This session explores empowering banks to establish their digital presence and compete effectively with industry disruptors like Chime. Learn how banks maintain compliance while navigating this intricate regulatory landscape.
Attendees will gain specific insights into developing innovative digital products and discover strategies for forging successful bank partnerships, all of which are essential for enhancing customer experiences.
This session is valuable to banks as they embark on their digital transformation journey.
Transcription:
Chris Napier (00:11):
Great. So thank you everyone for coming in. Just brief introductions really quickly, Christine.
Kristiane Koontz (00:18):
I'm Kuntz. I'm the Director of Banking Transformation, and that means just about anything to a salesperson. But what that really means for my day-to-day job is I've spent the last few years modernizing our banker and backend technology, making our customer data accessible and modernizing our integration capabilities as well as our organizational development and change management. And then just briefly about Zions Bancorp, we're an 87 billion regional bank, but what a lot of people don't know is we actually operate under eight different banking brands with local leadership in 11 Western states. So I like to describe that as community banking at scale.
Chris Napier (01:00):
And I'm Chris, I'm a Partner at Mitchell Sandler, and we are a majority women owned and managed banking and financial services law firm in DC where I lead the firms FinTech practice. So there have been a lot of sessions at this conference so far, a lot of great sessions that have dived pretty deep into particular specific topics. So we thought it would be helpful to sort of take a big step back and take a big picture view of just getting started with a digital channel or making decisions in terms of augmenting the existing channel with digital capabilities, sort of the high level questions and considerations to keep in mind to make sure you're setting yourself up for success and also to remain competitive and really happy to be able to have cion here with me to be able to go over some of the things that Stein has been doing because she's going to be able to do a much better job than I in providing real life examples and some lessons learned.
(02:08):
So jumping right in, I think one of the biggest questions is just whether or not digital is really the solution to what you're trying to do anyway. The fact that you're at this conference means you're well past that question, but I think it's still a critical exercise to really interrogate what you strategic objectives are that you feel that a digital solution is the right way to achieve that. And really this is a question of fitment and alignment, right? Between what you want to build and how that is going to get you to where you want to go. And because with any kind of digital solution, it has its own unique risks. Digital in particular is uniquely susceptible to that concept of risk layering where the more you start adding, the more you start building on top of each other, these small manageable risks start to accumulate into something that can become unmanageable. So understanding what you really need and tailoring what you're trying to build to those objectives is going to be critical.
(03:14):
And that really involves sort of laying out what you're trying to do and then also to keep yourself flexible and to also reevaluate in light of what your objectives are, whether or not the solutions that you have in place are getting you there and to pivot when necessary. So I think at Zion's, it's my understanding that you recently actually reached a sort of inflection point in terms of your digital lending channel and that you've also introduced a small business deposits channel. So maybe you could talk a little bit about what led to that inflection point and also what you hope to achieve with small business.
Kristiane Koontz (03:52):
Yeah, absolutely, Chris, and I think it's one of those things that's easy to say and a lot harder to do is to make those strategic trade-offs and decisions. So we had a national lending channel. We of course still lend in our footprint, but we had a national lending channel that was very targeted on a specific customer segment. And as interest rates started to rise, we started to evaluate that and really scrutinize those customer relationships. And we found that they weren't really any broader than that loan product. They had high overhead, we had margin compression, and so it wasn't a good fit for who we are as a bank to continue to do that, particularly as deposits became more and more important. And so we exited that business last year. And then on the other side this year we launched a digital deposits origination platform. And so a small business is a sweet spot for us. It's something that we do really well already in our footprint. And I think we're starting to see this play out where we have these deep relationships with these small businesses where they're driving deposits, there's lending activity, we've got other fee income associated with that. So a really rich strategic business for us. And so we've stood that up now with a digital national offering instead of just the footprint offering.
