Organic growth will remain elusive, but banks can boost performance by focusing on honing operational efficiencies and shoring up risk management.
Learn more - http://gt-us.co/1uaqYal
2015 banking outlook: The future is bright, but change your password
Contents
3 Introduction
4 Taking stock: The current state of the industry
7 Controlling costs through compliance optimization
9 Essential ERM: Manage risk or risk disaster
11 Cybersecurity
Introduction

The global banking industry has slowly returned to a position of financial health, but the overall outlook is mixed. On the one hand, nearly every major indicator has rebounded significantly: revenues are up, M&A activity is improving, and the number of bank failures and problem institutions has returned to more normal, pre-recession levels. What’s more, these positive trends should continue in the near future. On the other hand, returns on equity and profitability remain low, and the risk of cyberattacks is growing exponentially.

Further complicating the outlook, a fluid and uncertain regulatory environment has stoked fears that a raft of as-yet-unwritten regulations will unduly restrict the industry’s profitability and undermine the momentum of recent gains. This year brought a record total of penalties and fines, reigniting demands by the general public to break up the largest institutions — those deemed too big to fail. At the same time, enforcement actions for noncompliance are on the rise, signaling heightened levels of scrutiny going forward.

In response, executives are reviewing their business models to identify new sources of revenue. A spike in M&A in 2014 may indicate that banks are pursuing deals to bolster organic growth. Some institutions are investing in digital business models and mobile banking to differentiate themselves in the marketplace.

So how should banks confront these challenges? We believe that a renewed focus on performance and underlying fundamentals can give banks greater capacity and agility to deal with emerging threats and pursue new growth opportunities. Operational optimization, enhanced risk management and strategic investments in technology are key enablers that cut across functions and have far-reaching implications for a bank’s health and prospects. Further, these enablers are interconnected: IT systems help to drive operational optimization by automating processes, for example, but these same technologies can introduce new risks that organizations must address. What’s required is a coordinated effort among business units as well as the vision to manage these tasks in an integrated way.

This report offers an in-depth analysis of the most critical focus areas for the banking industry in the coming year — regulatory compliance and enterprise risk management, including cybersecurity and model risk management. Institutions can boost performance in these areas by optimizing operations, developing sound risk management frameworks and implementing the appropriate technology. When executed successfully, investments in these areas can become strategic assets that position the business for strong growth and profitability.

Jack Katz
Global Leader
National Managing Partner
Financial Services

Nigel Smith
National Leader
Financial Services Advisory
Taking stock: The current state of the industry

Commercial banking macro trends

Year     Global revenue ($T)     U.S. revenue ($B)
2010     1.9                     376
2011     2.0                     343
2012     2.1                     310
2013     2.2                     388
2014*    2.3                     426

Investment banking and securities dealing in the U.S.

Year     Revenue ($B)     Profits ($B)
2010     170              26
2011     145              22
2012     140              20
2013     133              20
2014*    132              33

[1] The M&A Monitor, Olsen Palmer, November 2014.
[2] Cox, Jeff. “Small banks are doing some really huge deals,” CNBC, Nov. 10, 2014 (cnbc.com/id/102170284#).
[3] Financial institutions: Causes and consequences of recent bank failures, U.S. Government Accountability Office, January 2013 (gao.gov/assets/660/651155.pdf).
Revenues and profits

Since 2010, the global commercial banking industry has demonstrated steady growth. By Q3 2014, revenues had already eclipsed 2012 totals, reaching $2.3 trillion. And while the industry saw a dip in revenues in the United States in the wake of the economic recession, by Q3 2014 revenues had grown to more than $425 billion — a 37% increase over 2012 figures. Meanwhile, investment banking has also rebounded impressively, with over $33 billion in profits as of Q3 2014. Significantly, investment banks have achieved these returns despite sharply lower revenues.

