An Effective Way to Combat Cyber Breaches

Banks have always been in the business of risk management, but the risks they face aren’t stagnant; they migrate with time.

Traditionally, banks have faced two types of risk: interest rate and credit risk. Today, however, given the growth of digital banking and transactions, these two risks have been supplanted by another: cybersecurity.

The biggest challenge when it comes to cybersecurity risk is that it constantly evolves, as the threats, actors and attacks increase in sophistication. Banks that prepare for one method of intrusion may find themselves the victim of a different strategy.

Earlier this year, H. Rodgin Cohen, a partner at Sullivan & Cromwell and one of the industry’s most trusted advisors, commented on this change.

“I think the biggest risk in the [financial] system today is a successful cyberattack,” Cohen said. “That is a very serious risk, but I think the more likely [danger] is that a single bank — or a group of banks — are hit with a massive denial of service for a period of time, or a massive scrambling of records.”

Banks of all sizes feel pressure to keep their systems secure from intruders, according to Bank Director’s 2019 Risk Survey, which found that cybersecurity concerns among bankers have increased over the previous year.

Twenty percent of survey respondents say they address cybersecurity as a full board rather than delegating it to a committee, and slightly more than a third say at least one director is a cybersecurity expert.

The concern is ever present, and for some banks, very real: 18% of respondents, excluding chief lending officers and chief credit officers, reported that their bank experienced a data breach or other cyberattack within the last two years.

Concerns like these are why Bank Director created the “Best Solution for Protecting the Bank” category for its 2019 Best of FinXTech Awards. Judges selected winners from the most innovative solutions found in the FinXTech Connect platform.

The finalists for this year’s award were Rippleshot, which helps banks to identify credit and debit card fraud; IDEMIA, which works to prevent card-not-present fraud; and Illusive Networks, which helps banks detect when their networks have been infiltrated.

This year’s winner was Illusive Networks, based in part on its work to secure the network of Israel Discount Bank, the third biggest bank in Israel.

Illusive approaches cybersecurity from a hackers’ point of view in order to beat them at their own game. Its strategy isn’t to stop an intrusion per se — a feat that seems increasingly impossible with the number of entry points into a system and the scores of malicious actors.

Rather, it detects and remediates an attack once it has happened. Intruders breaking into a bank’s system must persistently monitor the network for bits of information or credentials that will help them move from machine to machine and gradually close in on the data they want. Illusive plants false information across the bank’s network so that, when attackers act on it, the bank can catch them red-handed.

Illusive calls this “endpoint-focused deception.” The deceptive information is only visible to malicious actors and triggers an alert within Illusive. The technology then captures details about the bad actor directly from the machine they were using, which the bank then uses to track and stop the attack.

One of the main selling points of Illusive’s solution is the short implementation period. In Israel Discount Bank’s case, it took a matter of weeks to implement the solution. The net result is that, not only is the solution harder to detect for potential cyber criminals, but it’s also fast and easy to implement.

The Strategic Side of Cybersecurity Governance


Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. It proactively undertakes initiatives because it’s the right thing to do, versus an auditor instructing a company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel who are focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned to the cyber risk governance. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks that the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that their cyber risks are being addressed.

Outsourcing the Service, Not the Oversight


Every bank director has heard it: You can outsource a service, but you cannot outsource the responsibility.

That sounds clear enough, but how does a board know what its role should be when an opportunity to partner with a financial technology firm, or fintech, arises? The board’s role is oversight and guidance, not day-to-day management. But oversight is not passive. So what does board oversight look like in the evolving world of bank and fintech relationships?

Consider a bank that is reviewing a proposal from a fintech. Management believes that this is a great opportunity for the institution, and presents it to the board for approval. What is the board’s role here? The board’s involvement must be flexible enough that it can react to these situations, but it should also consider some essential inquiries, such as:

Does the proposal match up with the bank’s strategic plan? The board is responsible for the strategic direction of the bank. Directors should consider if the proposal is an appropriate project for the size, resources and initiatives of the bank. They must also think about whether the proposal aligns with the bank’s strategic plan. If the proposal does not match up with the strategic plan, they may also want to consider if it is material enough that the strategic plan should be amended.

