As bank boards of directors prepare their 2021 agendas, they face a set of risks and governing responsibilities both old and new. Some are standing issues familiar to all well-functioning boards: relentless monitoring and managing of credit, market, and operational risks—which can affect the bank’s profitability and basic safety and soundness—as well as financial crime. Also, of course, the impacts of the global pandemic will continue to demand attention until COVID-19 is controlled around the world.
Along with these issues, three evolving themes deserve fresh attention: climate change, cyberrisk, and social justice. While these themes are by no means new, they have become more prominent and pressing, and some have been intensified by the COVID-19 crisis. Boards should have a clear perspective on the implications of these themes for their institutions, understanding specific risks that could materialize. They also should hold senior management accountable for monitoring these themes and developing plans to factor them into the bank’s strategy and operations. While governments may address the themes through regulation or policy changes, banks that act now to develop an approach to these issues demonstrate prudent risk management. This is good for business and, in many cases, simply the right thing to do.
Climate change has been a known risk for decades, but 2020 was a watershed in widespread acceptance of the threat, particularly among the business and regulatory community. Indeed, climate change is likely to be a high priority for boards throughout the foreseeable future.
The Biden administration has made climate change a key element of its policy agenda.1 As an initial action, on January 20, 2021, the administration issued a statement to rejoin the United Nations’ 2016 Paris Climate Agreement.2 Additional announced plans include requiring public companies to disclose climate risks and greenhouse-gas emissions.3
At a regulatory level, the Federal Reserve Board of Governors announced in December 2020 that it had joined the Network of Central Banks and Supervisors for Greening the Financial System to support its “understanding of how best to assess the impact of climate change on the financial system.”4 Some Federal Reserve governors have gone further. In a December 2020 speech, Governor Brainard highlighted the systemic risk of climate change and noted the importance of disclosure, scenario analysis, and incorporating climate risks in modeling of credit, market, liquidity, and operational risks.5 In addition, the Climate-Related Market Risk Subcommittee of the US Commodity Futures Trading Commission issued a report examining climate-change-related financial risks and recommending actions by US financial regulators to understand and address these risks.6
While the specific implications for banks of new climate change policy remain to be seen, we identify three areas requiring near-term attention. These enable a better understanding of the potential risk and could be required by prudential regulators, without legislative action.
Climate risk management. As a foundational step, banks should understand their climate risk exposure and incorporate climate considerations into risk management more broadly. This not only represents prudent risk management regardless of policy action, but also positions the bank for possible future regulation. Already in Europe, supervisory guidelines and regulations coming into force require the integration of climate into risk management at banks and the incorporation of environmental factors into credit decisions.7
Climate disclosures. The second near-term step is disclosure of climate-related risk exposure over some transition period. Apart from potential regulatory requirements, investors and other stakeholders have begun to push for disclosures and target setting. This pressure is part of a broader trend of divestment from companies not meeting investors’ expectations for attaining climate goals and shareholder pressure to reduce activity in high-emitting sectors. A globally accepted template already exists, courtesy of the Task Force on Climate-Related Financial Disclosures (TCFD) of the Financial Stability Board (FSB). This public-disclosure reporting framework consists of four pillars: governance, strategy, risk management, and metrics and targets. It has been used by British, Canadian, and Australian banks for several years and has been embraced by the BlackRock Investment Stewardship initiative.8
Climate-related stress-testing. The Bank of Canada, in one example, has announced plans for running climate-change scenarios with a pilot of six large Canadian financial institutions.9 Similarly, the Bank of England is introducing a scenario exercise to “test the resilience of the current business models of the largest banks, insurers, and the financial system to climate-related risks.”10 The scenario exercise will encompass both physical risks (e.g., damage from extreme weather events) and transition risks (e.g., impacts of a more carbon-neutral economy), with participation from 19 large financial institutions.
Actions for bank boards
Boards should expect management to provide an integrated view of how the institution is approaching climate risk, together with a view of how business opportunities will shift. The first step is embedding transparency—a clear view of emissions as well as climate-related risks and impacts. Looking ahead, annual strategic-planning exercises and major strategic changes between cycles should explicitly consider any emissions targets and climate risk implications.
