What Makes an Institution Successful—A Regulatory Perspective

Sonia Portwood (00:00): Welcome to another episode of Banking Out Loud, where we dive into industry trends and topics that matter to community financial institutions. Today we're talking about what makes a CFI successful, all from a regulator's perspective. We'll uncover the key processes and practices that regulators often see, and successful CFIs sharing real-life examples of decisions that either worked out or didn't and what happened as a result. Plus, we'll explore how to build strong relationships with regulators and the best ways to steer clear of corrective programs and enforcement actions. Today we're joined by Cathy Lonowski, a seasoned expert in banking and finance with a wealth of experience from her time at the FDIC. Although Kathy is still very active in the industry, she recently retired and after an impressive 38 years with the Federal Deposit Insurance Corporation in San Francisco. In her last role as the regional director, she oversaw the operations of 350 insured financial institutions and led the risk management and consumer protection divisions across 11 western states. Kathy is here to share some valuable insights into what makes a community financial institution thrive in today's regulatory environment. We're really lucky to have her with us. Hi, Kathy. How are you? Good morning, Sonia. It's great to be here. (01:36): We are beyond thrilled to have you. Before we get started, could you share a bit about your background and your experience with the FDIC? Kathy Lonowski (01:44): So, my regulatory experience includes 38 years with the FDIC. The most recent position I had was as the regional director in the San Francisco region. Throughout that time with the FDIC, I saw a lot of different economic cycles and leading in a regulated environment subject to those economic fluctuations was a really critical role. And I worked closely with federal and state counterparts in maneuvering through that time. And I was the liaison with our Washington office as the regional director, so often responsible for presenting emerging risks and new issues to Washington. And glad to extend my banking regulatory background as a board member and director. Sonia Portwood (02:31): Well, thank you. I wanted to start off by asking you, from your experience as a regulator, what are some of the key processes and practice that you've seen in successful community financial institutions? What do they consistently implement? Kathy Lonowski (02:47): I think good communication internally within the organization and really understanding and having great management information systems and reports to be able to monitor trends and be proactive versus in a reactive mode, not waiting too long to address a problem, being able to pivot quickly is extremely important because there are so many things sort of coming at an institution, internal events as well as external events. So I think that really comes down to strong communication within the institution, good management reports, and then being able to pivot and being realistic with expectations. Sonia Portwood (03:30): Okay. And as far as the reports, do you see the challenge is actually having the good data to make these decisions? Is that a challenge for a lot of institutions? Kathy Lonowski (03:42): Well, it certainly can be, but I wouldn't say it's an insurmountable problem or challenge because I think with technology, data is getting better and better. Yeah, it's really understanding that data and how you analyze that data and slice and dice it to make sure that it's meaningful. Now, if you step back a little bit, obviously depending on what market you are operating in, there's always going to be probably better research data for a larger metropolitan area. For example, if you're primarily operating in a smaller community, you may not have the same types of of real estate data and and statistics to rely upon. However, I would also say in those smaller communities and markets, the bankers probably know their customers quite well. It's easier to know some of the local business and things that are going on that impact the financial institution. So data is certainly available. I think the key point there is data is as good as, you know, garbage in, garbage out, validating the data and how you model that data is, is really important too. Being able to back-test the data that you're getting and that making sure that's reliable is an important step. Sonia Portwood (04:58): Exactly, exactly. So can you give us some example of financial institutions where they did a great job of this and maybe some examples where they did not, and what were the end results of both? Kathy Lonowski (05:12): Well, I think I would sort of tie this into what a bank's corporate governance practices are and how they exercise corporate governance in an institution. To me, that really helped determine their effectiveness and maybe where they weren't quite as effective. It comes down to, to really sort of what some of the best practices are as far as corporate governance. So having that strong framework allows an institution to organize operational risk management reporting and financial processes to ensure the board