Chris Napier (05:15):
Yeah, so once you have those sort of strategic objectives down, you figure it out what it is you want to build to be able to get there, then that question comes up of how are you going to build it, right? Which is, and sticking at that high level view we're talking about the question of are you going with a sort of all-in-one off the shelf third party solution? Are you going to partner up with a FinTech that's going to distribute white label products and services for you? Do a lot of that build leg work and day-to-day administration, or are you going to really kind of own this and bring this in-house? Right? And all of those approaches have their own pros and cons in terms of speed to market, upfront capital and resource commitments, the type of regulatory scrutiny you might be able to expect from going in that direction as you alluded to before. In terms of are you, and this might be a strategic objective of are you trying to build deeper customer relationships or is it just about the numbers and you just want deposits and loans? And it's also important to keep in mind that these things will probably evolve as your channel evolves as well, where those needs will change and you might change direction or take different approaches and start bringing things more. So at Zions, how did you sort of approach this issue?
Kristiane Koontz (06:38):
Yeah, we take a, it's not a one size fits all approach actually for us. So where it relates to the customer, we really want to control that, and not in all cases, but where it's a strategic value point for the bank. We want to own that technology. And so for example, the actual deposits origination, we built that internally. We use a vendor platform that we built several apps on top of, but we control every screen, every click, every decision, all of the logic. And so that's one of those things, anything really core to the customer relationship, we'll build that out internally. And then there's other things that are more commodity that we could get to speed to market, anything sort of behind the curtain we can use. Fraud orchestration is a great example where there's great providers out there that can layer in many of those fraud controls from a technology perspective that we don't necessarily need to go build that, right?
(07:35):
And so that's a point of differentiation for us. Now, there's some things that fall in the middle. It's not everything customer facing. So an example I'll give is in our digital banking platform, we wanted to provide an invoicing and bookkeeping solution to our customers, and we felt like this would keep, particularly for small businesses, it may make them stickier in terms of a relationship with us, but it wasn't so core to our relationship with a customer that we had to go build it ourselves. And we didn't necessarily want to expend our limited development teams doing that kind of work. And so that's again where we partnered with a vendor to bring that in and integrate it into our digital banking. Now, I will say, just sort of implied in that is I think it's critical to own your integration fabric itself. Really being able to control those aspects will give you the flexibility as well. I think we'll talk about this in a bit of how do you swap in and swap out some of those providers as technology evolves as they're required, et cetera.
Chris Napier (08:38):
Yeah, yeah. So sticking on the topic of third parties, no matter what path you build, you are going to be dealing with third parties. Even if you bring everything in-house building on your own, there's inevitably going to be gaps that need to be filled where it just makes sense to take something from a third party solution rather than to absolutely build absolutely every aspect of this. So there's plenty of guidance that's already out there in terms of third party risk management, particularly in the technology context. So I think for today, we're just going to highlight a few things where at least in kind of my experience where I've seen some shortfalls in that sort of initial planning with the first one being is the third party that you're dealing with actually able to execute on your regulatory obligations? I think a lot of companies and earnestly so will be wholeheartedly behind compliance and we'll talk a good game, but when you peel back the onion a bit, sometimes you'll find that they just lack the infrastructure or the expertise or the experience to be able to really execute on that properly or give you confidence that they'll be able to do that.
(09:54):
And it's important to be able to understand where they're at and what their capabilities truly are. What sorts of things do they do at Zion to try to get at that risk?
Kristiane Koontz (10:04):
Well, a few strategies that have worked really well for us, one is we in our Agile teams, we've embedded our compliance partners and our risk partners directly upfront in the process. They're included in vendor selection, they're included in our actual scrum teams in terms of implementation and testing. And so they are there upfront with us to raise concerns. We actually build compliance acceptance criteria into every product and feature. And so that also helps us to ensure that as we go along, and then those risk and compliance partners, they know that they've got a direct line to me if they don't feel like they're getting traction, if something is getting overlooked. And so at the time that we're ready to go live with these solutions, they are our biggest advocates. They're the ones saying they're ready to go live. We've looked at everything. So that's sort of one big strategy that I would highlight, and I think some other leading banks are doing that as well.
