THE FRITZ REPORT

In early October of 2020, I posted an interview with Bart Smith, the inventor, and developer of PT Score®.

At that time, no one knew how the COVID-19 pandemic would turn out—maybe we still don't! I commented that we needed a calm and reliable source of information to guide us through the scary and fraught period we were living through. The analogy I used was the great Tom Hanks movie, Greyhound. "Greyhound" was the callsign of the USS Keeling, a WWII ship that became famous for the incredible bravery exhibited by its captain and crew as they headed through the infamous "black-pit," the area of the Atlantic Ocean where no air cover was available to slow down the onslaught of German U-Boats.

That's kind of how the whole world felt just six months into the pandemic: with no clear exit available. In that interview, Bart provided very clear advice and insights; you can read the whole piece here.

Well, today it seems as if we have crossed our own version of the "black pit" and are now sailing on the other side. The risks are still real, though different, so I thought I would tap Bart and his new partner, Larry Wiltshire, to outline the potential risks banks and credit unions might see in the coming year. Larry joins the team after spending the past fifteen years in the regulatory arena, and he brings some fresh new insights that will expand the value of PT Score in the coming years. To read Larry's bio, please click here.

So, without further ado, let's jump right into the interview:

Q: Bart, many financial institutions are becoming concerned about the potential for rising rates, and how securities depreciation could impact regulatory and tangible capital levels. What are your thoughts on these concerns?

A. I have spoken with several institutions that have real concerns about that possible rate environment, and how that could impact securities depreciation and result in commensurate charges to regulatory and tangible capital going forward. Fortunately, from a regulatory perspective, most banks took advantage of a 2015 option to exclude Accumulated Other Comprehensive Income (AOCI) from regulatory capital, so those ratios will not be impacted by securities depreciation through an AOCI charge. That does not mean that regulators will ignore high levels of depreciation, but their focus will be more on the potential liquidity impacts rather than on ongoing capital levels. If there's a chance that an institution will need to realize depreciation to meet funding demands, that might be an issue, but it can be covered in a well-constructed contingency plan that manages projected liquidity sources and funding needs.

From a tangible capital perspective, a very swift and substantial increase in rates could have a meaningful impact on tangible capital levels. Publicly traded companies are going to be more sensitive to these adjustments, but in the end, I don't expect most banks to have capital declines that will create investor disruptions over the near term. Even during the 70s rate increases, median declines in capital from securities depreciation ran between 15% and 20%. Over the past 20 years, median depreciation levels have not been more than 5% of capital, even when fed funds increased by 400 bps from 2004 to 2006. If you have a big securities portfolio with a lot of potential depreciation, there may be a basis for additional strategic discussion, but I don't believe most institutions need to be overly concerned at this point.

If our economy can support a healthy increase in rates, that should ultimately have real benefits for banks and their operating margins. A healthy economy with rising rates and even moderate loan demand should be very advantageous, creating increased margins and incomes that more than offset moderate depreciation positions. As long as all positions are identified, measured, monitored, and controlled, institutions should be able to manage expected increases in rates over the foreseeable future.

Q: Beyond interest rates, what other risks should financial institutions be thinking about?

A: As we move beyond this two-year COVID-19 cycle, financial institutions will be looking to understand how their environment has changed and what types of challenges and opportunities will be available in the future. Regulators and risk-observers are trying to understand this new environment as well, and there are several markers that are already drawing considerable attention.

Oddly enough, with the exception of credit, the most notable risks that regulators are concerned about are not related to traditional CAMELS ratings. The concerns are based more on operational risk exposures and the ability of management teams to understand and respond to these exposures in the future.

In the OCC's semi-annual risk perspective that was issued late last year, the top four risk concerns cited by the national bank regulator were operational risk, compliance risk, strategic risk, and credit risk (see chart below). Similar risk priorities have also been cited by the FDIC, Federal Reserve, and NCUA. I think everyone understands the traditional risks associated with credit (even as new pressures emerge in a post-COVID-19 environment), and there is an ongoing understanding of the general expectations related to compliance, but the focus on other operational and strategic risk components could be a surprise for many institutions, particularly for those community banks with fewer resources to address these areas, from a regulatory perspective.

The strategic risk concerns of the OCC were focused on NIM compression and on the potential efforts by management to improve earnings. The OCC states that stimulus-fueled deposit inflows, low-yield investment options, and reduced lending opportunities resulted in highly liquid asset structures and lower margins for many banks. The OCC expressed concern that institutions, in an effort to find yield, may attempt to improve earnings by "increasing credit risk (in both loans and investments) and over-extending loan duration." As the post-COVID-19 environment continues to evolve, banks will be expected to have stronger processes to formalize and communicate strategic decisions within their organizations. The lack of disciplined processes will likely be met with regulatory constraints.

On the operational risk front, the OCC's primary concern was related to Cybersecurity. The OCC stated that "Operational risk remains elevated as cyber-attacks evolve, become more sophisticated, and cause damage to more industries." The expectation for strong controls and management of information technology and cybersecurity platforms is becoming more and pronounced and will be a focus of regulatory examinations going forward. Over the past year, operational risk issues have been the primary examination item included in matters requiring board attention (see chart below).

