategy.

The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.

1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.

Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.

Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.

2. Due Diligence is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.

3. Trust but Verify
After a bank has determined the need for third-party services and conducted due diligence to find the best fit, it is important to ensure that those services continue to perform as expected. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.

Periodically review the bank’s vendors to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs), which can help address issues before an incident occurs. If appropriate, the board should consider engaging an independent provider to audit, monitor for or alert on any issues that could impact the vendor’s ability to meet its SLA.

Banks should consider supporting their vendor management strategy with technology solutions that can:

  1. Track vendors, subsidiaries, relationship owners, documentation and contacts.
  2. Perform vendor due diligence and analyze criticality, usage and spend.
  3. Deliver surveys and risk assessments to external third-party contacts.
  4. Manage contract review and renewals.
  5. Coordinate with legal, procurement, compliance and other functions.
  6. Monitor key vendor metrics via personalized dashboards and dynamic reports.

Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.

Complacency Becomes a Major Risk

One word seems to encapsulate concerns about bankers’ attitudes toward risk in 2022: complacency.

As the economy slowly — and haltingly — normalizes from the impact of the coronavirus pandemic, bankers must ensure they hew to risk management fundamentals as they navigate the next part of the business cycle. Boards and executives must remain vigilant against embedded and emerging credit risks, and carefully consider how they will respond to slow loan growth, according to prepared remarks from presenters at Bank Director’s Bank Audit & Risk Committees Conference, which opens this week at the Swissotel Chicago. Regulators, too, want executives and directors to shift out of crisis mode back to the essentials of risk management. In other words, complacency might be the biggest danger facing bank boards and executives going into 2022.

The combination of government stimulus and bailouts, coupled with the regulatory respite during the worst of the pandemic, is “a formula for complacency” as the industry enters the next phase of the business cycle, says David Ruffin, principal at IntelliCredit, a division of QwickRate that helps financial institutions with credit risk management and loan review. Credit losses remained stable throughout the pandemic, but bankers must stay vigilant, as that could change.

“There is an inevitability that more shakeouts occur,” Ruffin says. A number of service and hospitality industries are still struggling with labor shortages and inconsistent demand. The retail sector is grappling with the accelerated shift to online purchasing and it is too soon to say how office and commercial real estate will perform long term. It’s paramount that bankers use rigorous assessments of loan performance and borrower viability to stay abreast of any changes.

Bankers that remain complacent may encounter heightened scrutiny from regulators. Guarding against complacency was the first bullet point and a new item on the Office of the Comptroller of the Currency’s supervisory operating plan for fiscal year 2022, which was released in mid-October. Examiners are instructed to focus on “strategic and operational planning” for bank safety and soundness, especially as it concerns capital, the allowance, net interest margins and earnings.

“Examiners should ensure banks remain vigilant when considering growth and new profit opportunities and will assess management’s and the board’s understanding of the impact of new activities on the bank’s financial performance, strategic planning process, and risk profile,” the OCC wrote.

“Frankly, I’m delighted that the regulators are using the term ‘complacency,’” Ruffin says. “That’s exactly where I think some of the traps are being set: Being too complacent.”

Gary Bronstein, a partner at the law firm Kilpatrick Townsend & Stockton, also connected the risk of banker complacency to credit — but in underwriting new loans. Banks are under immense pressure to grow loans, as the Paycheck Protection Program winds down and margins suffer under a mountain of deposits. Tepid demand has led to competition, which could lead bankers to lower credit underwriting standards or take other risks, he says.

“It may not be apparent today — it may be later that it becomes more apparent — but those kinds of risks ought to be carefully looked at by the board, as part of their oversight process,” he says.

For their part, OCC examiners will be evaluating how banks are managing credit risk in light of “changes in market condition, termination of pandemic-related forbearance, uncertainties in the economy, and the lasting impacts of the Covid-19 pandemic,” along with underwriting for signs of easing structure or terms.

