What Can the Banking Industry Learn from a Fake Pop Star?

5-10-13_Growth_Postcard.pngWhat does a pop star hologram drawing thousands to her concerts have to do with banking? Well, I’ll get to that in a minute.

Hatsune Miku, a non-human creation of a Japanese media company, is even better than a real singer, if you believe some of her young fans. She’s “post-human being,” according to the media company who created her.

As banking guru Brett King described it at Bank Director’s inaugural The Growth Conference in New Orleans last week, Hatsune Miku is a sign that the banking industry’s assumptions about the value of face-to-face contact may not hold true for the next generation.

Do you really think a generation that will pay to see a hologram perform will go to a bank branch to get financial advice? That was a question King posed to the audience of nearly 200 bank directors, bank officers and industry executives who attended the conference at The Ritz Carlton in the French Quarter.

Part of the theme emerging from The Growth Conference was the need for the industry to transform itself in the coming years with technological and generational changes. However, bankers, especially commercial bankers, tend to be inherently conservative. Jumping into the latest thing and throwing money at unproven ideas is not behavior typical of most bankers. Branches were supposed to have disappeared at least 20 years ago, but they haven’t, because most bankers prefer human tellers to distribution channels that rely solely on technology.  In my conversations with bank directors and bank officers at the conference, I was struck by the healthy skepticism toward technological change. One bank CEO asked me how often people are really going to want to remotely deposit checks through their smartphones. It’s a good question. As with all investments, management and boards are going to have to decide what the smartest and most appropriate technological investments are for their particular banks. Will it be remote deposit capture for commercial accounts? Maybe. Mobile check deposits for consumers? Maybe not. It depends on the bank.

“Predictions about the pace and magnitude of change are inherently very difficult, but the case for its inevitability was very well made,’’ said Michael Kubacki, the chairman and chief executive officer of Lake City Bank in Warsaw, Indiana, who attended the conference. “We need to think more about what might work for us and our clients in the future, and less about what worked in the past.”

Tied with that theme at the conference was the consistent message that community banks need to have a niche or multiple niches to help them compete with bigger banks. Bigger banks have a lower cost of funds, branches on every other corner, and an ability to invest in lots of technology.

5-10-13_Growth_Postcard_2.pngThe special niches that community banks develop will also determine the technology they need, whether it is St. Louis-based Enterprise Financial Services’ private banking business and life insurance policies for family offices, or Bethesda, Maryland-based Congressional Bank’s specialization in medical offices.

The slow growth economy and low interest rate environment have not been kind to bank income statements. Loan growth is minimal. Small businesses are still reluctant to borrow. Consumers are still deleveraging. Banks will need whatever they can do to improve their profitability in the years ahead.

“You must do an authentic self-assessment,” said Jay Sidhu, the chairman and chief executive officer of Customers Bancorp Inc., in Wyomissing, Pennsylvania, who was the keynote speaker at the conference. “You must think differently and take advantage of technology and your unique market position. You have something that big banks don’t have and you can take advantage of that. If you don’t, you’re going to be eaten up.”

Is Bigger Better?

5-1-13_Sutherland.pngThe title of the E.F. Schumacher book “Small is Beautiful” best articulates the argument that bigger may not be better. There’s no mistaking the fact that efficiency ratios and size have a negative correlation. Surprised?

Community banks are doing a bang-up job when it comes to controlling the largest expense line in a bank—people. Unlike the larger global banks that seem inclined to hire-and-fire as a knee-jerk approach to controlling staff costs, community banks are a shining example of how to get it right. In fact, the big banks have a few lessons to learn from their smaller counterparts in this area.

This is evident when you compare the efficiency ratios of community banks to the larger banks.

Efficiency ratios are a good way of measuring how a bank is doing from a revenue-to-expense perspective and here the community banks have done an outstanding job of managing costs well. Also, their locational advantage in the burbs and serving the communities there in a focused manner needs to be acknowledged and large banks can learn from this approach to the small- and medium-sized customers.

The average efficiency ratio of the top 200 community banks in the third quarter 2012 at 50 percent was significantly better than JPMorgan Chase & Co. (63 percent), Bank of America (77 percent), Citi (73 percent) and Wells Fargo & Co. (58 percent) at the end of 2012.

That said, lack of size and lack of a critical mass of transactions are drawbacks when it comes to optimizing operations and technology costs. In general, since people and real estate costs tend to be low in the locales where community banks operate, the strategy has been to replace people with people instead of people with technology. While this approach has withstood the test of time, it remains to be seen whether it will continue to be successful – especially in a world where consumers are demanding better banking products and savvier technologies, and millennials are emerging as the largest customer base for retail banking.