is continually updated. And that way the board can develop its risk tolerances and risk profile for the financial institution and create a framework to control and mitigate that risk if necessary. Those banks that have been very effective in that have identified their risk profile and risk tolerances, and they've set both short and long-term goals related to the risk that they're willing to take and have controls around that. (06:14): So if a bank has been effective, the board's identified its risk tolerance and has goals set. They also have clear policies and procedures around that. So I think that's really a good structure to have in place. And those banks that have a structure in place tend to fare better. They're able to react quicker, sooner, faster. To me, it encompasses how decisions get made, how objectives are accomplished, and how progress is monitored. But bottom line, good corporate governance and best practices comes down to rewarding behaviors that are expected. So in those institutions where maybe that corporate governance framework construction structure has not been there, or they've run into some problems is there hasn't been timely information provided or presented in a context that has specific benchmarks or trends, and it's really not clear that there's, there's a risk. So having relevant and timely information that is meaningful is absolutely a must. (07:20): I would say another area where this is a best practice is, is that the corporate governance structure prioritizes internal audits and internal audit is able to identify risk, and then you're able to respond to them. If I can think of situations where perhaps an internal audit identified issues and concerns, and rather than respond to those issues and concerns, the risks were not elevated or they were not addressed timely, and then it's just like a snowball going down the hill that that gets bigger and bigger as time goes on. So prioritizing things from internal audits is, is extremely important. I think that corporate governance that I mentioned, really it's an opportunity to expose gaps or weaknesses that allows corrective action. I think where there can be a weakness is when people don't have the authority and accountability to take corrective action or they don't feel comfortable bringing forth issues and maybe the decision-making and or concerns, frankly, with bringing something to a higher level prevent action being taken in a timely manner. So really bottom line there is a good corporate governance structure not only improves the performance, but but you have to have trust among the stakeholders at the institution to provide really a strong robust system and long-term sustainability for the institution. Sonia Portwood (08:51): Yes, I would think so, especially when communication fails or there's lack of communication and priorities are different amongst the different leaders within the organization. But with the proper corporate governance, if you are actually following those, it should prevent or mitigate any of those things from happening. Kathy Lonowski (09:11): Absolutely. Sonia Portwood (09:12): Right. Okay. So you mentioned earlier when you were talking about c corporate governance and documenting and having your risk tolerance approved by the board. Do you recommend that the institutions involve their regulators in their risk tolerance decisions, decisions, or is that something that would just be discussed should there be a problem somewhere else? Kathy Lonowski (09:39): I, I would say that typically the regulators would not be involved in that decision-making. I mean, the, the board establishes the risk tolerance, and then it's really up to them to set up the controls and mitigating factors to, to address those risks. Now, if an institution gets into problems, then the regulators may have a say in the risk tolerance levels that are set and, and, and make recommendations to, to adjust down some of those challenges if there are problems that are identified. So that's really when that connection would be made with a regulator. Sonia Portwood (10:17): So if there's any doubt they should consult their regulator. Kathy Lonowski (10:21): I, you know, I always say that it's a good idea to have those conversations with the regulator, and in my experience frequently what would happen, a financial institution, for example, perhaps they're changing an aspect of their business plan or they're considering a new product or service, or there's something that's, that's really a, a pretty significant change in their strategy. Absolutely. Having a conversation with the regulator is, is encouraged. And I always have said that while the regulator is not, not a consultant, it's a tool in the toolbox. So reaching out to your regulator, either your state or your federal to discuss new or novel products is always a good practice and, and it's a good way to foster that relationship with the regulator as well. Sonia Portwood (11:13): So if you were going to look at the top reasons why financial institutions would fall under some type of enforcement action, would you say that it was typically because of a fail in corporate governance? Kathy Lonowski (11:29): It could certainly be one. I wouldn't necessarily categorize