What are the risks? The board is responsible for ensuring that an effective risk management program is in place at the bank, which includes the ability to fully assess risks and establish controls and oversight to mitigate those risks. It should assess the fintech proposal through its risk management process.

Management should provide the board with a comprehensive risk assessment of the proposed relationship that thoroughly outlines how each identified risk will be mitigated. The board should look at that assessment critically. Was it prepared by competent and experienced personnel? Does it appear to be thorough? Does it focus on IT risks or other narrow issues, or take into account all of the compliance issues? Does it include state laws, which is especially important if the bank is state-chartered? How does the assessment address concerns about privacy and cybersecurity? What does it say about reputation risk?

Is there a negotiated contract that addresses all of the risks? The board is responsible for ensuring that all third-party relationships are documented in negotiated contracts that protect the interests of the bank. The board needs to ensure that appropriate legal counsel is engaged to negotiate the arrangement, depending on the riskiness of a proposed fintech relationship. Counsel should have a thorough understanding of the legal issues involved in the proposed program and the applicable regulatory guidelines for third-party contracts.

The actual contract negotiation should be done by management. However, the board could consider requiring a summary of the important contract provisions or a presentation by management or legal counsel about the terms, depending on the level of risk involved and materiality to the bank.

How will the board know if the program is performing? The board should receive ongoing reports relating to monitoring of the program and the fintech. These reports should be sufficient for the board to establish that the program is compliant with law, operates in accordance with the contract and meets the strategic objectives of the bank. If the program is not performing, the board should know whether appropriate action is underway to either facilitate performance or terminate the program.

A bank’s board cannot outsource its responsibility for outsourced services, even if a fintech partner seems to have a fantastic product. The board must ask enough questions to be certain that management has engaged in appropriate due diligence, identified the risks and determined how to mitigate those risks through the contract and oversight. The implementation of all of those steps is up to management. But one role in particular rests with the board: ensuring that the relationship with the fintech partner furthers the strategic goals of the bank.

The Most Effective Bank Directors Share These Two Qualities


Banks have a slim margin for error.

They typically borrow $10 for every $1 of equity, which can amplify any missteps or oversight. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.

“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”

This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.

Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.

This is why curiosity, in particular, is so important.

“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”

Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.

Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.

Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.

Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.

Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.

“It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”

“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.

However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.

Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complicit.

I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché, doesn’t mean it isn’t also true.

An Easy Way to Lose Sight of Critical Risks


Let me ask you a question…

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Regular readers of Bank Director know that executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings.

But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at this year’s Bank Audit and Risk Committees Conference, hosted by Bank Director in Chicago from June 10-12, we do so with an eye not just to the internal challenges faced by your institution but to the external pressures as well.

As we prepare to host 317 women and men from banks across the country, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk.

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution.

Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations. I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry.

That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

At our upcoming event in Chicago, the Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

How Innovative Banks Keep Up With Compliance Changes


Bankers and directors are increasingly worried about compliance risk.

More than half of executives and directors at banks with more than $10 billion in assets said their concerns about compliance risk increased in 2018, according to Bank Director’s 2019 Risk Survey. At banks of all sizes, 39 percent of respondents expressed increasing concern about their ability to comply with changing regulations.

They’re right to be worried. In 2018, U.S. banks saw the largest number of rule changes since 2012, according to Pamela Perdue, chief regulatory officer for Continuity. This may have surprised bankers who assumed that deregulation would translate to less work.

“The reality is that that is not the case,” she says. “[I]t takes just as much operational effort to unwind a regulatory implementation as it does to ramp it up in the first place.”

Many banks still rely on compliance officers manually monitoring websites and using Google alerts to stay abreast of law and policy changes. That “hunt-and-peck” approach to compliance may not be broad enough; Perdue said bankers risk missing or misinterpreting regulatory updates.

This potential liability could also mean missed opportunities for new business as rules change. To handle these challenges, some banks use regulatory change management (RCM) technology to aggregate law and policy changes and stay ahead of the curve.