Let’s consider the cost of technology and how size affects strategy. Take the case of voice biometrics, a multi-channel approach to customer service whereby one platform self-serves customers’ needs for voice, email, text, chat and fax. It costs between $100,000 to $150,000 to deploy a voice biometrics technology. But in the absence of a large transaction base that can benefit from this technology, it becomes a wasteful mechanism to bring this type of technology in-house and smaller banks end up hiring more internal staff to service customers. While that is not a bad move from a short term return perspective, it’s not a strategy for the long haul. Customers today (thanks to Apple and similar companies) are gradually demanding better ways to be served by institutions that offer the latest technologies and enable day-to-day tasks like mobile banking.

Consider, too, how size affects the ability to incorporate an analytics platform, an essential tool that provides everything from customer lifetime value to pricing sensitivities or churn management. Again, this technology costs a few hundred thousand dollars, an expense that many community banks cannot justify. Unable to embrace these techniques, these institution remain locked in the same orbit while bigger banks are able to more accurately price, segment and gather key information about their customers. This helps them better serve their target customers.

While it is tough to assign a number to what size is right, it seems that banks at $5 billion and above have a better chance at embracing leading-edge technologies and operations processes—and, as an outcome of deploying superior processes, are able to achieve significant operations and technology improvements. So, what is the solution for smaller community banks? Here are some suggestions:

  • Look for size elsewhere.  If M&A is not an option to pool resources, look into a variety of service providers, such as Fiserv and Sutherland Global Services, which are able to extend their efficiencies of scale and operations to smaller community banks, based on global aggregated demand for these services.
  • Look at buying a service wrapped with a technology, rather than buying a technology. This ensures the blended unit cost of getting both the service and the technology is low.
  • Use long-term variable contracts as a technique to keep short-term pricing low, but build into the contract the language to ensure poor performance is penalized.
  • Ensure that a Project Management Office (PMO) that will serve your needs in operations and technology is part of any technology service contract.

Community banks have consistently been the most important driver of economic activity in the US. When they become more efficient from an operations and technology perspective, they are a growing tide that buoys other small banks across the industry. Size and efficiencies do have a correlation, and it is very important for community banks to embrace modern techniques of managing operations and technology. By definition, community banks are small and “Small is Beautiful” indeed.

Mobile Payment Revenue Opportunities for Financial Institutions

Mobile payments will create the most significant revenue opportunities of the decade for financial institutions.  It’s estimated that mobile payments will reach $20 billion in annual revenue opportunities for financial institutions. PwC’s Mike Heindl discusses the risks and opportunities for industry players.

Download Related PwC Publication:
PwC Viewpoint: Opportunity calls – An update on the evolution of mobile payments 

Eight Changes To Expect in 2013

The past year saw the banking industry recover significantly from the fallout of bad loans and poor asset quality. While profitability improved, the impact of new banking regulations began to take effect, including provisions that cut debit fee income for banks above $10 billion in assets. So what is in store for 2013? Bank Director asked industry experts to answer the question: What will be the biggest change in banking in 2013? Here are their responses:

Going Paperless in the Boardroom

If your board is considering moving away from paper and towards the convenience and security of tablets, this video from BOARDVantages’s Eastern Region Director Aisha Wallace-Wyche can help guide you in the process. Aisha discusses both the benefits and obstacles of going paperless, as well as how to set a transitional strategy in place that ensures your directors will be adequately prepared for the switch. 

Highlights include:

  • The advantages of going paperless
  •  Instituting training programs for devices
  • Setting a strategy for success

Click on the arrow to start the video.

Five Must-Haves for the Paperless Boardroom

wastebasket.jpgIn the past decade we have witnessed the wholesale transformation from hardcopy to digital for nearly every type of media. Entire industries, from film and music to publishing have been completely upended by digital technology.  Yet in the corporate world, many cling to manual processes and paper-based content distribution. Nowhere were the vestiges of tradition more firmly entrenched than in the boardroom.

This is not to say that these hold-outs are technology luddites. On the contrary, many corporate secretaries have sought change, but the underlying technologies were not ready for primetime. Only recently have secure hosted applications, ubiquitous network connectivity and mobility caught up to delivering on the promise of “going paperless.”

