CECL Delay Opens Window for Risk Improvements

The delay in the current expected credit loss accounting model has created a window of opportunity for small banks.

The delay from the Financial Accounting Standards Board created two buckets of institutions. Most of the former “wave 1” institutions constitute the new bucket 1 group with a 2020 start. The second bucket, which now includes all former “wave 2 and 3” companies, is pushed back to 2023 — giving these institutions the time required to optimize their approach to the regulation.

Industry concerns about CECL have focused on two of its six major steps: the requirement of a reasonable and supportable economic forecast and the expected credit loss calculation itself. It’s important to note that most core elements of the process are consistent with current industry best practices. However, doing them right may take banks more time than previously thought.

Auditors and examiners have long focused on the core of CECL’s six steps — data management and process governance, credit risk assessment, accounting, and disclosure and analytics. Financial institutions that choose to keep their pre-CECL process for these steps do so at their own peril, and risk falling behind competitors or incurring heightened costs in a late rush to compliance. Strategically minded institutions, however, are forging ahead with these core aspects of CECL so they can fully vet all approaches, shore up any deficiencies and maintain business as usual before their effective date.

Discussions over the impact of the CECL standard continue, including the potential for changes as the impacts from CECL bucket 1 filings are analyzed. Unknown changes, coupled with a three-year deadline, could easily lead to procrastination. Acting now to build a framework designed to handle the inevitable accounting and regulatory changes will give your bank the opportunity to begin CECL compliance with confidence and create a competitive advantage over your lagging peers.

Centering CECL practices as the core of a larger management information system gives institutions a way to improve their risk assessment and mitigation strategies and grow business while balancing risk and return. More widely, institutions can align the execution across the organization, engaging both management and shareholders.

Institutions can use their CECL preparations to establish an end-to-end credit risk management framework within the organization and enjoy strategic, incremental improvements across a range of functions — improving decision making and setting the stage for future standards. This can yield benefits in several areas.

Data management and quality: Firms starting to build their data histories with credit risk factors now can improve their current Allowance for Loan and Lease Losses process to ensure the successful implementation of CECL. Financial institutions frequently underestimate the time and effort required to put the required data and data management structures in place, particularly with respect to granularity and quality. For higher quality data, start sourcing data now.

Integration of risk and financial analysis: This can strengthen the risk modeling and provisioning process, leading to an improved understanding and management of credit quality. It also results in more appropriate provisions under the standard and can give an early warning of the potential impact. Improved communication between the risk and finance functions can lead to shared terminologies, methods and approaches, thereby building governance and bridges between the functions.

Analytics and transparency: Firms can run what-if scenario analysis from a risk and finance perspective, and then slice and dice, filter or otherwise decompose the results to understand the drivers of changes in performance. This transparency can then be used to drive firms’ business scenario management processes.

Audit and governance: Firms can leverage their CECL preparations to adopt an end-to-end credit risk management architecture (enterprise class and cloud-enabled) capable not only of handling quantitative compliance but also of addressing qualitative concerns and empowering institutions to better answer questions from auditors, management and regulators. This approach addresses weaknesses in current processes that have been discovered by audit and regulators.

Business scenario management: Financial institutions can leverage these steps to quantify the impact of CECL on their business before regulatory deadlines, giving them a competitive advantage as others catch up. Mapping risks to potential rewards allows firms to improve returns for the firm.

Firms can benefit from CECL best practices now, since they are equally applicable to the current incurred loss process. Implementing them allows firms to continue building on their integration of risk and finance, improving their ALLL processes as they do. At the same time, they can build a more granular and higher quality historical credit risk database for the transition to the new CECL standards, whatever the timeframe. This ensures a smoother transition to CECL and minimizes the risk of nasty surprises along the way.

A Fresh Look At Derivatives Under New Hedging Rules

A new accounting standard could make hedging with derivatives a more viable risk management strategy for banks that had previously avoided them.

The Financial Accounting Standards Board sought to remove some barriers that previously discouraged many banks from using derivatives to hedge exposure to fluctuating interest rates. Now is an appropriate time for board members at banks of all sizes to ask their executive teams about their risk management strategies, and whether derivatives should play a larger role.

The standard — Accounting Standards Update (ASU) 2017-12, “Derivatives and Hedging (Topic 815): Targeted Improvements to Accounting for Hedging Activities” — went into effect for publicly traded institutions in the fiscal year beginning after Dec. 15, 2018. It takes effect for privately held banks in the fiscal year beginning after Dec. 15, 2020, though early adoption is permitted.

In theory, using derivatives such as interest-rate swaps should be an effective way for banks to fine-tune portfolios and offset risks that come with having a mix of fixed rate and floating rate assets and liabilities. In practice, however, many banks chose not to hedge with derivatives because of complicated accounting and financial reporting practices required by generally accepted accounting principles.

Old hedging rules required banks to separately measure and report hedge ineffectiveness, or any amounts by which a derivative did not perfectly mirror the instrument being hedged — even if the hedge was effective overall. Separately reporting ineffectiveness was confusing for investors and often conveyed a misleading impression of a bank’s derivatives-based hedging practices.

The new standard eliminates that requirement, resulting in hedge accounting that more accurately reflects a bank’s risk management activities and provides financial statement users more worthwhile information about the effect of hedging activities.

When initially establishing a hedge, banks must document how they will evaluate its effectiveness in offsetting the changes in the fair value or cash flow of the hedged instrument. This evaluation must be performed quarterly.

In the past, when a bank chose the “shortcut” method for evaluating hedge effectiveness, it was bound to that method throughout the life of the hedge. If management later determined that the more complicated “long-haul” method would be more appropriate, they could not simply start using that method prospectively. Rather, they would also have to evaluate for a possible restatement of previous financial statements, as if hedge accounting had never been applied.

The new standard changes that. Banks now may specify a long-haul method in their documentation to be used as a fallback method if they later determine that the shortcut method is no longer appropriate.

Things also have gotten simpler for banks that choose the long-haul method at inception. Previously, banks using the long-haul method were required to perform a quantitative assessment (such as a regression analysis) every quarter for the life of a hedge. The new standard still requires a quantitative assessment at inception, but now in certain circumstances banks can perform subsequent quarterly assessments using only qualitative methods, validating that the terms and conditions of the hedged transaction and hedging derivative have not changed.

The new guidance also revises how a bank may measure the change in a hedged item’s fair value due to changes in its benchmark interest rate. Instead of calculating fair value based on all the cash flows of the instrument’s coupon, banks now can calculate the change in fair value based solely on the benchmark interest rate component, which is a more targeted and appropriate measure.

Under old hedging rules, hedging the change in fair value of an instrument (such as a fixed-rate loan) generally required the life of the hedged instrument and the life of the hedging derivative (such as an interest-rate swap) to match. The new standard removes that burden and allows for partial-term fair value hedges. For example, a bank can hedge a 10-year fixed rate loan for only two years, using a two-year interest-rate swap.

Another new opportunity known as the “last-of-layer” technique lets banks hedge the change in fair value of a pool of long-term fixed rate assets such as loans or securities — a hedge that generally was not possible in the past. Upon adoption of the standard, banks are permitted to transfer eligible held-to-maturity securities to available for sale, even if the bank eventually chooses not to hedge the securities at all.

Bank directors should familiarize themselves with the ways the new standard simplifies hedge accounting and enables new hedging techniques before engaging management to decide if it’s time to introduce or expand derivatives as risk management tools.

A Long-Term Approach to Credit Decisioning

Alternative data doesn’t just benefit banks by enhancing credit decisions; it can help expand access to capital for consumers and small businesses. But effectively leveraging new data sources can challenge traditional banks. Scott Spencer of Equifax explains these challenges — and how to overcome them — in this short video. 

  • The Potential for Alternative Data
  • Identifying & Overcoming Challenges
  • Considerations for Leadership Teams

 

An Effective Way to Combat Cyber Breaches

Banks have always been in the business of risk management, but the risks they face aren’t stagnant; they migrate with time.

Traditionally, banks have faced two types of risk: interest rate and credit risk. Today, however, given the growth of digital banking and transactions, these two risks have been supplanted by another: cybersecurity.

The biggest challenge when it comes to cybersecurity risk is that it constantly evolves, as the threats, actors and attacks increase in sophistication. Banks that prepare for one method of intrusion may find themselves the victim of a different strategy.

Earlier this year, H. Rodgin Cohen, a partner at Sullivan & Cromwell and one of the industry’s most trusted advisors, commented on this change.

“I think the biggest risk in the [financial] system today is a successful cyberattack,” Cohen said. “That is a very serious risk, but I think the more likely [danger] is that a single bank — or a group of banks — are hit with a massive denial of service for a period of time, or a massive scrambling of records.”

Banks of all sizes feel pressure to keep their systems secure from intruders, according to Bank Director’s 2019 Risk Survey, which found that cybersecurity concerns among bankers have increased over the previous year.

Twenty percent of survey respondents say they address cybersecurity as a full board rather than delegating it to a committee, and slightly more than a third say at least one director is a cybersecurity expert.

The concern is ever present, and for some banks, very real: 18% of respondents, excluding chief lending officers and chief credit officers, reported that their bank experienced a data breach or other cyberattack within the last two years.

Concerns like these are why Bank Director created the “Best Solution for Protecting the Bank” category for its 2019 Best of FinXTech Awards. Judges selected winners from the most innovative solutions found in the FinXTech Connect platform.

The finalists for this year’s award were Rippleshot, which helps banks to identify credit and debit card fraud; IDEMIA, which works to prevent card-not-present fraud; and Illusive Networks, which helps banks detect when their networks have been infiltrated.

This year’s winner was Illusive Networks, based in part on its work to secure the network of Israel Discount Bank, the third biggest bank in Israel.

Illusive approaches cybersecurity from a hacker’s point of view in order to beat them at their own game. Its strategy isn’t to stop an intrusion per se — a feat that seems increasingly impossible with the number of entry points into a system and the scores of malicious actors.

Rather, it detects and remediates an attack once it has happened. Intruders breaking into a bank’s system must persistently monitor the network for bits of information or credentials that will help them move from machine to machine and gradually close in on the data they want. Illusive plants false information across the bank’s network so that, when attackers act on it, the bank can catch them red-handed.

Illusive calls this “endpoint-focused deception.” The deceptive information is only visible to malicious actors and triggers an alert within Illusive. The technology then captures details about the bad actor directly from the machine they were using, which the bank then uses to track and stop the attack.
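The detection idea described above can be shown in a few lines of Python. This is an added example, not Illusive's code or product logic: the decoy account names, host names and the key=value log format are all constructed for illustration. It treats any authentication attempt with a planted decoy credential as an alert, whether it succeeds or fails, and reports which endpoints to examine.

```python
"""Added example: alerting on use of planted decoy credentials (honeytokens)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed decoy inventory: account name -> endpoint where the false
# credential was planted. No legitimate user or service uses these accounts,
# so any authentication attempt with one is a high-confidence signal.
DECOYS = {
    "svc_backup_adm": "teller-ws-014",
    "sql_report_ro": "loanops-ws-007",
}

# Constructed sample events in a hypothetical key=value log format.
SAMPLE_LOG = """\
2019-08-01T09:12:03Z event=auth user=jsmith src=teller-ws-014 dst=core-app-01 result=success
2019-08-01T09:14:41Z event=auth user=svc_backup_adm src=teller-ws-014 dst=file-srv-02 result=failure
2019-08-01T09:15:10Z event=auth user=SVC_BACKUP_ADM src=teller-ws-022 dst=dc-01 result=failure
2019-08-01T09:20:55Z event=auth user=mlee src=loanops-ws-007 dst=core-app-01 result=failure
2019-08-01T09:31:02Z event=auth user=sql_report_ro src=branch-vpn-03 dst=db-srv-01 result=success
malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
REQUIRED = {"user", "src", "dst", "result"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    decoy: str
    source: str          # machine the attempt came from
    target: str          # machine the attacker tried to reach
    result: str
    suspect_hosts: tuple  # endpoints to triage: where planted + where used


def parse_line(line):
    """Return a dict of fields for a well-formed auth event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    if fields.get("event") != "auth" or not REQUIRED <= fields.keys():
        return None
    fields["ts"] = m["ts"]
    return fields


def detect(log_text, decoys=DECOYS):
    """Scan auth events and alert on every use of a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"].lower()  # account names compared case-insensitively
        if user not in decoys:
            continue  # ordinary failures (e.g. a mistyped password) are ignored
        planted_on = decoys[user]
        # The endpoint holding the decoy was read by someone, and the source
        # of the attempt is under that party's control: both need examination.
        suspects = tuple(sorted({planted_on, ev["src"]}))
        alerts.append(Alert(ev["ts"], user, ev["src"], ev["dst"],
                            ev["result"], suspects))
    return alerts


def hosts_to_triage(alerts):
    """Count how many alerts implicate each endpoint."""
    counts = Counter()
    for a in alerts:
        counts.update(a.suspect_hosts)
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(hosts_to_triage(found))
```

The ordinary failed login by `mlee` raises nothing, while both failed and successful uses of a decoy account do, which is why this kind of alert carries far less noise than generic failed-login monitoring.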

One of the main selling points of Illusive’s solution is the short implementation period. In Israel Discount Bank’s case, it took a matter of weeks to implement the solution. The net result is that, not only is the solution harder to detect for potential cyber criminals, but it’s also fast and easy to implement.

The Strategic Side of Cybersecurity Governance


Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. It proactively undertakes initiatives because it’s the right thing to do, versus an auditor instructing a company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel that is focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned to the cyber risk governance. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks that the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that their cyber risks are being addressed.

Outsourcing the Service, Not the Oversight


Every bank director has heard it: You can outsource a service, but you cannot outsource the responsibility.

That sounds clear enough, but how does a board know what its role should be when an opportunity to partner with a financial technology firm, or fintech, arises? The board’s role is oversight and guidance, not day-to-day management. But oversight is not passive. So what does board oversight look like in the evolving world of bank and fintech relationships?

Consider a bank that is reviewing a proposal from a fintech. Management believes that this is a great opportunity for the institution, and presents it to the board for approval. What is the board’s role here? The board’s involvement must be flexible enough that it can react to these situations, but it should also consider some essential inquiries, such as:

Does the proposal match up with the bank’s strategic plan? The board is responsible for the strategic direction of the bank. Directors should consider if the proposal is an appropriate project for the size, resources and initiatives of the bank. They must also think about whether the proposal aligns with the bank’s strategic plan. If the proposal does not match up with the strategic plan, they may also want to consider if it is material enough that the strategic plan should be amended.

What are the risks? The board is responsible for ensuring that an effective risk management program is in place at the bank, which includes the ability to fully assess risks and establish controls and oversight to mitigate those risks. It should assess the fintech proposal through its risk management process.

Management should provide the board with a comprehensive risk assessment of the proposed relationship that thoroughly outlines how each identified risk will be mitigated. The board should look at that assessment critically. Was it prepared by competent and experienced personnel? Does it appear to be thorough? Does it focus on IT risks or other narrow issues, or take into account all of the compliance issues? Does it include state laws, which is especially important if the bank is state-chartered? How does the assessment address concerns about privacy and cybersecurity? What does it say about reputation risk?

Is there a negotiated contract that addresses all of the risks? The board is responsible for ensuring that all third-party relationships are documented in negotiated contracts that protect the interests of the bank. The board needs to ensure that appropriate legal counsel is engaged to negotiate the arrangement, depending on the riskiness of a proposed fintech relationship. Counsel should have a thorough understanding of the legal issues involved in the proposed program and the applicable regulatory guidelines for third-party contracts.

The actual contract negotiation should be done by management. However, the board could consider requiring a summary of the important contract provisions or a presentation by management or legal counsel about the terms, depending on the level of risk involved and materiality to the bank.

How will the board know if the program is performing? The board should receive ongoing reports relating to monitoring of the program and the fintech. These reports should be sufficient for the board to establish that the program is compliant with law, operates in accordance with the contract and meets the strategic objectives of the bank. If the program is not performing, the board should know whether appropriate action is underway to either facilitate performance or terminate the program.

A bank’s board cannot outsource its responsibility for outsourced services, even if a fintech partner seems to have a fantastic product. The board must ask enough questions to be certain that management has engaged in appropriate due diligence, identified the risks and determined how to mitigate those risks through the contract and oversight. The implementation of all of those steps is up to management. But one role in particular rests with the board: ensuring that the relationship with the fintech partner furthers the strategic goals of the bank.

The Most Effective Bank Directors Share These Two Qualities


Banks have a slim margin for error.

They typically borrow $10 for every $1 of equity, which can amplify any missteps or oversight. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.

“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”

This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.

Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.

This is why curiosity, in particular, is so important.

“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”

Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.

Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.

Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.

Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.

Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.

“It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”

“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.

However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.

Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complacent.

I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché, doesn’t mean it isn’t also true.

An Easy Way to Lose Sight of Critical Risks


Let me ask you a question…

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Regular readers of Bank Director know that executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings.

But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at this year’s Bank Audit and Risk Committees Conference, hosted by Bank Director in Chicago from June 10-12, we do so with an eye not just to the internal challenges faced by your institution but to the external pressures as well.

As we prepare to host 317 women and men from banks across the country, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk.

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution.

Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations. I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry.

That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

At our upcoming event in Chicago, the Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

How Innovative Banks Keep Up With Compliance Changes


Bankers and directors are increasingly worried about compliance risk.

More than half of executives and directors at banks with more than $10 billion in assets said their concerns about compliance risk increased in 2018, according to Bank Director’s 2019 Risk Survey. At banks of all sizes, 39 percent of respondents expressed increasing concern about their ability to comply with changing regulations.

They’re right to be worried. In 2018, U.S. banks saw the largest amount of rule changes since 2012, according to Pamela Perdue, chief regulatory officer for Continuity. This may have surprised bankers who assumed that deregulation would translate to less work.

“The reality is that that is not the case,” she says. “[I]t takes just as much operational effort to unwind a regulatory implementation as it does to ramp it up in the first place.”

Many banks still rely on compliance officers manually monitoring websites and using Google alerts to stay abreast of law and policy changes. That “hunt-and-peck” approach to compliance may not be sufficiently broad; Perdue said bankers risk missing or misinterpreting regulatory updates.

This potential liability could also mean missed opportunities for new business as rules change. To handle these challenges, some banks use regulatory change management (RCM) technology to aggregate law and policy changes and stay ahead of the curve.

RCM technology offerings are evolving. Current offerings are often included in broader governance risk and compliance solutions, though these tools often use the same manual methods for collecting and processing content that banks use.

Some versions of RCM technology link into data feeds from regulatory bodies and use scripts to crawl the web to capture information. This is less likely to miss a change but creates a mountain of alerts for a bank to sort through. Some providers pair this offering with expert analysis, and make recommendations for whether and how banks should respond.

But some of the most innovative banks are leveraging artificial intelligence (AI) to manage regulatory change. Bank Director’s 2019 Risk Survey revealed that 29 percent of bank respondents are exploring AI, and another 8 percent are already using it to enhance the compliance function. Companies like San Francisco-based Compliance.ai use AI to extract regulatory changes, classify them and summarize their key holdings in minutes.

While AI works exponentially faster than human compliance officers, there are concerns about its accuracy and reliability.

“I think organizations need to be pragmatic about this,” says Compliance.ai chief executive officer and co-founder Kayvan Alikhani. “[T]here has to exist a healthy level of skepticism about solutions that use artificial intelligence and machine learning to replace what a $700 to $800 an hour lawyer was doing before this solution was used.”

Compliance.ai uses an “Expert in The Loop” system to verify that the classifications and summaries the AI produced are accurate. This nuanced version of supervised learning helps train the model, which only confirms a finding if it has higher than 95 percent confidence in the decision.

Bankers may find it challenging to test their regulatory technology systems for accuracy and validity, according to Jo Ann Barefoot, chief executive officer of Washington-based Barefoot Innovation Group and Hummingbird Regtech.

“A lot of banks are running simultaneously on the new software and the old process, and trying to see whether they get the same results or even better results with the new technology,” she says.

Alikhani encourages banks to do proofs of concept and test new solutions alongside their current methodologies, comparing the results over time.

Trust and reliability don’t seem to be key factors in bankers’ pursuit of AI-based compliance technology. In Bank Director’s 2019 Risk Survey, only 11 percent of banks said their bank leadership teams’ hesitation was a barrier to adoption. Instead, 47 percent cited the inability to identify the right solution and 37 percent cited a lack of viable solutions in the marketplace as the biggest deterrents.

Bankers who are adopting RCM are motivated by expense savings, creating a more robust compliance program and even finding a competitive edge, according to Barefoot.

“If your competitors are using these kinds of tools and you’re not, that’s going to hurt you,” she says.

Potential Technology Partners

Continuity

Combines regulatory data feeds with consultative advice about how to implement changes.

Compliance.ai

Pairs an “Expert in the Loop” system to verify the accuracy of AI summaries and categorization

OneSumX Regulatory Change Management from Wolters Kluwer

Includes workflows and tasks that help banks manage the implementation of new rules and changes

BWise

Provides impact ratings that show which parts of the bank will be impacted by a rule and the degree of impact

Predict360 from 360factors

Governance risk and compliance solution that provides banks with access to the Code of Federal Regulations and administrative codes for each state

Learn more about each of the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

77 Percent of Bank Boards Approve Loans. Is That a Mistake?


Bank directors face a myriad of expectations from regulators to ensure that their institutions are safe and sound. But there’s one thing directors do that regulators don’t actually ask them to do.

“There’s no requirement or even suggestion, that I’m aware of, from any regulators that says, ‘Hey, we want the board involved at the loan-approval level,’” says Patrick Hanchey, a partner at the law firm Alston & Bird. The one exception is Regulation O, which requires boards to review and approve insider loans.

Instead, the board is tasked with implementing policies and procedures for the bank, and hiring a management team to execute on that strategy, Hanchey explains.

“If all that’s done, then you’re making good loans, and there’s no issue.”

Yet, 77 percent of executives and directors say their board or a board-level loan committee plays a role in approving credits, according to Bank Director’s 2019 Risk Survey.

Boards at smaller banks are more likely to approve loans than their larger peers. This is despite the spate of loan-related lawsuits filed by the Federal Deposit Insurance Corp. against directors in the wake of the recent financial crisis.


The board at Mayfield, Kentucky-based First Kentucky Bank approves five to seven loans a month, says Ann Hale Mills, who serves on the board. These are either large loans or loans extended to businesses or individuals who already have a large line of credit at the bank, which is the $442 million asset subsidiary of Exchange Bancshares.

Yet, the fact that directors often lack formal credit expertise leads some to question whether they should be directly involved in the process.

“Inserting themselves into that decision-making process is putting [directors] in a place that they’re not necessarily trained to be in,” says James Stevens, a partner at the law firm Troutman Sanders.

What’s more, focusing on loan approvals may take directors’ eyes off the big picture, says David Ruffin, a director at the accounting firm Dixon Hughes Goodman LLP.

“It, primarily, deflects them from the more important role of understanding and overseeing the macro performance of the credit portfolio,” he says. “[Regulators would] much rather have directors focused on the macro performance of the credit portfolio, and understanding the risk tolerances and risk appetite.”

Ruffin believes that boards should focus instead on getting the right information about the bank’s loan portfolio, including trend analyses around loan concentrations.

“That’s where a good board member should be highly sensitized and, frankly, treat that as their priority—not individual loan approvals,” says Ruffin.

It all boils down to effective risk management.

“That’s one of [the board’s] main jobs, in my mind. Is the institution taking the right risk, and is the institution taking enough risk, and then how is that risk allocated across capital lines?” says Chris Nichols, the chief strategy officer at Winter Haven, Florida-based CenterState Bank Corp. CenterState has $12.6 billion in assets, which includes a national correspondent banking division. “That’s exactly where the board should be: [Defining] ‘this is the risk we want to take’ and looking at the process to make sure they’re taking the right risk.”

Directors can still contribute their expertise without taking on the liability of approving individual loans, adds Stevens.

“[Directors] have information to contribute to loan decisions, and there’s nothing that says that they can’t attend officer loan committee meetings or share what they know about borrowers or credits that are being considered,” he says.

But Mills disagrees, as do many community bank directors. She believes the board has a vital role to play in approving loans.

First Kentucky Bank’s board examines quantitative metrics—including credit history, repayment terms and the loan-to-value ratio—and qualitative factors, such as the customer’s relationship with the bank and how changes in the local economy could impact repayment.

“We are very well informed with data, local economic insight and competitive dynamics when we approve a loan,” she says.

And community bank directors and executives are looking at the bigger picture for their community, beyond the bank’s credit portfolio.

“We are more likely to accept risk for loans we see in the best interest of the overall community … an external effect that is hard to quantify using only traditional credit metrics,” she says.

Regardless of how a particular bank approaches this process, however, the one thing most people can agree on is that the value of such bespoke expertise diminishes as a bank grows and expands into far-flung markets.

“You could argue that in a very small bank, that the directors are often seasoned business men and women who understand how to run a business, and do have an intuitive credit sense about them, and they do add value,” says Ruffin. “Where it loses its efficacy, in my opinion, is where you start adding markets that they have no understanding of or awareness of the key personalities—that’s where it starts breaking apart.”