Every Friday, we bring you a few stories that caught our eye at the intersection of banking, technology/data, and staying ahead as a community FI.
This week, a few must-reads on non-bank vs. bank CRE risks, whether losses are being hidden, why finance, in particular, took the Crowdstrike failure on the chin, and understanding the metric the boss cares about.
1. Are banks underreporting expected loss in CRE?
Jonathan Weil at the WSJ writes on the apparent mismatch in credit losses between bank and non-bank lenders in commercial real estate.
The old system was called the incurred-loss model. To book a loss, a lender had to conclude it was “probable” that one had already happened. The term “probable” wasn’t defined numerically, but the bar was widely interpreted to be very high—perhaps a 70% or greater likelihood. Bankers used to explain, conveniently, that they would have booked more loan losses, if only the rules would have let them.
Under the new system, in place at most large companies since 2020, lenders from day one are supposed to continuously estimate their credit losses over the life of a given instrument, be it a loan or bond. The threshold for recording losses is supposed to be much lower—when they are “expected,” rather than waiting until losses probably happened. This was supposed to lead to more aggressive, and more timely, loss recognition.
Curiously, default rates have been higher for property loans backing widely held commercial-mortgage-backed securities than for the same types of loans on banks’ balance sheets. That underscores how traditional lenders have more flexibility to help borrowers work out their problems than do the vehicles that issue commercial-mortgage-backed securities, which can’t so easily “extend and pretend.”
Banking regulators have said they are aware there is a problem, while also assuring the public that this won’t be another 2008. An interview that Federal Reserve Chair Jerome Powell gave to CBS’s “60 Minutes” in February is worth revisiting. Asked about banks’ office loans, he said, “There will be expected losses. It feels like a problem we’ll be working on for years. It’s a sizable problem.”
The irony of that statement: If Powell was right about the losses then, under the expected-loss model, banks probably should have booked them already.
2. Getting Falcon punched by Crowdstrike
Patrick McKenzie presents a good technical explainer for the global impact to IT systems due to apparent failures of security software Crowdstrike. What is more interesting and relevant is the apparent role regulators played in opening the door to such widespread, and probably accidental, mayhem.
The United States has many, many different banking regulators. Those regulators have some desires for their banks which rhyme heavily, and so they have banded into a club to share resources. This lets them spend their limited brainsweat budgets on things banking regulators have more individualized opinions on than simple, common banking regulatory infrastructure.
One such club is the Federal Financial Institutions Examination Council. They wrote the greatest crossover event of all time if your interests are a) mandatory supervisory evaluations of financial institutions and b) IT risk management: the FFIEC Information Technology Examination Handbook’s Information Security Booklet.
The modal consumer of this document is probably not a Linux kernel programmer with a highly developed mental model of kernelspace versus userspace. That would be an unreasonable expectation for a banking supervisor. They work for a banking regulator, not a software company, doing important supervisory work, not merely implementation. Later this week they might be working on capital adequacy ratios, but for right now, they’re asking your IT team about endpoint monitoring.
But this necessitates a series of actions and dependencies that lead (maybe inevitably?) to events like last month’s failure, which has bigger ramifications.
But money is core societal infrastructure, like the power grid and transportation systems are. It would be really bad if hackers working for a foreign government could just turn off money. That would be more damaging than a conventional missile being fired at random into New York City, and we might be more constrained in responding.
And so, we ended up in a situation where we invited an advanced persistent threat into kernelspace.
3. Alignment, it’s not just for your car
Taylor Malmsheimer, COO of executive education company Section, shares practical advice on using key metrics to better align with teams and personally with your organization’s essential goals.
When I was at L2, our founder/CEO Scott Galloway spent at least one all hands a month discussing NDR (Net Dollar Retention).
He was relentlessly focused on this metric, which meant the rest of the organization was relentlessly focused on it. We tracked NDR obsessively and were constantly testing and piloting new products to grow our best accounts.
Sometimes, this was frustrating, especially when we’d sell products or services we didn’t have yet to retain a large account – and then have to shift other priorities (or just work more) to deliver.
But to become a leader in your organization, you need to be able to understand metrics like NDR and how they shape priorities and drive behaviors in your org.
Here’s why NDR matters so much and how you can help your CEO meet it….
And that’s for this week. As the Summer Games of the 33rd Olympiad wrap up this week, one more look back with the request from 14-year old Gold Medalist Arisa Trew that has her parents at odds.
Click below to let us know how we did: