The Chicago Fed’s Supervision and Regulation Department, in conjunction with the Center for Financial Services at DePaul University’s Driehaus College of Business, held the seventh annual Financial Institution Risk Management Conference on April 8–9, 2014. The conference brought together business professionals, academics, and regulatory agency staff to discuss current risks and challenges facing a broad range of financial institutions.

This Chicago Fed Letter summarizes the two-day conference that explored risk-management issues and strategies for financial institutions. Many of the speeches and conversations from this year’s conference built upon those from last year’s,¹ with a focus on risks and opportunities stemming from the current U.S. economic environment that has begun showing signs of a sustainable recovery. There was an emphasis on interest rate risk² throughout several panel discussions. Many risk-related issues—including how to instill strong risk management across all levels of a firm’s staff and how to balance the use of qualitative and quantitative risk management—were explored through the perspectives of bankers based in the Seventh Federal Reserve District.³ Moreover, there were in-depth analyses of the role of banks’ boards of directors in overseeing their institutions’ risk management and of the relationship between banks and regulatory supervisors. Lastly, conference participants spoke about cyberattacks on financial institutions and other organizations, including those perpetrated or abetted by employees.

“Strategic risk” in the recovery

Recently passing the five-year mark, the ongoing recovery from the Great Recession and financial crisis has characteristics with few historical precedents. Some of this recovery’s prominent features are a prolonged period of low market interest rates, tepid loan demand, and uneven improvements in the U.S. economy. Benchmark interest rates for loans and investments continue to track well below historical norms as most financial industry customers—commercial and consumer clients alike—are borrowing selectively and paying lower fees for a variety of services. These trends have put pressure on net interest margins⁴ at many financial institutions, creating incentives for them to stretch to support their earnings, including a temptation to focus on isolated pockets of loan demand and industries with faster growth than the broader economy.

This challenging post-crisis environment has required financial institutions and regulatory supervisors to develop ways to measure, calibrate, and mitigate the risks embedded in these institutions’ operations and business strategies. “Strategic risk” is one term to describe these sets of risks, which vary widely from firm to firm. “Strategic risk is something we’re talking about a lot these days because banks are trying hard to find new ways of making money,” said Cathy Lemieux, executive vice president for Supervision and Regulation, Federal Reserve Bank of Chicago.

A panel of regulatory agency representatives held a rich discussion on the effects of fierce competition among lenders due to weak loan demand. The capacity of lenders continues to outstrip aggregate demand from creditworthy borrowers, producing bidding contests to attract and retain customers with high credit quality. “Everyone’s looking for good loans. Lenders are competing by going long on terms and lowering rates,” said Eric Robbins, regional manager, Federal Deposit Insurance Corp. (FDIC).⁵

The need to support earnings has enticed many financial institutions to focus their lending and business activities on industries growing faster than the broader economy. Examples include health care, energy production, transportation, warehouse and distribution, and software technology. The regulatory panelists agreed that a narrow focus on promising sectors can lead to lender distress if underlying fundamentals in those industries erode. Concentration thresholds are a common safety measure. “One of the biggest lessons we learned from the crisis was the danger of concentrations,” said John Vivian, assistant deputy comptroller, Office of the Comptroller of the Currency (OCC).

Interest rate risk

The interest rate risk panelists focused most of their discussion on risks associated with the current low interest rate environment. One form of interest rate risk is repricing risk, which involves pairing long-term fixed-rate assets with funding sources that may reprice over shorter durations. In today’s environment, many institutions have recently been willing to compete for customers by issuing fixed-rate loans at low rates, in some cases with long-dated terms— a strategy that can boost earnings today but can also exacerbate repricing risk. “What’s the worst risk? Lending against commercial real estate over 20 years or having a fixed-rate asset for 20 years? Some banks are currently combining those risks to support earnings,” said panelist Doug Gray, managing examiner, Federal Reserve Bank of Kansas City.

Dennis Angner, president and CFO, Isabella Bank Corp., said such decisions reminded him of the 1980s, when a quick rise in interest rates caused deep losses and even failures at hundreds of financial institutions. Panelists agreed the most optimal scenario for financial institutions would be a gradual rise in interest rates over the course of two or three years. “Quick changes in interest rates leave little time for maneuvering,” said Gray.

