Financial Institutions In Focus Newsletter - Fall 2016

October 2016



Table of Contents

3 Key Issues for Financial Institutions
BDO Spotlight: Q&A with Michael Dombrowski
Considering Compliance in Your Growth Strategy
Executive Compensation Trends in Community Banks


3 Key Issues For Financial Institutions

By Barry M. Pelagatti

The weather may be cooling, but year-end planning is heating up.

As financial institutions prepare to close the books on 2016 and finalize strategic initiatives for 2017, boardrooms across the country will debate several key issues that could impact planning and results. As an introduction to our first-ever Financial Institutions in Focus newsletter, we’ll explore three challenges that have executives burning the midnight oil:

Regulation Makes Waves

Regulation changes over the past several years have significantly altered the way financial institutions deliver, market and evaluate their services. The election year is likely to keep regulation at the forefront of executives’ concerns. But the biggest change—the elephant in the room—is CECL (current expected credit loss model).

Issued on June 16, 2016, ASU No. 2016-13, Financial Instruments – Credit Losses (Topic 326), created a new standard for calculating expected credit losses, changing the way credit losses on many financial assets, especially loans, are recorded. The standard, which will go into effect on a rolling basis starting in 2019, will apply to all banks, savings associations, credit unions and financial institution holding companies, regardless of asset size.

Designed in the shadow of the 2008 financial crisis, these new standards are meant to be more forward-looking and increase transparency. With that in mind, the new guidance requires that financial institutions measure all expected credit losses for financial assets within the scope of the CECL model based on three key factors:
  • Historical experience,
  • Current conditions,
  • Forward-looking, reasonable and supportable forecasts.
The most notable change will be when companies recognize a potential loss. Under current guidelines, losses are not recorded until they meet the “probable threshold.” The new standards eliminate the probable initial recognition threshold, and instead reflect an organization’s current estimate of all expected losses.

These changes require organizations to develop models for measuring expected credit losses. The new standards provide guidance, but do not specify a single method of measurement. In the coming months and years, we should expect organizations to begin designing their expanded data collection and measurement methods.

Brexit Raises Uncertainty

On June 23, 2016, the United Kingdom shocked the world when the country voted to leave the European Union. Followed swiftly by global market turmoil, the plummeting value of the pound and the resignation of David Cameron, the markets and UK government have since stabilized, to a degree.

While global market volatility has eased, the implications for large and middle-market financial institutions are still largely unknown. Of the many questions, there are four critical issues for financial institutions to monitor:
  • Will the UK upend its financial regulatory framework? Until Britain’s exit from the EU is complete, the current EU directives remain in place. This means that the UK must still work toward the implementation of pending legislation, such as MiFID II and MIFIR, effective in January 2018.
  • Will UK firms retain access to the EU single market? Under the passport system, financial services firms authorized in one of the member states have authorization to conduct business throughout the region. What happens if the UK loses its passport privileges? Firms with European headquarters in London may need to relocate, or at the very least expand, their operations.
  • What is regulatory equivalence, and how will it impact operations in the wake of Brexit? Even if the separation moves forward, it’s worth noting that EU regulations are largely based on UK common law. But unless it is granted special status, the UK would need to obtain a regulatory equivalence decision from the European Commission to get full access to the single market and sustain current trading, clearing and settlement operations.
  • What market provisions should you watch? The big question is whether UK managers will continue to benefit from the MiFID, AIFMD and UCITS platforms for distribution—a possibility if the UK becomes a member of the European Economic Area, or if the UK can negotiate grandfathering provisions.
While regional U.S. banks have less direct exposure to what happens overseas, the U.S. economy overall remains sensitive to global market trends. After the Brexit vote, regional banks suffered in the market as analysts predicted that any interest rate increase plans would be tabled by the Federal Reserve. In a margin-constrained market, financial institutions will be closely watching the exit and negotiations in the UK.

Fintech Brings New Opportunity, Competition

Technology is the great disruptor of all industries, and now it’s the financial services industry’s turn. A wave of tech-driven startups and evolving consumer expectations are changing the way consumers bank, borrow and invest.

These new entrants into the banking sphere promise to make payments convenient, borrowing accessible and investing easier. Along the way, they are turning the heads of long-established and larger institutions—squeezing margins, changing customer service norms and forcing large corporations to rethink business models—so much so that larger companies are even trying to get into the game themselves.

