Opportunities and drawbacks

Virginia Business talked with six community bank executives in April about the challenges and opportunities they face. The group included G. Robert Aston Jr., chairman and CEO of Portsmouth-based TowneBank; G. William Beale, president and CEO of Richmond-based Union Bankshares; James C. Cherry, Richmond-based CEO of Charlotte, N.C.-based Park Sterling Bank; William J. Ridenour, president and chief administrative officer of Reston-based John Marshall Bank; Gary R. Shook, president and CEO of Middleburg-based Middleburg Bank; and Susan K. Still, president and CEO of Roanoke-based HomeTown Bank. The following is an edited transcript.

Virginia Business: What is the value proposition for community banks?  How are they different from regional and large banks?

Ridenour:  The biggest thing I notice is that, when banks get very large, they’ve got so many employees, that in order to control risk, particularly with lending products, they pull a lot of the authority into a central area, which they have to do. From our standpoint, when you have people that are in the trenches that are meeting with the customers and they can make decisions, they can respond quickly, they can customize things that you don’t see in the larger banks.  I think that’s the biggest thing that we see.

Beale: I’d add [that community banks] would rotate officers on the relationships. The person that a client had 10 years ago is probably the same person today and likely the one they’ll have five years from now … I think the other piece is, after this downturn, there are many of our clients who saw the big banks exit lines of business while we stood in there and continued to finance homebuilders.  We continued to finance others that were out of favor …

Still:  I really felt like the downturn caused a renaissance for community banking because, all of the sudden, the folks that were banking at the larger banks realized they had a choice.

Cherry:  I would only add that community banks provide in-market, personalized, flexible, customized services for their clients and as opposed to oftentimes out-of-market, commoditized services. Those commodities can be fine, and they can work for people as long as they don’t need something to be flexible or tailored for their individual needs.  Once they do, they begin to fall outside of the sweet spot with the very large banks, simply by their nature …  It’s just the nature of the organization that the community banks can be much more responsive and in tune to individual needs.

Aston: Back to ’08, when everything started collapsing, and for those of us fortunate not to have a lot of problems, the movement of the large banks pushing these credits out … led to a lot of business opportunities that actually made those years during the downturn some of our best years. My experience has been when these segments fall out of favor, as it did in real estate, for example, all of a sudden large banks, either by regulatory pressure or by self-imposed pressure, decide to reduce their percentage of penetration in those portfolios.  So then they start not renewing lines. Then the lines that they do get paid off are usually the better customers that can go to another bank. [The large banks] ended up remaining stuck with those that couldn’t pay.  At the end of the day, my view is they may have reduced the size of the portfolio, but the risk of that portfolio probably went up in the process because it was the better customer who could exit.  So, it didn’t feel good at the time, but looking back at it, it was a time of great opportunity.

VB:  It seems like every day there’s a new data breach in the news.  We’re curious to know how this issue is affecting community banks.  Are you investing money or staff to beef up cybsecurity?

Ridenour:  We just went through a conversion to a new operating system. A big part of that process was to increase our ability to have protocols for security, for cybersecurity, for ACH [automated clearing house] transactions and wires. It was a challenging process because our customers now are going through re-establishing their online banking systems and new protocols, but it’s something that’s really in the forefront of everything that we all do because our customers want to know that their transactions are secure. But it was a big investment and a big challenge for us. 

Shook:  We’ve just spent half of our last monthly board meeting talking about cyber risks.  The regulatory regime is trying to catch up to where the cyber world is right now … It’s not an “if,” it’s a “when” type of situation [as far as the possibility that a cybersecurity attack will occur] … Where we run into the bigger problem is the rest of the world that doesn’t follow the same set of rules that we follow … You go back to the Target [breach] scenario.  [The hackers] came in through the computer system that drove the HVAC system and then got into the client data. Then [the banks] ended up covering [all the losses] for everybody. Congress needs to wake up and get something moving on the cybersecurity so it just doesn’t leave us holding the bag. 