Instilling firm-wide risk management

A panel of chief risk officers from the Chicagoland region discussed ways in which strong risk management can be instilled across all levels of a financial institution’s staff, including leaders providing detailed descriptions of the firm’s risk appetite. “We think it’s crucial to be clear about which risks we’re taking, and how much of those risks we’re taking,” said Steven Cunningham, chief risk officer, Discover Financial Services.

In an address, Kathy Dick, managing director, Promontory Financial Group, said the financial crisis underscored the importance for financial institutions to understand and manage their risks. “Banking is a risk-taking business,” she said. “But that business is not sustainable if risks aren’t well managed.” John Thain, chairman and CEO, CIT Group, stated, “It’s very important a firm’s CEO is involved in the risk-taking as well as the risk-management process. This is not something CEOs can delegate from 40,000 feet up.” Thain also observed, “The risk-management people have to be just as talented as the business side. Otherwise, you have business people overwhelming the risk department.”

A Chicago financial institution’s perspective

Edward Wehmer, president and CEO, Wintrust Financial Corp., continued the Chicago Fed/DePaul risk conference’s tradition of thought-provoking keynote addresses from industry executives. Wehmer described Wintrust’s firmwide approach to risk management, which includes a culture of encouraging executives to identify and mitigate risks when they surface.

Wehmer explained that the firm’s proactive risk management began before the financial crisis as the company realized the market was taking excessive risks. As the housing bubble expanded, Wintrust’s models showed that prevailing rates on new loans made new real estate credits too risky. “So I made our folks sit on the sidelines,” Wehmer said. “They wanted to keep lending, but I said no.” Wehmer noted that Wintrust made similar decisions with regard to commercial real estate lending, where the company maintained its conservative credit criteria—unlike some lenders that were willing to relax their loan terms and underwriting standards.

Wehmer also described the frequent temptation for financial institutions to shortchange their compliance with the rules and regulations that were developed in response to the financial crisis. He advised his peers: “Spend the money and commit the resources necessary not just to comply, but to overcomply.”

Throughout his address, Wehmer frequently returned to the message that discipline is the central feature in avoiding risks that can imperil financial institutions. “Our credit policy and our profitability policies do not change,” he said. “If the risk numbers show that we can’t do the business, then we won’t do the business.”

Balancing qualitative and quantitative risk management

Throughout the conference, panelists and speakers discussed the emerging need for regulatory supervisors and financial institutions to balance the use of qualitative and quantitative risk management. There is a long and deep history of financial services firms using qualitative risk management—which can be summarized as a combination of management expertise, experience, and subjective judgments that rely on nonquantifiable information to assess risks. By contrast, the history of quantitative risk-management tools—including data-driven stress test analyses⁶ and mathematical models for measuring and forecasting risks associated with markets, borrowers, and counterparties—is relatively much shorter; the use of these tools grew dramatically following the financial crisis of 2007–08.

There was broad agreement that financial services firms should scrutinize assumptions used in quantitative analysis. Gray, of the Kansas City Fed, said, “Modeling is not fortunetelling or being clairvoyant. It’s just having a good approach to thinking about what might happen.” Expressing concern about how data points can be misinterpreted, Kevin Moffitt, executive vice president and chief risk officer, First Midwest Bank, said, “The narrative at the top of a report is just as important as the data that’s underneath it.” Cunningham noted his organization, Discover Financial Services, has been intentional in fostering a culture that constructively questions the inputs used by its quantitative analysts. “The notion of challenging assumptions is something we take to heart,” Cunningham said.

A growing role for boards of directors

For the first time in its seven-year history, the Chicago Fed/DePaul risk conference convened a panel of professionals currently serving on boards of directors that govern banks and bank holding companies. Among the notable features of the post-crisis operating climate is a steadily rising expectation—among supervisors, investors, and institutions alike—that boards of directors become more involved in overseeing financial institutions’ risk management. Some of these growing expectations have become formalized—e.g., through explicit regulatory requirements for larger institutions to form board-level risk committees.⁷ “Expectations for board involvement are at an all-time high,” said Emily Greenwald, vice president for Supervision and Regulation, Federal Reserve Bank of Chicago.