Recently, Goldman Sachs introduced Marcus, its consumer lender, and GS Bank, its online-only bank offering savings accounts and CDs. Seven large banks, including Bank of America, Chase, Wells Fargo and Capital One, have come together to create a payments network called Zelle. All are examples of large financial institutions making forays into the fintech space, designed to compete with the likes of PayPal and Venmo, Lending Club, Prosper, Ally and others.

While some in the industry believe that fintech startups can coexist with established financial institutions, at present it is larger banks that are taking advantage of the opportunity by investing in or partnering with startups or funding their own incubators to launch products and services.

For middle market and community banks, the opportunity to take advantage of technology is now. Since the 2008 financial crisis, there’s been significant consolidation among local and community banks, financial regulation has increased the need for compliance, and customers are demanding greater scale and convenience. Fintech offers community banks the opportunity to partner with or acquire the resources and services that customers want and need without the overhead required of brick-and-mortar branches. While the big players may need to form nontraditional alliances to gain market share, community banks have a chance to be more experimental and even leading-edge when it comes to technology-enhanced services.

2017 is likely to see continued change and innovation in the financial institutions industry. As boards and executives plan ahead, there’s one other factor likely to influence investment and product development: cybersecurity. Read on for a Q&A with Mike Dombrowski where he discusses some of the top cybersecurity topics for financial institutions in the year ahead.

Barry M. Pelagatti is an assurance partner and leader in BDO’s Financial Institutions & Specialty Finance practice. He can be reached at [email protected]

BDO Spotlight: Q&A with Michael Dombrowski

Michael Dombrowski recently joined BDO Consulting as a Managing Director in the Technology Advisory practice. He has more than 25 years of experience in information security, application development, enterprise resource planning (ERP), infrastructure and complex program management. He has significant experience in both the public and private sectors across numerous industries, including financial services. Prior to joining BDO, Michael was a Director of Operations and Technology, Global Information Security at Citigroup, where he managed a global shared service covering all business lines.

Tell us about your background and areas of focus. What led you to work in the financial services industry, and what types of services do you provide?

My career path has followed technology. As IT and security evolved and became more tightly integrated, I wanted to evolve with it, and that’s what led me to financial services. At the time, information security was the biggest challenge in the financial services industry, and so it was an opportunity to develop standard-setting best practices and solutions and expand to new areas.

Working as both a consultant and within a global financial institution has helped me expand my toolkit. The challenges were not just U.S.-based. The international perspective really took the complexity to unprecedented levels. That opportunity allowed me to get closer to cybersecurity and opened up other opportunities in Anti-Money Laundering technology. Now at BDO, as a member of the Technology Advisory Practice, I work with clients across all of our service lines including IT strategy and governance, IT optimization and cybersecurity. While I work across industries, my financial services experience provides more advanced and customized offerings to our clients in that industry.

Financial services, and banking in particular, is one of the most targeted industries for cyberattacks. How are you seeing the threat landscape evolve?

The threat landscape is much more sophisticated than it was 10 years ago, particularly when it comes to the actors. Attacks used to be indiscriminate, without an understanding of the industry. Now, attackers are more knowledgeable: they know how banks work, how money moves and the regulations that apply. The attack leveraging SWIFT was a clear example of that level of sophistication.

Methods of attack also continue to evolve. While ransomware is making headlines in the industry, it’s not having as much of an impact as it might in other industries like healthcare because financial institutions have been building cyber capabilities for years and are better positioned to deal with it. I recently attended the Black Hat conference and a key takeaway was that the healthcare industry is under siege. A decade ago, that is where financial services was. Still, no one and no industry is ahead of the hackers. Financial institutions are increasingly shifting investments from prevention to speed of detection and response.

What are your thoughts on the role of blockchain in cybersecurity and data privacy, particularly in financial services?

Blockchain is an interesting data architecture that creates a digital ledger that is shared among others participating in the blockchain. The premise is to be able to clear transactions at network speeds versus what can take days to settle a transaction through the current central clearinghouse approach used in financial services. While it shows promise regarding increasing the speed of processing and clearing transactions, there are still many questions regarding security. It’s being looked at by financial institutions, but it’s unclear whether the challenges can be adequately addressed, including security and how other risk management solutions such as fraud detection and anti-money laundering would need to be adjusted to be effective.