M&A

In the United States, the number of M&A deals in the banking industry rebounded sharply in 2014; through October, 240 deals had closed, making it the busiest year by number of deals since 2007.[1] An increase in M&A may signal that some banks are looking to augment their prospects at a time when organic growth has been incremental. According to a recent report by CNBC, “Each of the top 20 fastest-growing banks is either in the small- or mid-cap space, and most have used M&A as their primary engine.”[2] Institutions are pursuing this strategy despite the fact that regulatory scrutiny has made M&A a much longer process.

Problem institutions and bank failures

Over the past five years, bank failures in the global banking industry have declined significantly, thanks to an improving economy. The U.S. market mirrors this trend: The number of institutions on the FDIC’s “Problem List” declined from 411 in Q1 2014 to 354 in Q2, the smallest number since Q1 2009. That total represents a 60% drop from the recent high-water mark of 888 problem institutions in Q1 2011. Similarly, bank failures are at their lowest point in five years, with the number of failed institutions—16 this year thus far—equal to just one-tenth the total in 2010.

An FDIC study of 10 states that experienced 10 or more bank failures from 2008 to 2011 found that small banks, which made up one-fifth of all failed banks, were particularly susceptible to commercial real estate losses.[3] Steady economic growth, a stable housing industry, greater federal oversight and increased capital requirements contributed to this trend.
*Commercial banking table: as of 30 November 2014. Source: December 2014 IBISWorld Industry Report 52211: Commercial Banking in the U.S.
*Investment banking table: as of 30 November 2014. Source: November 2014 IBISWorld Industry Report 52311: Investment Banking & Securities Dealing in the U.S.
[Figure: M&A activity: number of deals by month, November through October (monthly deal counts; vertical axis 0–40). Source: SNL Financial, Olsen Palmer analysis.]

[Figure: Number of FDIC-insured problem institutions, 2006–2014 (year-end counts for December 2006 through December 2013, plus March and June 2014; vertical axis: number of institutions, 0–1,000).]
Cybersecurity

U.S. Attorney General Eric Holder famously noted that there are two kinds of companies: “those that have been hacked and those that don’t know they have been hacked.” The Identity Theft Resource Center’s Data Breach Report cited 24 breaches in the banking, credit and financial sector as of Oct. 21, 2014. This figure accounts for 3.9% of the total number of U.S. breaches for the year to date, but the mere threat of cyberattacks has a far-reaching impact on organizations. The Ponemon Institute estimated that a single breach can cost U.S. companies tens of millions of dollars,[4] so it’s critical for financial institutions to take the proper precautions. As a result, banks have increased their investments in IT security, monitoring and crisis management to be well-prepared for potential breaches. Indeed, Jamie Dimon anticipates that Chase will double its annual computer security budget, currently at $250 million, over the next five years.[5] So while financial institutions might represent a high-profile target, trends indicate that banks are also well aware of the threat and are enhancing their security capabilities.

[4] 2014 cost of cybercrime study: United States, Ponemon Institute, October 2014.
[5] “Dimon sees JPMorgan cybersecurity costs doubling,” Bloomberg, Oct. 10, 2014 (crainsnewyork.com/article/20141010/FINANCE/141019987/dimon-sees-jpmorgan-cybersecurity-costs-doubling).
[6] Parker, Ashley and Pear, Robert. “House Narrowly Passes Bill to Avoid Shutdown; $1.1 Trillion in Spending,” The New York Times, Dec. 11, 2014.
Regulatory environment

The following timeline highlights the dates when new regulations go into effect in the United States.

2014
• Jan. 1: The Final Rule for new regulatory capital frameworks takes effect for advanced banks — those with $250 billion or more in total consolidated assets or $10 billion or more in foreign exposures.
• April 10: U.S. federal banking agencies finalize the supplemental leverage ratio applicable to advanced U.S. banks. The regulation goes into effect in 2018.
• Sep. 2: The Volcker Rule requires banks with more than $50 billion in assets to submit quantitative metrics and reporting.
• Oct. 10: U.S. regulators change accounting rules regarding bad mortgages, requiring banks that sell loans to investors to keep at least 5% of the risk on their books when they securitize loans.

