Three Tips to Manage Third-Party Cybersecurity Risk

Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in their cybersecurity strategy.

The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.

1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.

Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.

Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.

2. Due Diligence is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.

3. Trust but Verify
It’s important to ensure that services continue to perform as expected after determining the need for third-party services and conducting due diligence to ensure the best fit. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.

Periodically review the bank’s vendors to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs), which can help address issues before an incident can occur. If appropriate, the board should consider engaging an independent provider to audit, monitor or alert on any issues that could impact the vendor’s ability to meet their SLA.

Banks should consider supporting their vendor management strategy with technology solutions that can:

  1. Track vendors, subsidiaries, relationship owners, documentation and contacts.
  2. Perform vendor due diligence and analyze criticality, usage and spend.
  3. Deliver surveys and risk assessments to external third-party contacts.
  4. Manage contract review and renewals.
  5. Coordinate with legal, procurement, compliance and other functions.
  6. Monitor key vendor metrics via personalized dashboards and dynamic reports.

Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.

Complacency Becomes a Major Risk

One word seems to encapsulate concerns about bankers’ attitudes toward risk in 2022: complacency.

As the economy slowly — and haltingly — normalizes from the impact of the coronavirus pandemic, bankers must ensure they hew to risk management fundamentals as they navigate the next part of the business cycle. Boards and executives must remain vigilant against embedded and emerging credit risks, and carefully consider how they will respond to slow loan growth, according to prepared remarks from presenters at Bank Director’s Bank Audit & Risk Committees Conference, which opens this week at the Swissotel Chicago. Regulators, too, want executives and directors to shift out of crisis mode back to the essentials of risk management. In other words, complacency might be the biggest danger facing bank boards and executives going into 2022.

The combination of government stimulus and bailouts, coupled with the regulatory respite during the worst of the pandemic, is “a formula for complacency” as the industry enters the next phase of the business cycle, says David Ruffin, principal at IntelliCredit, a division of QwickRate that helps financial institutions with credit risk management and loan review. Credit losses remained stable throughout the pandemic, but bankers must stay vigilant, as that could change.

“There is an inevitability that more shakeouts occur,” Ruffin says. A number of service and hospitality industries are still struggling with labor shortages and inconsistent demand. The retail sector is grappling with the accelerated shift to online purchasing and it is too soon to say how office and commercial real estate will perform long term. It’s paramount that bankers use rigorous assessments of loan performance and borrower viability to stay abreast of any changes.

Bankers that remain complacent may encounter heightened scrutiny from regulators. Guarding against complacency was the first bullet point and a new item on the Office of the Comptroller of the Currency’s supervisory operating plan for fiscal year 2022, which was released in mid-October. Examiners are instructed to focus on “strategic and operational planning” for bank safety and soundness, especially as it concerns capital, the allowance, net interest margins and earnings.

“Examiners should ensure banks remain vigilant when considering growth and new profit opportunities and will assess management’s and the board’s understanding of the impact of new activities on the bank’s financial performance, strategic planning process, and risk profile,” the OCC wrote.

“Frankly, I’m delighted that the regulators are using the term ‘complacency,’” Ruffin says. “That’s exactly where I think some of the traps are being set: Being too complacent.”

Gary Bronstein, a partner at the law firm Kilpatrick Townsend & Stockton, also connected the risk of banker complacency to credit — but in underwriting new loans. Banks are under immense pressure to grow loans, as the Paycheck Protection Program winds down and margins suffer under a mountain of deposits. Tepid demand has led to competition, which could lead bankers to lower credit underwriting standards or take other risks, he says.

“It may not be apparent today — it may be later that it becomes more apparent — but those kinds of risks ought to be carefully looked at by the board, as part of their oversight process,” he says.

For their part, OCC examiners will be evaluating how banks are managing credit risk in light of “changes in market condition, termination of pandemic-related forbearance, uncertainties in the economy, and the lasting impacts of the Covid-19 pandemic,” along with underwriting for signs of easing structure or terms.

The good news for banks is that loan loss allowances remain high compared to historical levels and that could mitigate the impact of increasing charge-offs, points out David Heneke, principal at the audit, tax and consulting firm CliftonLarsonAllen. Banks could even grow into their allowances if they find quality borrowers. And just because they didn’t book massive losses during the earliest days of the pandemic doesn’t mean there aren’t lessons for banks to learn, he adds. Financial institutions will want to carefully consider their ongoing concentration risk in certain industries, explore data analytics capabilities to glean greater insights about customer profitability and bank performance and continue investing in digital capabilities to reflect customers’ changed transaction habits.

