The Chicago Fed’s Supervision and Regulation Department, in conjunction with DePaul University’s Center for Financial Services, held its sixth annual Financial Institution Risk Management Conference on April 9–10, 2013. The conference focused on the challenges to financial institutions’ business models.

This Chicago Fed Letter summarizes the presentations and discussions of regulators, academics, risk-management professionals, and business leaders at the conference. These presentations and discussions focused on the close relationship between the quality of a firm’s risk-management capabilities and its performance—and even survival—in times of distress. About four years after the Great Recession, the financial services industry and its business models face a considerable number of risks, including persistently low interest rates, a slow economic recovery, and difficulty rebuilding core earnings. Moreover, the operational risks of financial firms are on the rise, as the number of cyberattacks on their websites and data systems is growing quickly; a strong defense requires capital investment from increasingly scarce resources.

Current landscape

The conference convened against a backdrop of challenging macroeconomic circumstances. In early April, financial firms of all sizes were continuing to grapple with a fragile operating environment that was about five years removed from the height of the most recent financial crisis but still far short of full recovery. Challenging long-term economic trends were compounded by government decisions at all levels to cut budgets and curtail spending. The circumstances remain largely the same now.

David Marshall, Federal Reserve Bank of Chicago, presented data showing federal government budget cuts and tax increases in 2013 alone will account for a 1.5 percentage point drag on the growth of U.S. gross domestic product (GDP). According to Marshall, the federal budget sequestration,¹ the phaseout of various tax cuts in the first quarter of 2013, and taxes associated with the Affordable Care Act are forecasted to effectively reduce GDP growth in 2013 from 4% to 2.5%.

Marshall underscored the challenges facing firms attempting to grow their business lines. He noted that while a number of economic barometers point to improving conditions, those encouraging signals also carry more troubling undercurrents. U.S. vehicle sales and home prices both staged strong rebounds in the early part of 2013 while the unemployment rate ticked steadily downward over the first quarter. But Marshall also explained that in typical post-recession recoveries dating back to 1980, consumers’ expectations for growth in real income took at most five quarters to return to positive readings, according to the University of Michigan. In the cases of at least two recoveries, expectations for income growth were, in fact, never negative. By contrast, throughout the first four years of the current recovery, consumer expectations for income growth have remained deeply negative. “Things are okay,” said Marshall. “But I’d argue that’s not good enough.”

Interest rate risks

Kevin Stiroh, Federal Reserve Bank of New York, moderated a panel on business model risk featuring industry experts. The panelists focused on the variety of risks rooted in the current low interest rate environment, which is intended to encourage economic growth. Chief among them was forecasting: The federal funds rate² has been near its zero lower bound since December 2008, and the Federal Open Market Committee (FOMC) has provisionally linked future increases in the federal funds rate to changes in economic conditions (e.g., reaching thresholds for the unemployment rate and inflation projected between one and two years ahead).³ Moreover, the panelists discussed how rising-rate scenarios and extensions of current low rates both pose specific sets of challenges for financial institutions.

The panelists noted that while interest rate risk⁴ is in some sense ever present for most financial institutions, the current magnitude of this risk exposure is a keen focus of bankers and supervisors. Stephen Taylor, BMO Financial Group, described the challenge of finding adequate return on long-term assets. “How far out on the [yield] curve do you really want to go right now?” said Taylor. “And yet there’s still pressure to find earnings.” At the beginning of July, for example, the yield on 30-year Treasury bonds, at 3.5%, was not even one full percentage point above that on ten-year Treasury bonds, despite the significantly greater duration and interest rate risk of the 30-year bonds.

An extension of the current low-rate environment carries its own challenges. Taylor said low levels of interest income make it harder to cover fixed overhead costs, including branch costs. “Most retail branch deposits are not as profitable as five years ago, when retail deposits were very profitable,” Taylor said. “Without asset management or fee business, there is much less spread from deposit activities to cover branch infrastructure costs.” Most large banking institutions have responded to weak earnings by shrinking or overhauling branch networks. But that strategy may not be as attractive for smaller banks with assets under $500 million. Robert DeYoung, University of Kansas School of Business, said branch-shrinking strategies can undermine community banks’ business models. “Large banks are happy with a low-touch model, while small banks have historically fostered a high-touch approach,” he said.