The directors explained ways their institutions have developed directorate roles, including scrutiny of individual business units. Susan Gordy, director, Johnson Bank and Johnson Financial Group, told the audience, “We want the business lines to own the risks they take.” Board oversight can be particularly valuable during periods of rising competition, when business-line managers can feel pressure to take on additional risk in order to keep pace with competitors and prop up near-term results. John Rau, director and chairman of the risk oversight committee, BMO Financial, emphasized, “‘Everyone else is doing it’ is not a rationale. It’s a red flag.”

Ronald Peterson, director, Quad City Bank and Trust and QCR Holdings Inc., said a board’s risk committee should be a hub of risk-management discussion. “At our firm, the risk committee is a vibrant committee, and a very high priority at the company,” Peterson said. “All the board members are invited, and almost everyone attends.” The other panelists also agreed that risk committee chairs need expertise in their institutions’ business lines.

There was also consensus among the panelists that recruiting qualified directors is a challenge for many financial institutions, especially in light of rising demands for expertise and participation. Gordy observed, “The board’s role is to ask probing questions and challenge management. To do that, you have to have a base of education. That can make it challenging to find directors.”

Other panels from the conference also highlighted the importance of engaging a bank’s board of directors. During the aforementioned panel on interest rate risk, Angner said he is always looking for ways to help directors better understand the strategies and risks of his firm, Isabella Bank. “For most board members, interest rate risk is an abstract concept,” he said. “They understand credit risk, but interest rate risk is more difficult.” Angner described how his board’s discussions improved after management translated interest rate scenarios from percentage changes in balance-sheet performance to dollars gained or lost.

Regulatory perspectives

The agendas of regulators often reflect emerging trends at financial institutions, and the regulatory update panel discussed a handful of current issues.

Anthony Gibbs, Midwest regional director, Consumer Financial Protection Bureau (CFPB), said his agency’s focus includes scrutinizing the following areas: reporting errors among consumer credit reports, mortgage servicing practices, and payday lending activities (including transactions cleared through banks). Among mortgage servicers, Gibbs noted, the CFPB found substantial evidence of loan servicers’ failure to accurately record receipt of mortgage payments and, in other cases, follow protocols for when to stop charging borrowers private mortgage insurance. Robbins, from the FDIC, said he’s become aware that third-party payment processors are contacting banks to entice them with lucrative transaction-clearing arrangements that may present a variety of risks. Moreover, Robbins noted that the FDIC recently published an article reiterating that “deposit relationships with payment processors can expose financial institutions to risks not present in typical commercial customer relationships, including greater strategic, credit, compliance, transaction, legal, and reputation risk.”⁸

The discussion among the regulatory panelists demonstrated that oversight of thirdparty vendors has become a top priority.⁹

The panelists reminded the audience that each financial institution is responsible for its own entire operations, including vetting and monitoring outsourced functions.

A number of panels discussed the ways that financial institutions and regulatory agencies can improve their relationships. New rules following the financial crisis—in particular, those stemming from the Dodd–Frank Wall Street Reform and Consumer Protection Act—have increased the interaction between financial organizations and the agencies that supervise them.

There was ample conversation about the need for financial institutions to be proactive in engaging regulators, particularly when it comes to stressful matters and changes in strategies or risk profiles. In turn, panelists agreed, supervisors need to be more receptive, most notably to informal deliberations. Vivian, on the regulatory panel, said the OCC is eager to participate in such discussions. “Before you roll out a significant new product or push into a sector or business line, get us at the table, so we can talk through it and help make sure it matches your strategic plan,” Vivian said. “We need to always be asking ourselves, What can we do to make sure these relationships are a two-way street?” Greenwald, of the Chicago Fed, said.

Speakers and panelists outside the supervisory panel were also in broad agreement that regulatory agencies need to be constantly evaluating how they supervise and communicate with financial institutions. Dick, of the consultancy Promontory, observed: “The crisis has made bankers much more concerned about going to regulators and asking, ‘Do you think I have this right?’ There are a lot of questions that come into my firm where I think it’s unfortunate they don’t feel comfortable posing them to their regulators.”