ESG Disclosure on the Horizon for Financial Institutions

Over the last several years, investors, regulators and other stakeholders have sought an increase of environmental, social and governance (ESG) disclosures by public companies.

The U.S. Securities and Exchange Commission (SEC) has taken a cautious approach to developing uniform ESG disclosure requirements, but made a series of public statements and took preliminary steps this year indicating that it may soon enhance its climate-related disclosure requirements for all public companies, including financial institutions. To that end, the SEC’s spring 2021 agenda included four ESG-related rulemakings in the proposed rule stage, noting October 2021 for a climate-related disclosure proposed rule. The SEC is also sifting through an array of comments on its March 15 solicitation of input on how the Commission should fashion new climate disclosure requirements.

Recent speeches by Chair Gary Gensler and Commissioners Allison Herren Lee and Elad Roisman highlight some of the key elements of disclosure likely under consideration by the staff, as well as their personal priorities in this area. Commissioner Lee has asserted that the SEC has full rulemaking authority to require any disclosures in the public interest and for the protection of investors. She noted that an issue also having a social or political concern or component does not foreclose its materiality. Commissioner Lee has also commented on the disclosure of gender and diversity data and on boards’ roles in considering ESG matters.

Commissioner Roisman has noted that standardized ESG disclosures are very difficult to craft and that some ESG data is inherently imprecise, relies on continually evolving assumptions and can be calculated in multiple different ways. Commissioner Roisman has advocated for the SEC to tailor disclosure requirements, and phase in and extend the implementation period for ESG disclosures. Meanwhile, Chair Gensler has also asked the SEC staff to look at potential requirements for registrants that have made forward-looking climate commitments, the factors that should underlie the claims of funds marketing themselves as “sustainable, green, or ‘ESG’” and fund-naming conventions, and enhancements to transparency to improve diversity and inclusion practices within the asset management industry.

Significance for Financial Institutions
In the financial services industry, the risks associated with climate change encompass more than merely operational risk. They can include physical risk, transition risk, enterprise risk, regulatory risk, internal control risk and valuation risk. Financial institutions will need to consider how their climate risk disclosures harmonize with their enterprise risk management, internal controls and valuation methodologies. Further, they will need to have internal controls around the gathering of such valuation inputs, data and assumptions. Financial institutions therefore should consider how changes to the ESG disclosure requirements affect, and are consistent with, other aspects of their overall corporate governance.

Likewise, financial institutions should also consider how human capital disclosures align with enterprise risk management. Registrants will need not only to ensure that the collection of quantitative diversity data results in accurate disclosure, but also to consider how diversity disclosures might affect reputational risk and whether any corporate governance changes may be needed to mitigate those concerns.

We recommend that financial institutions consider the following:

  • Expect to include a risk factor addressing climate change risks, and for the robustness and scope of that risk factor to increase.
  • Consider disclosing how to achieve goals set by public pledges, as well as whether the mechanisms to measure progress against such goals are in place.
  • Expect ESG disclosure requirements to become more prescriptive and for quantitative ESG disclosures to become more sophisticated. Prepare to identify the appropriate sources of information in a manner subject to customary internal controls.
  • Establish a strong corporate governance framework to evaluate ESG risks throughout your organization, including how your board will engage with such risks.
  • Incorporate ESG disclosures into disclosure controls and procedures.
  • Consider whether and how to align executive compensation with relevant ESG metrics and other strategic goals.

An M&A Checklist for BOLI, Compensation Programs

As bank M&A activity continues to pick up, it is crucial that buyers and sellers understand the implications of any transaction on bank-owned life insurance portfolios, as well as any associated nonqualified deferred compensation (NQDC) programs, to mitigate potential negative tax consequences.

Identify and Review Target Bank’s BOLI Holdings
The first step is for buyers to identify the total cash surrender value of sellers’ BOLI portfolio and its percentage of regulatory capital. The buyer should identify the types of products held and the amount held in each of the three common BOLI product types:

  • General account
  • Hybrid separate account
  • Separate account (registered or private placement)

In addition to evaluating historical and current policy performance, the buyer should also obtain and evaluate carrier financial and credit rating information for all products, as well as underlying investment fund information for any separate account products.