2015
• Jan. 1: The Final Rule for new regulatory capital frameworks takes effect for standardized banks, the majority of U.S. banking organizations. The liquidity coverage ratio (LCR) compels covered companies to comply with the minimum LCR standard of 80%.
• July 21: Banks with more than $50 billion in assets must be in full compliance with the Volcker Rule;* banks with $10 billion to $50 billion must meet minimum compliance requirements.
• Aug. 1: A new mortgage disclosure framework merges forms governed by the Truth in Lending Act with those governed by the Real Estate Settlement Procedures Act.

2016
• Jan. 1: Covered companies must comply with the minimum LCR* standard of 90%.
• April 30: Banks with $25 billion to $50 billion in assets must be in full compliance with the Volcker Rule.
• Dec. 31: Banks with $10 billion to $25 billion in assets must be in full compliance with the Volcker Rule.
Regulatory activity accelerated in 2014, with banks facing new Basel III capital requirements and liquidity ratios. In the United States, the Final Rule on new regulatory capital requirements took effect on Jan. 1 for the largest banks, followed by quantitative metrics and reporting on Sept. 2. The coming year brings the implementation of the Volcker Rule, which prohibits banks from engaging in proprietary trading, among other requirements, as well as new mortgage-disclosure guidelines courtesy of the Consumer Financial Protection Bureau. None of these deadlines came as a surprise, as bank executives have been preparing for the implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) since its passage in July 2010. Instead, it’s the ongoing and pervasive uncertainty regarding full implementation that’s at issue. Consider that, in December 2014, the House passed a budget bill that rolls back a key provision of the Dodd-Frank Act.[6]

This perpetual game of wait-and-see has forced banks to focus less on specific deadlines and more on building the capability to address the incremental rise of regulations on a consistent basis. Many regulations are finally flowing downstream to smaller institutions, which will need to retool their compliance functions and invest in talent to adapt to new processes, methodologies and enablers.
*LCR: liquidity coverage ratio.
*Volcker Rule: proprietary trading ban and a requirement that swaps activities be moved into nonbank affiliates.
Controlling costs through compliance optimization

Effectively addressing compliance challenges requires a systematic and disciplined approach to implementing change.

Overview

• The compliance function has taken its place at the heart of the banking organization, a much more prominent position for what had in the past often been more of a check-the-box function.
• A host of new regulations means that compliance must take on added prominence in organizations and be approached in a more strategic fashion. Indeed, the once-sleepy compliance function now frequently reports into banks’ highest levels.
• In addition to simply trying to keep up with new regulations and addressing any gaps in their compliance, banks must try to absorb the added costs posed by heightened regulatory requirements, often while also needing to control costs in a low-return environment.

2014 trends/developments

In remarks before a conference in September, James A. Forese, co-president of Citigroup Inc., said bank regulatory costs could reach $10 billion industrywide in the near future.

Banks face additional compliance challenges in gathering and assembling the data necessary to meet many new regulatory requirements. Institutions designated as systemically important financial institutions are under additional pressure to implement the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting by 2016.

Heightened governance standards in the form of final guidelines published in September by the Office of the Comptroller of the Currency (OCC) dictate that covered large financial institutions establish and adhere to a written risk governance framework to manage and control their risk-taking activities.[7] The guidelines apply to insured national banks, insured federal savings associations, and federal branches of foreign banks with $50 billion or more in average total consolidated assets, as well as OCC-regulated institutions with less than $50 billion in average total consolidated assets if that institution’s parent controls at least one other covered institution.

The task of generating some regulatory reports is one of collaborative disclosure management, with multiple participants in different departments often working together to assemble all the inputs necessary to create the report. Often those requirements involve discrete sources of data generated by separate systems never intended to integrate with one another or report in the manner sought by regulators.