(11:05):
The other is, and this is just a huge cost savings, we require these vendors wherever possible to provide us with a list of here's the regulations that I believe are in scope for my product and here's how I test for them. I've actually asked for test cases and then test evidence. And we have our compliance team go through and validate those. And sometimes we'll find, well maybe there's one test for a regulation that's this big. And so you either get a very early warning sign of this vendor has absolutely no idea what their compliance requirements are, and you can make a decision then and there before you've invested too much of, am I going to stay on this train and help them get up to speed and meet all of the compliance requirements that I have, or am I going to jump ship and I'm going to be able to do that really quickly before I've invested so much money and time in this relationship that it feels like it's really hard to get off that train.
(12:03):
There's a lot of inertia. And so those are some of the strategies that we're using there. And we'll actually, I've got a vendor right now where I've asked them to go back and I said, Hey, I don't see enough depth in this testing. And so before we invest more resources here, I want to see more and come back to us. I'm not going to be prescriptive on where the gaps are. Here are three or four examples and come and prove to me, show me your test cases, your evidence, et cetera. I've got a 700 meg file that I've got compliance people going through just to validate. And that protects the bank hugely in terms of the compliance risk. Our regulators love to see it. And then of course, just from an investment perspective, a big help. I will say at the end of the day, we own the risk. We can't solely rely on the vendor's testing results. It ultimately comes to us. And so we of course do our own independent testing, but this is just a huge risk hedge for us.
Chris Napier (13:04):
Yeah, and that's definitely critical, particularly when you're dealing with emerging technologies and novel technologies. Just the sorts of companies that are at the forefront of that are typically not super established companies with decades of track record that you can sort of find some comfort in. So it requires some more upfront homework in terms of determining where they're at, but then also that you've built in the sort of contractual protections for yourself and rights, particularly around audit and reporting and everything, to be able to facilitate that sort of in-depth oversight as a relationship goes.
Kristiane Koontz (13:44):
Chris, can I turn the question back on you? Yeah, because the lawyer here, I mean, what are some of those contractual protections you would advise your clients to look for?
Chris Napier (13:54):
Yeah, so I mean it's definitely in the area of auditing and reporting. I think you'll typically see on bank forms when it's a more typical third party relationship, not so much focused on technology where there are sort of boilerplate language in there about we get to audit you, we get to request certain reports, et cetera, but not a lot of thought is given into the details. And so I think with these sorts of relationships, it's not so much that you have different rights or obligations or contracts or forms in terms of the overall provisions, but that you've built in specifics and really kind of thought out, how is this relationship different than my typical relationship? And to be able to describe those out so that you don't end up in some dispute or having to argue about it down the road. And I think something closely related to this that I often see as missed is sort of appreciation for fourth parties. It's almost inevitable in the technology space where your third party is going to be dependent on its own third parties for various aspects of its solution. And so it's just critical to understand who they are, what they're doing, and what amount of oversight and control you're going to have over them because it's going to be more limited than with the party you're directly dealing with. So do you have thoughts on that?
Kristiane Koontz (15:18):
Well, yeah, I think it's a real challenge. And I don't know that there's a silver bullet there. I mean, the regulator has been very clear that we all own the risk, but I think the vendors, these third party vendors that are engaging with fourth party solutions have a real obligation. And I'm looking out and I see a lot of vendors in the room and you've got an obligation if you have an incident to be quick in notifying your customers that their customers data has been exposed. And we're still seeing challenges where major technology providers, and I'm very close to the core banking landscape for example, whether it's SolarWinds or other breaches, have been slow to let their customers know when they've been victim to one of these breaches and in an exposed a bank's customer data. And so we have got to elevate the transparency and speed with which that is reported.