Cyberthreats

While risks related to the economic climate dominated the conference, the rapidly increasing threats from cyberattacks were also a focus.¹⁰ Cyberthreats have required institutions to invest in staff and infrastructure to protect systems, databases, websites, mobile banking platforms, and customer data. In a presentation that illustrated the shifting landscape, Joseph Nocera, partner, PricewaterhouseCoopers, shared research showing cyberattacks on commercial organizations rose 170% from 2012 to 2013. That might be a conservative estimate, he said, because nearly one in five firms surveyed still do not know how many attacks they have suffered. “The use of technology has created types of risk we never imagined before,” said Elijah Brewer III, professor and chairman of the Department of Finance, DePaul University.

Presenters said the highest priority for information technology among financial institutions should be the identification and protection of their most critical data, including customer information and trade secrets. An effective defense against cyberthreats must include the management of insider threats—whether intentional or unwitting—in addition to customary protection from outsider dangers. John Fleshood, chief risk officer, Wintrust Financial Corp., shared a story to illustrate information security risk: “A chief risk officer at another firm told me how he got a call from someone who had bought a flash drive at a garage sale. They had found all sorts of banking data on it.” Panelists also discussed the importance of having methods to monitor employee activity, most notably the copy or transfer of sensitive information.

Conclusion

The conference’s speeches, presentations, and discussions underscored how the current operating environment has made it imperative for financial institutions to manage risk in dynamic and proactive ways. Moreover, conference participants repeatedly returned to a lesson that has emerged since the financial crisis: Financial institutions that embrace enterprise-wide risk management are better positioned than those that neglect to do so. Sound risk management is not merely a supervisory checklist or expense line item to be managed, but rather a distinguishing feature of stable and successful financial institutions.

Notes

¹ A summary of the 2013 Chicago Fed/DePaul risk conference is available at www.chicagofed.org/webpages/publications/chicago_fed_letter/2013/november_316a.cfm.

² Interest rate risk is the risk of changes to a financial institution’s balance sheet due to a change in the yield curve’s shape or in any other interest rate relationship.

³ The Seventh District, which is served by the Chicago Fed, comprises all of Iowa and most of Illinois, Indiana, Michigan, and Wisconsin.

⁴ Net interest margin is the income generated by a bank minus the interest paid on its borrowed funds, divided by the average value of the assets on which it earned income.

⁵ Data from the Federal Reserve’s Senior Loan Officer Opinion Survey on Bank Lending Practices (available at www.federalreserve.gov/boarddocs/snloansurvey/) demonstrate a steady decrease in underwriting standards for commercial and industrial (C&I) and commercial real estate (CRE) credit since the middle of 2012. Separately, in March 2013, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the FDIC jointly issued supervisory guidance (available at www.federalreserve.gov/bankinforeg/srletters/sr1303.htm) in response to declines in underwriting standards for leveraged commercial loans, most notably “syndicated loans,” or those held by multiple lenders.

⁶ The Dodd–Frank Wall Street Reform and Consumer Protection Act requires some form of annual stress-testing exercises at all institutions with at least $10 billion in consolidated assets. Institutions with at least $50 billion in consolidated assets are subject to higher stress-testing requirements, including separate tests performed by the institution and the regulatory agencies.

⁷ Supervisory guidance published by the Fed in December 2012 describes boards of directors’ responsibilities at institutions with more than $10 billion in consolidated assets. These include, but are not limited to, requirements to “establish and maintain the firm’s culture, incentives, structure, and processes that promote its compliance with laws, regulations, and supervisory guidance.” See www.federalreserve.gov/bankinforeg/srletters/sr1217.htm.

⁸ See https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum11/managing.html.

⁹ In December 2013, the Board of Governors of the Federal Reserve System provided guidance on managing risks associated with outsourcing (available at www.federalreserve.gov/bankinforeg/srletters/sr1319.htm); it applies to all financial institutions supervised by the Federal Reserve.

¹⁰ Several types of cyberthreats are discussed in www.chicagofed.org/digital_assets/publications/economic_perspectives/2013/3Q2013_part2_dhameja_jacob_porter.pdf.