RCM technology offerings are evolving. Current offerings are often included in broader governance risk and compliance solutions, though these tools often use the same manual methods for collecting and processing content that banks use.

Some versions of RCM technology link into data feeds from regulatory bodies and use scripts to crawl the web to capture information. This is less likely to miss a change but creates a mountain of alerts for a bank to sort through. Some providers pair this offering with expert analysis, and make recommendations for whether and how banks should respond.

But some of the most innovative banks are leveraging artificial intelligence (AI) to manage regulatory change. Bank Director’s 2019 Risk Survey revealed that 29 percent of bank respondents are exploring AI, and another 8 percent are already using it to enhance the compliance function. Companies like San Francisco-based Compliance.ai use AI to extract regulatory changes, classify them and summarize their key holdings in minutes.

While AI works exponentially faster than human compliance officers, there are concerns about its accuracy and reliability.

“I think organizations need to be pragmatic about this,” says Compliance.ai chief executive officer and co-founder Kayvan Alikhani. “[T]here has to exist a healthy level of skepticism about solutions that use artificial intelligence and machine learning to replace what a $700 to $800 an hour lawyer was doing before this solution was used.”

Compliance.ai uses an “Expert in The Loop” system to verify that the classifications and summaries the AI produced are accurate. This nuanced version of supervised learning helps train the model, which only confirms a finding if it has higher than 95 percent confidence in the decision.

Bankers may find it challenging to test their regulatory technology systems for accuracy and validity, according to Jo Ann Barefoot, chief executive officer of Washington-based Barefoot Innovation Group and Hummingbird Regtech.

“A lot of banks are running simultaneously on the new software and the old process, and trying to see whether they get the same results or even better results with the new technology,” she says.

Alikhani encourages banks to do proofs of concept and test new solutions alongside their current methodologies, comparing the results over time.

Trust and reliability don’t seem to be key factors in bankers’ pursuit of AI-based compliance technology. In Bank Director’s 2019 Risk Survey, only 11 percent of banks said their bank leadership teams’ hesitation was a barrier to adoption. Instead, 47 percent cited the inability to identify the right solution and 37 percent cited a lack of viable solutions in the marketplace as the biggest deterrents.

Bankers who are adopting RCM are motivated by expense savings, creating a more robust compliance program and even finding a competitive edge, according to Barefoot.

“If your competitors are using these kinds of tools and you’re not, that’s going to hurt you,” she says.

Potential Technology Partners

Continuity

Combines regulatory data feeds with consultative advice about how to implement changes.

Compliance.ai

Pairs an “Expert in the Loop” system to verify the accuracy of AI summaries and categorization.

OneSumX Regulatory Change Management from Wolters Kluwer

Includes workflows and tasks that help banks manage the implementation of new rules and changes.

BWise

Provides impact ratings that show which parts of the bank will be impacted by a rule and the degree of impact.

Predict360 from 360factors

Governance risk and compliance solution that provides banks with access to the Code of Federal Regulations and administrative codes for each state.

Learn more about each of the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

77 Percent of Bank Boards Approve Loans. Is That a Mistake?


Bank directors face a myriad of expectations from regulators to ensure that their institutions are safe and sound. But there’s one thing directors do that regulators don’t actually ask them to do.

“There’s no requirement or even suggestion, that I’m aware of, from any regulators that says, ‘Hey, we want the board involved at the loan-approval level,’” says Patrick Hanchey, a partner at the law firm Alston & Bird. The one exception is Regulation O, which requires boards to review and approve insider loans.

Instead, the board is tasked with implementing policies and procedures for the bank, and hiring a management team to execute on that strategy, Hanchey explains.

“If all that’s done, then you’re making good loans, and there’s no issue.”

Yet, 77 percent of executives and directors say their board or a board-level loan committee plays a role in approving credits, according to Bank Director’s 2019 Risk Survey.

Boards at smaller banks are more likely to approve loans than their larger peers. This is despite the spate of loan-related lawsuits filed by the Federal Deposit Insurance Corp. against directors in the wake of the recent financial crisis.