Performing stress testing, either with the Comprehensive Capital Analysis and Review (CCAR) models required by the Federal Reserve, or as part of Dodd-Frank Act Stress Testing (DFAST), is revealing opportunities to strengthen banks’ risk management functions and implement sounder ERM frameworks and processes. Stress testing provides a much-needed supplement to the traditional capital risk-adjusted management infrastructure. For example, stress testing demands vast data inputs from across the bank and, often, extensive data cleanup efforts as well. Furthermore, meeting Know Your Customer requirements may see a bank pulling together customer history data, analysis of transaction tendencies, information from an anti-money laundering database, financial data from various sources, and information from settlement and trade platforms.

[7] Federal Register, Volume 79, Number 176, Office of the Comptroller of the Currency, Sept. 11, 2014.
Reporting requirements based on various types of unstructured data — information in document or text form — such as verifying that policies or procedures are being followed, present their own compliance challenges.

An additional compliance challenge facing banks as they look to deal with new regulatory requirements is adding — and paying — the additional staff required to meet expanded compliance demands. As banks look to expand their rosters of risk and compliance personnel, those in some markets are finding the pool of qualified candidates to be a shallow one, with the imbalance between demand and supply predictably driving up the cost of acquiring and retaining necessary staff. Banks can mitigate staff shortfalls by relying on a fully integrated project management office to establish a rigorous and systematic approach to compliance efforts.

Suggested actions

Banks must optimize their compliance efforts in order to remain competitive despite ongoing regulatory pressures.

Process improvement is a key element of banks’ efforts to build more structure and governance in moving toward compliance optimization. Ideally, the solution to near-term regulatory gaps can be achieved within the bank’s existing infrastructure without the need to invent new technology.

Banks should take a broad view in making compliance improvements so that the infrastructure and reporting improvements made to address the immediate regulatory issue ultimately support multiple regulatory requirements as well as other important business decisions. Such an approach also will help the organization minimize expenses and maximize profits.

Co-sourcing arrangements with subject matter experts who can assist during preparations for examinations or prior to regulators’ visits can address staffing issues associated with increasing regulatory requirements.

Effective use of advanced analytics can enable banks to gain added benefit from the data they’re gathering and assembling as they comply with new regulations. Using advanced analytics, banks can leverage those data assets to anticipate emerging risks and make more appropriate risk mitigation decisions. To do so, a bank’s leaders must take a strong position advocating the use of data in new ways, allowing the bank to formalize and incorporate the use of enterprise data to drive informed decisions on future risks and outcomes.

A strategic and sustainable approach to the compliance mission can provide the additional benefit of helping banks address some of the staffing considerations around the increasing regulatory compliance requirements. By going beyond fixing immediate regulatory gaps to take a longer-term approach to transforming the compliance mission — involving the chief risk officer and the chief compliance officer in the process — banks can demonstrate to regulators a strategic multiyear regulatory program. Such strategies for building a compliance transformation and enterprise risk management program will inherently follow a timeline that should allow banks to add needed compliance staff over time.

Integrating compliance more closely with product development can also help banks with their compliance optimization efforts. With banks increasingly looking to new or modified products as a way of increasing revenue, they also face the risks associated with new products, among them the compliance risks from products that violate laws, rules or regulations, or fail to comply with internal policies or ethical standards.

Robust governance and sound new product and service risk management processes can reduce those compliance risk exposures. Such moves require strong leadership involvement in the new product governance framework, comprehensive policies and procedures, a formal product approval process, centralized tracking and identification of new products, regular discussions after the new product launch, and a formal reporting process that tracks and retains correspondence with the relevant regulatory body.