Beale:  Most of us in here, at least we do, pay professional hackers to try to not only penetrate us externally but, in sort of the Sony scenario, [find out if] they can get into the building and if they can get in the building, can they access data? That’s an interesting way to find out where your vulnerabilities are …

I would say, depending upon the size of the bank, we’re all investing somewhere between hundreds of thousands to millions to make sure that we’ve got every piece of it as buttoned down as we can. Probably the main reason nobody in this group has been breached is that we’re all fairly small banks, and we’re not known by some of the actors that would be trying to go after the bigger banks.

Still:  I think banks in general for a long time have been data-security focused. That’s helped the banking industry, but it does present problems with vendor management.  When we start doing business with other vendors, like the core processors, we have to make extra sure that they are very compliant and that cybersecurity is something that they take very seriously. We get reviewed by the regulators for vendor-management practices.  Training is another thing. We constantly keep our employees trained and test them to see if they know not to open certain emails.  We try to have something for our board meetings to keep our board members trained as well.

Cherry:  I think the biggest challenges for us are not the software and hardware and security procedures that we put in place, it’s educational, both internally and externally.  Internally, the biggest likelihood of entry into our system comes through email or internet. It’s an employee unknowingly or unwittingly clicking on a link or opening an email attachment … Externally, it’s the customers who don’t protect their systems that have to interact with us. They unwittingly open themselves up, and therefore gain an entry to us. 

VB:  What about with increased use of mobile apps by the customers?  Does that open another door of vulnerability?

Cherry:  It goes through the same kinds of protections.  The vulnerability usually there is … that customers don’t protect their information and leave it vulnerable. That’s the greater likelihood. … So [it is not as likely that a hacker would gain access] into the entire bank from a mobile app, but it does obviously have vulnerability for customers.

Beale:  You don’t want to be sitting in a coffee shop with an unsecured, open Wi-Fi doing mobile banking.  You’re probably putting yourself at way too much risk.

Shook:  We went through an update recently on our mobile system to a more secure platform. You’ve got authentication, dual authenticate, but nobody wants to add all that in.  They want ease.  They want to press the button and say, “Go,” and we’re trying to protect them in the process. You really want these multiple authentications so that someone can’t break into your system and thus into your financial information.  Everybody wants the data, and everybody wants it in their handheld, but they’re not as focused on the security you really need to be thinking through when you use those devices.

Ridenour:  One important aspect, I’m sure everyone would agree, is that regardless of how the breach occurs, the customer is going to look to the bank. Even if they created the breach, they’re going to say, “Well, you know it was your system.”  It is a public relations issue that we wrestle with every day.

VB:  How has [the use of mobile apps] grown at your banks?

Aston:  It’s definitely a growing part, I think, of every bank, every banking business.

Cherry:  We offer mobile banking capabilities to both commercial customers and consumers, and it’s a hugely important part of community banking going forward because it allows us to play bigger than our footprint. In the past, if you wanted to do business with people, you had to have an office near them.  Now, with remote capture and mobile banking, the ability to initiate and authenticate wires and transfers and those kinds of things through the phone, we now can bank much more broadly then we were able to. 

I think for community banks especially, mobile banking is going to be a hugely important part of their future.  Today, on our consumer side, for example, not only can you get information, transfer money between accounts and make deposits by taking a picture, but you can also pay your bills by taking a picture of them, and you can turn your debit card on and off by just flipping a switch on your mobile banking.  I think that will be ubiquitous, and everyone will ultimately be doing that.

Still:  I think mobile banking is very important, just like technology in general is so important for community banks.  It’s allowed community banks to really leapfrog in the industry. It’s our fastest-growing section and millennials are famous for wanting to use mobile banking.  It’ll be a growing field.
Shook:  [In] the community bank sector, we don’t have the same breadth of branch networks that the large players do.  The internet piece will not force us to have to have that build-out and infrastructure in bricks and mortar.  It really levels the playing field.  It maybe tilts it a little our way on the expense side, ultimately, because we can deliver this at a lot less cost than bricks and mortar would be.