The board at Mayfield, Kentucky-based First Kentucky Bank approves five to seven loans a month, says Ann Hale Mills, who serves on the board. These are either large loans or loans extended to businesses or individuals who already have a large line of credit at the bank, which is the $442 million asset subsidiary of Exchange Bancshares.

Yet, the fact that directors often lack formal credit expertise leads some to question whether they should be directly involved in the process.

“Inserting themselves into that decision-making process is putting [directors] in a place that they’re not necessarily trained to be in,” says James Stevens, a partner at the law firm Troutman Sanders.

What’s more, focusing on loan approvals may take directors’ eyes off the big picture, says David Ruffin, a director at the accounting firm Dixon Hughes Goodman LLP.

“It, primarily, deflects them from the more important role of understanding and overseeing the macro performance of the credit portfolio,” he says. “[Regulators would] much rather have directors focused on the macro performance of the credit portfolio, and understanding the risk tolerances and risk appetite.”

Ruffin believes that boards should focus instead on getting the right information about the bank’s loan portfolio, including trend analyses around loan concentrations.

“That’s where a good board member should be highly sensitized and, frankly, treat that as their priority—not individual loan approvals,” says Ruffin.

It all boils down to effective risk management.

“That’s one of [the board’s] main jobs, in my mind. Is the institution taking the right risk, and is the institution taking enough risk, and then how is that risk allocated across capital lines?” says Chris Nichols, the chief strategy officer at Winter Haven, Florida-based CenterState Bank Corp. CenterState has $12.6 billion in assets, which includes a national correspondent banking division. “That’s exactly where the board should be: [Defining] ‘this is the risk we want to take’ and looking at the process to make sure they’re taking the right risk.”

Directors can still contribute their expertise without taking on the liability of approving individual loans, adds Stevens.

“[Directors] have information to contribute to loan decisions, and there’s nothing that says that they can’t attend officer loan committee meetings or share what they know about borrowers or credits that are being considered,” he says.

But Mills disagrees, as do many community bank directors. She believes the board has a vital role to play in approving loans.

First Kentucky Bank’s board examines quantitative metrics—including credit history, repayment terms and the loan-to-value ratio—and qualitative factors, such as the customer’s relationship with the bank and how changes in the local economy could impact repayment.

“We are very well informed with data, local economic insight and competitive dynamics when we approve a loan,” she says.

And community bank directors and executives are looking at the bigger picture for their community, beyond the bank’s credit portfolio.

“We are more likely to accept risk for loans we see in the best interest of the overall community … an external effect that is hard to quantify using only traditional credit metrics,” she says.

Regardless of how a particular bank approaches this process, however, the one thing most people can agree on is that the value of such bespoke expertise diminishes as a bank grows and expands into far-flung markets.

“You could argue that in a very small bank, that the directors are often seasoned business men and women who understand how to run a business, and do have an intuitive credit sense about them, and they do add value,” says Ruffin. “Where it loses its efficacy, in my opinion, is where you start adding markets that they have no understanding of or awareness of the key personalities—that’s where it starts breaking apart.”

Exclusive: How This Growing Community Bank Focuses on Risk


Managing risk and satisfying examiners can be difficult for any bank. It’s particularly hard for community banks that want to manage their limited resources wisely.

One bank that balances these challenges well is Bryn Mawr Bank Corp., a $4.6 billion asset institution based in Bryn Mawr, Pennsylvania, on the outskirts of Philadelphia.

Bank Director Vice President of Research Emily McCormick recently interviewed Chief Risk Officer Patrick Killeen about the bank’s approach to risk for a feature story in our second quarter 2019 issue. That story, titled “Banks Regain Sovereignty Over Risk Practices,” dives into the results of Bank Director’s 2019 Risk Survey.

In the transcript of the interview—available exclusively to members of our Bank Services program—Killeen goes into detail about how his bank approaches stress testing, cybersecurity and credit risk, and explains how the executive team and board have strengthened the organization for future growth.

