2015 banking outlook: the future is bright, but change your password


Upload: grant-thornton-llp

Post on 15-Jul-2015


Contents

• Introduction

• Taking stock: The current state of the industry

• Controlling costs through compliance optimization

• Essential ERM: Manage risk or risk disaster

• Cybersecurity

Introduction

The global banking industry has slowly returned to a position of financial health, but the overall outlook is mixed. On the one hand, nearly every major indicator has rebounded significantly: revenues are up, M&A activity is improving, and the numbers of bank failures and problem institutions have returned to more normal, pre-recession levels. What’s more, these positive trends should continue in the near future. On the other hand, returns on equity and profitability remain low, and the risk of cyberattacks is growing exponentially.

Further complicating the outlook, a fluid and uncertain regulatory environment has stoked fears that a raft of as-yet-unwritten regulations will unduly restrict the industry’s profitability and undermine the momentum of recent gains. This year brought a record total of penalties and fines, reigniting demands by the general public to break up the largest institutions — those deemed "too big to fail." At the same time, enforcement actions for noncompliance are on the rise, signaling heightened levels of scrutiny going forward. In response, executives are reviewing their business models to identify new sources of revenue. A spike in M&A in 2014 may indicate that banks are pursuing deals to bolster organic growth. Some institutions are investing in digital business models and mobile banking to differentiate themselves in the marketplace.

So how should banks confront these challenges? We believe that a renewed focus on performance and underlying fundamentals can give banks greater capacity and agility to deal with emerging threats and pursue new growth opportunities. Operational optimization, enhanced risk management and strategic investments in technology are key enablers that cut across functions and have far-reaching implications for a bank’s health and prospects. Further, these enablers are interconnected: IT systems help to drive operational optimization by automating processes, for example, but these same technologies can introduce new risks that organizations must address. What’s required is a coordinated effort among business units as well as the vision to manage these tasks in an integrated way.

This report offers an in-depth analysis of the most critical focus areas for the banking industry in the coming year — regulatory compliance and enterprise risk management, including cybersecurity and model risk management. Institutions can boost performance in these areas by optimizing operations, developing sound risk management frameworks and implementing the appropriate technology. When executed successfully, investments in these areas can become strategic assets that position the business for strong growth and profitability.

Jack Katz, Global Leader, National Managing Partner, Financial Services

Nigel Smith, National Leader, Financial Services Advisory


Taking stock: The current state of the industry

Commercial banking macro trends

Year     Global revenue ($T)    U.S. revenue ($B)
2010     1.9                    376
2011     2.0                    343
2012     2.1                    310
2013     2.2                    388
2014*    2.3                    426

Investment banking and securities dealing in the U.S.

Year     Revenue ($B)    Profits ($B)
2010     170             26
2011     145             22
2012     140             20
2013     133             20
2014*    132             33

1 The M&A Monitor, Olsen Palmer, November 2014.

2 Cox, Jeff. “Small banks are doing some really huge deals,” CNBC, Nov. 10, 2014. (cnbc.com/id/102170284#).

3 Financial institutions: Causes and consequences of recent bank failures, U.S. Government Accountability Office, January 2013 (gao.gov/assets/660/651155.pdf).

Revenues and profits

Since 2010, the global commercial banking industry has demonstrated steady growth. By Q3 2014, revenues had already eclipsed 2012 totals, realizing returns of $2.3 trillion. And while the industry saw a dip in revenues in the United States in the wake of the economic recession, by Q3 2014 revenues had grown to more than $425 billion — a 37% increase over 2012 figures. Meanwhile, investment banking has also rebounded impressively, with over $33 billion in revenues as of Q3 2014. Significantly, investment banks have achieved these returns despite sharply lower revenues.