Accounting and Tax Considerations
From an accounting standpoint, the buyer should ensure that the BOLI has been both properly accounted for in accordance with GAAP (ASC 325-30) and reported in the call reports, with related disclosures of product types and risk weighting. Further, if the policies are associated with a post-retirement split-dollar or survivor income plan, the buyer should ensure that the liabilities have been properly accrued for.

The structure of the transaction as a stock sale or asset sale is critical when assessing the tax implications. In general, with a stock sale, there is no taxable transaction with regard to BOLI — assets and liabilities “carry over” to the buyer. With an asset sale (or a stock sale with election to treat as asset sale), the seller will recognize the accumulated gain in the policies and the buyer will assume the policies with a stepped-up basis.

Regardless of the type of transaction, the buyer needs to evaluate and address the Transfer for Value (TFV) and Reportable Policy Sale (RPS) issues. Policies deemed “transferred for value” or a “reportable policy sale” will result in taxable death benefits. Prior to the Tax Cuts and Jobs Act, the transfer for value analysis was fairly simple: In a stock transaction, the “carryover basis” exception applies to all policies, whether or not the insured individual remained actively employed. In an asset sale, policies on insureds who will be officers or shareholders of the acquiring bank will meet an exception.

The Jobs Act enacted the notion of “reportable policy sales,” which complicated the tax analysis, especially for stock-based transactions now requiring much more detailed analysis of the type of transaction and entity types (C Corp vs S Corp). It is important to note that the RPS rules are in addition to the TFV rule.

Review Risk Management of BOLI
The Interagency Statement on the Purchase and Risk Management of BOLI (OCC 2004-56) establishes requirements for banks to properly document both their pre-purchase due diligence and an annual review of their BOLI programs. The buyer will want to ensure this documentation is in good order. Significant risk considerations include carrier credit quality, policy performance, employment status of insureds, 1035 exchange restrictions or fees and the tax impact of any policy surrenders. Banks should pay particular attention to ensuring that policies are performing efficiently as well as the availability of opportunities to improve policy performance.

Identify and Review NQDC Plans
Nonqualified deferred compensation plans can take several forms, including:

  • Voluntary deferred compensation programs
  • Defined benefit plans
  • Defined contribution plans
  • Director deferral or retirement plans
  • Split dollar
  • Other

All plans should be formally documented via plan documents and agreements. Buyers should ascertain that the plans comply with the requirements of Internal Revenue Code Section 409A and that the appropriate “top hat” filings have been made with the U.S. Department of Labor.

General Accounting and Tax Considerations
Liabilities associated with NQDC programs should be accounted for properly on the balance sheet. In evaluating the liabilities, banks should give consideration to the accounting method and the discount rates.

Reviewing historical payroll tax reporting related to the NQDC plans is critical to ensuring there are no hidden liabilities in the plan. Remediating improperly reported payroll taxes for NQDC plans can be both time consuming and expensive. Seek to resolve any reporting issues prior to the deal closure.

Change in Control Accounting and Tax Considerations
More often than not, NQDC plans provide for benefit acceleration in the event of a change in control (CIC), including benefit vesting and/or payments upon a CIC. The trigger may be the CIC itself or a secondary “trigger,” such as termination of employment within a certain time period following a CIC. It is imperative that the buyer understand the financial statement impact of the CIC provisions within the programs.

In addition to the financial statement impact, C corps must also contend with what can be complicated taxation issues under Internal Revenue Code Section 280G, as well as any plan provisions addressing the tax issues of Section 280G. S corps are not subject to the provisions of Section 280G. For additional insight into the impacts of mergers on NQDC programs, see How Mergers Can Impact Deferred Compensation Plans Part I and How Mergers Can Impact Deferred Compensation Plans Part II. 

Insurance services provided through NFP Executive Benefits, LLC. (NFP EB), a subsidiary of NFP Corp. (NFP). Doing business in California as NFP Executive Benefits & Insurance Agency, LLC. (License #OH86767). Securities offered through Kestra Investment Services, LLC, member FINRA/SIPC. Kestra Investment Services, LLC is not affiliated with NFP or NFP EB.
Investor Disclosures: https://bit.ly/KF-Disclosures

Why a Solid Risk Management Framework Helps Manage Change

Who owns risk management at your bank?