Chris Napier (16:11):
And I think again, it comes down to at the early negotiation stages of these relationships of you're not always going to be able to get the kind of control you might ideally want, but to make sure you understand what you do have to be able to negotiate for what you can get, and then make sure you're comfortable with what the end result's going to be before you proceed. Things like if a fourth party fails, what happens in terms of substitution? How much input do you have? Can you due diligence them before they get inserted? And do you have the option to get out of this if it's an option that's unacceptable to you. And a lot of times these things aren't really fully thought out upfront. And then again, you're stuck sort of retroactively trying to negotiate what's going to happen here.
(17:04):
Alright, so then the last thing I think we'll highlight is to plan for failure. I think it's in the back of everyone's mind to some degree it's in everyone's regulatory guidance in terms of, particularly in the technology space. You just have to understand that a lot of times the people that are really at the forefront of technology are newer growth stage startup type companies and inevitably some proportion of them will fail. And that's not necessarily a reason to not engage, but it is something to understand and to be able to get your head around that. So is that something that's at the back of mind designs?
Kristiane Koontz (17:48):
Well, I think two sides of that. One is it's fine for an idea to fail, especially if it fails early. I don't like it as much when my vendor fails. And so we do a lot of due diligence around the vendors themselves, what do their financials look like? And we really audit those where we can, what is their ownership structure? How are they financed, et cetera, are they likely to be acquired? Are they owned? And PE is not terrible, but it could mean that there is a lack of investment coming or that could happen for many other reasons as well. I've seen great PE deals that have led to a product reinvigoration, but really scrutinizing the ownership, the financials, et cetera, the footing of the company, even just asking them what's your exit plan I think is important. And then on the point of test and learn, I mean I would just highlight that importance of owning your integration layer.
(18:56):
And that is part of the reason why we really wanted to control our customer experience as well, so that core look and feel to our customers. That basic experience wasn't so subject to a particular vendor. And we're not perfect there. We still have lots of exposure, but they're with larger providers, they're not with some of these newer entrants and we're planning for backups. We just had a conversation about a large provider of ours that we're hoping for better technology out there. There's really no one, but we know that we need to be planning for something, whether that's five years out or 10 years out, do the research now, know who that provider is so that if you find yourself in a situation where you want to move more quickly than you originally anticipated, that you're not starting it at square one.
Chris Napier (19:45):
And I think that's a great segue too. And the last thing I think we want to talk about, which is having an overall vision for this, a strategic roadmap for your digital channel, what it's going to look like six months down the road, a year down the road, several years out. I think a lot of times we kind of get lost in the weeds in terms of, well, I like this kind of shiny new capability. And you start to focus on the kind of components rather than the bigger picture. And having that long-term roadmap helps you sort of stay on track. And I think it helps you do a couple of other things too, which is make sure that you are defining an initial scope where you're going to be building incrementally so you don't end up biting off more than can chew up front. It helps you stick to sort of a path that's going to be conducive to achieving those strategic objectives that you've laid out. And then at the same time, it also helps you, I think, be able to step back and reevaluate where you're at at any given point of time, realize when something needs to change, when you need to make a pivot. But without that long-term vision, I think things can kind of go off the rails. So maybe you can talk a little bit about where Zions is at on its digital journey and what kind of considerations went into planning that out.
Kristiane Koontz (21:10):
Absolutely. Well, for this small business deposits origination channel that we just launched this year, so we're live in just a few markets, and that was strategic by design, it was narrow. We're doing zero marketing about this because we wanted to do exactly what you just suggested is get that experience, that real life feedback of what's working and then what do we need to tweak? There were other features that we felt like we didn't need them as a minimum viable product to get this out there, but we'd like to have them. And so we've got some time to develop those. And what we found interestingly enough, is the technology all works beautifully in this case that we recently upgraded our core. And so we're able to originate these accounts and even before the account is done originating, it's technically already boarded onto our core in real time.