M&A

In the United States, the number of M&A deals in the banking industry rebounded sharply in 2014; through October, 240 deals had closed, making it the busiest year by number of deals since 2007.[1] An increase in M&A may signal that some banks are looking to augment their prospects at a time when organic growth has been incremental. According to a recent report by CNBC, “Each of the top 20 fastest-growing banks is either in the small- or mid-cap space, and most have used M&A as their primary engine.”[2] Institutions are pursuing this strategy despite the fact that regulatory scrutiny has made M&A a much longer process.

Problem institutions and bank failures

Over the past five years, bank failures in the global banking industry have declined significantly, thanks to an improving economy. The U.S. market mirrors this trend: The number of institutions on the FDIC’s “Problem List” declined from 411 in Q1 2014 to 354 in Q2, the smallest number since Q1 2009. That total represents a 60% drop from the recent high-water mark of 888 problem institutions in Q1 2011. Similarly, bank failures are at their lowest point in five years, with the number of failed institutions—16 this year thus far—equal to just one-tenth the total in 2010.

An FDIC study of 10 states that experienced 10 or more bank failures from 2008 to 2011 found that small banks, which made up one-fifth of all failed banks, were particularly susceptible to commercial real estate losses.[3] Steady economic growth, a stable housing industry, greater federal oversight and increased capital requirements contributed to this trend.

*As of 30 November 2014. Source: December 2014 IBISWorld Industry Report 52211: Commercial Banking in the U.S.

*As of 30 November 2014. Source: November 2014 IBISWorld Industry Report 52311: Investment Banking & Securities Dealing in the U.S.

[Figure: M&A activity: number of deals by month, November through October. Source: SNL Financial, Olsen Palmer analysis.]

[Figure: Number of FDIC-insured "problem" institutions, 2006 – 2014. Vertical axis: number of institutions.]

Cybersecurity

U.S. Attorney General Eric Holder famously noted that there are two kinds of companies: “those that have been hacked and those that don’t know they have been hacked.” The Identity Theft Resource Center’s Data Breach Report cited 24 breaches in the banking, credit and financial sector as of Oct. 21, 2014. This figure accounts for 3.9% of the total number of U.S. breaches for the year to date, but the mere threat of cyberattacks has a far-reaching impact on organizations. The Ponemon Institute estimated that a single breach can run in the tens of millions of dollars for U.S. companies,[4] so it’s critical for financial institutions to take the proper precautions. As a result, banks have increased their investments in IT security, monitoring and crisis management to be well-prepared for potential breaches. Indeed, Jamie Dimon anticipates that Chase will double its annual computer security budget, currently at $250 million, over the next five years.[5] So while financial institutions might represent a high-profile target, trends indicate that banks are also well-aware of the threat and are enhancing their security capabilities.

4 2014 cost of cybercrime study: United States, Ponemon Institute, October 2014.

5 “Dimon sees JPMorgan cybersecurity costs doubling,” Bloomberg, Oct. 10, 2014 (crainsnewyork.com/article/20141010/FINANCE/141019987/dimon-sees-jpmorgan-cybersecurity-costs-doubling).


6 Parker, Ashley and Pear, Robert. House Narrowly Passes Bill to Avoid Shutdown; $1.1 Trillion in Spending, The New York Times, Dec. 11, 2014.

The following timeline highlights the dates when new regulations go into effect in the United States.

Years shown: 2014, 2015, 2016

• Jan. 1: The Final Rule for new regulatory capital frameworks takes effect for "advanced banks" — those with $250 billion or more in total consolidated assets or for $10 billion or more in foreign exposures.

• Sep. 2: Volcker Rule requires banks with more than $50 billion in assets to submit quantitative metrics and reporting.

• Jan. 1: The Final Rule for new regulatory capital frameworks takes effect for "standardized banks," the majority of U.S. banking organizations. The liquidity coverage ratio (LCR) compels covered companies to comply with the minimum LCR standard of 80%.

• Aug. 1: A new mortgage disclosure framework merges forms governed by the Truth in Lending Act with those governed by the Real Estate Settlement Procedures Act.