It’s important that the compliance optimization improvements be achieved in a fashion that makes them sustainable over the long term. The greatest successes in compliance optimization efforts occur when organizations view risk management and compliance effectiveness as a strategic necessity for the business rather than an additional cost or burden.
Essential ERM: Manage risk or risk disaster

ERM encompasses the strategy, programs and processes that make it possible for organizations to identify, monitor and address potential risks. Institutions that pursue a comprehensive approach to risk management are better positioned to manage uncertainty and risk while generating value to the organization. Two areas — model risk management and cybersecurity — illustrate the need to coordinate activities across the full breadth of the institution to manage risk effectively.
Model risk management and stress testing

Overview

• Guidance from the Federal Reserve Board and OCC calls for better implementation, usage, validation and governance of risk models to manage the operational risks associated with model usage and deployment and to support decision-making.
• Although institutions are devoting significant time and resources to model risk management, they must seek to improve their agility to respond effectively to shifting market conditions.
• By coordinating model risk management efforts with those of risk and compliance departments and improving data management capabilities, banks can be well-placed to mitigate risk and perform well on stress tests.

Trends and developments from the past year

In March 2014, the Federal Reserve released results from its stress testing of the capital plans of large bank holding companies (BHCs) and foreign-owned banks (FOBs). The aim of the annual reviews is to ensure that large financial institutions have robust, forward-looking capital planning processes that account for their unique risks, and to help ensure that they have sufficient capital to continue operations throughout times of economic and financial stress.

For CCAR, the Fed reviewed the capital plans of 18 U.S. BHCs and rejected just one. However, two of the four FOBs reviewed were found to have capital plans that didn’t meet the standard. These findings can have far-reaching implications: Institutions that fall short can’t distribute dividends until demonstrating improvement, which significantly restricts capital management strategies. Further, banks whose plans don’t meet CCAR standards must devote additional resources to address outstanding issues and commit additional capital to bring their plans up to acceptable levels. The regulations have already made an impact on capital holdings. According to the Fed, the 30 large BHCs that took part in CCAR in 2013 increased their aggregate Tier 1 common capital from $460 billion in Q1 2009 to $971 billion in Q4 2013, while the Tier 1 common ratio for these firms has more than doubled, reaching a weighted average of 11.1%.[8]

Under Section 165(i)(2) of the Dodd-Frank Act, banks with total consolidated assets of more than $10 billion must conduct annual stress tests, which the OCC uses to assess a bank’s risk profile and capital. Results from this year’s DFAST review found that just one of the 12 BHCs breached the minimum Tier 1 common ratio of 5%.

[8] For more information on the results, go to federalreserve.gov/newsevents/press/bcreg/20141017a.htm.

Ever-changing markets. Heightened investor expectations. Increasingly complex financial instruments. Each of these factors contributes to increased risk. Although these activities are interrelated, they are often addressed in a vacuum.
In October 2014, the European Central Bank (ECB) released results of its stress test of the eurozone’s 130 biggest banks.[9] The ECB’s study found that 13 banks fell short of baseline levels for capital, down from 25 banks at the end of 2013. Collectively, the underperforming institutions, which included four Italian and two Greek banks, need to stockpile an additional €10 billion ($12.5 billion) to cushion themselves against any future crises. In an independent review by the European Banking Authority, all 20 banks exceeded capital requirements.[10]
Suggested actions

Banks are working around the clock to improve their capital management process and model risk management and prepare for stress tests. In many cases, executives will need to devote increased resources to model development, validation and governance. As BHCs have already transitioned to the Fed’s annual framework, banks with $10 billion to $50 billion in assets will now need to develop and implement strategies to manage compliance effectively:

Validation. Validation, both quantitative and qualitative, is fundamental to mitigating model risk. Assessing whether models are performing in line with their designed objectives and business usage should include an evaluation of conceptual soundness, ongoing monitoring and outcomes analysis. Generally, validation should be embedded into the model life cycle and performed by different parties. Independent validation can be performed by internal audit or third-party vendors that aren’t responsible for development or use and do not have a stake in a model’s output.

Documentation. Banks must document their policies and processes in sufficiently granular detail. Without this level of information, an institution’s model risk management will not enable reviewing parties unfamiliar with a model to understand how it operates, its limitations and its key assumptions. In addition, regulators expect financial institutions to provide extensive documentation on their model risk management efforts.