(22:03):
It's in our customer master data management system. So all of that is working terrifically where we've got the friction, and this is where we're focused right now, is operationalizing all of that. And in particular, there is a human element to all of this, even if it's a digital channel and in particular that includes around fraud. And there's been a lot of conversations today around fraud. Many banks that you'll talk to will actually say, oh my gosh, you guys are crazy. You're doing a small business digital account opening and aren't you seeing huge rates of fraud? And by the way, when I say small business digital account opening, I don't just mean for a sole prop. We are doing this for broad use cases, much broader than the sole prop use case that I think a lot of other folks are pretty much everything other than a trust you can now open digitally with us.
(22:52):
But what we're finding is we still have a lot of human intervention that's required. We're using several fraud tools and we're putting in a great vendor for fraud orchestration, but there's still a human element and it's too much for us to scale. It's very controllable. The fraud rates are low, but we know if we start to crank up the volumes on this, it's going to be way too many people. And so that's where we're tweaking the processes, bringing in automation, looking at other vendors that can help us in this space. And then once we've got that really locked down, we'll launch to incremental markets and start building that out.
Chris Napier (23:28):
And I love that you alluded to this before, and also it was great that it was covered multiple times in the last session too, which is please include legal and compliance early. There is so many times when I have seen a project essentially at the point where everything's been designed, the term sheets have been negotiated, the vendors have all been selected, and that's when legal and compliance comes in to sort of fix the agreements and make sure that they're okay before everyone starts to execute. That's probably too late. And it's sort of a recipe for ending up with a square peg of a solution that you're trying to cram through around regulatory hole, which can lead to a lot of extra expenses and ultimately not an ideal outcome. So would you agree?
Kristiane Koontz (24:13):
Oh yeah, absolutely. And I think on the point of, obviously I agree because we bring those folks in early and our regulators have loved it. And that's an easy conversation when you say, Hey, compliance is here at the table with us. And we've been very transparent with the regulator wherever we see challenges. And then I think on the point of silos and the risk of maybe you've got different teams and they end up working on sort of solutions that aren't congruent or there's something sort of opposing, we don't see it as much on the compliance side because our compliance folks, just for us personally, they're so deeply embedded in what we're doing. And then they do a great job of connecting with one another. And so there's, we will sometimes get feedback back, Hey, we chatted amongst ourselves and here's the risk we see. We just needed some time.
(25:04):
But I've seen it happen. We had one item where it actually would've been a potential financial and regulatory reporting impact for us. So we hadn't foreseen because we would standardized one part of the process over here and we standardized another process with sort of a different solution. And when we combined those, it was actually going to create some change management from a financial reporting perspective that we did not want to go through. And so that's just an example where obviously we had those conversations, albeit later than I would've liked to. And so we were able to retool that. But I would just amplify the role of data governance in a lot of that. And I think it's very underappreciated sometimes when you think about not just data governance for the data that you're collecting, but how does that flow all the way downstream into financial and regulatory reporting.
Chris Napier (25:53):
And I think that's the last point we'll leave this at is that's a great summary of exactly why it's important to include those functions of the bank in there, which is it does a great job of helping with the silo problem, right? Because compliance and legal tend to be at the enterprise level, they have a full view of the organization as a whole and that having them involved allows you to essentially integrate as needed into the broader organization and manage your risk properly. And also they can help you identify all those regulatory impacts that might come from a new project as well as opportunities, right? It's not always a cost center to have compliance and legal involved. They can do things like assist with, well what positive CRA impact we might be able to leverage out of this new project. How can we use this maybe to reduce our fair lending risk rather than anticipating that it'll increase it. So there are very synergies that you can get out of various projects you might not have anticipated, but that illegal I or compliance side might be able to spot. So that does it for us today, and thank you so much for joining. Please do feel free if you do have any questions or want to talk to us to reach out to one of us. So thank you. Thank you.
Essential Tools to Thrive in the Digital Era
July 17, 2024 6:47 PM
27:16