Risk-Management Deluge Has Some Banks Turning to Outsourcing
Boards at community banks are being asked to have greater oversight of cybersecurity issues as data breaches continue to mount. The challenge is balancing such work with other demands.
The banking industry and federal regulators are struggling to find a middle ground between financial inclusion and preventing bad guys from gaining access to the mainstream financial system but it doesn't appear a solution is coming anytime soon.
Community banks are facing tough choices when it comes to using outsourced labor or beefing up their own staff to handle risk-management tasks.
Industry challenges are well-documented, ranging from persistently low interest rates and tight margins to stiff competition and higher regulatory costs. While those issues help shape a case for outsourcing, banks are equally mindful about reputational risk and regulators' concerns about vendor management.
Confusing matters more is the broad definition of risk management, which can encompass areas such as credit analysis, capital planning and asset liability management.
Smaller banks are more likely to outsource functions due to the difficulty of hiring experts knowledgeable in fields like cybersecurity. And several industry observers believe that many risk-management functions can be successfully handled from the outside.
"We're seeing that outsourcing is still a viable option," said Michele Sullivan, a partner at Crowe Horwath. "Community banks are struggling to find the right resources to bring in-house or they find it to be very expensive which is part of the reason why outsourcing is attractive."
"Banks, especially community banks, can't keep up with the rapid pace of cyberattacks and security," said David Powell, president of consulting firm Vitex. "There are a lot of experts out there that can handle it much more efficiently on an outsourced basis."
Costs are a major concern. Experts in compliance and risk management, who often come from regulatory agencies or larger institutions, are usually expensive to hire.
Empire National Bank in Islandia, N.Y., which handles much of its risk management in-house, outsources its internal audit function because it is more cost effective, said Douglas Manditch, chairman and chief executive. It would be difficult for the $512 million-asset bank to hire the expertise needed for this in house, he said.
"It's probably harder for smaller community banks under $1 billion of assets to consider doing it in-house because of the level of audit that you need to comply with today," Manditch said. "We can actually gain experience through those companies that we couldn't employ because of our size."
However, banks are likely to keep certain functions, such as Bank Secrecy Act and anti-money laundering compliance, in-house because they involve reputational risk and are something that regulators are keenly focusing on, Powell said.
"To really manage, you need to know the bank intimately," Powell said. "You need to know the people and the processes. Regulators are saying, 'You need to own this.'"
There also comes a point when a bank becomes big enough that it can, in a cost-effective manner, attract the talent it needs to handle its own affairs, industry experts said. Though there is no magic number, such institutions typically have several billion dollars of assets. The complexity of a bank's operations can also have an effect.
Even then, management at bigger institutions may opt to supplement some in-house operations with outside expertise.
Trustmark in Jackson, Miss., lowered its services and fees by $280,000 in the first quarter after bringing some activities previously performed by third-party consultants back in house. When Trustmark decides whether or not to outsource a process, it considers fixed and soft costs, internal competencies and knowledge, emerging technologies and time sensitivities, said Jim Outlaw, the 12.2 billion-asset company's chief administrative officer.
"Outsourcing does have its advantages, including the opportunity it provides our associates to learn from industry experts and to cultivate deeper understanding of best practices," Outlaw said. "This has become increasingly important in the financial industry as regulatory requirements become more prolific and complex."
As it approached $10 billion in assets, Trustmark worked with outside sources to build its modeling and validation process for stress-testing requirements tied to the Dodd-Frank Act, Outlaw said. Doing so allowed its staff to deepen their knowledge and expand their resources to the point where they could bring such tasks back in house, he said.
Regulators are unlikely to pressure community banks to keep a function in house or to find an outsourcing option, said Trace Schmeltz, a lawyer at Barnes & Thornburg. Rather, regulators are focused on "protecting consumers and borrowers, and however that happens they are happy that it is," he said.
Outsourcing still has notable risks, experts said. Bank executives must manage the relationship and make sure there is a high quality of work, said Tim Scholten, founder of Visible Progress. Regulators have also been paying close attention to banks' oversight of vendor relationships.
While he noted in a recent speech that "properly chosen and managed" outsourcing can help banks in areas such as cybersecurity, Federal Reserve Board Gov. Daniel Tarullo also cautioned that such activity can lead to increased risk because a bank is no longer in direct control.
"I can imagine that, if the regulators believed that compliance was inadequate and it had been outsourced, there would be a criticism of that," Schmeltz said. "They would want to know the manner in which the vendors are selected and how functions were updated."