Decisions to “reach for yield” are often intertwined with a financial firm’s overall activities and strategies, and identifying risky behaviors is a challenge for supervisors. In many cases, regulatory agencies must discern which types of risk-taking pose a threat to financial stability and which are more prudent uses of risk rooted in well-planned business strategies. “We are being charged with distinguishing more risk-taking from excessive risk-taking,” said Ron Feldman, Federal Reserve Bank of Minneapolis. “This is the main challenge facing the people in supervision at the moment.”

A natural reaction to low rates squeezing existing liabilities is a reach for yield on the asset or investment side. Marshall noted during his aforementioned presentation that life insurers and pension funds are particularly vulnerable to the temptation to reach for yield, since their business models rely on income derived from investing policy premiums to cover future claims. “Life insurers and others have a target yield based upon their liabilities,” he said. Life insurers and pension funds provide financial guarantees of long maturity. Many outstanding guarantees were made in a time of higher interest rates. The current low rates magnify the value of these outstanding guarantees (liabilities), forcing the guarantor to seek an alternative means (assets) to offset the future promise.

Search for growth

Financial institutions’ earnings continue to reflect the economy’s uneven recovery. While many firms have managed to restore their earnings to pre-crisis levels, a significant portion of the improved profitability is attributable to expense reductions, improvements in loan losses, and one-time gains on asset sales, rather than broad growth across core business lines. Since the crisis, loan demand has been confined to very few sectors, including commercial-and-industrial and auto lending.

Introducing a panel covering current and emerging risks from chief risk officers’ perspectives, Steven Durfey, Federal Reserve Bank of Chicago, said, “One of the lessons of the financial crisis for firms and their supervisors is to focus on the new and existing revenues firms generate, and the risks they take to do so.” Representatives from financial firms around the country noted how current circumstances call for concentration limits for specific asset types as well as controls for underwriting and credit risk. Bruce Thompson, Bank of America Corp., noted that in the most recent financial crisis, the most severe losses were typically concentrated in business lines that in prior years had experienced the fastest growth. In the current environment, “if you’re growing significantly faster than the market you’re competing in, you’re probably doing something you shouldn’t be,” Thompson said. Panelists urged participants to remember that during the most recent crisis, many financial institutions suffered their deepest losses from new product lines. “Firms that did well during the crisis stuck to basics,” said Richard Hidy, U.S. Bancorp. “Firms that got in trouble were taking risks they didn’t quite understand.” Ken Phelan, RBS Americas, said risk managers should see warning signs when one business line begins to book unusually large quarterly profits. Some participants said it is incumbent on supervisory agencies to fully understand firms’ strategic plans, which would entail scrutiny of their growth in new markets or products. The pressure to chase growth by expanding into new markets was a hot topic at the conference among risk managers and supervisors alike. Rising loan demand in niche markets such as oil and gas production and equipment leasing have made them attractive to institutions looking for alternative sources of revenue growth.

The conference discussion also focused on a need for firms to have flexible strategies they can update as operating environments evolve. During a panel on residential mortgage securitization, the moderator, Scott Frame, University of North Carolina at Charlotte, described how mortgage lenders must adjust to the new “ability-to-repay” rule and “qualified mortgage” requirements issued by the Consumer Financial Protection Bureau.⁵ At the same time, firms must stand ready to adapt as federal government officials and policymakers continue to weigh a variety of reforms to the structure and mission of government-sponsored enterprises (GSEs) Fannie Mae and Freddie Mac. These GSEs, which are the two principal purchasers of mortgages on the secondary market, were put into conservatorship by the federal government in September 2008, in the midst of the financial crisis. According to Mario Ugoletti, Federal Housing Finance Agency (FHFA), the FHFA in its capacity as conservator for Fannie Mae and Freddie Mac has developed a strategic plan for GSE operations that seeks to build a new infrastructure for the secondary mortgage market and contract the GSEs’ presence in the market. “Conservatorship is not a long-term option,” Ugoletti said.