it just under corporate governance. Sonia Portwood (11:38): Is there any one thing that you see more than anything else that results in an enforcement action? Kathy Lonowski (11:44): I would say fundamentally, if the bank has not adhered to its business plan, and they are starting to, from things that have worked really, really well, operating outside of policy limits and really not having a good handle on the risk that's present at the institution. So exceeding the risk appetite at the institution is, is typically where they're going to run into problems. Like I've mentioned earlier, how important the data is and what the data is telling you, if you're seeing exceptions or unusual trends and deviations, that will be a clear sign that there's some red flags, there's something bubbling. I think historically, asset quality problems have created probably the most trouble for a financial institution. Now, that could be because there is a lack of corporate governance in sort of following those policies and practices that are in place, but when asset quality problems arise, it may not always be because of something internally that happened. (12:47): It could be external economic factors, economic, which we've seen, for example, through a pandemic or through a crisis and, and downturns in real estate, which, which we've seen over the years or in the past. So when asset quality problems arise, that typically will require increased reserves and capital to cover losses. So if a bank is not being responsive to those issues, knowing sort of when to slow loan growth or watching those signs of softening, that's where it's really easy to get into trouble and, uh, could create some kind of an informal or, or formal enforcement action. That's probably the primary area where banks do get into trouble just because asset quality problems can lead to low loss. Sonia Portwood (13:33): Well, we certainly witnessed that, especially back in 2009 and 10. Any specific examples you'd like to share with us? Kathy Lonowski (13:41): Well, one of the things that, that I have seen is banks will make the mistake of sort of maybe launching a product too too quickly, it may be a good idea, and other banks are entering a certain segment of the market and, and there sort of becomes this fear of missing out that we've heard about. What happens if there's a product that launches and you launch and then you build a policy and put the controls and, and address the compliance processes later, or even bring on the talent later? My experience is that typically does not end very well, and it's too easy to to go down that route. But in a regulated environment, it, it really is so important that, that the policies and controls and infrastructure has to be put in place. And I would just say this is just kind of an FYI for everyone. Formal enforcement actions are public documents, and if you read those documents, you can determine if you have any similar gaps or weaknesses in your own institution. And those are good indicators as to where maybe a particular product or service or or strategy is not working well, and it's a good way to test your own system. So, um, I Sonia Portwood (15:01): Would just ask, ask, it's also interesting, I'd never thought of it from that standpoint, but I guess you could sort of use it as a blueprint for what not to do, Kathy Lonowski (15:08): Right? What, what not to do, learn from others' mistakes, unfortunately. But is it is a good way to, to learn? I would say the, the other thing is if there are problems that have surfaced, think of it from the perspective of how would the regulators view that situation and ensure that management and their board enterprise of the actions and controls that are needed to remedy the situation and then implementing a prompt swift formal response may limit the need for a more formal or progressive corrective program. Just being very responsive and kind of thinking about it from the perspective of how the regulators would view a particular issue. Sonia Portwood (15:49): So owning the problem, taking the responsibility for the solution, and communicating that as well. Kathy Lonowski (15:55): Right. Sonia Portwood (15:56): So Kathy, financial institutions are feeling a lot of pressure from non-bank financial solutions that are being offered to their customers, and they feel the need to, to act and to act quickly in some cases. What advice would you give them? Kathy Lonowski (16:17): Well, so that pressure I think is certainly real, and I think it's important, but I would say like with any new product or service that a financial institution may offer, there has to be a robust due diligence process in place to understand the partner, the vendor, the third party, the regulators have published a lot of guidance on dealing with third parties, and it goes through a laundry list of actions that should be considered. In fact, there's also a publication on dealing with non-financial parties and could be used on either side of the transaction, whether it's the financial institution or the vendor. There are certain requirements that a bank as a regulated institution needs to have in place. So if that third party that's offering that product or service cannot respond to or