US bank boards also should prepare now for climate-related stress-testing in line with evolving global standards. In particular, boards should expect management to review the implications across the entire stress-testing framework, so they can begin to understand how to incorporate climate-related risks. Banks can test processes and build capabilities by developing preliminary estimates of losses due to the potential direct and indirect impacts of climate-related scenarios.
Especially at larger banks, boards should pay close attention to how global peers, including in Canada and the United Kingdom, are responding to evolving global standards. This will help them adapt relevant models once US policies and regulations are finalized.
Cyberrisk has been on most boards’ radar for some time, but recent events have underscored how far many institutions still need to go in improving their security and cyberrisk management. Specifically, the recent SUNBURST malware attack was unprecedented in its reach and scale. The attack, which compromised third-party software used by numerous government agencies and many Fortune 500 companies, resulted in unauthorized access to systems and sensitive data.11
Even as external actors are becoming more sophisticated and aggressive, banks are growing more vulnerable. While digital and analytic transformations have been underway at many institutions for years, in response to the COVID-19 pandemic, banks have accelerated the introduction of new digital and analytics offerings at scale for customers and employees. Even before the pandemic, the majority of institutions had not sufficiently invested in their technology infrastructure and risk management capabilities, so they carry a “technology risk debt” relative to their needs. In our experience, this risk is often heightened for banks engaged in M&A activities, requiring further vigilance.
Risks such as loss of sensitive data and unauthorized access to systems resulting in misdirected funds have a direct impact. Regulators are also increasingly taking notice, renewing the focus on technology risk management, and broadening the types of incidents that banks must report to their prudential regulators. Regulators also recognize the risks introduced through the rapid adoption of digital technologies during the COVID-19 pandemic and will expect banks to articulate how they are managing and mitigating these risks.
The SUNBURST attack and increasing regulatory scrutiny should compel banks to intensify their consideration of the risks in their digital and technology landscape. We identify three areas requiring particular near-term focus.
Incident response. A renewed focus on incident response has resulted from the increased manifestation of severe cybersecurity events, the new types of risks that exist, and the acknowledgment that attacks can have downstream impacts on other institutions. In December 2020, for example, the Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corporation (FDIC) issued a joint notice of proposed rulemaking requiring banks to notify their primary regulator of major computer security incidents no later than 36 hours after identification.12 Major security incidents include data breaches and interruptions in service. If the rule is adopted, banks will need to review existing incident-response policies and update them to reflect the broader scope of incidents and faster time frame.
Third-party risk management. The SUNBURST attack showed that banks are increasingly exposed to cyberrisks in their supply chain. Banks should be evaluating their supply-chain risks with a level of urgency and regularity similar to that of companies that rely on supply chains to create value, such as advanced manufacturers like automakers. For many banks, this will require significantly changing the way they have evaluated vendors, both initially and on an ongoing basis.
The proposed OCC, Federal Reserve, and FDIC rule would cover bank service providers as well as banks themselves. It would require bank service providers to notify affected banking organizations of computer security incidents that could impair or disrupt the service being provided. The inclusion of bank service providers reflects the increasing use of vendors to supply technology-related services to banks and the risks inherent in those relationships.
Change management. The shift to remote interactions with employees and customers necessitated the rapid rollout and adoption at scale of a variety of new and largely untested digital technologies. Banks need to assess and prioritize remediation of key risks introduced in this process and should show their boards and regulators how those risks are being reduced. They also need to redesign change-management processes to prevent new risks from being introduced. These processes will need to incorporate risk mitigation “by design”—for example, secure by design, compliance by design, and privacy by design—as a core part of the value proposition. Along with this, banks will need to refine the engineering operating model and incentive structure to reinforce the redesigned processes.
Actions for bank boards
Boards will play a critical role in keeping bank management focused on and accountable for understanding emerging cyberrisks, remediating old ones, and reducing the introduction of new risks. Specifically, boards should request digestible summary reports on what vulnerabilities may affect key systems and how these are changing. They can use the SUNBURST attack as an opportunity to test the sufficiency of current reporting, particularly focusing on third-party and vendor concentration risks. One large bank recently undertook a fully independent cyber assessment in the spirit of a financial audit to determine its cyberrisk vulnerabilities, with plans to present the results to its board. Timely and accurate reporting on cyberrisks is a critical tool to ensure management is remediating old risks and limiting the creation of new ones.