To understand why the digital board book is a transformative opportunity for general counsels and directors, we need look no further than the iPad. The iPad ushered in a new era. With its dramatic revision to the user interface, the iPad is ideally suited to the dense information boards need to review in an intuitive and accessible manner. Most importantly, the iPad’s readability and portability makes the online board book a better experience than its traditional printed predecessor.

Simply put, the iPad settled the debate about which device to use and took concerns about directors’ digital literacy off the table, and we can turn our attention to how a paperless board room fulfills the board’s needs. It’s worthwhile to keep in mind that in the pre-iPad era, tech-savvy directors had always been interested in basic online access to the boardbook, a technically uncomplicated task. A number of solutions existed to fulfill that need. But in the post-iPad world, the goal has grown more ambitious. Directors now want to do all their board work on the iPad, not just document review but also written consents, e-signatures, secure email and other tasks.  In other words they are ready to go 100 percent paperless. So with that in mind, here are five technology must-haves for a successful outcome:

1. Online-Offline Syncing: Directors carry their iPads wherever they go and rely on them for access to their board materials. Not unreasonably, they expect ready access to those materials even if they’re out of Wi-Fi range.  An essential requirement is briefcase technology that syncs content seamlessly between online and offline so any notes made while offline are immediately available when a director is back online. Also, to ensure directors have the latest information, the system lets the general counsel push new materials directly to the director’s briefcase.

2. Protect Against Discoverability: The iPad is a groundbreaking mobile device, but there is a tension between mobility and the risk of discoverability. Having the board book on a director’s iPad creates a potential legal exposure because directors may forget to purge this information. The way to eliminate this risk is with a system that centralizes control with the general counsel so that downloaded content, and directors’ notes, can be purged remotely by the general counsel, without relying on the actions of directors. This is akin to the traditional practice of the general counsel collecting and shredding paper board books following the meeting.

3. Map the Paper Process: Board communication is characterized by varying levels of access to sections of the boardbook. For example, what members of the audit committee see is often different than what members of the governance committee see, or outside counsel may be added for a single meeting and then her access rights revoked. In other words, a big part of board communication is about who sees what and when they see it. Today, that control exists with paper. It may be onerous, expensive and slow, but it works.  It is critical then that the portal has an equivalent ability to differentiate access between various users. In the portal this comes in the form of a control matrix and content segregation.

4. An Experience that is Better than Paper: When you change a long-standing process, you have to offer people an incentive. What you give them has to be better than what they have today. That means the user experience for your directors has to be more engaging and satisfying than what exists with paper. This requires an application that takes maximum advantage of the rich graphics and animation of the iPad to improve directors’ entire boardroom experience.

5. Embrace Two-Way Communication: For years, the board portal was a one-way communication tool. The general counsel distributed materials and directors retrieved it online and rarely communicated back. Now portals are shifting to two-way interactive capabilities that can improve decision-making by providing greater efficiency but also allowing directors to focus on the substantive issues rather than minutiae.

For more information on how to get started, check out this video on Going Paperless in the Boardroom.

Breaking Barriers: A Global Information Security Study

barriers-wp.pngWith increasing business demands and evolving regulatory frameworks, information security is a top priority for financial services industry (FSI) organizations. This year’s security survey study conducted by Deloitte finds that many FSI organizations have become more proactive in implementing innovative security measures and creating greater awareness of information security within their businesses. However, most organizations in the survey are challenged with balancing the cost of information security initiatives with the perceived risks of sophisticated threats and emerging technologies.

The following summary highlights the responses from over 250 financial services organizations from 39 countries:

Stronger Together: Silos and Barriers Retreat

  • Almost two-thirds of respondents believed that their information security function and business are engaged.
  • Over 50 percent of respondents indicated that they have a strong working relationship with operational risk management. Close to half of respondents indicated that they have strong relationships and coordinated activities with enterprise risk management.
  • Information security governance; identity and access management; and information security strategy and roadmap are cited to be the top security initiatives for this year.

Adapting to New Technologies: Security Innovation

  • As the use of social media increases, 37 percent of respondents are revising organizational policies; and 33 percent are educating users on social networking to address the security risks.
  • Many surveyed organizations have explored cloud computing options. However, 40 percent of the respondents indicated they still do not use cloud computing. The reasons cited include technology prematurity, security risks, and adoption capabilities of the organization.
  • As a part of their mobility program, many organizations have already deployed, or plan to deploy, mobile VPN, central device management, and mobile device management software. However, more than 50 percent of respondents have not yet planned for deployment of anti-phishing software, employee and customer-facing applications, and data loss prevention for mobile devices.