He discusses:

  • The top risks facing his community bank
  • Hiring the right talent to balance risk and growth
  • Balancing board and management responsibilities in lending
  • Conducting stress tests as a community bank
  • Managing cyber risk
  • Responding to Bank Secrecy Act and anti-money laundering guidance

The interview has been edited for brevity, clarity and flow.


Credit Due Diligence Is Even More Important Now


With loan quality generally viewed as benign while M&A activity continues into 2019, is any emphasis on credit due diligence now misplaced? The answer is no.

With efficiency driving consolidation, bank boards and management should not be tempted to save time and money by taking shortcuts, such as relying on recent loan reviews and the implied findings of regulatory exams as a substitute for assessing credit quality.

The overarching reason is the nature of the current business and credit cycle. The economy is strong right now, and among many banks net recoveries have replaced net charge-offs.

But it is not a matter of if but when credit stress rears its head.

And time truly is money when trying to stay ahead of the turn of the credit worm. That means now is the time to highlight a few buy- or sell-side justifications for credible M&A credit due diligence.

Some challenges always require vigilance. These include:

  • Heightened correlated lending concentrations
  • Superficial underwriting and/or servicing
  • Acquired third-party exposures through participations or syndications
  • Insider lending (albeit indirect)
  • Getting upside down on commodity or collateral valuations
  • Covenant-light lending
  • Credit cultural incongruity

New Risks, New Assessments
The emergence of a portfolio-wide macro approach to credit risk during the past decade has ushered in a flurry of statistical disciplines, such as calculating probabilities of default, loss-given defaults, risk grade migrations, and probability modeling to project baseline and stress loss credit marks for investors and acquirers.

Credible due diligence now provides rich assessments of various pools and subsets of loans within a target’s portfolio. These quantitative measures provide a precise estimate of embedded credit losses, in parallel with the adoption of the current expected credit loss (CECL) standard, to project life of portfolio credit risk and end deficiencies in the current allowance guidance.

Good credit assessment is capped by qualitative components. There are several factors to consider in the current credit cycle.

  • Vintage of loan originations: Late-cycle loans to chase growth goals or to entice investors carry higher risk profiles.
  • Exotic lending: Some banks have added less conventional loan products to their offerings, which may require specialized talent.
  • Leveraged financial transactions: For some banks, commercial and industrial (C&I) syndications have replaced the real estate participation of a decade ago. They have recently grown in leverage and stress, and would be susceptible to an economic downturn.
  • Hyper commercial real estate valuation increases: Recent studies have shown significant increases in commercial property values, well over the pace of residential 1-4 family properties, along with the headwinds of higher interest rates and the advent of diminished real estate requisites accompanying the tech-driven virtual marketplace.
  • Dependence on current circumstance as proxies for future credit quality: We must accept that we are affected by trailing, rather than by leading, credit metric indicators.
  • Lending cultural protocols: Knowing the skill sets and risk appetites of prospective teammates is imperative. Some would argue that in today’s consolidation environment, cultural incongruity trumps loan quality as the biggest determinant of success.

What Should Lie Ahead
Credit due diligence should provide a key strategic forerunner to the financial and cultural integration between institutions that might have disparate lending philosophies.

It should include an in-depth quantitative dive combined with a skilled assessment of qualitative factors, both of which are critical in providing valuable insight to management and the board. Yet, to reduce costs some have difficulty swallowing any in-depth credit diligence, given the de minimis nature of recent losses and low levels of problem loans.

Many economic indicators point to tepid economic growth in 2019. At some point, the current credit cycle will turn. A lesson learned from the financial crisis has been to be proactive in risk management to stay ahead of the risk curve—and not be left to be reactive to negative effects.

During the crisis, many banks suffered greater losses due to their reluctance to initiate remediation in response to deteriorating credit. M&A credit due diligence must be treated as an anticipation of the future, not a validation of the past, and an investment in curtailing future losses.