If your bank limits that function to the teams that report to the chief risk officer, it’s fumbling on two fronts: It’s failing to drive accountability across every corner of the enterprise, and it’s conceding its edge in a marketplace that’s never been more competitive.

Recognizing that every employee owns a piece of this responsibility makes risk management an equal offensive and defensive pose for your organization. This empowers your employees to move nimbly, strategically and decisively when the bank encounters change, whether it’s an external regulatory pressure or an internal opportunity to launch a new product or service. In either case, your team navigates through change by building on best operational practices, which, in the end, work to your advantage.

Getting the bank into that position doesn’t happen overnight; the vision starts with the actions of your senior leaders. They set the tone and establish expectations, but everyone plays a hands-on role. When management prioritizes an environment where people can work collaboratively and have transparency into related roles, they foster consistency across your change management process that minimizes risk.

The need for a risk-aware culture aligns precisely with the signals coming out of Washington, D.C., that the stakes are getting higher. The Consumer Financial Protection Bureau hinted early at increased regulatory scrutiny, advising that it would tighten the regulatory standards it had relaxed to allow banks to quickly respond to customers’ financial hardship in 2020.

In response to the competitive and regulatory environment, your bank’s risk management framework should incorporate four key elements:

  • Start with setting the ground rules for how the bank will govern its risk. Define its risk strategy, the role the board and management will play and the committees that compose that governance structure — and don’t forget to detail their decision-making authority, approval and escalation process across those bodies. This upfront work also should introduce robust systems for ongoing monitoring and risk reporting, establish standard parameters on how the bank identifies issues and create a basic roadmap to remediate issues when they come along.
  • Operating Model. Distinguish the roles and responsibilities for every associate, with a key focus on how they manage risk generated by the core activities in that business. By taking the time to ensure all individuals, in every line of defense, understand their expected contributions, your bank will be ahead of the game because your people can act quicker and efficiently when a change needs to happen.
  • Standard Framework, Definitions and Taxonomies. In basic terms, everyone across the enterprise needs to speak the same language and assign risk ratings the same way. Calibrating these elements at the onset builds confidence that your bank gives thoughtful attention to categorize risks into the right buckets. Standardization should include assessment scales and definitions of different risks and risk events, leading to easier risk aggregation and risk reporting that enables a holistic view of risk across the enterprise.
  • Risk Appetite. Nothing is more important than establishing how much risk your organization is willing to take on in its daily business. Missing the mark can impact your customers, bottom line and reputation. Optimally, bank leaders will reestablish this risk appetite annually, but black swan events such as the pandemic should prompt more timely reviews.

Too often, banks reinvent the wheel every time a change or demand comes along. As the industry eyes increasing regulatory pressure in the year ahead, driving and promoting a robust risk management culture is no longer a “nice to have” within your organization; it’s a “need to have.”

When you reset the role and ownership of risk management as a strategic pillar in your bank’s future growth and direction, you minimize your bank’s risk and actually propel your company forward.

Banks looking to check out best practices and a strategic framework for creating their enterprise risk framework should check out my latest whitepaper, Turning a Solid Risk Framework Into a Competitive Advantage.

The Three C’s of Indirect Swaps

Twenty years ago, there were 8,000+ banks; today there are fewer than 5,000, but competition hasn’t slowed.

Not only are banks competing with other banks for loans, they are also competing for investor dollars. There’s pressure to grow and to do so profitably. It is more important than ever that banks compete for, and win, loans.

Competing for the most profitable relationships requires banks to meet borrower demand for long-term, fixed-rate debt. But that structure and term invites interest rate risk. What can banks do? What are their competitors doing?

Banks commonly use derivatives to meet customer demand for fixed-rate loans, but opt for different approaches. The majority of banks choose a traditional solution of offering swaps directly to borrowers; however, some community banks choose to work with correspondent banks that offer indirect swaps to their borrowers.

With indirect swaps, the correspondent bank enters an interest rate swap with the borrower — sometimes called a rate protection agreement. The borrower is party to a derivative transaction with the correspondent bank; the community bank is not a direct party to the swap.

Indirect swaps are presented as a simple solution for meeting customer demand for long-term fixed-rates, but community bankers should consider the three C’s of indirect swaps before using this type of product: credit, cost and customer.