Policing Cyber Threats: Safeguarding Data Assets

  • Three out of four respondents have dedicated privacy resources; organizations are increasingly focusing on protecting their sensitive information and formalizing the privacy function.
  • Forty-nine percent of surveyed organizations claim to actively manage vulnerabilities, 82 percent of which are also actively researching new threats to proactively protect their environment from emerging threats.
  • Most surveyed organizations use the Security Operation Center (SOC) to monitor traffic and data and actively respond to incidents and breaches.
  • More than half of the respondents indicated that their organizations manage the SOC internally to get a better understanding of information security issues and gain more control over their operations.
  • Consistent with prior years, respondents cited a lack of sufficient budget (44 percent) and the increasing sophistication of threats (28 percent) as the primary barriers to implementing an effective information security program.

Sector Highlights: Banking

As banks adapt to increased financial regulatory pressure and adopt new technologies to stay competitive, they are challenged with managing myriad vulnerabilities and business expectations.

The following highlights the responses from 158 banking organizations, making up 62 percent of respondents:

Maturity Paradox: How To Keep The Information Security (IS) Program Effective

  • With increasing regulatory pressure, banking respondents continue to enhance their security programs. Close to 80 percent of respondents believe that their information security programs have reached a Level 3 (set of defined and document standard processes with degree of improvement over time) maturity or higher.
  • Even as security practices mature and advance, nearly 25 percent of the banking respondents indicated they experienced security breaches in the past 12 months.
  • Excessive access rights, security policies and standards that have not been operationalized, and lack of sufficient segregation of duties are cited as the top three external audit findings by banking respondents.

Balancing Act: Security and Cost Containment

  • Even though more than 70 percent of banking respondents dedicate at least 1 to 3 percent of their IT budget to information security, lack of sufficient budget and/or resources is cited as the top barrier for an effective information security program.
  • Nearly half of banking respondents have already implemented or purchased cloud computing services. Of those who have not implemented cloud computing services, close to 90 percent of the respondents believe the benefits outweigh the security risks.
  • Vulnerability scanning and penetration testing (72 percent) is the top information security function that is outsourced to a third-party. This is followed by threat management and monitoring services, at 24 percent.

Security Innovation: New Technologies and Their Risks Have Arrived

  • Nearly 75 percent of the banking respondents are making use of social media; 20 percent of the banking respondents have deployed technical controls to block or limit organizational usage.
  • When it comes to adoption of mobile devices, banking respondents indicated that the top three security controls are enhancing the consumer acceptable use policy, integrating consumer device security into awareness campaigns and enforcing complex passwords.

To view more results, please download the full study.

Is Banking’s Future in the Cloud?

Cloud_Puzzle_Pieces.jpgThe buzz on cloud computing is growing louder, leaving bank chief information officers—and the boards they report to—to examine whether cloud computing is a good fit for their banks. Broadly defined, it is the storage and management of data, which can then be accessed from virtually anywhere—on the road, from your home or from the office—via the web. According to Tom Garcia, CEO of InfoSight, Inc., an IT security firm based in Miami Lakes, Florida, the cloud is “really in its infancy” but “growing exponentially.” While regulators seem to be approaching cloud like any other vendor-provided service, a lot of bankers today are taking a wait and see approach, wondering, “Am I going to open up Pandora’s box with an examiner if I do this?” explains Garcia.

Atlanta-based SunTrust Banks, a $178.2-billion institution, is one banking company that is already on the cloud, using a private cloud that is unique to the company for customer relationship management software that allows the company to keep track of sales leads. Anil Cheriyan, SunTrust’s chief information officer, says the board of directors is actively engaged in a discussion about cloud computing, and SunTrust sees benefits in cost savings, efficiencies and flexibility. “The speed and agility [cloud computing] provides is of significant benefit,” he says, and it “clearly enables us to get our products and services to market much quicker.” He declined to describe the exact cost savings as those numbers vary.

Due to its ability to expand and contract quickly based on usage, Garcia adds that banks can see “great economies in cost savings” with cloud—as high as 40 percent for applications like hosted email over a traditional in-house solution. 

SunTrust has been steadily increasing oversight of vendor-provided services in general since the financial crisis began in 2008, Cheriyan says, so cloud computing has not directly resulted in any increases in oversight.

“We’ve taken that task of increased oversight anyway,’’ states Cheriyan, and continue to be “more and more aggressive [in terms of] how our data is protected.”