fulfill those requirements, it's probably not a party that, that you wanna do business with. (17:20): I think it's just good fundamentals to do that due diligence and walk through the checklist. The other aspect I would point out is, does this new product or service, whatever it might be, really fit within the financial institution's strategic plan and vision. If it's just the next shiny object, is it really something that fits within their business? And do they have the skills talent a year from now, five years from now? Those are the just sort of some fundamental steps that have to occur. And just because somebody else is, is offering that product or service doesn't necessarily mean it's a good fit for every financial institution. Sonia Portwood (18:06): So Kathy, what are some best practices for ongoing relationships with the regulators beyond the examination period? Can you possibly give us some examples of how a bank can best achieve this? Kathy Lonowski (18:19): Sure. So having, having a strong relationship with your regulators is really important. And I would say the, the bank CEO or chairman of the board, they probably don't like surprises and the regulators really don't, don't either. So fostering a working relationship with your regulator is really important, and to do that outside of the examination cycle allows you to pick up the phone. When there is a problem, it's much easier because you've established a relationship with them previously. And since financial institutions, they're examined every 12 or 18 months, depending on the size and the rating. And maybe the largest institutions are examined under a continuous exam program, and, and so there's more frequent contact. But while I would say it's not a requirement to update your regulators on unusual items, it is certainly a best practice to do that. And if you have a change in business plan, or maybe there's even turnover and key positions, things like that, it's really a great idea to, to establish and have that communication. Some financial institutions will make it a practice to sort of preview plans ahead of time and get feedback and make sure that they understand the regulatory role and expectations related to whatever they're planning to launch. Sonia Portwood (19:38): Well, you know, that's not different really than anyone in a management position. They don't like to be surprised, and it's always better to get their input on the front end than to wait till you've spent a lot of time and energy somewhere. And then to get the input Kathy Lonowski (19:56): Right, an opportunity to clear upstanding of regulatory expectations, I can tell you, I, I've heard from vendors and consultants that they may say, well, this is what the regulators want. And I always thought, well, if you really wanna know what the regulators think or or want, then ask Sonia Portwood (20:16): Exactly. Well, I've heard bankers across the country say time and time again, if you communicate with your regulator, make sure they understand what you're doing and why you're doing it, and that you, as you said, have the right governance in place, that everything's fine, that things work out well. There's no surprises when exams come around. It's, those are good words generally, really best practices, Kathy Lonowski (20:41): Good words to advice. Sonia Sonia Portwood (20:42): , nobody likes surprises, not those types. Right. I know that there's a lot of confidentially here, but is there any example of a bank that just really missed the mark on this, and if they had had better corporate governance and better communication with their regulator, they could have sidestepped any regulatory action that they may have received. Is there any examples you'd like to give us that you think would be beneficial for us to, to learn from? Kathy Lonowski (21:16): Well, I would say this event with, uh, CrowdStrike is really kind of a pivotal lesson learned for, for everyone. And I think we asked institutions to go through a lot of process to have to plan for those unknown events and, and uncertainty. And it's really difficult to plan, but to have, have business continuity plans in place, the importance of that is so critical. And this CrowdStrike event is really a good example of, of why it's important to have business continuity plans in place to, to test ahead of time that your processes work, that you can recover in a timely manner, and that, that all of the systems are, are go, I kind of liken that to stress testing as well. Prior to when interest rates went up dramatically over the past several years, regulators would ask banks to stress test for interest rate changes, and we would ask to stress test a 400 basis point shock. (22:24): And frankly, when we would bring that up, we would get some eye rolls that, oh, well, that will never happen. Well, it did happen. So stress testing and planning for those unknown events is critically important. And I can also tell you that sharing that information and the outcome of, of those events, good or or bad with your regulators is, is probably a, a good best practice as well. I can think of situations where this is a little off track, but I think it's important for, for banks to sort of learn and realize why sharing the bad