Are financial institutions adequately investing in cybersecurity? What areas of risk mitigation may be overlooked or under-prioritized?

Most major banks are in a good position. They can invest a great deal, and they have years of experience under their belts. Middle market, regional and community banks have a huge challenge as their capabilities and resources are typically more constrained. Middle market banks are familiar with cybersecurity regulations, but are less clear about what they need to do at their organization and how to get it done effectively given their constraints. But there is good news to address that challenge. The advancement in cybersecurity capabilities and resources is making it easier and more cost-effective for banks to take advantage. For example, middle market companies can subscribe to a threat intelligence monitoring service through cloud-based Software-as-a-Service (SaaS) rather than having to invest in internal talent, tools and technology.

One emerging area of interest is a “user-centric” approach to cybersecurity. No matter what policies, procedures or systems a company has in place, security issues are most often a result of human error. Companies are beginning to step back and examine if their cybersecurity practices are effective and designed for the user in mind. I believe that’s the next wave of progress that can make a big impact on reducing risk.

Regulators have increased their examination of financial institutions’ cybersecurity measures and protocols in recent years. Do you expect to see additional regulation in the year ahead?

Believe it or not, we are still in the early stages of cybersecurity regulation.

As an example, in the state of New York, Governor Cuomo just announced proposed cybersecurity requirements for financial services companies. The proposed requirements have the intent to set minimum standards, but not be overly prescriptive on the financial institutions. This says two things to me: 1) financial institutions must take steps towards improving cybersecurity measures—it’s not optional; and 2) there are certain specifics that need to be followed, whether it’s in the domains covered by a cybersecurity program, the roles or reporting requirements or specific implementation requirements such as audit logs and multi-factor authentication.

However, the most telling parts of the proposed requirements are the enforcement capabilities, the requirement for the board of directors to be briefed at least twice a year on the cybersecurity plan and progress, and having a senior officer sign off on the institution’s compliance to the requirements. It feels similar to how Sarbanes-Oxley changed the financial reporting requirements.

This is perhaps the most direct and specific set of requirements I’ve seen to date. These are the trends I expect to continue across regulated industries: clarity, more specifics, stronger enforcement and accountability up to and including the board of directors. No one is expected to be perfect, but there must be an absence of ignorance. Understanding your risks, the steps you have taken, the steps you are taking, the remaining gaps that need to be addressed and making consistent and appropriate progress towards closing those gaps are key. Not knowing is unacceptable.

Along with continued regulation requirements, I expect we’ll also see progress at an even more detailed level. For example, standards bodies like NIST (National Institute of Standards and Technology) are taking additional steps toward more clarity on the types of multi-factor authentication, such as SMS (short message service), that they consider no longer good enough to be part of the solution. Financial institutions need to have cybersecurity programs that are adaptive and agile so that the continued evolution to regulations, as well as the threats and risks themselves, can be effectively addressed without being disruptive to the business.

Outside of cybersecurity, what issues and priorities are at the top of the list for CIOs at financial services firms?

I think CIOs have some of the toughest challenges in the industry. Their top priority remains providing the business with the capabilities to enable strategy and drive growth. They’re asked to do more with less and have to deal with multiple competing priorities including cybersecurity.

Board-level attention on cybersecurity has also elevated the focus on the CIO in financial institutions. Over the last 10-15 years, financial institution CIOs had to expand their expertise to include cybersecurity, fraud detection and anti-money laundering all while continuing to enable the business strategy through core applications and financial products.

With that being said, the biggest challenge that CIOs have is speed: speed to market, speed to detecting risks or issues and speed to recovery. More so today than ever before, speed has become the critical challenge across all fronts.

Michael Dombrowski is a Managing Director in the Technology Advisory practice at BDO Consulting. He can be reached at [email protected]


Considering Compliance in Your Growth Strategy

By Laurence Talley

The economic downturn and recession have led banks to operate in the most regulated and scrutinized environment in history. New and more rigorously enforced regulations like Dodd-Frank are designed to enhance risk management and protect the going concern of financial organizations and the consumers who rely upon them. But, in some cases, the environment may be causing banks to delay growth while they prepare internally to meet future compliance needs. In this article, we will identify regulations that banks need to prepare for at key asset milestones and offer a readiness road map.