Applying the 1-10-100 Rule to Loan Management


Implementing new software may seem like an expensive and time-consuming challenge, so many financial institutions make do with legacy systems and workflows rather than investing in robust, modern technology solutions aimed at reducing operating expenses and increasing revenue. Unfortunately, banks stand to lose much more in both time and resources by continuing to use outdated systems, and the resultant data entry errors put institutions at risk.

The Scary Truth about Data Entry Errors
You might be surprised by the error rates associated with manual data entry. The National Center for Biotechnology Information evaluated over 20,000 individual pieces of data to examine the number of errors generated from manually entering data into a spreadsheet. The study, published in 2008, revealed that the error rates reached upwards of 650 errors out of 10,000 entries—a 6.5 percent error rate.

Calculating 6.5 percent of a total loan portfolio—$65,000 of $1 million, for example—produces an arbitrary number. To truly understand the potential risk of human data entry error, one must be able to estimate the true cost of each error. Solely quantifying data entry error rates is meaningless without assigning a value to each error.

The 1-10-100 Rule is one way to determine the true value of these errors.

The rule is outlined in the book “Making Quality Work: A Leadership Guide for the Results-Driven Manager,” by George Labovitz, Y.S. Chang and Victor Rosansky. They posit that the cost of every single data entry error increases exponentially at subsequent stages of a business’s process.

For example, if a worker at a communications company incorrectly enters a potential customer’s address, the initial error might cost only one dollar in postage for a wrongly-addressed mailer. If that error is not corrected at the next stage—when the customer signs up for services—the 1-10-100 Rule would predict a loss of $10. If the address remains uncorrected in the third step—the first billing cycle, perhaps—the 1-10-100 Rule would predict a loss of $100. After the next step in this progression, the company would lose another $1,000 due to the initial data entry error.

This example considers only one error in data entry, not the multitude that doubtlessly occur each day in companies that rely heavily on humans to enter data into systems.

In lending, data entry goes far beyond typos in customers’ contact information and can include potentially serious mistakes in vital customer profile information. Data points such as social security numbers and dates of birth are necessary to document identity verification to comply with the Bank Secrecy Act. Data entry errors also lead to mistakes in loan amounts. A $10,000 loan, for example, has different implications with respect to compliance reporting, documentation, and pricing than a $100,000 loan. Even if the loan is funded correctly, a single zero incorrectly entered in a bank’s loan management system can lead to costly oversights.

Four Ways Data Entry Errors Hurt the Bottom Line
Data entry errors can be especially troublesome and costly in industries in which businesses rely heavily on data for daily operations, strategic planning, risk mitigation and decision making. In finance, determining the safety and soundness of an institution, its ability to achieve regulatory compliance, and its budget planning depend on the accuracy of data entry in its loan portfolios, account documentation, and customer information profiles. Data entry errors can harm a financial institution in several ways.

  1. Time Management. When legacy systems cannot integrate, data ends up housed in different silos, which require duplicative data entry. Siloed systems and layers of manual processes expose an institution to various opportunities for human error. The true cost of these errors on an employee’s time—in terms of wages, benefits, training, etc.—adds up, making multiple data entry a hefty and unnecessary expense.
  2. Uncertain Risk Management. No matter how many stress tests you perform, it is impossible to manage the risk of a loan portfolio composed of inaccurate data. In addition, entry errors can lead to incorrectly filed security instruments, leaving a portfolio exposed to the risk of insufficient collateral.
  3. Inaccurate Reporting. Data entry errors create unreliable loan reports, leading to missed maturities, overlooked stale-dates, canceled insurance and other potentially costly oversights.
  4. Mismanaged Compliance. Data entry errors are a major compliance risk. Whether due to inaccurately entered loan amounts, file exceptions, insurance lapses or inaccurate reporting, the penalties can be extremely costly—not only in terms of dollars but also with respect to an institution’s reputation.

Reduce Opportunities for Human Error
An institution’s risk management plan should include steps intended to mitigate the inevitable occurrence of human error. In addition to establishing systems of dual control and checks and balances, you should also implement modern technologies, tools, and procedures that eliminate redundancies within data entry processes. By doing so, you will be able to prevent mistakes from happening, rather than relying solely on a system of double-checking.