BNC Bancorp’s Bank of North Carolina, a $2.4-billion institution based in High Point, North Carolina, is at a fork in the road when it comes to the cloud, says Michael Bryan, the bank’s chief information officer. The bank outsources 90 percent of its core and ancillary systems already, and he feels good about cloud computing for core systems, seeing several benefits, particularly from a business continuity aspect in regards to disaster recovery. With cloud, if something happens to Bank of North Carolina’s operations center, “all I have to do is restore an Internet connection.”  As it is now, Bryan has to “spend more money” to acquire and maintain hardware. However, benefits found in cost, time and continuity are, to Bryan, not worth the loss of control if there is a security breach. Cloud vendors are not going to take on liability, “So if something goes wrong there; it’s up to you. Well, you don’t have any control over it,” Bryan says. “How do I explain that to my regulator?”

Once the security issues are worked out, Bryan sees tremendous opportunity. “Life would be a lot simpler,’’ he says.

SunTrust’s Cheriyan shares some of Bryan’s security concerns, and won’t trust everything to the cloud. “I wouldn’t trust our bank data on the public cloud at all,” he says. While SunTrust’s directors and management might read about exciting developments in the retail space, “You certainly have to weigh that against all the security concerns and manage core banking systems on much more secure environments.”

Due to the higher levels of regulation required in the financial industry, public cloud adoption rates will be slower. Can the benefits outweigh the risks? In areas like human resources and customer relations management Garcia believes so, and cautions that retail banks that hesitate to take advantage of the cloud may do so at their peril.

As the cloud industry grows, bankers’ trust in it—and their need for a competitive edge—could evolve. Can bank boards eventually trust their data to the public cloud?  In the world of technology, Cheriyan says, “Never say never.”

Avoiding Liability for Online Banking Fraud

security.jpgIf you are a community bank executive, imagine facing this unpleasant scenario:  Your head of operations calls to tell you that one of the bank’s largest customers suffered a computer hack and millions of dollars were transferred out of the customer’s accounts. 

This situation will deliver a severe stress test to your bank’s operational systems. Were the right procedures in place?  Were they followed?  Are you liable and is the loss insurable?  When your biggest customer has taken a crushing financial loss and is desperately looking for a source of recovery, you don’t want to be discovering for the first time that there were some basic steps you could have taken. While hacking can never be prevented entirely, a careful bank can avoid liability for a hacking incident. A careless bank can be forced to absorb the customer’s loss, plus interest and other amounts.

In most cases, the fraud is discovered well after deadlines for reversing or cancelling the transfer.  However, depending on applicable state law, there may be a way to impose a freeze on the funds by delivering the correct affidavit and/or indemnity.  Sometimes, if there is a reasonable basis for believing the funds have not left the destination account, the bank’s attorneys can impose a temporary restraining order to freeze the funds in place.  The success of such measures is highly uncertain, given the strict deadlines that apply to funds transfers.  If the funds were sent outside the U.S., then legal recourse is usually limited or unavailable as a practical matter.

Insurance of course is vital and all community banks should ensure that they (and hopefully their customers) have a policy directly covering losses caused by unauthorized online transfers. It is well worth the time to “stress test” your policy by running through a common online fraud scenario. Does your insurance application accurately describe all of your online banking operations?  And, is the coverage amount adequate if a criminal drains all the funds in your largest business deposit account? Because these cases are almost always litigated, you need to know that your defense costs are squarely covered and that the policy limit is enough to cover defense costs and the dollar amount of your customer’s loss. 

After a loss, observe the basics in obtaining coverage such as not agreeing to settle with your customer without the insurer’s express consent.  Even if all of these issues are adequately addressed, a bank may still face an insurer that denies coverage for at least a portion of the bank’s costs, delays a coverage determination or obstructs a settlement, forcing the bank to litigate with its customer. 

Far better than relying on only an assumed insurance coverage is a thorough review of the bank’s policies and account documents to ensure the bank can withstand a massive online fraud on one of its business customers. Do your operations, Bank Secrecy Act and information technology teams understand what the other is doing with regard to online fraud prevention? Are you positive that your team has pored over the Federal Financial Institutions Examination Council guidance on “Authentication in an Internet Banking Environment” (supplemented in June 2011) and made a thoughtful choice as to the online banking security and anti-fraud procedures the bank will follow and offer to its customers? 