• Jan. 1: Covered companies must comply with the minimum LCR* standard of 90%.

• Dec. 31: Banks with $10 billion to $25 billion in assets must be in full compliance with Volcker Rule.

• April 10: U.S. federal banking agencies finalize the supplemental leverage ratio applicable to advanced U.S. banks. The regulation goes into effect in 2018.

• Oct. 10: U.S. regulators change accounting rules regarding bad mortgages, requiring banks that sell loans to investors to keep at least 5% of the risk on their books when they securitize loans.

• July 21: Banks with more than $50 billion in assets must be in full compliance with the Volcker Rule;* banks with $10 billion to $50 billion must meet minimum compliance requirements.

• April 30: Banks with $25 billion to $50 billion in assets must be in full compliance with Volcker Rule.

Regulatory environment

Regulatory activity accelerated in 2014, with banks facing new Basel III capital requirements and liquidity ratios. In the United States, the Final Rule of new capital regulatory requirements took effect on Jan. 1 for the largest banks, followed by quantitative metrics and reporting on Sept. 2. The coming year brings the implementation of the Volcker Rule, which prohibits banks from engaging in proprietary trading, among other requirements, as well as new mortgage-disclosure guidelines courtesy of the Consumer Financial Protection Bureau. None of these deadlines came as a surprise, as bank executives have been preparing for the implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) since its passage in July 2010. Instead, it’s the ongoing and pervasive uncertainty regarding full implementation that’s at issue. Consider that, in December 2014, the House passed a budget bill that rolls back a key provision of the Dodd-Frank Act.[6]

This perpetual game of wait-and-see has forced banks to focus less on specific deadlines and more on building the capability to address the incremental rise of regulations on a consistent basis. Many regulations are finally flowing downstream to smaller institutions, which will need to retool their compliance functions and invest in talent to adapt to new processes, methodologies and enablers.

*Liquidity coverage ratio.

*Proprietary trading ban and a requirement that swaps activities be moved into nonbank affiliates.

Controlling costs through compliance optimization

Effectively addressing compliance challenges requires a systematic and disciplined approach to implementing change.

Overview

• The compliance function has taken its place at the heart of the banking organization, a much more prominent position for what had in the past often been more of a check-the-box function.

• A host of new regulations means that compliance must take on added prominence in organizations and be approached in a more strategic fashion. Indeed, the once-sleepy compliance function now frequently reports into banks’ highest levels.

• In addition to simply trying to keep up with new regulations and addressing any gaps in their compliance, banks must try to address the added costs posed by heightened regulatory requirements, often while also facing the need to control costs created by a low-return environment.

2014 trends/developments

In remarks before a conference in September, James A. Forese, co-president of Citigroup Inc., said bank regulatory costs could reach $10 billion industrywide in the near future.

Banks face additional compliance challenges in gathering and assembling the data necessary to meet many new regulatory requirements. Institutions designated as systemically important financial institutions are under additional pressure to implement the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting by 2016.

Heightened governance standards in the form of final guidelines published in September by the Office of the Comptroller of the Currency (OCC) dictate that covered large financial institutions establish and adhere to a written risk governance framework to manage and control their risk-taking activities.[7] The guidelines apply to insured national banks, insured federal savings associations, and federal branches of foreign banks with $50 billion or more in average total consolidated assets, as well as OCC-regulated institutions with less than $50 billion in average total consolidated assets if that institution’s parent controls at least one other covered institution.

The task of generating some regulatory reports is one of collaborative disclosure management, with multiple participants in different departments often working together to assemble all the inputs necessary to create the report. Often those requirements involve discrete sources of data generated by separate systems never intended to integrate with one another or report in the manner sought by regulators.

Performing stress testing, either with the Comprehensive Capital Analysis and Review (CCAR) models required by the Federal Reserve, or as part of Dodd-Frank Act Stress Testing (DFAST), is revealing opportunities to strengthen the banks’ risk management functions and implement sounder ERM frameworks and processes. Stress testing provides a much-needed supplement to the traditional capital risk-adjusted management infrastructure. For example, stress testing demands vast data inputs from across the bank and, often, extensive data cleanup efforts as well. Furthermore, meeting Know Your Customer requirements may see a bank pulling together customer history data, analysis on transaction tendencies, information from an anti-money laundering database, financial data from various sources, and information from settlement and trade platforms.

7 Federal Register, Volume 79, Number 176, Office of the Comptroller of the Currency, Sept. 11, 2014.


Reporting requirements based on various types of unstructured data — information in document or text form — such as verifying that policies or procedures are being followed, present their own compliance challenges.

An additional compliance challenge facing banks as they look to deal with new regulatory requirements is adding — and paying — the additional staff required to meet expanded compliance demands. As banks look to expand their rosters of risk and compliance personnel, those in some markets are finding the pool of qualified candidates to be a shallow one, with the demand vs. supply equation predictably driving up the cost of acquiring and retaining necessary staff. Banks can mitigate staff shortfalls by relying on a fully integrated project management office to establish a rigorous and systematic approach to compliance efforts.

Suggested actions

Banks must optimize their compliance efforts in order to remain competitive despite ongoing regulatory pressures.

Process improvement is a key element of banks’ efforts to build more structure and governance in moving toward compliance optimization. Ideally, the solution to near-term regulatory gaps can be achieved within the bank’s existing infrastructure without the need to invent new technology.

Banks should take a broad view in making compliance improvements so that the infrastructure and reporting improvements made to address the immediate regulatory issue ultimately support multiple regulatory requirements as well as other important business decisions. Such an approach also will help the organization minimize expenses and maximize profits.

Co-sourcing arrangements with subject matter experts who can assist during preparations for examinations or prior to regulators’ visits can address staffing issues associated with increasing regulatory requirements.

Effective use of advanced analytics can enable banks to gain added benefit from the data they’re gathering and assembling as they comply with new regulations. Using advanced analytics, banks can leverage those data assets to anticipate emerging risks and make more appropriate risk mitigation decisions. To do so, a bank’s leaders must take a strong position advocating the use of data in new ways to allow banks to formalize and incorporate the use of enterprise data to drive informed decisions on future risks and outcomes.

A strategic and sustainable approach to the compliance mission can provide the additional benefit of helping banks address some of the staffing considerations around the increasing regulatory compliance requirements. By going beyond fixing immediate regulatory gaps to take a longer-term approach to transforming the compliance mission — involving the chief risk officer and the chief compliance officer in the process — banks can demonstrate to regulators a strategic multiyear regulatory program. Such strategies for building a compliance transformation and enterprise risk management program will inherently follow a timeline that should allow banks to address adding needed compliance staff over time.

Integrating compliance more closely with product development can also help banks with their compliance optimization efforts. With banks increasingly looking to new or modified products as a way of increasing revenue, they also face the risks associated with new products, among them the compliance risks from products that violate laws, rules or regulations, or fail to comply with internal policies or ethical standards.

Robust governance and sound new product and service risk management processes can reduce those compliance risk exposures. Such moves require strong leadership involvement in the new product governance framework, comprehensive policies and procedures, a formal product approval process, centralized tracking and identification of new products, regular discussions after the new product launch, and a formal reporting process that tracks and retains correspondence to the relevant regulatory body.

It’s important that the compliance optimization improvements be achieved in a fashion that makes them sustainable over the long term. The greatest successes in compliance optimization efforts occur when organizations view risk management and compliance effectiveness as a strategic necessity for the business rather than an additional cost or burden.


Essential ERM: Manage risk or risk disaster

ERM encompasses the strategy, programs and processes that make it possible for organizations to identify, monitor and address potential risks. Institutions that pursue a comprehensive approach to risk management are better positioned to manage uncertainty and risk while generating value to the organization. Two areas — model risk management and cybersecurity — illustrate the need to coordinate activities across the full breadth of the institution to manage risk effectively.

