How Banks Can Use the Dark Web to Shed Light on Cybersecurity


Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For a bank’s CTI program, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make the bank more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.
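One of the uses listed above, finding the bank's own breached cards in a recovered dump and handing them to the fraud team, can be sketched as follows. This is an added example, not code from the article; the BIN values, the lookup key and the sample dump are constructed placeholders (the card numbers are well-known test numbers).

```python
import hashlib
import hmac
import re
from typing import NamedTuple

BANK_BINS = {"411111", "550000"}       # hypothetical BINs issued by "our" bank
TOKEN_KEY = b"placeholder-lookup-key"  # placeholder; a real key lives in a secrets store

# 13 to 19 digits, optionally split by single spaces or hyphens, and not
# embedded in a longer run of digits (tracking numbers, phone numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of what a CTI vendor might hand over.
SAMPLE_DUMP = """\
record 12 | 4111 1111 1111 1111 | 09/21
order ref 4111111111111112 shipped
5500-0000-0000-0004|03/22
4012888888881881|11/20
tracking 9400110200881234567890
4111111111111111,09/21
"""


class Finding(NamedTuple):
    line_no: int  # first line of the dump where the card appeared
    masked: str   # first six and last four digits only, safe for tickets and SIEM
    token: str    # keyed hash the fraud system can match without the plain PAN


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out random digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def triage_dump(text: str, bins=BANK_BINS) -> list:
    """Return one Finding per distinct, Luhn-valid card that belongs to the bank."""
    seen = set()
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", match.group())
            if pan in seen or not luhn_ok(pan) or pan[:6] not in bins:
                continue
            seen.add(pan)
            findings.append(Finding(line_no, mask_pan(pan), pan_token(pan)))
    return findings


if __name__ == "__main__":
    for finding in triage_dump(SAMPLE_DUMP):
        print(finding.line_no, finding.masked, finding.token[:12])
```

Only the masked value and the token leave the triage step, so the SIEM and ticketing systems never store a full card number.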

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in preventing fraud carried out through credential theft;
  • Thwarting attacks planned by adversaries that use new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches;
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

The Newest Exposure Facing Community Bank Boards


Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine to dispense larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most-recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and the perpetrators extort executives for a “consulting fee” to restore access to the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing of a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud was initially caused by an employee who fell victim to a targeted phishing email, which allowed culprits to install malware on bank servers. The malware allowed thieves to disable the anti-theft and anti-fraud protections, including 4-digit PINs and daily withdrawal limit thresholds. The bank succumbed to two separate instances of ATM thefts from this intrusion into their computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

This Is a Red Flag for Banks


The yield curve has been in the news because its recent gyrations are seen as a harbinger of a coming recession.

The yield curve is the difference between short- and long-term bond yields. In a healthy economy, long-term bond yields are normally higher than short-term yields because investors take more risk with the longer duration.

In late June, however, the spread between the yield on the three-month Treasury bill and the 10-year Treasury note inverted—which is to say the 10-year yield was lower than the three-month yield.

[Figure: Inverted yield curve]

An inverted yield curve doesn’t cause a recession, but it signals a set of economic factors that are likely to result in one. It is a sign that investors lack confidence in the future of the economy. Or to put it another way, they have greater confidence in the economy’s long-term prospects than in its near-term outlook.

Long-term yields drop because investors want to lock in a higher return. This heightened demand for long-dated bonds allows the U.S. Department of the Treasury to offer lower yields. The historical average length of recessions is about 18 months, so a 10-year Treasury note takes investors well beyond that point.

Short-term Treasury yields rise because investors are skittish about the economy’s near-term prospects, which requires the Treasury Department to entice them with higher yields.

It turns out that inverted yield curves have a pretty good track record of predicting recessions within the next 12 months. The last six recessions were preceded by inverted yield curves, although economists point out that inversions in 1995 and 1998 were not followed by subsequent downturns. And more than two years passed between an inversion in December 2005 and the onset of the 2008 financial crisis.

Still, an inverted yield curve is an economic red flag for banks. The industry’s performance inevitably suffers in a recession, and even the most conservative institutions will experience higher loan losses when the credit cycle turns.

An inversion is a warning that banks should tighten their credit standards and rein in their competitive impulses. Some of the worst commercial loans are made 12 to 18 months prior to an economic downturn, and they are often the first loans to go bad.

Ironically, if banks tighten up too much, they risk contributing to a recession by cutting off the funding that businesses need to grow. Banks make these decisions individually, of course, but the industry’s herd instinct is alive and well.

It’s possible that the most recent inversion presages a recession in 2020. In its June survey, the National Association of Business Economics forecast the U.S. economy to grow 2.6 percent this year, with only a 15 percent chance of a recession. But they see slower growth in 2020, with the risk of a recession by year-end rising to 60 percent.

This has been an unprecedented time for the U.S. economy and we seem to be sailing through uncharted waters. On July 1, the economy’s current expansion became the longest on record, and gross domestic product grew at a 3.1 percent annualized rate in the first quarter. Unemployment was just 3.6 percent in May—the lowest in 49 years—while inflation, which often rises when the economy reaches full employment because employers are forced to pay higher salaries to attract workers, remained under firm control.

These are historic anomalies, so maybe the old rules have changed.

The Federal Open Market Committee is widely expected to cut the fed funds rate in late July after raising it four times in 2018. That could both help and hurt bankers.

A rate cut helps if it keeps the economic expansion going. It hurts if it makes it more difficult for banks to charge higher rates for their loans. Many banks prospered last year because they were able to raise their loan rates faster than their deposit rates, which helped expand their net interest margins. They may not benefit as much from repricing this year if the Fed ends up cutting interest rates.

Is an inverted yield curve a harbinger of a recession in 2020? This economy seems to shrug off all such concerns, but history says yes.

How Innovative Banks are Eliminating Online Card Fraud

Card fraud has a new home. Just a few years after the prolonged and pricey switch to EMV chip cards, fraud has migrated from purchases where the card is physically swiped to transactions where the card is not present. The shift means that U.S. banks might be on the cusp of yet another move in card technology.

EMV chips were so successful in curbing cases of fraud where the card was swiped that fraud evolved. Fraud is 81 percent more likely to occur today in “card-not-present” transactions that take place over the phone or internet than it is at the point of sale, according to the 2018 Identity Fraud Study by Javelin Research.

Technology has evolved to combat this theft. One new solution is to equip cards with dynamic card verification values, or CVVs. Cards with dynamic CVVs will periodically change the 3-digit code on the back of a credit or debit card, rendering stolen credentials obsolete within a short window of time. Most cards with dynamic codes automatically change after a set period of time—as often as every 20 minutes. The cards are powered by batteries that have a 3- to 4-year lifespan that coincides with the reissuance of a new card.
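The time-window behaviour described above can be made concrete with a small model. This is an added example, not the scheme used by any card vendor named in this article: it assumes an HOTP-style HMAC truncation over a 20-minute window counter, and the class name, key and timestamps are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 20 * 60  # the article's "as often as every 20 minutes"
CODE_DIGITS = 3           # the 3-digit code on the back of the card


def dynamic_cvv(card_key: bytes, unix_time: int) -> str:
    """Code displayed during the window that contains unix_time.

    Assumption: HMAC-SHA-256 over the window counter, truncated the way
    HOTP (RFC 4226) truncates. Real card products use their own schemes.
    """
    counter = unix_time // WINDOW_SECONDS
    digest = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class IssuerVerifier:
    """Issuer-side check for one card (hypothetical class)."""

    def __init__(self, card_key: bytes, drift_windows: int = 1, max_failures: int = 3):
        self.card_key = card_key
        self.drift_windows = drift_windows  # earlier windows still honoured
        self.max_failures = max_failures    # consecutive misses before lockout
        self.failures = 0

    def accepted_codes(self, now: int) -> list:
        """Codes valid at `now`: the current window plus tolerated earlier ones."""
        return [dynamic_cvv(self.card_key, now - k * WINDOW_SECONDS)
                for k in range(self.drift_windows + 1)]

    def verify(self, presented: str, now: int) -> str:
        # A 3-digit code has only 1,000 values, so guessing must be capped.
        if self.failures >= self.max_failures:
            return "locked"
        well_formed = (len(presented) == CODE_DIGITS
                       and presented.isascii() and presented.isdigit())
        match = False
        if well_formed:
            for code in self.accepted_codes(now):
                # Constant-time comparison; every candidate is always checked.
                match |= hmac.compare_digest(presented, code)
        if match:
            self.failures = 0
            return "approved"
        self.failures += 1
        return "declined"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    t0 = 1_700_000_000             # constructed timestamp
    verifier = IssuerVerifier(key)
    stolen = dynamic_cvv(key, t0)  # code skimmed from a checkout form at t0
    print("at capture time:", verifier.verify(stolen, t0))
    print("one window later:", verifier.verify(stolen, t0 + WINDOW_SECONDS))
    print("five windows later:", verifier.verify(stolen, t0 + 5 * WINDOW_SECONDS))
```

The tolerance for the previous window keeps a purchase from failing when the code rolls over mid-checkout, at the price of a stolen code staying usable for up to two windows instead of one.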

Several countries including France, China and Mexico have already begun adopting the technology, but the rollout in the United States has been more limited. The new Apple Card, issued by Goldman Sachs Group, boasts dynamic CVV as a key security feature. PNC Financial Services Group also launched a pilot program with Motion Code cards in late 2018.

Bankers who remember the shift to EMV might cringe at the thought of adopting another new card technology. But dynamic CVVs are different because they do not require merchants to adopt any new processes and do not create extra work for customers.

But one challenge with these more-secure cards will be their cost. A plastic card without an EMV chip cost about 39 cents. That cost rose to $2 to $3 a card with EMV. A card with the capability for a dynamic CVV could cost 5 times as much, averaging $12 to $15.

But advocates of the technology claim the benefits of eliminating card-not-present fraud more than cover the costs and could even increase revenue. French retail bank Société Générale S.A. worked with IDEMIA, formerly Oberthur Technologies, to offer cards with dynamic CVVs in fall 2016. The cards required no change in customers’ habits, which helped with their adoption, says Julien Claudon, head of card and digital services at Société Générale.

“Our customers appreciate the product and we’ve succeeded in selling it to customers because it’s easy to use.”

He adds that card-not-present fraud among bank customers using the card is “down to almost zero.”

Eliminating card-not-present fraud can also eliminate the ancillary costs of fraud, says Megan Heinze, senior vice president for financial institutions activities in North America at IDEMIA. She says card fraud is estimated to cost banks up to $25 billion by 2020.

“A lot of prime customers ask for the card the next day. The issuer then has to get the card developed—sending a file out that has to be printed—and then it’s FedExed. The average FedEx cost is around $10. The call to the call center [costs] around $7.50,” she says. “So that’s $17. And that doesn’t even include the card.”

What’s more, dynamic CVVs could also create a revenue opportunity. Société Générale charges customers a subscription fee of $1 per month for the cards. The bank saw a more than 5 percent increase in new customers and increased revenue, according to Heinze.

Still, some are skeptical of how well a paid, consumer-based model would fare in the U.S. market.

“The U.S. rejected EMV because it was so expensive to do. It was potentially spending $2 billion to save $1 billion, and that’s what you have to look at with the use case of these [dynamic CVV] cards,” says Brian Riley, director of credit advisory service for Mercator Advisory Group. “If it tends to be so expensive I might want to selectively do it with some good customers, but for the mass market there’s just not a payback.”

Still, dynamic CVVs are an interesting solution to the big, expensive problem of card-not-present fraud. While some institutions may wait until another card mandate hits, adopting dynamic CVV now could be a profitable differentiator for tech-forward banks.

Potential Technology Partners

IDEMIA

Idemia’s Motion Code technology powers cards for Société Générale and is being piloted by PNC and WorldPay.

GEMALTO

Gemalto’s Dynamic Code Card hasn’t been publicly linked to any bank or issuer names, but the company cites its own 2015 Consumer Research Project for some impressive statistics on customer demand for dynamic CVV cards.

SUREPASS ID

SurePass ID offers a Dynamic Card Security Code. The company’s founder, Mark Poidomani, is listed as the inventor of several payment-related patents.

FITEQ

FiTeq’s dynamic CVV requires cardholders to push a button to generate a new CVV code.

VISA AND MASTERCARD

Visa and Mastercard are leveraging dynamic CVV codes in their contactless cards.

Learn more about the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

Avoiding Unnecessary Unclaimed Property Forfeitures and Keeping Customers


Unclaimed property issues are complex, but there are steps banks can take to help their customers maintain claims to their assets and keep their funds within the institution.

“Escheatment” is the legal term for the transfer of abandoned property to the state. Once a customer’s property is considered “abandoned” after a specific waiting period, state laws require that the bank turn over the asset to the state treasury department for safekeeping. Dormancy periods can be as short as one year, but vary by state or jurisdiction.

Banks can take four key actions that can reduce the risk of unnecessary escheatment of their customers’ accounts, and keep assets and deposits within the institution.

Institutions need to design processes and systems that can prevent unnecessary escheatment. Many banks lack the internal processes and technology solutions that would help minimize the risk of escheatment and often do not formalize their approach until faced with an audit, compounding an already-stressful situation.

Banks can create a culture of compliance by having policies and procedures for this process in place. They can also use technology to mitigate escheatment risk, lower the cost of the process and increase the efficiency of mitigation efforts.

However, many financial organizations lack robust systems to aid this process. For example, banks might allow certificates of deposit to be escheated because of inactivity, even though the CD owner has actively made deposits in or withdrawals from another account type. Linking customer accounts together allows the bank to assess contact activity across all holdings.

Banks can also educate their customers on the importance of maintaining accurate contact information and regular activity, which could prevent accounts from becoming dormant. Effective ways to help clients accomplish this include:

  • Providing customers with educational information when they open an account—one of the best times to educate them.
  • Adding messages on customer communications.
  • Establishing online alerts if mail has been returned as undeliverable, prompting customers to update their address when they log into their accounts.
  • Training bank employees about the risks of unnecessary escheatment so they are well-versed about unclaimed property compliance and can guide customers appropriately.

Banks should also proactively identify their customers who might be at risk for escheatment. All jurisdictions, except for Puerto Rico, have basic due diligence requirements that require banks to make a final attempt to contact owners of dormant accounts and uncashed checks towards the end of the dormancy period. But there are several steps that banks can take to identify customers at risk of escheatment ahead of the dormancy period:

  • Monitor which accounts have been inactive for 12 to 18 months and note the relationship with these customers.
  • Begin outreach campaigns early and allow sufficient time for communication, rather than waiting for the mandated due diligence process.
  • Identify deceased customer accounts that appear to be inactive, which can happen when family members are not aware that the account needs to be transferred or overlook paperwork when settling an estate.

Banks should communicate early, often and effectively with at-risk customers well in advance of the due diligence escheatment process. This process generally occurs late in the dormancy period: accounts have often been dormant for three to five years, making it difficult to find and communicate with their owners.

The process typically involves a single mailing sent to the last address of the dormant account’s owner, in hopes that they will respond. Most jurisdictions do not require due diligence mailings if the address on the account has been deemed inaccurate.

Owners that do receive and open the due diligence mailing may miss the window to reactivate their account if they do not act immediately. Customers may also think these letters are potential scams because they do not perceive themselves to be inactive or lost.

Effective ways to communicate with at-risk customers include:

  • Calling customers directly and explaining the situation before incurring the expense of a due diligence mailing.
  • Using colored envelopes and company logos in customer communications.
  • Using direct mailings when time, budget, resources or the volume of accounts prevent telephone efforts.

Varying the communication techniques, changing the appearance of each mailing and customizing the specific details of the communication to the customer’s unique situation may also accelerate and increase the response rate. Proper documentation is critical–banks should retain all correspondence for control and audit purposes.

The key to preventing unnecessary escheatment is being proactive long before the state dormancy periods begin. These methods will help banks reduce the cost of compliance and retain assets and customers.

Managing Cost, Efficiency & Control in the Loan Portfolio

What sets today’s lending environment apart is the potential for banks to collaborate with technology platforms to manage their risk more effectively and efficiently, explains Garrett Smith, the CEO of Community Capital Technology. In this video, he outlines how banks of varying sizes are diversifying their loan portfolios, and he shares his advice for banks seeking to buy or sell loans on the secondary market.

  • Using Technology to Manage the Loan Portfolio
  • Purchasing Loans on a Marketplace Platform
  • What to Know About Selling Loans

Rodge Cohen: Are We Preparing to Fight the Last War?


His name might not command the same recognition on the world stage as the mononymous Irish singer and songwriter known simply as Bono, but in banking and financial services just about everyone knows who “Rodge” is.

H. Rodgin Cohen, referred to simply as Rodge, is the unrivaled dean of U.S. bank attorneys. At 75, Cohen, who is the senior chairman at the New York City law firm Sullivan & Cromwell, is still actively involved in the industry, having recently advised SunTrust Banks on its pending merger with BB&T Corp.

Cohen has long been considered a valued advisor within the industry.

In the financial crisis a decade ago, he represented corporate clients like Lehman Brothers and worked closely with the federal government’s principal players, including Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke. His character even made an appearance in the movie “Too Big To Fail,” based on a popular book about the crisis by Andrew Ross Sorkin.

Eleven years later, Cohen says the risk to the banking industry is no longer excessive leverage or insufficient liquidity—major contributing factors to the last crisis.

The Dodd-Frank Act of 2010, passed nearly a decade ago, raised bank capitalization levels substantially compared to pre-crisis levels. In fact, bank capitalization levels have been rising for 40 years, going back to the thrift crisis in the late 1980s. Dodd-Frank also requires large banks to hold a higher percentage of their assets in cash to ensure they have enough liquidity to weather another financial storm.

The lesson from the last crisis, says Cohen, revolves around the importance of having a fortress balance sheet. “I think that was the lesson which has been thoroughly learned not merely by the regulators, but by the banks themselves, so that banks today have exponentially more capital, and the differential is even greater in terms of having more liquidity,” says Cohen.

But does anyone know if these changes will be enough to help banks survive the next crisis?

“I don’t think it is possible to calculate this precisely, but if you look at the banks that did get into trouble, none of them had anywhere near the level of capital and liquidity that is required now,” says Cohen. “Although you can’t say with certainty that this is enough, because it’s almost unprovable, there’s enough evidence that suggests that we are at levels where no more is required.”

It is often said that generals have a tendency to fight the last war even though advances in weaponry—driven by technology—can render that war’s tactics and strategies obsolete. Think of the English cavalry on horseback in World War I charging into German machine guns.

It can be argued that regulators, policymakers and even customers in the United States still bear the emotional scars of the last financial crisis, so we all find comfort in the fact that banks are less leveraged today than they have been in recent history, particularly in the lead up to the last crisis.

But what if a strong balance sheet isn’t enough to fight the next war?

“I think the biggest risk in the [financial] system today is a successful cyberattack,” says Cohen. While a lot of attention is paid to the dangers of a broad attack on critical infrastructure that poses a systemic risk, Cohen worries about something different.

“That is a very serious risk, but I think the more likely [danger] is that a single bank—or a group of banks—are hit with a massive denial of service for a period of time, or a massive scrambling of records,” he says. This contagion could destabilize the financial system if depositors begin to worry about the safety of their money.

Cohen believes that financial contagion, where risk spreads from one bank to another like an infectious disease, played a bigger role in the financial crisis than most people appreciate. And he worries that the same scenario could play out in a crippling cyberattack on a major bank.

“Until we really understand what role contagion played in 2008, I don’t think we’re going to appreciate fully the risk of contagion with cyber,” he says. “But to me, that is clearly the principal risk.”

And herein lies the irony of the industry’s higher capital and liquidity requirements. They were designed to protect against the risk of credit bubbles, such as the one that precipitated the last crisis, but they will do little to protect against the bigger risk faced by banks today: a crippling cyberattack.

“That’s why I regard [cyber] as the greatest threat,” says Cohen, “because a fortress balance sheet won’t necessarily help.”

What Are The Real Risks Of Blockchain?


In the landscape of innovative disruption, the public’s attention is often focused on bitcoin’s impact on financing and investment options. However, it is important to understand that blockchain, the underlying technology often conflated with bitcoin, carries an even greater potential to disrupt many industries worldwide.

The attraction of blockchain technology is its promise to provide an immutable digital ledger of transactions. As such, it is this underlying technology—an open, distributed ledger—that makes monetary and other transactions work.

These transactions can include bitcoin, but they may also include records of ownership, marriage certificates and other instances where the order and permanence of the transaction is important. A blockchain is a secure, permanent record of each transaction that cannot be reversed.

But with all the positive hype about its potential implications, what are the risks to banks?

The Risk With Fintech
One of the most disruptive effects of blockchain will be in financial services. Between building cryptocurrency exchanges and writing digital assets to a blockchain, the innovation that is occurring today will have a lasting effect on the industry.

One of the principles of blockchain technology is the removal of intermediaries. In fintech, the primary intermediary is a bank or other financially regulated entity. If blockchain becomes used widely, that could pose a risk for banks because the regulatory body that works to protect the consumer with regulatory requirements is taken out of the equation.

This disintermediation has a dramatic effect on how fintech companies build their products, and ultimately requires them to take on a greater regulatory burden.

The Risk With Compliance
The first regulatory burden to consider concerns an often-forgotten practice that banks perform on a daily basis known as KYC, or Know Your Customer. Every bank must follow anti-money laundering (AML) laws and regulations to help limit the risk of being conduits to launder money or fund terrorism.

Remove the bank intermediary, however, and this important process now must occur before allowing customers to use the platform.

While some banks may choose to outsource this to a third party, it is critical to remember that while a third party can perform the process, the institution still owns the risk.

There are a myriad of regulations that should be considered as the technology is designed. The General Data Protection Regulation (GDPR), the European Union’s online privacy law, is a good example of how regulations apply differently on a blockchain.

One of the GDPR rules is the so-called right to be forgotten. Since transactions are immutable and cannot be erased or edited, companies need to ensure that data they write to a blockchain doesn’t violate these regulatory frameworks.

Finally, while blockchains are sometimes considered “self-auditing,” that does not mean the role of an auditor disappears.

For example, revenue recorded on a blockchain can support a financial statement or balance sheet audit. While there is assurance that the number recorded has not been modified, auditors still need to understand and validate how revenue is recognized.

What’s Ahead
The use of blockchain technology has the potential to generate great disruption in the marketplace. Successful implementation will come to those who consider the risks up front while embracing the existing regulatory framework.

There has already been massive innovation, and this is only the beginning of a massive journey of change.

Prepare Your Portfolio for an Economic Downturn


As we reach the 10-year anniversary of the inflection point of the 2008 financial crisis, it’s the perfect time to reflect on how the economy has (and hasn’t) recovered following the greatest economic downturn since the Great Depression. If you’ve paid the slightest attention to recent news, you’ve probably heard or read about the speculation of when the nation’s next economic storm will hit. While some reports believe the next downturn is just around the corner, others deny such predictions.

Experts can posit theories about the next downturn, but no matter how strong the current economy is or how low unemployment may be, we can count on the economy turning downward again at some point. For this reason, it’s important that we protect ourselves from risks, like those that followed the subprime mortgage crisis, financial crisis, and Great Recession of the late 2000s.

In an interview with USA Today, Mark Zandi, chief economist for Moody’s Analytics, explained, “It’s just the time when it feels like all is going fabulously that we make mistakes, we overreact, we over-borrow.”

Zandi also noted it usually requires more than letting our collective guard down to tip the economy into recession; something else has to act as a catalyst, like oil prices in 1990-91, the dotcom bubble in 2001 or the subprime mortgage crisis in 2006-07.

As the number of predictions indicating the next economic downturn could be closer than we think continues to rise, it’s increasingly important to prepare yourself and your portfolio for a potential economic shift.

Three Tips for Safeguarding Your Construction Portfolio In the Event of an Economic Downturn

1. Proactively Stress Test Your Loan Portfolio
Advancements in technology have radically improved methods of stress testing, allowing lenders to reveal potential vulnerabilities within their loan portfolio to prevent potential issues. Technology is the key to unlocking this data for proactive stress testing and risk mitigation, including geotracking, project monitoring and customizable alerts.

Innovative construction loan technology allows lenders to monitor the risk potential of all asset-types, including loans secured by both consumer and commercial real estate. These insights help lenders pinpoint and mitigate potential risks before they harm the financial institution.

2. Increase Assets and Reduce Potential Risk While the Market’s Hot
If a potential market downturn is in fact on the horizon, now is the best time for lenders to shore up their loan portfolios and long-term, end loan commitments before things slow. This will help ensure the financial institution moves into the next downturn with a portfolio of healthy assets.

By utilizing modern technologies to bring manual processes online, lenders have the ability to grow their construction loan portfolio without absorbing the additional risk or adding additional administrative headcount. Construction loan administration software has the ability to increase a lender’s administrative capacity by as much as 300 percent and reduce the amount of time their administrative teams spend preparing reports by upwards of 80 percent. These efficiency and risk mitigation gains enable lenders to strike while the iron’s hot and effectively grow their portfolio to help offset the effects of a potential market downturn.

3. Be Prudent and Mindful When Structuring and Pricing End Loans
As interest rates continue to trend upward, it’s crucial that lenders price and structure their long-term debts with increased interest rates in mind. One of the perks of construction lending, especially in commercial real estate, is the opportunity to also secure long-term debt when the construction loan is converted into an end loan.

Due to fluctuations in interest rates, it’s important for financial institutions to carefully consider how long to commit to fixed rates. To avoid filling their portfolios with commercial loan assets that yield below-average interest rates in the future, lenders may find it more prudent to schedule adjustable-rate real estate loans on more frequent rate adjustment schedules or to open rate negotiations with higher fixed-rate offerings (while still remaining competitive and fairly priced, of course).

Though we can actively track past and potential future trends, it’s impossible to know for sure whether we are truly standing on the precipice of the next economic downturn.

“That’s one of the things that makes crises crises—they always surprise you somehow,” said Tony James, Vice Chairman of Blackstone Group, in an interview with CNBC.

No matter the current state of the economy, choosing to be prepared by proactively mitigating risk is always the best course of action for financial institutions to take. Modern lending technology enables lenders to make smart lending decisions and institute effective policies and procedures to safeguard the institution from the next economic downturn—no matter when it hits.