If one looks at the bank industry as a whole, it’s easy to agree with Jamie Dimon, the chairman and CEO of JPMorgan Chase & Co., the nation’s biggest bank by assets, that we are in the midst of a “golden age of banking.”
This is true on multiple fronts. Dimon’s comments were directed specifically at the easing of the regulatory burden on banks, an evolution that has been going on since the change in administration at the beginning of last year. The lighter touch is most evident at the Consumer Financial Protection Bureau, which has taken a more passive approach to enforcement actions under its current acting director, Mick Mulvaney. The broadest base of regulatory relief culminated last month, when federal legislation was signed into law that eased the compliance burden on smaller banks in particular.
Banks are also reaping benefits from the cut last year in the corporate income tax rate from 35 percent down to 21 percent. The change led to a surge in profits and profitability.
These events highlight a trio of themes that emerged from this year’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago. Each theme is unique, but the common denominator is that bank boards face an evolving landscape when it comes to the macroeconomic environment, cyber security threats and the means through which a bank can navigate this landscape.
Profitability is a point that Steve Hovde, chairman and CEO of Hovde Group, stressed in a presentation on the current and future state of banking. Banks earned a record $56 billion in the first quarter of the year, which amounted to 28 percent growth over the same quarter of 2017. And while the industry has yet to report a return on assets above 1 percent on an annual basis since the financial crisis a decade ago, the average bank eclipsed that figure in the first three months of the year.
And banks aren’t just more profitable, they’re also arguably safer, former Comptroller of the Currency Thomas Curry noted in a conversation with Bank Director magazine Editor in Chief Jack Milligan. Curry pointed to the fact that banks have more capital than they’ve had in decades.
Yet, as Hovde noted, many of these positive performance trends are not being experienced equally across the industry, with the lion’s share going to the biggest banks. The return on average assets of banks with between $10 billion and $50 billion in assets is 1.27 percent compared to 0.72 percent for banks with less than $1 billion in assets. This is also reflected in bank valuations, with big banks trading on average for more than two times tangible book value compared to 1.4 percent for smaller banks.
This gap is projected to grow with time, in part because of a second theme that coursed through conversations at this year’s Bank Audit & Risk Committees Conference: trends in technology and cyber threats, which large banks have deeper pockets to address. Of all the things that concern bank officers and directors right now, especially those tasked with audit- and risk-related duties, the need to defend against cyber threats is at the top of the list.
There are approximately 20 million hostile cyber events every day, with an estimated 200,000 of these targeted at financial institutions, noted Alex Hernandez, vice president of DefenseStorm, a cybersecurity defense firm. Seventy-three percent are perpetrated by people outside the organization compared to 28 percent by insiders. It isn’t just criminals who pose a threat, as nation-state actors are behind 12 percent of hostile cyber events, with their timing tending to coincide with elections.
The solution, Hernandez notes, is to double down on the fundamentals of cyber defense. “The most effective way to address cyber threats isn’t to focus on the latest shiny object like artificial intelligence, it’s about educating your staff and securing your network.” To this point, most threats come through unsophisticated channels, be it an email phishing scheme or malware delivered by way of a thumb drive.
One challenge in addressing these threats is simply recruiting the right expertise—not only on the bank level, but also on the board. Finding and retaining the right talent in not only information security but elsewhere was also a recurring theme. Most board members in attendance acknowledge they don’t know enough about technology to ask the right questions. But recruiting people who do is easier said than done, especially for banks in rural communities, who often try to tap into nearby metro areas for talent, or offer creative compensation plans to mitigate risk and retain younger officers.
There are certainly reasons to suggest big banks are experiencing a golden age, but smaller and mid-size banks shouldn’t use this recent change in fortune as an excuse to rest on their laurels. It remains incumbent on bank officers and directors to stay vigilant against ever-evolving cybersecurity risks and focused on recruiting the talent and designing effective governance structures to address them.