Model risk management and stress testing

Overview

• Guidance from the Federal Reserve Board and OCC calls for better implementation, usage, validation and governance of risk models to manage the operational risks associated with model usage and deployment and to support decision-making.

• Although institutions are devoting significant time and resources to model risk management, they must seek to improve their agility to respond effectively to shifting market conditions.

• By coordinating model risk management efforts with those of risk and compliance departments and improving data management capabilities, banks can be well-placed to mitigate risk and perform well on stress tests.

Trends and developments from the past year

In March 2014, the Federal Reserve released results from the stress testing conducted on the capital plans of large bank holding companies (BHCs) and foreign-owned banks (FOBs). The aim of the annual reviews is to ensure that large financial institutions have robust, forward-looking capital planning processes that account for their unique risks, and to help ensure that they have sufficient capital to continue operations throughout times of economic and financial stress.

For CCAR, the Fed reviewed the capital plans of 18 U.S. BHCs and rejected just one. However, two FOBs (out of four) found that their capital plan didn’t meet the standard. These findings can have far-reaching implications: Institutions that fall short can’t distribute dividends until demonstrating improvement, which significantly restricts capital management strategies. Further, banks whose plans don’t meet CCAR standards must devote additional resources to address outstanding issues and commit additional capital to bring their plans up to acceptable levels. The regulations have already made an impact on capital holdings. According to the Fed, the 30 large BHCs that took part in CCAR in 2013 increased their aggregate Tier 1 common capital from $460 billion in Q1 2009 to $971 billion in Q4 2013, while the Tier 1 common ratio for these firms has more than doubled, reaching a weighted average of 11.1%.[8]

Under Section 165(i)(2) of the Dodd-Frank Act, banks with total consolidated assets of more than $10 billion must conduct annual stress tests, which the OCC uses to assess a bank’s risk profile and capital. Results from this year’s DFAST review found that just one of the 12 BHCs breached the minimum Tier 1 common ratio of 5%.

8 For more information on the results, go to federalreserve.gov/newsevents/press/bcreg/20141017a.htm.

Ever-changing markets. Heightened investor expectations. Increasingly complex financial instruments. Each of these factors contributes to increased risk. Although these activities are interrelated, they are often addressed in a vacuum.


In October 2014, the European Central Bank (ECB) released results of its stress test of the eurozone’s 130 biggest banks.[9] The ECB’s study found that 13 banks fell short of baseline levels for capital, down from 25 banks at the end of 2013. Collectively, the underperforming institutions, which included four Italian and two Greek banks, need to stockpile an additional €10 billion ($12.5 billion) to cushion themselves against any future crises. In an independent review by the European Banking Authority, all 20 banks exceeded capital requirements.[10]

Suggested actions

Banks are working around the clock to improve their capital management process and model risk management and prepare for stress tests. In many cases, executives will need to devote increased resources to model development, validation and governance. As BHCs have already transitioned to the Fed’s annual framework, banks with $10 billion to $50 billion in assets will now need to develop and implement strategies to manage compliance effectively:

Validation. Validation, both quantitative and qualitative, is fundamental to mitigating model risk. Assessing whether models are performing in line with their designed objectives and business usage should include an evaluation of conceptual soundness, ongoing monitoring and outcomes analysis. Generally, validation should be embedded into the model life cycle and performed by different parties. Independent validation can be performed by internal audit or third-party vendors that aren’t responsible for development or use and do not have a stake in a model’s output.

Documentation. Banks must document their policies and processes in sufficiently granular detail. Without this level of information, an institution’s model risk management will not enable reviewing parties unfamiliar with a model to understand how it operates, its limitations and its key assumptions. In addition, regulators expect financial institutions to provide extensive documentation on their model risk management efforts.