Cherry:  But one of the largest areas of new adopters to mobile banking, interestingly, are the ones you would think least.  It’s the older people who are finding they can access their accounts and information much easier than they can go to a bank, and it’s rural people, a farmer sitting on a tractor who has to drive miles to get to the bank who now doesn’t have to do that anymore.  So while we think of it as being the millennials and the young, and they clearly were the initial and the largest group of adaptors, it’s now shifting.

VB: What about the emergence of FinTech startups that are offering a variety of financial services? Do they represent a threat to banks or can banks learn something from them? 

Beale:  FinTech came into being when banks were in a weakened state. All of them have started up since the downturn. You can make an argument that, had banks tried to create a LendingClub or a Prosper … we probably couldn’t have or wouldn’t have been allowed to. 

I think there are things to learn from them.  They’re a box, and the [lending decision process] that come out of that … is pretty interesting, but it has never been tested in a downturn.  It’s all post-2010. 
We partner with some of them and are continuing to look at that as an alternative way to deliver consumer loans, but we’re sort of toeing the water in trying to feel our way.
I think they’re a disrupter.  I think they will and do take business away from the banks, which is why I think you’ll find more and more partnering going on. 

Cherry: One of the reasons that FinTech has come [about] is because they’re not regulated. As they become a bigger and greater force, they ultimately are going to be subjected to regulation, and I think that will have a significant impact.

Shook:  I think that the real change will come where there is a downturn, and the music stops; then not everyone has a chair to sit in. Or there’s a breach. Then, and I’m being halfway facetious here, there will be new regulations put on the banks because of what FinTech has done cause they can’t regulate FinTech.  We always end up getting the brunt when these things take place.

VB: How is the regulatory environment affecting the bank’s profitability and your ability to make loans?

Still:  It’s certainly a drain on profitability.

Beale:  I don’t know that it’s affecting our ability to make loans.  Even after the downturn, I never felt that any regulation was prohibiting us from making a loan.  There may have been decisions around how the economy was and those sorts of things that kept us from making a loan. 

With the Dodd-Frank Act, a lot of artificial barriers or thresholds were created [resulting in] artificial decision-making by CEOs. I guess there’s two of us in this room that one day will cross $10 billion [in assets] if we just keep doing business the way we’re doing it. We’re probably three years away, and that $10 billion threshold is forcing artificial decision making.

Obviously, we are investing more in compliance, specifically focused on fair credit because of the impact and the focus of the Consumer Financial Protection Bureau, and that’s in hundreds of thousands of dollars of people and software. 

We are spending money on building out enterprise risk management systems, which have become the new buzzword for regulators to try to have this overarching approach, and that runs into the millions. All of that impacts profitability, and there aren’t that many banks that are making the same return on equity or the return on assets that we were making pre-downturn, and I think it will be a while before we can get back there.

Cherry:  It has significantly increased costs, helping to drive the consolidation in the banking industry, but it is only one of a number of factors doing that.

But I would disagree a little bit on the ability to lend.  It is much more difficult for banks to differentiate themselves from one another when they all have the exact same requirements for information that they have to comply with.

Mortgage lending, residential mortgages, would be a great example of that.  There’s no question there have been increased barriers to the ability to make mortgage loans and the difficulty of distinguishing yourself when you have a stack of documents that big that have to be signed by your customers and length of time before you can go through in the  process. That clearly has discouraged customers from borrowing.  So whether it’s kept us from being able to do it or whether it’s discouraged the customer from wanting to go through the process or not, the end result is probably the same.  It is a significant dampening effect on our economy.

If you look today at small business formation for example, it is dramatically reduced from what it has been.  I’m convinced that’s because of all of the criteria and hoops that have to be jumped through because of regulation and compliance issues that make it more difficult.  I think our whole economy is suffering significantly by virtue of the current pendulum having swung way too far from a compliance and regulatory standpoint.