This article is the second in a two-part series.
The past year brought major changes in banks' awareness of emerging risks from cybersecurity and technological innovations. Meanwhile, regulators are urging banks to take greater responsibility for risk management or else face intervention. My five predictions for 2015 suggest that this will be the year banks step up their game.
Regulatory deadlines will make for a busy start to 2015. Financial institutions will be keeping pace with a number of regulatory deadlines, including changes to Bank Secrecy Act and anti-money laundering examinations, capital rules and flood insurance policies. They will also be dealing with the Federal Financial Institutions Examination Council's recommendation that banks participate in industry-sponsored cybersecurity sharing forums such as FS-ISAC (Financial Services Information Sharing and Analysis Center). Banks that neglect to allocate appropriate resources to compliance risk will face hefty fines, litigation, and in some cases, jeopardized M&A plans.
Cybersecurity risk will move to the top of banks' agendas. The members of the FFIEC released the results from their cybersecurity examinations of more than 500 community financial institutions in November 2014. The assessments examined banks' inherent risk associated with data points of entry, including VPNs, wireless networks and bring-your-own-device programs. The report found that many firms are insufficiently focused on the interconnectedness of cyber-risk. Banks need to strengthen their first line of defense and their reviews of third parties, and to update and clarify expectations for board members. Banks should expect increased regulatory scrutiny and expectations that extend well beyond the IT and information security departments.
Vendor management will become a top priority. As banks begin to think about their third-party service providers as a risk that must be assessed and managed, they will increasingly focus on third-party audits, paring down the number of contracted vendors they work with and improving contract management. As the cost of vendor oversight increases, expect to see consolidation in the number of vendors contracted by financial institutions.
Banks will shake up their boards. In 2015, banks will look to recruit stronger board directors who keenly understand emerging operational risks, cyber risk, compliance and technology. Regulators will step in to accelerate this review process for financial institutions that are slow to initiate change.
The risk management talent pool will continue to shrink. People who are talented and experienced enough to lead and support the risk management programs of the nation's largest banks are few and far between. In 2015, organizations need to join together to enrich the talent pool and find solutions to this global problem. This could mean looking to recruit people from academic programs, as well as providing promising employees with industry training and professional certification programs. Internal human resources development programs focused on governance, risk management and compliance can also help address this shortage.
Susan Palm is vice president of industry solutions at risk management and compliance software company MetricStream. She previously served as senior vice president of audit and risk at Sterling Savings Bank and as senior vice president of enterprise governance and risk management at Norwest and Wells Fargo.