Governance. An emphasis on model governance begins with the appropriate participation of the C-suite and board. As part of their overall responsibilities, a bank’s board and senior management must ensure that its model risk management framework aligns with and supports its broader risk strategy. Since the models are often interconnected — that is, assumptions in one model could have a profound impact on other parts of the organization — the board should develop a holistic view of the bank’s aggregate risk. A framework should include standards for model development, implementation, use, validation and governance. As part of an appropriate “three lines of defense” approach, model risk management activities should involve the business and corporate functions that develop, use and monitor models. For example, risk and finance functions are typically involved, along with internal audit, treasury and marketing.

Efficiency and agility. Model risk management and stress testing rely on huge amounts of data, and having access to up-to-date information is critical. Therefore, banks can improve the efficiency and agility of their risk activities by selecting and implementing technology solutions and systems to support effective data management. Having the right tools can enable banks to automate and streamline key processes; deploy relevant risk, operational and financial data; and apply required business and risk analytics.

9 European Central Bank press release, Oct. 26, 2014 (ecb.europa.eu/press/pr/date/2014/html/pr141026.en.html).

10 dealbook.nytimes.com/2014/10/26/ecb-stress-test-finds-13-banks-fall-short/?_r=0.

Without adequate documentation, model risk assessment and management will be ineffective. Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations and its key assumptions.

Regulatory changes

In October 2014, the Federal Reserve issued a final rule that adjusts the due date for capital plan and stress test results from BHCs with total consolidated assets of $50 billion or more. Beginning in 2016, these BHCs must make their submissions on or before April 5.

Cybersecurity

It’s scarcely an exaggeration to suggest that every bank’s IT systems are under attack and, with cyberattacks becoming more frequent and more sophisticated, the need to enhance cybersecurity is critical.

Overview

• With JPMorgan Chase’s early-October announcement of a data breach affecting more than 80 million customers being just the latest example, cybersecurity has jumped well up the list of issues most likely to keep bank executives awake at night.

• For banks, it’s yet another risk that must be addressed on an enterprise basis as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure, as well.

• Successfully addressing cyberrisk is not simply a matter of finding a technological fix but also involves people and processes.

Trends/developments

Attacks on banks come from a variety of sources, including organized crime, unfriendly nation states and so-called hacktivists out to make political statements by disrupting business. And, as the costs of technology continue to decrease, the barriers to entry into the world of cybercrime get ever lower while the Internet creates a target-rich environment for cybercriminals.

Indeed, as much of banks’ technology strategy has shifted in recent years to focus increasingly on customer service and convenience, financial institutions have also increased their cybersecurity exposures. At the same time, as banks have become more and more technologically interconnected with various vendors and other third parties, extended data supply chains have expanded their vulnerability to cybercrime.

A 2014 report, prepared by the New York Department of Financial Services, examined the state of cybersecurity in the banking sector. The report, based on the department’s 2013 survey of 154 New York depository institutions, found that most institutions, regardless of size, reported breaches or attempted breaches of their IT systems over the past three years.

While the methods used in the intrusions or attempts varied, including such techniques as malicious software, phishing, pharming and botnets or zombies, the New York survey found that the larger the institution, the more likely it was to be the target of malware and phishing attacks. The report acknowledged, however, that it’s unclear whether the discrepancies between the figures reported by institutions of various sizes reflected a true difference in experience or simply that larger financial institutions are better able to identify intrusions into their IT systems.

Depository institution cyberattack targets by size

Percentage of New York depository institutions reporting attacks, 2013 (N = 154 institutions)

Institution size        Malware    Phishing
Large institutions      35%        33%
Midsize institutions    21%        22%
Small institutions      13%        16%

Source: 2013 New York Department of Financial Services survey.


In remarks in April, U.S. Comptroller of the Currency Thomas J. Curry addressed differences in cybersecurity preparations between large banks and their smaller counterparts, noting that as large banks improve their cyberdefenses, hackers may increasingly turn their attentions to community banks as a point of entry into the larger banking network.

