Episode Summary
This episode of the Digital Banking Podcast explored the crucial role of cybersecurity in banking, focusing on vendor risk management. Josh DeTar spoke with Lara Sevener, Tom Walker, and Rob Carothers, partners at Jones Walker LLP, about the unique challenges faced by community and mid-sized banks.
The discussion highlighted the increasing reliance on third-party vendors for essential banking services and technology. Sevener, Walker, and Carothers emphasized the importance of due diligence and strong contract negotiation to mitigate risk. They discussed the need for banks to balance the benefits of technological advancements with the potential exposures they create. The group also stressed the importance of clear communication and partnership between banks and vendors.
Walker and Carothers shared insights from a recent cybersecurity survey conducted by Jones Walker LLP. The survey revealed critical gaps in third-party risk management practices within the banking industry. The conversation concluded with advice for community banks on navigating the changing landscape of technology and regulation, highlighting the importance of adapting and evolving to stay competitive.
Key Insights
⚡ Vendor Risk Management is Crucial for Banks
Community and mid-sized banks rely heavily on third-party vendors for critical services, creating a significant cybersecurity risk. Due diligence is not merely a formality but a crucial process. Thorough contract negotiation is also essential. Banks should clearly define data access rights, usage provisions, and incident response protocols in their agreements. Understanding how the vendor operates and who they partner with is also vital, as subcontractors can introduce further vulnerabilities. Banks must balance the need for innovation and staying current with technology against the potential risks associated with vendor relationships.
⚡ Cybersecurity Audits Should Be Holistic
Cybersecurity audits for financial institutions should consider both internal and external factors. A thorough audit goes beyond simply checking technical controls. It should also consider the institution’s overall risk profile, vendor management practices, data governance policies, and incident response plans. Regularly assessing vendor contracts, especially for critical services like core processing, is crucial. Focusing on data flow and understanding what data vendors access, why they need it, and how it’s used can prevent problems before they arise. Involving legal counsel and other stakeholders in the audit process ensures a comprehensive evaluation of risk.
⚡ Building Strong Bank-Vendor Partnerships
A successful bank-vendor relationship is a partnership, not an adversarial arrangement. Both parties share the goal of preventing data breaches and protecting customer data. Open communication and a shared understanding of each other’s operations and risk profiles are essential. Banks can leverage their regulatory experience and relationships with cybersecurity experts to help vendors strengthen their security practices. Vendors, in turn, provide essential services and technologies that allow banks to remain competitive. This collaborative approach benefits both parties and ultimately strengthens the overall financial ecosystem.
⚡ Balancing Risk and Innovation in Community Banking
Community banks face the challenge of balancing the need to adopt new technologies to remain competitive with the risks associated with these advancements. They often lack the resources of larger institutions, making it more difficult to manage cybersecurity risks effectively. Finding and retaining qualified talent is also a significant hurdle. However, community banks have a unique advantage: the personal touch and deep understanding of their customers. By leveraging this strength and partnering strategically with fintechs and other technology providers, community banks can enhance customer experience while mitigating risk and maintaining their valuable role in the community.
About The Guests

Lara Sevener, Rob Carothers, Tom Walker
Partners
Lara Sevener: Technology lawyer specializing in vendor agreements, outsourcing, and data privacy.
Tom Walker: Banking regulatory lawyer and community bank board member with a family history in banking.
Rob Carothers: Banking lawyer with experience in community banking, cybersecurity, and data breaches.
Rob Carothers: [00:00:00] now you get certain people within the bank, there’s always an internal struggle probably within banks, between the business side and the compliance legal side because compliance and legal are paid to make sure that you don’t take crazy risk and to pull back on risk. And the business people are saying, but there’s money to be made and so just within the bank itself, there’re gonna be different people pulling in different directions. And sometimes as lawyers we get put in the middle of trying to help balance out between the risk reward between those two components of the bank.[00:01:00]
Josh DeTar: Welcome to another episode of the Digital Banking Podcast. My guests today are Tom Walker, Lara Sevener, and Rob Carothers of Jones Walker, LLP. So I think the joke starts something like this, one podcast host and three lawyers walk into a bar. Look, I have to start with a joke because in all seriousness, I’m a little intimidated from staring down the barrel of the firepower of IQ that’s on the show today.