Stress tests and business model risk

The Federal Reserve’s supervisory stress test program represents a recurring opportunity for supervisors to analyze financial firms’ business lines and strategies. But conference participants also explored the ways stress test requirements have the potential to create unintended consequences, including a temptation for firms to engineer specific results.

A panel on stress testing and capital planning, featuring industry and regulatory experts, discussed the capital stress testing process. First introduced in early 2009 to help supervisors better understand selected banking organizations’ risk exposures, the stress tests are also partly aimed at encouraging financial institutions to improve their ability to analyze and understand their own risk profiles.⁶ David Palmer, Board of Governors of the Federal Reserve System, said, “One of the goals is for companies to do some hard thinking about the full set of risks and vulnerabilities that they face, including firm-specific ones.”

Panelists also described some potential unintended consequences from capital stress testing measurements. Thomas Day, Moody’s Analytics, said he regularly talks to bankers who are focused almost exclusively on achieving specific stress test results, rather than using the process as an opportunity to improve their firms’ strategic planning and risk management. “The emphasis has gone so far in one direction that I encourage the group here to think about unintended consequences,” Day said.

Some panelists argued the industry will be better served by the stress test requirements if firms use the process to build stronger, more detailed risk-management capabilities. “The banks that continue to stub their toe will be those that continue thinking about stress tests only as a compliance exercise,” Day noted.

The previously referenced chief risk officers’ panel also discussed stress testing, including qualitative factors such as workplace cultures that encourage employees to faithfully execute risk-management protocols. Hidy urged attendees not to overlook the crucial role of institutional culture in effective risk management. “If you have a cultural defect, you have to correct it before risk policies can work effectively,” he said. Phelan said risk-management protocols should empower employees on “the first lines of defense”—especially those who have the earliest opportunities to identify and mitigate risks. There was also broad consensus that firms should regularly reexamine and update their risk policies to prevent them from becoming stale.

Cyberattacks and operational risks

At the conference, considerable attention was also given to emerging operational risks. While less quantifiable than traditional threats such as liquidity and credit risks, operational risks are growing more prominent by the day. The recent rise of cyberthreats is particularly challenging for operational risk managers, in part because of timing. At a time when earnings are weak and pressures to reduce overhead are intense, executives and directors face difficult decisions over how to fund expensive cyber defense systems. But as conference presenters demonstrated, defense systems are must-haves for any well-run organization.

Andrew Hoog, viaForensics, provided a presentation on cybersecurity, indicating how cyberattacks on U.S. companies have increased 75% since 2010. He noted that dozens of large U.S. financial institutions have already been targets, most notably through “distributed denial-of-service” (DDoS) attacks, which aim to shut down website portals by overwhelming them with traffic. But even as DDoS events have grabbed headlines over the past few years, Hoog and other speakers noted they still represent just one of many emerging cyberthreats.

Hoog used the majority of his address to demonstrate how mobile devices, such as smartphones and tablets, are new hot spots of risk. While financial firms offer more consumer services through mobile platforms, their employees are increasingly using mobile devices—both the companies’ and their own—to perform daily tasks. “Everybody’s going to be on these devices—customers, clients, and employees,” said Hoog. He and via-Forensics employees in the audience used a live exercise to show how hackers can rather easily penetrate institutions’ databases and systems by hijacking mobile devices connected to a laptop’s port.

In a conference panel that followed Hoog’s address, cybersecurity professionals discussed how the cyberattacks have, in a matter of a few years, evolved into a series of enduring risks that institutions will have to manage indefinitely. “One of our examiners described DDoS attacks as the ‘new normal,’ and many banks have taken strong steps to incorporate DDoS threats into their security and resiliency configurations,” said Adrienne Haden, Board of Governors of the Federal Reserve System. She also underscored Hoog’s warning that employees can provide an opening for attacks without ever realizing it. “Insiders may be accidental enablers,” Haden said.

While mitigating credit and market risks requires financial firms to look inward, conference panelists argued that an effective defense against cyberattacks is, by contrast, only possible when firms look outward—by collaborating with one another and by working closely with law enforcement. Eric Brelsford, Federal Bureau of Investigation, urged financial institutions to proactively engage law enforcement agencies to stay abreast of emerging trends.

Keynote address

The conference’s keynote address was delivered by James Rohr, chairman, PNC Financial Services Group. Rohr urged bankers and supervisors to expand their emphasis on operational risks—including legal, cybersecurity, and reputational risks—beyond their traditional focus on credit and market risks.

Rohr said the rise of cyberattacks requires bank managers to think more dynamically about operational risks than many are accustomed to. “In the past, operating risk was the security of the Brink’s cash truck or maybe a power outage,” Rohr said. “Operating risk is totally different today. Cyberattack is the biggest threat we face.”

Rohr touched on some specific operational risks that financial institutions are only beginning to account for—some tied to the aftermath of the financial crisis and others stemming from new regulations. He described how mortgage underwriting departments can open themselves to costly litigation by not following the fine print of new requirements, including those for handling mortgage borrowers and foreclosure proceedings. He noted financial firms must also develop methods for monitoring the work of consulting firms and other third-party service providers.

Echoing some of the conference’s panel discussions, Rohr urged financial industry executives to see value in the Fed’s stress test exercises, calling them “one of the best things the Fed has done in a long time.” However, like a number of conference panelists, he also cautioned they could become a catalyst for rising systemic risk. “If the whole industry lives by one model, then that represents even more risk,” Rohr stated.

Rohr also endorsed reform of incentive compensation schemes to align the interests of executives and directors with those of the institution and its shareholders. He applauded efforts to tie compensation to an organization’s long-term performance, including equity-based awards and “claw-back” provisions.⁷ “We’re in a long-term business,” Rohr said. He contended that financial institution executives “need to be investors. They need to have their money at risk.”

Conclusion

The conference’s two days of presentations and discussion pointed to broad agreement that the current operating environment requires financial institutions to manage risk in new and different ways. Well-rounded strategic plans must explain how a firm expects to operate in a context of prolonged low interest rates, sluggish economic growth, intense competition, and emerging forms of operational risk, including reputational threats and cyberattacks. In keeping with the conference’s broad themes, panelists repeatedly returned to an enduring lesson from the most recent financial crisis: There is often a close relationship between a firm’s performance in trying times and its ability to take a forward-looking approach to identifying and mitigating potential risks.

Notes

¹ For more on the sequestration’s implications, see www.cbo.gov/publication/43961.

² The federal funds rate is the interest rate depository institutions charge when they make loans to each other (usually overnight) using funds held at the Federal Reserve.

³ Details on the FOMC’s state-contingent monetary policy, which remains in place, were first announced in December 2012; see the penultimate paragraph of www.federalreserve.gov/newsevents/press/monetary/20121212a.htm.

⁴ Interest rate risk is the risk that an investment’s value will change because of a change in the absolute level of interest rates, in the spread between two rates, in the yield curve’s shape, or in any other interest rate relationship.

⁵ For details, see www.consumerfinance.gov/ newsroom/consumer-financial-protection-bureau-issues-rule-to-protect-consumers-from-irresponsible-mortgage-lending/.

⁶ The agencies that participated in the 2009 stress tests—officially known as the Supervisory Capital Assessment Program (SCAP)—were the Board of Governors of the Federal Reserve System (along with the Federal Reserve Banks), the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. Subsequent stress tests—officially known as the Comprehensive Capital Analysis and Review (CCAR)—have been run annually by the Federal Reserve since 2011.

⁷ Clawback provisions are contracts allowing a firm to recover employee rewards if critical indicators on which the rewards were based are revised in the future.