In addition, boards should monitor banks’ responses to the risks identified. They should consider requiring—and pressure-test management’s prioritization of—actions to address new vulnerabilities. They also should closely oversee management’s efforts to eradicate existing cyberrisks. These efforts should include a focus on plans to mitigate any material new risks introduced when banks adopted new technologies over the course of 2020, in quick response to pandemic conditions.
Finally, boards should hold management accountable for fundamentally shifting the culture and mindset of technology development and deployment. This will require board members to have sufficient working knowledge of potential cyberrisks and the implications of management decisions. Boards lacking this knowledge will have to obtain it soon; for example, by adding members with technical backgrounds.
Many banks are closely examining social-justice concerns. Internally, they are focusing on equity in employee treatment and compensation, and on how they can best support employees who have been affected by the pandemic. Externally, banks are looking closely at the impact of their lending and banking offerings and policies, particularly—in light of the impact of COVID-19—at how lower-income and minority customers and communities are affected by these policies. Leading banks are publicly affirming their commitment to addressing social-justice concerns. For example, Goldman Sachs created the Fund for Racial Equity to support leading organizations addressing racial injustice, while JPMorgan Chase launched more than $1 billion in initiatives aimed at shrinking the racial wealth gap.13
Issues of social justice may also become more prominent matters of public policy. One potential area of focus is the racial wealth gap. In its first month, the Biden administration announced a new policy on racial economic equity: “The Federal Government should pursue a comprehensive approach to advancing equity for all, including people of color and others who have been historically underserved, marginalized, and adversely affected by persistent poverty and inequality.”14 Reflecting a similar concern, a bill introduced in Congress in August 2020 would have required the Federal Reserve to “minimize and eliminate racial disparities in employment, wages, wealth, and access to affordable credit” as part of its mandate.15 While this bill was not passed, it reflects the growing focus on this topic among policy makers. We highlight three particular social-justice issues in this context.
Equitable access to banking services. Boards should evaluate potential new policies in terms of their implications for supporting and advancing efforts to guarantee affordable banking services for low- and middle-income individuals and families. Such services include basic bank accounts, real-time payment systems, and easily accessible service locations. Fully understanding and meeting the myriad financial needs of all customers—especially low- and middle-income ones—and managing the associated risks are critical for banks. By looking beyond regulatory compliance and ensuring that their products and services are equal and equitable, banks reflect the needs and values of stakeholders, including customers, employees, and shareholders.
Consumer protection. New leadership at the Consumer Financial Protection Bureau (CFPB) will have the opportunity to review and revise policies on unfair, deceptive, and abusive acts and practices. Notably, the Biden administration has signaled plans to enhance enforcement of the Fair Housing Act and the Home Mortgage Disclosure Act, and empower the CFPB to enforce settlements related to discriminatory lending.16 The CFPB is also expected to rethink its approach to enforcement of consumer protection laws more broadly, such as expanding enforcement actions related to abusive acts or practices, as specified under the Dodd-Frank law.17
Community Reinvestment Act. The Biden administration has also signaled that it will prioritize strengthening the Community Reinvestment Act. These measures are likely to include enhanced coverage for fintechs and nonbank lenders, expanded requirements for all financial-services institutions, and stricter enforcement of standards.18
Actions for bank boards
Bank boards should maintain a clear view of new consumer policies, particularly those addressing social justice. More broadly, they should ensure that their institution has a clear stance on issues of social justice, reflected in both internally and externally focused actions.
This stance needs to be informed by an up-to-the-moment understanding of customers’ needs, of shifts in regulatory expectations and requirements, and of the expectations of all other stakeholders. No matter what institutions are doing of their own accord—and even if their actions go beyond what regulations require—they must be able to describe how their actions address specific expectations and requirements.
While 2020 brought a seemingly once-in-a-lifetime risk event, the COVID-19 pandemic, 2021 will deliver its own challenges. Forward-looking boards can help their banks thrive by adopting a proactive and thoughtful approach, first understanding and then managing and appropriately mitigating these key risks. To maintain resilience in today’s world, boards should require from management a periodically refreshed view of potential scenarios (from those that are likely to those that are uncertain but possible), how they would impact the bank, and how the institution would respond.