Regulation is a broad term. For the purpose of this discussion we consider regulation to encompass: 1) rulemaking—congressional authority to issue banking rules; 2) supervision—power to examine bank and instruct remediation required for compliance; and 3) enforcement—authority to take legal actions for noncompliance.

Regulations by Milestones

In an attempt to reduce compliance burdens, some regulators are staggering the application of certain regulations by bank size and activities. Many new regulations have been adjusted to provide relief for smaller banks, specifically to balance and mitigate the risk of regulations becoming unduly burdensome. Most are triggered by a bank’s asset size. Significant regulatory milestones begin when bank assets reach $1 billion, $10 billion and $50 billion.

Savvy regional and community banks are managing growth and integrating compliance readiness into growth strategy and initiatives, allocating time and resources to prepare people, process and technology for resulting compliance requirements.

The following outlines key regulatory compliance milestones that warrant additional consideration and preparation:


Compliance Monitors

Managing just these noted regulations requires significant resources and time, and understanding the responsible regulatory body adds another layer of complexity. Most safety and soundness regulations are governed by a bank’s prudential regulators (FDIC, Federal Reserve, OCC, National Credit Union Administration [NCUA]). Consumer protection is jointly regulated by prudential regulators and the Consumer Financial Protection Board.


How to Prepare

The complexity of the regulations and regulators raises the question: how should banks prepare? The responsibility for readiness is wide-ranging and may require participation from bank leadership, operations, compliance, IT and other stakeholders that can influence or will be subject to the resulting changes.


Laurence Talley is a managing director in BDO’s Risk Advisory Services practice. He can be reached at [email protected]



Executive Compensation Trends in Community Banks

By Tom Ziemba, PhD

Many community banks are re-examining executive compensation programs in response to the introduction of new business models and improved earnings over the past year. Executive base salary budgets have risen 3.4 percent this year, according to BDO research.

BDO recently reviewed proxy statements of 52 public banks in the Northeast with $500 million to $2.5 billion in assets, examining executive compensation for the top C-suite officers. While the analysis focused on one section of the country, BDO believes the trends it observed are consistent with patterns seen in banks across the nation.

Multi-level Strategies

More community banks are moving away from a single executive compensation strategy for all of their executives. In part, as community banks expand business into new areas like Small Business Administration (SBA) loans, which are growing in popularity, it’s critical to update how success is defined in executive compensation programs. Often, it’s useful to have a separate compensation program for a new business area until it’s fully integrated into the business.

Many banks are also facing a baby boomer exodus in the C-suite. By some estimates, 40 percent of bank CEOs are over 60 years old and potential replacements are within five to 10 years of retirement. As a result, many banks are embracing two-tier strategies, with standard long-term compensation arrangements supplemented by programs more attractive to mid-career high potential employees, such as customized deferred compensation plans or special retention plans that acknowledge career milestones.


Our analysis revealed that annual incentives—which make up 14 to 20 percent of total direct executive compensation—were typically funded by one or more performance metrics. The most common metrics were:

  • Custom metrics unique to the business model (44 percent)
  • Net income (27 percent)
  • Earnings per share (23 percent)
  • Return on assets (19 percent)

The more frequent use of custom metrics over traditional metrics, like return on assets, reflects a closer alignment with the bank’s business model. Custom metrics typically contain a discretionary component, which can be used to reward executives for completion of increasingly burdensome compliance programs or activities.

Long-term incentives, which tend to comprise 15 to 20 percent of total direct compensation, have seen a slight increase in size since 2014. Stock options have fallen out of favor, instead replaced by performance shares or restricted stock unit programs that are anchored by performance vesting requirements.

Compensation Risk

Boards are becoming more involved in monitoring executive compensation programs. Regulatory agencies are proposing new rules that may require greater disclosure on incentive plan arrangements and the definition of “significant risk taking.”

As new regulatory and business developments unfold, it’s critical to take a fresh look at how executive compensation will need to adjust course.

Tom Ziemba is a managing director in BDO’s Financial Services practice. He can be reached at [email protected].


For any questions regarding this publication, or the BDO FI&SF practice, please feel free to contact one of the individuals noted below:

Jim Carter
Glenn James

Rick Baab
Paul Bridge

Brian Kirkpatrick
Imran Makda

Barry M. Pelagatti
Ernie Saumell

Laurence Talley