Credit
A swap is a credit instrument that can be an asset or liability to the borrower, which means the correspondent bank requires security. The correspondent bank accomplishes this by requiring a senior position in the loan credit. In a borrower default, the correspondent bank has the first lien on the loan collateral.

In practice, the community bank makes the correspondent bank whole for the borrower’s swap liability. This means the community bank has an unrecognized contingent liability for each indirect swap.

Additionally, due to the credit nature of swaps, the correspondent bank must agree to the amount of proceeds, or the loan-to-value at which the bank lends. This has real-world implications for banks as they compete for loans.

Cost
While there are no out-of-pocket costs associated with putting the borrower into a swap with a correspondent bank, there are costs embedded in the swap rate that drive up the cost for the borrower and could potentially make the bank uncompetitive. These costs are often opaque — and can be significant.

Customer
A colleague of mine refers to indirect swaps as “swaps on a blind date.” It’s a funny but apt way of putting it. The borrower enters into a derivative with a correspondent bank with which they have no relationship. And the borrower is accepting unsecured exposure as well: if the correspondent bank defaults and owes the borrower on the swap, they have no recourse except as an unsecured creditor.

A common theme of the three C’s is control. With indirect swaps, the community bank cedes control of the credit, they cede control of the cost of the swap and they cede control of the relationship with their customer. That’s why the majority of banks choose to offer swaps directly to their customers. Doing so allows them to manage the credit, including loan proceeds, and doesn’t subordinate the bank’s credit to a third party in the case of a workout. It allows the bank to own the pricing decision and control the cost of the swap to the borrower, making the bank’s loan pricing more competitive. It allows the bank to keep all aspects of the customer relationship within the institution.

Offering swaps to borrowers also opens the door for banks to use swaps as a balance sheet risk management tool. In this context, derivatives are an additional tool for the bank to manage interest rate risk holistically.

But what about the complexity of derivatives? How does an executive with little or no experience in derivatives educate the board and equip his/her team? How will swaps be managed? The majority of banks choose to partner with an independent third party to do the heavy lifting of educating, equipping, and managing a customer swaps program. A good partner will serve as an advisor and advocate, ensuring that the bank is fully compliant and utilizing best practices.

Indirect swaps may be simple — but a traditional solution of offering swaps directly to borrowers is a better way to meet customer demand for long-term fixed-rate loans.

Developing a Digital-First Approach to Risk Management

The world has leaned further and further into the digital realm, largely thanks to a younger, more tech-dependent generation.

The Covid-19 pandemic accelerated a years-long push toward online and mobile banking use. Does your institution have a true digital banking strategy to deliver simple and secure digital banking services to your customers? As the primary channel through which customers conduct nearly all their banking activities, digital is your bank now.

But as more consumers turn to digital channels, cybercriminals are following suit — as demonstrated by increasing incidents of fraud and unauthorized account access. To mitigate cybersecurity threats and protect your customers, your bank’s risk management strategy now requires a digital-first approach.

Risk Management in Digital Banking
Even though customers demand digital transformation, delivering frictionless experiences comes with certain inherent challenges and risks. Once you identify these hurdles, you can mitigate them so that your institution can move forward.

The most pressing digital banking risk management issues fall into two categories: overcoming organizational challenges and mitigating regulatory risks. Each involves several considerations and variables your institution should weigh.

Overcoming Organizational Challenges

Outdated corporate culture: Entrenched processes and perspectives can stall your digital transformation. Promoting a more forward-thinking culture must start at the top and flow down in order for the entire institution to embrace change. Confirm your bank’s risk management personnel are onboard, and involve them from the beginning to ensure a secure and safe transformation.

Refocusing of key positions: Some of your bank’s key positions may change in response to digital transformation. Digitization may shift the focus of some, but these positions are still critical to the institution’s success. For example, instead of manually performing tasks, employees working in an operations department may begin focusing on automating processes for the institution.

Resistance to change: Many institutions have executives that will champion progress, while others are resistant to the changes required to adopt a digital-first approach. Identify the champions at your institution and empower them to lead your digital transformation.

Lack of innovative thought leadership: It will take true out-of-the-box thinking to digitally compete with the big banks and emerging fintech companies. Encourage that kind of modern thinking within your institution.

Misguided beliefs: Quash any notions that a mobile banking app is the only component of a digital strategy, or that a digital-first approach means that personalization is no longer needed. Back-end operations and internal processes must fully support a digital environment that effectively identifies and fulfills individual customer needs based on their actions and behaviors — without adding friction to the customer experience.