The good news for banks is that loan loss allowances remain high compared to historical levels and that could mitigate the impact of increasing charge-offs, points out David Heneke, principal at the audit, tax and consulting firm CliftonLarsonAllen. Banks could even grow into their allowances if they find quality borrowers. And just because they didn’t book massive losses during the earliest days of the pandemic doesn’t mean there aren’t lessons for banks to learn, he adds. Financial institutions will want to carefully consider their ongoing concentration risk in certain industries, explore data analytics capabilities to glean greater insights about customer profitability and bank performance and continue investing in digital capabilities to reflect customers’ changed transaction habits.

ESG Disclosure on the Horizon for Financial Institutions

Over the last several years, investors, regulators and other stakeholders have sought increased environmental, social and governance (ESG) disclosures by public companies.

The U.S. Securities and Exchange Commission (SEC) has taken a cautious approach to developing uniform ESG disclosure requirements, but made a series of public statements and took preliminary steps this year indicating that it may soon enhance its climate-related disclosure requirements for all public companies, including financial institutions. To that end, the SEC’s spring 2021 agenda included four ESG-related rulemakings in the proposed rule stage, noting October 2021 for a climate-related disclosure proposed rule. The SEC is also sifting through an array of comments on its March 15 solicitation of input on how the Commission should fashion new climate disclosure requirements.

Recent speeches by Chair Gary Gensler and Commissioners Allison Herren Lee and Elad Roisman highlight some of the key elements of disclosure likely under consideration by the staff, as well as their personal priorities in this area. Commissioner Lee has asserted that the SEC has full rulemaking authority to require any disclosures in the public interest and for the protection of investors. She noted that an issue also having a social or political concern or component does not foreclose its materiality. Commissioner Lee has also commented on the disclosure of gender and diversity data and on boards’ roles in considering ESG matters.

Commissioner Roisman has noted that standardized ESG disclosures are very difficult to craft and that some ESG data is inherently imprecise, relies on continually evolving assumptions and can be calculated in multiple different ways. Commissioner Roisman has advocated for the SEC to tailor disclosure requirements, and phase in and extend the implementation period for ESG disclosures. Meanwhile, Chair Gensler has also asked the SEC staff to look at potential requirements for registrants that have made forward-looking climate commitments, the factors that should underlie the claims of funds marketing themselves as “sustainable, green, or ‘ESG’” and fund-naming conventions, and enhancements to transparency to improve diversity and inclusion practices within the asset management industry.

Significance for Financial Institutions
In the financial services industry, the risks associated with climate change encompass more than merely operational risk. They can include physical risk, transition risk, enterprise risk, regulatory risk, internal control risk and valuation risk. Financial institutions will need to consider how their climate risk disclosures harmonize with their enterprise risk management, internal controls and valuation methodologies. Further, they will need to have internal controls around the gathering of such valuation inputs, data and assumptions. Financial institutions therefore should consider how changes to the ESG disclosure requirements affect, and are consistent with, other aspects of their overall corporate governance.

Likewise, financial institutions should also consider how human capital disclosures align with enterprise risk management. Registrants will need not only to ensure that the collection of quantitative diversity data results in accurate disclosure, but also to consider how diversity disclosures might affect reputational risk and whether any corporate governance changes may be needed to mitigate those concerns.

We recommend that financial institutions consider the following:

  • Expect to include a risk factor addressing climate change risks, and for the robustness and scope of that risk factor to increase.
  • Consider disclosing how to achieve goals set by public pledges, as well as whether the mechanisms to measure progress against such goals are in place.
  • Expect ESG disclosure requirements to become more prescriptive and for quantitative ESG disclosures to become more sophisticated. Prepare to identify the appropriate sources of information in a manner subject to customary internal controls.
  • Establish a strong corporate governance framework to evaluate ESG risks throughout your organization, including how your board will engage with such risks.
  • Incorporate ESG disclosures into disclosure controls and procedures.
  • Consider whether and how to align executive compensation with relevant ESG metrics and other strategic goals.