The new security: Banks focus on cyber world, not vaults

Bank security was once measured in the thickness of vault walls.

The industry took literal iron-clad protections to keep safe not only money and valuables, but records and documents. But the architecture of today’s bank security looks different — to the extent it can even be seen.

“Nowadays, what we’re protecting is a bunch of ones and zeros online,” said Frank Sorrentino of ConnectOne Bank. “As far as cybersecurity risk, there’s more focus on it as a component for security at a bank than anything else.”

Sorrentino, chairman and CEO of Englewood Cliffs-based ConnectOne, said the number of ways banks can continue to provide data safety and soundness is top of mind in the industry. That’s because banks are extending their services online in every which way, sometimes deploying automated systems that feature less human oversight and depending on third-party technology firms.

“It’s part of banks just needing to be more and more efficient over time,” Sorrentino said. “Fee income opportunities are declining, so we need to generate a reasonable return on capital, and that is going to come from efficiency in the industry.”

This need to adopt the latest tools in the sector has become something of an arms race.

John Kamin, chief information officer at Provident Bank, said it’s a competition that involves banks and non-bank fintech competitors alike.

Like most current trends in the banking sector, the roots of this can be found in the financial crisis.

“For years, banks spent millions of dollars to retool and catch up to the new regulatory standard,” Kamin said. “In the meantime, so much had been changing with innovation in apps in the tech space. And while banks were working on the regulatory piece, fintechs were coming in with new perspectives — even if narrowly focused on particular products or services.”

But, increasingly, fintech startups today are working in concert with banks, especially given that the large majority of banks don’t themselves have the resources for technological innovation. This has encouraged the growth of a whole industry of companies out to develop new products for banks, alongside the tech firms that have long done that as vendors.

Kamin said it serves well those banks that aren’t in the category of behemoth national institutions. These banks are up against competitors such as Chase, which he said spent almost $10 billion last year on technology.

“We’re not going to pretend that a bank of our size can build everything from scratch with the risks involved,” Kamin said.

But here’s where the security question comes back in: Is the proliferation of third-party solutions at banks at all adding uncertainty into the safety equation?

Sorrentino doesn’t think so.

“Working with these big, fully-staffed companies, often I would trust that more than I would a six-person (information technology) department,” Sorrentino said. “Not saying it isn’t susceptible to being attacked, but I think it’s a better way to think about business as a bank. We’re not a technology company, even if we have to think like one.”

On the other hand, no one doubts that bankers have to keep a close watch on these developments. Kamin said it’s no comfort that a bank today may work with several third-party providers at a time.

“Because, in a sense, it’s actually making security more complex — and not actually improving the situation,” he said. “We have to tread very carefully. We can’t trust they know it all, because this is an extension of our own environment and we ultimately have responsibility for it.”

Most of the companies that associate with banks are subjected to many of the same testing mechanisms that banks are subjected to under regulations.

“And some regulators — without saying it out loud — look to us as being deputies that will be working with these guys to make sure they’re doing everything they have to,” Kamin said, “with the realization, of course, that, as a bank working with these firms, you have responsibility, too.”

Paris Roselli, who heads digital banking and payments at M&T Bank, said fintech startups are sensitive to that fact.

It helps that banks are increasingly taking part in the creation of fintech ventures — as was the case with Zelle, a new digital payments network.

M&T, ConnectOne and Provident banks are all adopting the use of the platform, which allows easy bank-to-bank money transfers, and going live with it next year.

The fact that this new fintech is a bank-driven venture makes digital banking experts such as Roselli confident the data security protections involved will be consistent with what banks have sought to establish for their own institutions. He puts that in opposition to Zelle’s dominant competitor, the non-bank fintech Venmo.

“What we’ve seen historically is consumers have been willing to do a trade-off on security,” Roselli said. “Look at the millions who entered bank login details for Venmo, giving up two of the most important pieces of their security to a service that they don’t know is totally secure.”

But it’s incumbent on banks to get involved in developing alternatives to comparatively unregulated competitors.

“We want to have something that makes it so consumers don’t have to go elsewhere, that they can get these same offerings directly through their bank,” Roselli said. “And it comes with knowing that, because it comes through their bank, it comes with security and the rest.”

Here’s a vote against a state bank

On the eve of New Jersey’s gubernatorial election, bank consultant Don Musso weighed in on the takeaways from the state’s next leader.

Musso, head of FinPro, said Phil Murphy was the candidate from whom bankers heard the most that could come to bear on the industry, for better or worse. Musso addressed Murphy’s proposal for the creation of a state-owned public bank:

“There’s only one in the country; it’s in North Dakota. Basically, the one there takes tax receipts and houses all the state funding. In North Dakota, it probably works. I’m not sure it will here. But I guess if it were run the right way, and it didn’t compete with banks — that don’t need more competition — for deposit or loans, if it was a funding vehicle for the state and helped facilitate loan participation in the state, then it could work.”

Musso said there are a lot of potential hurdles to the proposal, such as finding someone to run the public bank, given payroll caps on state employees. Overall, Musso believes the creation of such a bank will be complicated.

His view is also that proposed tax hikes for millionaires wouldn’t be good.

“If he follows through on campaign promises, we expect to have significant devaluation of high-end real estate because of the wealthy that could flee the state,” Musso said.

Musso just doesn’t have much optimism about the prospects for a champion for banks coming to prominence in New Jersey politics at all.

Right now, he’s most focused on what’s going on with federal policy — and the recently proposed tax reform, to be exact. In particular, he thinks the removal of a state tax deduction could clobber New Jersey banks and their clientele.

The local bank consultant also said he’s hearing a lot of questioning of whether S corporation banks, which Musso said are prominent in the Midwest, could be the business structure of choice for banks if the reform goes through.

“And we don’t know what to tell people besides sit back and wait,” he said.