Authored by: Lisa Ahrens
Baker Tilly recently hosted the Winter 2021 session of its Chief Audit Executive (CAE) Roundtable. Attendees were geographically diverse, from across the country, and generally possessed between $1 billion and $3 billion in total assets. Among the range of topics, the bankers provided their thoughts on the key risks facing their institutions and the industry in the coming year. Not surprisingly, much of the conversation stemmed from the COVID-19 pandemic and its impacts. Highlights from that feedback are summarized here and center around four main risk types: credit, cybersecurity, regulatory and staffing.
The primary concern of most bankers was the uncertainty of credit risk within the loan portfolio. Although some bankers pointed to the last economic downturn as a tool that provides them with a sound view of their borrowers, most participants acknowledged there are uncertainties in both loss amounts and timing of loss recognition.
Some banks are adding a “special watch” system flag for all loans with COVID-19-related deferrals, providing a mechanism for increased focus and timely action. Other banks were leveraging their existing current and expected credit loss (CECL) model preparation efforts with the performance of data analytics on their borrowers to quantify certain industries (e.g., leased office buildings, hospitality, etc.) and other factors. Core system capabilities vary in this area, but in general, the quality and quantity of data available impacts the ability to refine estimates and assumptions. Banks without internal resources may find benefit in seeking external assistance.
The volume of Paycheck Protection Plan (PPP) production and modifications varied among participants. The depth and nature of PPP loan underwriting also varied. The most robust approval methodologies took a worst-case-scenario approach that forgiveness would not occur, and the exposure would remain on the bank’s books; however, the majority of participants performed underwriting with the assumption of forgiveness. Also discussed was the value of documenting all deferrals with identification of the qualifying provision that was used in approving the request.
Adjustments to audit plans varied, with some banks performing targeted PPP and modification origination and approval reviews, others increasing their attention to monitoring for fraud (e.g., destination of PPP funds, etc.), and others focusing on operational issues (e.g., system maintenance for modifications, backlogs due to short staffing, etc.).
Cybersecurity has been a leading risk for several years, so its presence on most participants’ lists was to be expected. The current twist to this risk is, of course, the work-from-home (WFH) environment. Most of the participating banks remained in a hybrid working arrangement at the time of the sessions, with some staff on-site and others working remotely either part- or full-time. The roundtable discussed the combined likelihood that employees may become more lax in their daily habits, along with opportunistic fraudsters increasing their fraud attempts, resulting in increased focus on cybersecurity risk.
Some banks have provided ongoing cyber hygiene reminders and training. Others have performed audits of employees’ WFH connections to ensure they are adequately secured. Increasing the frequency and nature of social engineering exercises can also be a valuable tool to mitigate this risk.
Not surprisingly, given the political landscape and timing of the sessions, the potential impact on regulatory compliance was also discussed. Bankers viewed the election of Democratic President Joseph R. Biden, along with the Democratic majority in the legislature, as an indicator that the Consumer Financial Protection Bureau (CFPB) would be increasing its oversight of the industry. Nomination hearings are forthcoming for the head of this agency, and recent news reports point to an uptick in hiring. It is expected that short-term priorities will focus on consumers’ treatment under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
The participating banks’ primary regulators included the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC) and Federal Reserve, and they were in various stages of the examination timeline. Those that had already been subject to a remote examination were proponents of proactive communication of pandemic response activities. Some had prepared written summaries with timelines, actions, PPP and modification volumes, etc., and presented the information along with the requested examination materials. Generally, it seemed the remote exam methodology was well received.
Staffing challenges largely stemmed from extended WFH situations. Specific to performance of compliance audits and internal audits, without face-to-face interactions, participants noted barriers to building rapport and reading body language.
Onboarding of staff, both in the risk area and throughout the bank, has been impacted, as well. This often started with delays in filling open positions and continued through difficulties in training and instilling the bank’s culture, as well as barriers to team building. According to many of the participants, the remote environment has taken a toll across the entire onboarding process.
The trending risks noted here were derived from four sessions in December 2020 and January 2021. Individuals who attended the sessions possessed an array of experience in the world of risk, internal audit and compliance. Baker Tilly appreciated their candid views and feedback, and we are planning the spring sessions in April 2021. We invite you to contact your client service team with topic suggestions.