Keep in mind a recent harsh federal court decision in the Patco Construction Co. case (July 2012, First Circuit Court of Appeals in Boston) that faulted a bank for not using features of its computer system that the court theorized could have been used to prevent the account hijacking. The court also faulted the bank for taking a uniform approach to fraud prevention, i.e., not taking the customer’s particular circumstances into account. It is generally worth the investment to seek written assurance from legal and/or security experts as to compliance of the bank’s online security with FFIEC guidance and those in Uniform Commercial Code Article 4A.

There is a continuing clash between the security a bank wants its customers to implement and what the customers are actually willing to do. A bank is not required to force its customers to adopt and follow all security best practices, but it should carefully document its offer of additional security precautions and the customer’s rejection of the offer. 

Once a bank has designed a suitable online security program, the bank must ensure careful compliance with those procedures. Banks’ security procedures do evolve and change over time. It is critically important to know what the bank’s actual procedures are so that new personnel can seamlessly comply and the bank’s auditors can accurately audit compliance. 

A bank should also inventory and review the agreements, certifications and other documents that affect the relative rights and obligations of the bank and its customers with respect to online fraud. If the bank’s form documentation is outdated, then those documents may allocate far more liability to the bank than banking regulations require or that is acceptable in the industry. 

Designing and following robust and compliant online security procedures is necessary to avoid catastrophic liability for a bank. It is also smart business. Senior management that thoroughly understands the bank’s security system is a management team that can then communicate the value of that system to customers and enhance the value of the franchise.

The Board’s IT Check-Up

tech-health.jpgAt the conclusion of Bank Director’s recent board compensation survey co-sponsored with Meyer-Chatfield Compensation Advisors, we followed up with some of our respondents who reported being overwhelmed by information technology concerns. Directors have the responsibility of ensuring their banks are keeping up with IT threats and safeguards, but for some, keeping on top of IT to the satisfaction of regulators is becoming increasingly frustrating and time-consuming. 

Paul Schaus, president of CCG Catalyst, a consulting firm that works with banks in regulatory compliance and technology planning, spoke with Bank Director about what directors should be considering when handling IT at their bank.

BD: What is changing about the board’s IT responsibility?

Boards are in some aspects in a transition phase. Now the regulators want them to have more oversight and know more what’s going on because they are legally responsible.  Just having a community member on the board isn’t the only requirement.  Having somebody with expertise to bring to the table is becoming more of a factor in banking.

So what you are seeing is more diversification of knowledge because directors are responsible for that oversight. You’ve seen the change in the larger banks.  It’s slowly working its way down.

The board has to do what is reasonable based on its size, where it’s located, and its infrastructure. The problem is that the regulations are written in more of a vacuum. Regulators get under pressure like anybody else. 

BD: What are some steps boards can take to address this change?

It’s healthy for a board to evaluate itself, to say, ‘Do we have the right people and do we need to bring some more people on the board?’  If a director can’t add anything to the board, and you can’t train him because he’s not a finance guy or a tech guy, a regulator could look at that as the board having poor judgment. 

So do your due diligence, listen to the experts, and when you don’t know, go get outside advice.  There is nothing wrong with saying, ‘we don’t know and we need outside help.’  Make sure what you are doing is not putting too much stress or risk on the bank itself, including the directors personally.

If I was sitting on the board of a bank, from my perspective, I would look at my personal risk.  That’s how you have to look at things. If a board member doesn’t feel comfortable about something, his view should be voiced.  The last thing you want is to have a regulator come in and talk to your board and the regulator makes a comment, ‘you do understand?’ and someone says, ‘no, I don’t.’  The regulator knows you didn’t know what you were doing when you approved something in the first place.

BD: What should boards be cautious of when taking a more proactive role in IT?

Some boards really go beyond what the rules require, and they create subcommittees that are technology oriented.  The [chief information officer] will work with that subcommittee heavily. There’s nothing wrong with banks that are getting more involved; it’s just that it can lead to some micromanagement issues.  There is a line. If the directors are going to start micromanaging the bankers, then do they have the right people in the right positions?

The board has to rely upon the expertise of the people that are working at the bank, and if that expertise is not there, then they have to question if they have the right people.  That’s the board’s responsibility. 

BD: Could you leave us with some questions directors need to be asking about IT?

Yes. Here they are:

  1. Are we confident we have a clear and viable IT strategy that supports our business strategy?
  2. Are we making capital investment decisions about technology proactively or reactively?
  3. Is our technology strategy customer-centric?
  4. Are we making measurable and sustainable progress toward integrating our IT at the enterprise level, or are we still predominantly a silo-focused organization?
  5. Is our technology usage moving us measurably and sustainably toward greater operating efficiency?