It’s not every day that I get the opportunity to have an unscripted, unstructured, and unpaid for open conversation with three incredible attorneys at the same time. That all being said, I actually take great comfort and look forward to today’s conversation [00:03:00] because Tom, Lara, and Rob bring a ton of passion and almost a calming personality to what can be some very intense and serious conversations.
One of the things that I really love about people is when they take what they do very seriously, but they try not to take themselves too seriously, and I’ve really found that in this group of folks here today. So while today’s conversations will span some really deep topics such as mid-sized FI cybersecurity, M&A trends, fraud risk management, succession planning to data privacy and usage rights, we’re gonna still have a lot of fun discussing how these complex topics can be broken down and find the positive in how community FIs can navigate these challenges.
So with that, Lara, Rob, Tom, welcome to the show. Thanks for joining me today. You three.
Tom Walker: Thank you.
Lara Sevener: Thanks for having us.
Rob: Josh.
Josh: Yeah, no, I mean, I always look forward to podcasts. They’re like [00:04:00] a kind of a unique special element of my day. And each time I have a new guest, like there’s always some unique reason as to why I am excited for that one. This one definitely stood out and like I said in the intro, I mean, I usually kind of, try to get into a certain mental state before coming in and doing these podcasts.
And this one I was like, man, hot dang, I gotta like really be on my A game. I gotta make sure I have my coffee. Like I got three rock stars on. So, I’m really looking forward to it. And the set of topics that you all provided me is things that would be interested in discussing, I think is really an exciting topic of conversation too.
And the one I really wanted to start with is, just maybe tell me a little bit about your firm. What do you all specialize in? How do you work with community financial institutions? Maybe give us a little bit of just the background and the structure. So that we have that in the back of our minds as we go through the conversation today.[00:05:00]
Tom: So who wants to start?
Lara: I think you
Josh: Tom, why don’t you take it away? You got the mic.
Tom: So we’re a full service firm, around 350 attorneys, mostly located in the southeast, southeastern United States. We do have offices, in DC and, Phoenix and other parts of the country, but mostly in the southeast. We do work pretty extensively, with banking clients, particularly community, mid-sized banking clients.
I’m, located, in Mississippi. Rob’s located, in Mobile, Alabama. And each of us have spent a good bit of time, working in all facets of, community banking and community banking law, cybersecurity, just becoming one of the more prevalent ones. Lara is, I would say that the, the tech expert of this, group, she’s definitely, focused more in, in the tech industry and all things tech.
Rob and I think probably rely a good bit on her, on, the technology aspect of how banking has evolved, but community banks and how [00:06:00] community banks are operating, just like every other business is changing. And I think Rob and I each have seen that in our practices over the last five years, where we have helped clients deal with, data breaches and, and all the risks that are involved, legal and otherwise.
And obviously that’s involved our practices as well. But Lara and Rob, what would y’all say?
Lara: Sure. Thanks Tom. I’ll go. I’m Lara Sevener and I’m located in our New Orleans office, but I have clients all over the country. And yes, Jones Walker is, is a, about 350 lawyers or so, as Tom said, and we advise in, across really every industry and, have virtually every practice area that you can think of.
So one of the benefits that, that we have is being able to sort of tag team things and work together. And so, Tom and Rob really have the deep banking and financial services expertise. And I as Tom said, I do a lot of tech work, so I advise clients with respect to really anything technology related.
A lot of my work is sort of, vendor agreements, outsourcing [00:07:00] agreements, bespoke software development, so kind of soup to nuts, anything with a tech, or data privacy component related to it. And obviously there’s so much of that in, in FinTech and financial services. So
Josh: I was gonna say, Laura, that’s like a whole three podcasts in itself.
Lara: Yes it is. you wanna
Rob: Yeah, sure. So, my name’s Rob Carothers. I’m, my practice area is similar to Tom’s. I spent a lot of time with our community and mid-size bank clients on regulatory issues in the financial services industry. Also part of my background is, my family’s been in community banking for probably a hundred years.