Governance. An emphasis on model governance begins with the appropriate participation of the C-suite and board. As part of their overall responsibilities, a bank’s board and senior management must ensure that its model risk management framework aligns with and supports its broader risk strategy. Since models are often interconnected — that is, assumptions in one model could have a profound impact on other parts of the organization — the board should develop a holistic view of the bank’s aggregate risk. A framework should include standards for model development, implementation, use, validation and governance. As part of an appropriate “three lines of defense” approach, model risk management activities should involve the business and corporate functions that develop, use and monitor models. For example, risk and finance functions are typically involved, along with internal audit, treasury and marketing.

Efficiency and agility. Model risk management and stress testing rely on huge amounts of data, and having access to up-to-date information is critical. Therefore, banks can improve the efficiency and agility of their risk activities by selecting and implementing technology solutions and systems to support effective data management. Having the right tools can enable banks to automate and streamline key processes; deploy relevant risk, operational and financial data; and apply required business and risk analytics.
Without adequate documentation, model risk assessment and management will be ineffective. Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations and its key assumptions.

[9] European Central Bank press release, Oct. 26, 2014 (ecb.europa.eu/press/pr/date/2014/html/pr141026.en.html).
[10] dealbook.nytimes.com/2014/10/26/ecb-stress-test-finds-13-banks-fall-short/?_r=0.
Regulatory changes

In October 2014, the Federal Reserve issued a final rule that adjusts the due date for capital plan and stress test results from BHCs with total consolidated assets of $50 billion or more. Beginning in 2016, these BHCs must make their submissions on or before April 5.
Cybersecurity

It’s scarcely an exaggeration to suggest that every bank’s IT systems are under attack and, with cyberattacks becoming more frequent and more sophisticated, the need to enhance cybersecurity is critical.

Overview

• With JPMorgan Chase’s early-October announcement of a data breach affecting more than 80 million customers being just the latest example, cybersecurity has jumped well up the list of issues most likely to keep bank executives awake at night.
• For banks, it’s yet another risk that must be addressed on an enterprise basis, as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure as well.
• Successfully addressing cyberrisk is not simply a matter of finding a technological fix but also involves people and processes.

Trends/developments

Attacks on banks come from a variety of sources, including organized crime, unfriendly nation states and so-called hacktivists out to make political statements by disrupting business. And, as the costs of technology continue to decrease, the barriers to entry into the world of cybercrime get ever lower while the Internet creates a target-rich environment for cybercriminals.

Indeed, as banks’ technology strategies have shifted in recent years to focus increasingly on customer service and convenience, financial institutions have also increased their cybersecurity exposures. At the same time, as banks have become more and more technologically interconnected with various vendors and other third parties, extended data supply chains have expanded their vulnerability to cybercrime.

A 2014 report prepared by the New York Department of Financial Services examined the state of cybersecurity in the banking sector. The report, based on the department’s 2013 survey of 154 New York depository institutions, found that most institutions, regardless of size, reported breaches or attempted breaches of their IT systems over the past three years.

While the methods used in the intrusions or attempts varied, including such techniques as malicious software, phishing, pharming and botnets or zombies, the New York survey found that the larger the institution, the more likely it was to be the target of malware and phishing attacks. The report acknowledged, however, that it’s unclear whether the discrepancies between the figures reported by institutions of various sizes reflected a true difference in experience or simply that larger financial institutions are better able to identify intrusions into their IT systems.

Depository institution cyberattack targets by size
Percentage of New York depository institutions reporting attacks, 2013 (N = 154 institutions)

Institution size         Malware     Phishing
Large institutions       35%         33%
Midsize institutions     21%         22%
Small institutions       13%         16%

Source: 2013 New York Department of Financial Services survey.
In remarks in April, U.S. Comptroller of the Currency Thomas J. Curry addressed differences in cybersecurity preparations between large banks and their smaller counterparts, noting that as large banks improve their cyberdefenses, hackers may increasingly turn their attentions to community banks as a point of entry into the larger banking network.