news sometimes with the regulators is so important. If, for example, there was a ransomware attack or some kind of a cyber event at an institution, and they're required to report that within a certain amount of, of time, but if that item can be reported to the regulator in a, in a timely manner, then the regulators can, through their systems alert other banks that may be subject to that same ransomware or cyber event. So that proactive approach with the regulators can help the financial system more broadly by sharing that information. So, uh, I just, I thought that was important to add to this element of just being, being responsive and how you can really foster that relationship with your regulator. Sonia Portwood (23:43): So when it comes to regulators, I know there can be a bit of confusion in the financial industry about how all the different regulators fit together. Like what's the hierarchy since you've been in the industry for so long, could you help clear that up for us? Maybe give us a quick overview of how the regulatory system works and how these agencies interact with each other? Kathy Lonowski (24:03): I would be glad to. I would, and I'll just add, I think if it was organized today, it probably wouldn't be organized the same way , but . Here's a, here's a little history. So banks are organized under a banking charter when they're formed or when they're merged. So the, the charter type determines who the primary federal regulator is. So for example, the Federal Reserve, they offer a state chart and banks that are part of that, the Fed are members of the Federal Reserve System. The Federal Reserve also has primary oversight for bank holding companies, the office of the Comptroller of the Currency, or OCC, they offer a national charter. The FDIC is responsible for banks with a state charter. However, those banks are not a member of the Federal Reserve. So those banks are referred to as state non-member institutions. Now, all three of those buckets are all FDIC-insured financial institutions, but they have a different primary federal regulator. (25:08): And there are approximately 4,500 institutions today with the majority of those banks being state non-member institutions. And then the other government agency is the Consumer Financial Protection Bureau, which was formed as part of DOD Frank's Wall Street Reform and Consumer Protection Act in 2010. And you might recall that that agency was formed to really oversee those areas that impact consumers. So for example, like payday lenders, private student, student loan companies, debt collectors, those non-financial, non-bank financial institutions were not previously regulated under one regulator. So the CFPB is really an advocate for financial risk that might impact consumers. So what is the overlap between the CFPB and the Prudential regulators? Well, the CFPB doesn't necessarily regulate banks themselves, but the agency has primary responsibility for certain consumer protection regulations for those banks with total assets greater than 10 billion. So the primary federal regulator may work with the CFPB of, uh, a bank of certain size, but otherwise they really kind of stay in their own. (26:23): Now, I mentioned earlier that all of the, the institutions are FDIC-insured and the separate agencies are responsible for supervising their banks based on the charter. But if a bank were to get into trouble, uh, the FDIC could exercise what's called backup authority and go in and join the other regulator on an exam. There's also the state regulators, so state regulators, each state has a department of banking, they're called different names, department of of Finance, et cetera, all have different names, but oftentimes for those state charter banks, so that could be either a Federal Reserve member bank or a non-member bank, they have a state charter, and the state may, uh, join the federal regulator on an exam or conduct their own separate independent state regulator, uh, that state exam. But, um, probably the, the area that I think is, is somewhat confusing for sort of the general public, unless you recall or learn this back in in school, is just how the Federal Reserve system is, is set up because the Federal Reserve system, which is often referred to as the Federal Reserve or simply the Fed, is, is it's really the central Bank of the United States. (27:45): It was created by Congress to provide the nation with a safe and stable financial system and has, has multiple responsibilities. But the Federal Reserve System is governed by the, the Federal Reserve Board of Governors. So that's the governing body. The Board of Governors oversees 12 reserve banks and shares the responsibility for regulating financial institution activities and is the agency of the government that reports directly to Congress. So the 12 reserve banks operate really as sort of arms of the Federal Reserve system, and each reserve bank operates within its own geographic area or district. And while they do operate somewhat independently, they each carry out the same four functions such as supervising and enforcing consumer protection lending to financial institutions if necessary. And then they play a really important role as far as the nation's payment