In addition to the wrongful activities resulting from cyberattacks widely reported by depository institutions in the New York survey, large financial institutions also noted cases of mobile banking exploitation, ATM skimming/point of sale schemes, and insider access breaches.

According to the New York report, the majority of financial institutions surveyed have a documented information security strategy in place for the next one to three years, though such a strategy was more commonplace at larger institutions. The survey found that while more than 90% of large institutions and 82% of midsize institutions had a documented information security strategy, such a strategy was in place at only 62% of small financial institutions.

Suggested actions

Banks must constantly prepare for potential attacks and regularly test those preparations. Further, in findings from the 2014 Cybersecurity Assessment pilot examination work program, the Federal Financial Institutions Examination Council (FFIEC) noted that financial institutions’ dependence on information technology, the industry’s interconnectedness, and the rapid growth and evolution of cyberthreats demand the attention of institutions’ boards and senior management.

Exposures stemming from third-party and vendor relationships must be addressed. The extended “data supply chain” created by such relationships is a common path for hackers to gain access to banks’ information technology systems. In addition to establishing risk management practices related to those third-party arrangements, banks also need to consider the vendors’ risk management practices and controls.

Banks must look for warning signals and identify potential vulnerabilities across the entire business “ecosystem” as they assess cyberrisks arising from third-party and vendor relationships.

There are various resources available to banks looking to assess and manage cyberrisk exposures, including the FBI’s InfraGard, the U.S. Computer Emergency Readiness Team, the U.S. Secret Service Electronic Crimes Task Force, and the National Institute of Standards and Technology.

According to the FFIEC, the attention that banks’ boards and senior management give to cyberrisk should include an understanding of the institution’s inherent cybersecurity risks, as well as routine discussions of cybersecurity issues, regular monitoring and awareness of threats and vulnerabilities, the creation and maintenance of a dynamic control environment, the management of third-party connections, and the development and testing of business continuity and disaster recovery plans incorporating cyberincident scenarios.

For banks, the cybersecurity task is an ongoing one, as cybersecurity arrangements must constantly evolve with the changing nature of the threat. Here there’s work to be done, the New York report suggests: Only 49% of institutions surveyed reported their information security strategies adequately address new and emerging cyberrisk exposures, while 31% said their strategies needed to be modified to address emerging risks and 22% said further investigation was needed to understand those new exposures.

Wrongful acts most likely to result from financial institution cyberattacks

                                          Percentage
Account takeovers                         46%
Identity theft                            18%
Telecommunications network disruptions    15%
Data integrity breaches                   9.3%

Source: 2013 New York Department of Financial Services survey.


Strategic growth in 2015

In the coming years, banks will continue to face a challenging environment characterized by tight operating margins, an evolving regulatory landscape, and a range of known and emerging risks. Recent data and trends suggest that organic growth will remain elusive, particularly with more restrictive regulations. To identify sustainable sources of revenue, some institutions have already begun reassessing their business models and product portfolios. Given this pervasive uncertainty, we believe banks would be well-served by focusing on operational efficiency and risk management as paths to generating additional profits — in essence, optimizing the factors that are within their control. By building capabilities in these areas, banks can also develop the assets to pursue growth opportunities as they emerge.

We will continue to monitor banking trends throughout the year and share our thoughts and analysis.


The authors would like to acknowledge the significant contributions of Ilieva Ageenko, Molly Curl, Nichole Jordan, Tariq Mirza, Jose Molina, W. Graham Tasman and Markus Veith to the research underlying this report.

Contact

Jack Katz
Global Leader
National Managing Partner
Financial Services
T +1 212 542 9660

Nigel Smith
National Leader
Financial Services Advisory
T +1 212 542 9920


About Grant Thornton LLP

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

In the United States, visit grantthornton.com for details.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit grantthornton.com for details.

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