Mitigating Regulatory Risks

Digital compliance and cybersecurity: Banks operating in a digital environment must still comply with all applicable laws and regulations. This includes paying attention to uniquely digital processes that are covered under specific rules, such as electronically signing documents per the E-Sign Act. To mitigate risk, institutions should invest in technology designed to ensure compliance and strengthen cybersecurity.

Third-party risk management: Many banks are outsourcing all or part of their digital strategy to fintechs and other third-party vendors out of necessity. But institutions are still ultimately responsible for all functions, whether they are performed internally or externally. A robust vendor management program is key to avoiding unqualified third-party providers. A provider must understand applicable regulatory requirements, be able to adhere to them and guarantee compliance.

Fraud and identity theft: The increase in banking without face-to-face interaction can increase the risk of synthetic identity fraud, traditional identity theft and account takeovers. Your bank should meet these challenges by reviewing and strengthening your Bank Secrecy Act/anti-money laundering (BSA/AML), know your customer (KYC), customer due diligence (CDD), cybersecurity and other relevant compliance programs. Digitizing internal processes will result in more available data as well as the ability to use AI to monitor customer behaviors and efficiently identify potential fraud.

While digitization can increase certain risks for banks that undertake such a transformation, enabling enhanced digital banking risk management to secure digital channels, mitigate risk and deliver a frictionless customer experience is worth the effort.

Enhancing Risk & Compliance

Financial institutions increasingly seek to use technology to efficiently and effectively mitigate risk and comply with regulations. Bank leaders will need the right solutions to meet these objectives, given the amount of data to make sense of as organizations include risk as part of their decision-making process. Microsoft’s Sandeep Mangaraj explains how banks should explore these issues with Emily McCormick, Bank Director’s vice president of research. They discuss:

  • How Risk Management is Evolving
  • Adopting AI Solutions
  • Planning for the Future

Beware Third-Quarter Credit Risk

Could credit quality finally crack in the third quarter?

Banks spent the summer and fall risk-rating loans that had been impacted by the coronavirus pandemic and recession at the same time they tightened credit and financial standards for second-round deferral requests. The result could be that second-round deferrals substantially fall just as nonaccruals and criticized assets begin increasing.

Bankers must stay vigilant to navigate these two diametric forces.

“We’re in a much better spot now, versus where we were when this thing first hit,” says Corey Goldblum, a principal in Deloitte’s risk and financial advisory practice. “But we tell our clients to continue proactively monitoring risk, making sure that they’re identifying any issues, concerns and exposures, thinking about what obligors will make it through and what happens if there’s another outbreak and shutdown.”

Eight months into the pandemic, the suspension of troubled loan reporting rules and widespread forbearance has made it difficult to ascertain the true state of credit quality. Noncurrent loan and net charge-off volumes stayed “relatively low” in the second quarter, even as provisions skyrocketed, the Federal Deposit Insurance Corp. noted in its quarterly banking profile.

The third quarter may finally reveal that nonperforming assets and net charge-offs are trending higher, after two quarters of proactive reserve builds, John Rodis, director of banks and thrifts at Janney Montgomery Scott, wrote in an Oct. 6 report. He added that the industry will be closely watching for continued updates on loan modifications.

Banks should continue performing “vulnerability assessments,” both across their loan portfolios and in particular subsets that may be more vulnerable, says James Watkins, senior managing director at the Isaac-Milstein Group. Watkins served at the FDIC for nearly 40 years as the senior deputy director of supervisory examinations, overseeing the agency’s risk management examination program.

“Banks need to ensure that they are actively having those conversations with their customers,” he says. “In areas that have some vulnerability, they need to take a look at fresh forecasts.”

Both Watkins and Goldblum recommend that banks conduct granular, loan-level credit reviews with the most current information, when possible. Goldblum says this is an area where institutions can leverage analytics, data and technology to increase the efficiency and effectiveness of these reviews.

Going forward, banks should use the experiences gained from navigating the credit uncertainty in the first and second quarters to prepare for any surprise subsequent weakening in credit. They should assess whether their concentrations are manageable, their monitoring programs are strong and their loan rating systems are responsive and realistic. They also should keep a watchful eye on currently performing loans where borrower financials may be under pressure.