We have a community bank. I’m, I sit on the board of the, of our bank and have for the last five or six years. So I think I kind of bring both a, not just a legal perspective, but also a board perspective to looking at issues that our clients have, whether and we talk about it in our boardroom all the time, cybersecurity is probably an issue that comes up, if not every board meeting, every other board meeting.
And then as we have, examinations with our [00:08:00] regulators, that’s probably the hottest topic that comes up during exams or one of the hottest topics. So, very top of mind. And I think that the podcast where we’re talking about cybersecurity, the survey that our firm prepared that we’ll be talking about, vendor due diligence and management.
All that is very critical to, a lot of what we’re seeing with our bank clients right now.
Josh: Yeah. You know, Rob, that’s one of the things that I find, really interesting about kind of your background is having a seat on both sides of that table. And kind of, as I alluded to in the introduction to this episode, right? You think about, those big scary type of potential events like a cybersecurity event.
Nobody wants to be in it, and it’s not the thing that we ever want to have happen. Hopefully we prepare for it, but it, I kind of almost liken it to a fire extinguisher in your kitchen. Like you, you kind of know, you probably should have one, you should probably make sure it’s up to date and it’s gonna work, but you really hope you never have to use it.
And in that arena, I [00:09:00] feel like you guys are kind of the fire extinguisher, right? You’re like, Hey, look I really hope I don’t ever have to make that phone call, but goodness gracious, if I do, like, I want somebody who really understands both sides of the table here and really understands the impact, not only to us from just an incident kind of response and what are we supposed to do and legal implications, but also just a, almost a, a brand awareness hit, right? You think about, at the end of the day, a financial institution. Why do I choose one financial institution over another? One of the biggest reasons, especially in community financial banking, is trust.
And a cybersecurity event can completely erode that overnight, and you could have spent a hundred years building it. So, Rob, would you mind maybe just kind of kicking us off by starting a little bit with, you mentioned this cybersecurity survey that your firm has done. Tell me a little bit about that and, how did you guys go [00:10:00] about it?
What is it and what were some of the unique findings you got out of it?
Rob: Yeah, sure. Be glad to. And Lara, Tom, jump in obviously to to help me flesh this out, to start with. But, so our firm, starting several years ago, we started focusing every two years, on a particular industry to do a cybersecurity survey, on industries that, that we’re, I guess our firm has a lot of clients and expertise in.
And so we focused on the maritime industry in the past, ports and terminals, I think oil and gas and energy. So this year we decided to focus on the community mid-size bank space in terms of cybersecurity. One, because as we’ve talked about, our firm has a, has a very robust banking financial services practice that Tom and I and Laura are involved with.
So we have a lot of clients. We see this firsthand. We know it’s top of mind for regulators, banks, and boardrooms. And if you look at the recent OCC/FDIC surveys for emerging risk at the top of that list, in 2024, probably for the last several years has been cybersecurity.
So we [00:11:00] know the importance to the industry of this issue and this topic, and we thought it would be a good resource to, engage, with a, some partners to go out and to conduct a survey to understand just how prepared our client, not just our clients, but just the banking industry overall, how prepared it is, what is their perception of how prepared their peers are.
When it comes to vendor management, ’cause I know with Tom and I we’ve seen, and Lara, we’ve seen a lot of third party vendors. Banks are highly regulated, their vendors really aren’t regulated. And a lot of times the issues that we’ve seen just personally in our experience has been with third party vendors.
So we’ll get into that. I know. In the course of the podcast as far as some of the issues we’ve seen there, maybe discussing ways to be prepared for, a vendor issue. But that was a reason for our focus this year on the community, mid-size bank space, just our firm expertise as well as just knowing with the regulators and our clients, just how big of an issue this really is for the industry.
Josh: That makes a lot of sense. I wanna put a pin in that and come back to [00:12:00] it, the financial institution’s regulated, the vendors not, right? And, I think that’s an interesting topic I’d like to touch on, but, I think that’s also too why it’s cool to have all three of you on the podcast today because, you’re touching a lot of different areas of the business of a financial institution when you do something like a cybersecurity audit.