In addition to the wrongful activities resulting from cyberattacks widely reported by depository institutions in the New York survey, large financial institutions also noted cases of mobile banking exploitation, ATM skimming/point of sale schemes, and insider access breaches.

According to the New York report, the majority of financial institutions surveyed have a documented information security strategy in place for the next one to three years, though such a strategy was more commonplace at larger institutions. The survey found that while more than 90% of large institutions and 82% of midsize institutions had a documented information security strategy, such a strategy was in place at only 62% of small financial institutions.

Suggested actions

Banks must constantly prepare for potential attacks and regularly test those preparations. Further, in findings from the 2014 Cybersecurity Assessment pilot examination work program, the Federal Financial Institutions Examination Council (FFIEC) noted that financial institutions’ dependence on information technology, the industry’s interconnectedness, and the rapid growth and evolution of cyberthreats demand the attention of institutions’ boards and senior management.

Exposures stemming from third-party and vendor relationships must be addressed. The extended “data supply chain” created by such relationships is a common path for hackers to gain access to banks’ information technology systems. In addition to establishing risk management practices related to those third-party arrangements, banks also need to consider the vendors’ risk management practices and controls.

Banks must look for warning signals and identify potential vulnerabilities across the entire business “ecosystem” as they assess cyberrisks arising from third-party and vendor relationships. There are various resources available to banks looking to assess and manage cyberrisk exposures, including the FBI’s InfraGard, the U.S. Computer Emergency Readiness Team, the U.S. Secret Service Electronic Crimes Task Force, and the National Institute of Standards and Technology.

Banks’ boards’ and senior management’s attention to cyberrisk should include an understanding of the institution’s inherent cybersecurity risks, according to the FFIEC, as well as routine discussions of cybersecurity issues, regular monitoring and awareness of threats and vulnerabilities, the creation and maintenance of a dynamic control environment, the management of third-party connections, and the development and testing of business continuity and disaster recovery plans incorporating cyberincident scenarios.

For banks, the cybersecurity task is an ongoing one, as cybersecurity arrangements must constantly evolve with the changing nature of the threat. Here there’s work to be done, the New York report suggests: Only 49% of institutions surveyed reported that their information security strategies adequately address new and emerging cyberrisk exposures, while 31% said their strategies needed to be modified to address emerging risks and 22% said further investigation was needed to understand those new exposures.
Wrongful acts most likely to result from financial institution cyberattacks

Wrongful act                                 Percentage
Account takeovers                            46%
Identity theft                               18%
Telecommunications network disruptions       15%
Data integrity breaches                      9.3%

Source: 2013 New York Department of Financial Services survey.
Strategic growth in 2015

In the coming years, banks will continue to face a challenging environment characterized by tight operating margins, an evolving regulatory landscape, and a range of known and emerging risks. Recent data and trends suggest that organic growth will remain elusive, particularly with more restrictive regulations. To identify sustainable sources of revenue, some institutions have already begun reassessing their business models and product portfolios. Given this pervasive uncertainty, we believe banks would be well-served by focusing on operational efficiency and risk management as paths to generating additional profits — in essence, optimizing the factors that are within their control. By building capabilities in these areas, banks can also develop the assets to pursue growth opportunities as they emerge.

We will continue to monitor banking trends throughout the year and share our thoughts and analysis.
The authors would like to acknowledge the significant contributions of Ilieva Ageenko, Molly Curl, Nichole Jordan, Tariq Mirza, Jose Molina, W. Graham Tasman and Markus Veith to the research underlying this report.
Contact
Jack Katz
Global Leader
National Managing Partner
Financial Services
T +1 212 542 9660
E jack.katz@us.gt.com
Nigel Smith
National Leader
Financial Services Advisory
T +1 212 542 9920
E nigel.smith@us.gt.com