Q: Larry…you are working on the Information Technology Cybersecurity platform in PT Score. What are the most important things that community banks should think about when addressing this issue?

Yes. As Bart noted earlier, the OCC highlighted cybersecurity as the primary concern within operational risk, and we are finding that all the regulators are emphasizing technology and cybersecurity as an examination priority. While there is attention on all types of technology exposures, the emphasis has been on the protection of customer data.

The regulators have been emphatic that all financial institutions, including community banks, need to protect the sensitive data that customers provide to them during the course of normal business. There can be material financial implications for financial institutions that fail to adhere to the compliance standards for information security. For example, in 2020, the OCC imposed $625 million in fines on financial institutions that failed to comply with cybersecurity regulations. There can also be long-lasting business and reputational effects of a cybersecurity breach.

Beyond customer data rules, the latest cybersecurity guidance was issued on November 23^rd of last year, when the OCC, the Federal Reserve Board, and the FDIC published a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers. The rule requires a bank to notify their primary regulator as soon as possible and no later than 36 hours after the bank determines that a computer-security incident has occurred.

Given all the updates and emphases on this area, it's probably a good idea for banks to make sure that ongoing training and support are provided to protect against potential cybersecurity breaches. The most important training involves how to spot phishing emails and other Trojan attacks that could expose the institution to a data breach. This type of training has been elevated given the remote/hybrid work posture that many institutions have adopted in response to the pandemic.

Last year, our team held a series of virtual training sessions on the PT Score ERM platform. During those sessions, we proposed the idea of incorporating a separate IT/cybersecurity module into the operational risk section of the qualitative framework. The attendees were hugely in favor of this carve-out, so I have been spending the past few months developing that new IT/cybersecurity module. If all goes as planned, we expect to have the IT/cybersecurity additions added by the end of March so that they can be included in first-quarter qualitative results.

Q: Larry…as a new partner on the PT Score team, what are your thoughts on the PT Score process, and how it can help banks address these emerging risk concerns?

A: The first time I used PT Score, I was really impressed with the breadth and depth of the tool. PT Score can provide banks (and eventually credit unions) with a comprehensive view of the risks across their enterprise. Equally as important, the PT Score process can assist bank management in identifying potential regulatory areas of weakness and enhance communication between supervised institutions and their respective regulators.

As a former regulator with the FDIC and the Federal Reserve, I have witnessed first-hand the confusion and fear that bank management can occasionally have when communicating with their regulators. Some of the fear and miscommunication is partially attributable to certain parts of the examination process, which can appear nebulous to bank management. I think this is especially true in the qualitative portions of the exam, such as operational risk. Clearly quantitative areas such as asset quality and liquidity are extremely important to the overall health of the bank, but these areas are less subjective.

One of the strengths of the PT Score ERM tool is that it is modeled after the regulatory framework that is used by the FDIC, OCC, and FRB. This allows it to give management teams insight into how they potentially could be viewed by their regulators, both qualitatively and quantitatively. It also enables them to identify areas of their bank that could be of regulatory concern before the regulators do so. I can tell you from personal experience that when a bank is able to pinpoint a potential issue and propose a solution before their regulator does, it enhances the confidence of the regulator in bank management and the directorate.

So, both for strategic and regulatory application, I think PT Score is a great platform to help banks make better decisions and improve performance in a safe and sound manner.

I want to thank Bart and Larry for taking some of their very valuable time to share their thoughts with us.

One of the points from the movie "Greyhound." That really stuck with me: the freighter captains, competent operators all, still needed help. Many of them had made dozens of Atlantic crossings, had weathered storms and rough seas, but the U-Boat threat was an entirely new situation. The pandemic has also been entirely new, different for career's worth of experience. If you have made "the crossing," you have done something no one alive today has had to do before. Congratulations, but don't rest. There will still be challenges—some of them new, and some as old as banking itself. We will need steady hands to help us steer a clear route for the coming years.

If you would like to ask Bart or Larry specific questions about your bank or credit union, they can be reached by phone or email: Larry at 646-321-7890 and lwiltshire@performancetrust.com and Bart at 312-521-1643 and bsmith@performancetrust.com.

Final, final thought: This may sound weird, but I found a good recipe for Chicken Tetrazzini. I know, it sounds old school, but it's so good (and easy) on the cold February evenings. You can also make it ahead of time and throw it in the oven when the kids get home from school. Let me know if you want my recipe.

Fill out the form below to subscribe to my weekly blog.

The information, analysis, guidance, and opinions expressed herein are for general and educational purposes only and are not intended to constitute legal, tax, securities, or investment advice or a recommended course of action in any given situation. Information obtained from third-party resources are believed to be reliable but not guaranteed. All opinions and views constitute our judgments as of the date of writing and are subject to change at any time without notice. Past performance does not guarantee future results.