system, including distributing cash and currency and operating the electronic payment systems. (28:51): Each of the reserve banks can have different initiatives and areas that are important to them. For example, what's important to the Kansas City Federal Reserve may be different than what's important to the San Francisco Federal Reserve. They also adopt different initiatives. For example, fed Now that was really led by, by one of the reserve banks. It wasn't by all 12 reserve banks. They could have certainly, and I'm sure they did have a role and input, but it was an initiative led by one of the reserve banks. So that's kind of it in a nutshell. And, and really the OCC and the FDIC are organized in a similar fashion in that there are different regions or districts and they report to their headquarters office in Washington DC. So that's a little bit about the background. There's a lot of information sharing that occurs between all of the federal regulators, which is really an important role. And I'm probably a little biased being with the FDIC, that having that information as the insurer of financial institutions was extremely important. And so there's regular communication between the primary federal regulator regulators, as well as, as the state regulators when it comes to supervision and policies and procedures and so on. Sonia Portwood (30:11): Is there any top dog for all of them? Kathy Lonowski (30:14): No, they each have their own. So for example, the Office of the Comptroller that supervises nationally chartered institution reports to the treasury. The Federal Reserve system is with the Board of Governors, and the FDIC is an independent agency funded through deposit insurance premiums. So ultimately, they all report to Congress in one way or the other, but there's not necessarily a hierarchy amongst the three federal regulators. One thing I didn't talk about is the Federal Open Market Committee, which is the, the 12-member group of the Federal Reserve System that sets monetary policy during the year. So the monetary policy, which we know influences interest rates and, and can impact financial conditions, we've seen interest rates that have, have gone up, and they're really have been at an all-time high. Um, the Federal Open Market Committee makes all the dec decisions regarding the appropriate position or stance on monetary policy to help the economy, and they've been under a mandate to try to get inflation under control. The, the folks that are on the Federal Open Market Committee, the FOMC, it's comprised of the seven members of the Board of Governors and the president of the Federal Reserve Bank from New York, and then four of the other Federal Reserve members represent the 12 voting member members on the FOMC. And then the four folks can alternate from the 12 reserve banks over over time. But that's really the decision body that influences monetary policy and interest rates and conditions which impact our financial conditions and the overall economy. Sonia Portwood (32:05): I think it's great that we're able to share this. Maybe it's worth talking a little bit about the relationship between the state regulators and the Fed and the rotation of the state-chartered banks between the two and how they work together. Kathy Lonowski (32:21): Sure, sure. A state-chartered bank can be examined either independently or, or jointly. So joint in, in some cases, they, they may exercise an alternating schedule where one exam is conducted by the, and then the following exam cycle. The exam is, is conducted independently by the state. So it's done on an alternating basis every 12 or 18 months. And, and some cases it may just be, um, a resource issue or perhaps just the sheer size of an institution. It's much easier to conduct a joint examination where both the federal regulator and the state conduct the examination at the same time. I know some institutions would say we prefer to have a joint examination, and it's certainly a possibility where poss an institution can, can indicate its preference to have either an independent or a joint examination. So the regulators really do try to coordinate with the institution as well as with each other in executing their supervisory responsibilities. Sonia Portwood (33:31): You know, this is information that the average person doesn't even think about. Kathy Lonowski (33:35): I know. I know. Sonia Portwood (33:37): Yeah, you just, they don't even think about it. We can't thank you enough. We really appreciate this. Thank you so much. Kathy Lonowski (33:44): Yeah, Well, thank you. Sonia Portwood (33:47): I hope you found this conversation as eye-opening as I did. We touched on a lot of important topics today from proactive communication and strong corporate governance to the crucial role of little management and the importance of building strong relationships with regulators. Thanks for tuning in. If you haven't already, be sure to check out our other episodes and subscribe. So you'll be the first to know when a new episode drops. We're always looking for suggestions on what to cover. So if you have something in mind and would like to be a guest on our podcast, please drop us an email at banking out loud at PCBB dot com. Until next time, take care.