It is paramount that banks continue to monitor the movement of these risks — and connect them to other variables within the bank. Should a bank defer a loan or foreclose? Is persistent excess liquidity a sign of customer surplus, or a warning sign that they’re holding onto cash? Is loan demand a sign of borrower strength or stress? The pandemic-induced recession is now eight months old and yet the industry still lacks clarity into its credit risk.

“All these things could mean anything,” Watkins says. “That’s why [banks need] strong monitoring and controls, to make sure that you’re really looking behind these trends and are prepared for that. We’re in uncertain and unprecedented times, and there will be important lessons that’ll come out of this crisis.”

Approaching Credit Management, Risk Ratings Today

As a credit risk consulting firm that supports community and regional banks, Ardmore Banking Advisors has assembled some credit risk management best practices when it comes to how executives should look at their bank’s portfolio during the coronavirus-induced economic crisis.

It is clear that the expectation of regulators is that credit risk management programs (including identification, measurement, monitoring, control and reporting) should be enhanced and adapted to the current economic challenges. Credit risk management programs require proactive actions from the first line of defense (borrower contact by loan officers), the second line of defense (credit oversight) and the third line of defense (independent review and validation of actions and risk ratings).

Boards will have to enhance their oversight of asset quality. Regulators and CPAs will focus on process and control, and will challenge banks on what they have done to mitigate risk. Going concern opinions on borrowers by CPAs may become widely used, which will put pressure on banks to be conservative in risk ratings.

New regulatory guidance and best practices indicate that more forward-looking, leading indicators of credit must be employed. We expect greater emphasis on borrower contact and information on liquidity and projections. These concepts are also embodied in the new credit loss and loan loss reserve model that went into effect at larger banks in the first quarter.

Many banks have used Covid-19 as an opportunity to increase their loan loss provisions, reviewing their portfolios for weaknesses in borrowers that may never recover. This evaluation will be expected by regulators during examinations; it is a good indication of forward-thinking proactive oversight by a bank’s officers and directors.

Risk Rating Approaches in the Current Climate
When it comes to risk ratings, it is not advisable for banks to automatically downgrade entire business segments. Instead, executives should scrutinize the most vulnerable segments of the portfolio that include highly stressed industries and types of loans.

Banks do not have to downgrade modifications or extensions solely because they provided relief related to Covid-19; however, the basis for extensions or modifications should be evaluated relative to the ultimate ability of the borrower to repay their loans going forward, after the short-term disruption concludes or the deferral matures.

We have observed that regulators are focusing on second deferrals and asking whether a risk rating change or troubled debt restructuring is warranted. Banks should be reviewing information on further deferrals to determine if there could be an underlying problem indicating that payment is ultimately unlikely.

Paycheck Protection Program loans do not require a downgrade; however, banks may want an independent review of PPP loans to identify any operational or reputational risk. We also recommend that current customers who received PPP loans should be evaluated for their ability to repay other loans once the short-term disruption concludes.

Credit review, the third line of defense, is typically a backward-looking exercise, after loans are already made and funded. It is predicated primarily on an independent review of the analysis of borrowers by loan officers during the first line of defense, and credit officers in the second line of defense. For over 10 years, the industry has experienced relatively good economic times. The current environment requires a more insightful assessment of the bank’s actions and the borrower’s emerging risk profile and outlook, with less reliance on past performance.

The bank should evaluate historical and recent financial information from the borrower as a predicate for evaluating the borrower’s ability to withstand current economic challenges. Executives should review any new information reported by the bank’s officers on the current condition, extensions or modifications provided and the current status of the borrower’s operations to determine if a risk rating change is necessary.

Importance of Credit Review for Banks
Banks must look carefully at risk ratings to confirm that all lines of defense have properly reviewed the borrowers, with a realistic assessment of their ultimate ability to repay the loan after any short-term deferrals, modifications or extensions due to the Covid-19 disruption. This includes an assessment of whether the action requires formal valuation of troubled debt restructuring status. The banks can then follow the current regulatory guidance that an extension or modification does not in itself require a designation as a TDR.

We believe, based on our years in banking, that the bank regulators will test the bankers’ response and process in the current economic downturn. They, and the CPAs certifying annual financial statements, will expect realistic credit risk evaluations and controls as confirmed by independent and credible loan reviews. Bank boards and executive management teams will be well-served by accurate loan and borrower credit risk assessment during regulatory exams and the annual financial CPA audits for 2020.