Right. So, Lara, with kind of your tech background, how did that play into your thought process for this survey?
Lara: Yeah, I mean, I think it’s really interesting because, with my tech background, I really see technology as a force multiplier. You see how transformative it can be. And I think what we learned when we were speaking to these banks is, often they may be smaller, they may have more limited resources or just leaner teams, and so naturally, it’s important to stay competitive. And they, I think that technology can bring great advantages, by, leveraging things like AI and other emerging [00:13:00] tech. And increasingly, it’s sort of unavoidable. I mean, it’s just, the rapid evolution of change is, all organizations kind of have to embrace it to, to keep up.
And so, I think that we, where it’s a sword and a shield, right? We try to counsel clients in, the things to look for proactively that they can do to help, protect their environment, secure their environment. And then also, sometimes, I think we found that many organizations use, small and midsize bank organizations use, use, third party service providers as sort of an extension of their workforce or an assist, to assist them with maintaining security of their environment. So they work, hand in hand with, with vendors many times. And as Rob said, it’s critical to just make sure that you’re really, assessing that relationship at the outset and thinking, really understanding how the parties are going to interact, so that you can address everything in the contract.
Josh: Lara, when you guys went through and, kind of created this survey, what were kind of the mechanisms that you used to create the line of questioning? And what I’m trying to get at is [00:14:00] maybe as you built this out, how much of a lens did you apply to like looking at things like, directly under the control of the, the institution versus indirectly?
Lara: We sent many, survey participants, a pretty extensive list of questions. And so we asked, we, we took a survey of, we asked all sorts of questions like that. Like, who has an internal CSO, what, how do you manage the risk? What role in your bank or, institution is responsible for, for cybersecurity, preparedness, for incident response, things like that.
And so we really kind of, because of the variation among, small and midsize banks, I think we approached it with fairly open ended, questions so that we could sort of understand all the different places where, where the different, where the different banks were and how they each managed these risks respectively.
And then sort of saw where the, concentration points were.
Josh: How [00:15:00] many financial institutions did you include in the survey if you’re able to share?
Rob: I think it was 125 total. Total respondent. Yeah.
Tom: Yeah. And they were really from all over the country. We, we had probably, most of our respondents I think were from the, the southeast, but we had respondents from each region of the country as well. So it was a fairly well represented group.
Josh: and Tom, like what was the, the swath of size of institutions?
Tom: So we actually, quote that in our survey, and I’m referencing it right now as we’re talking, but, we had only 1% of our respondents were less than a hundred million, which, is probably your smallest group of banks now. The vast majority of our respondents, were between a hundred million in assets and, 4.9 billion in assets, which is, still a pretty small community bank.
I know that sounds like a lot of money. But you know, it’s 5 billion in assets is still a pretty small community bank. And for, from the purposes of regulatory, considerations, usually 10 billion is kind of your [00:16:00] cutoff for, community banks. That group was roughly 75% of our respondents.
We did have, almost 10% that were between 5 billion and 9.9 billion. And we had, around 15% that were greater than 10 billion, but less than 50 billion. So it was a pretty well, represented group, but the vast majority of the respondents, 75% or so, were between a hundred million and 4.9 billion, which honestly are prob is probably the group that struggles the most, trying to get their hands around, cybersecurity in this new world.
Josh: Yeah, that makes a lot of sense. Have you guys run this survey before or was this the first time you ran this survey? For banks.
Tom: First time we ran it for banks. So as Rob mentioned we have performed the survey in the past, for groups that probably are a little less regulated, maritime and ports and terminals, and oil and gas. So this was I felt like the first time that we have, conducted the survey for a group as highly regulated as banking.
And I think that’s one reason, probably why, one of the main takeaways is that some of the [00:17:00] gaps are most centered around, third party vendors and, third party risk. ’Cause that’s kind of the hardest group for banks and regulators to get their hands around. But that this was the first time to do it for banking.
Josh: That’s good to know. So, so I’m curious for the group, what, were there any like holy cows, any big surprises that, you’d run this survey or similar survey with say, maritime right? And got a certain set of types of responses and then you run it in banking. Was there anything that like blew your mind when you got the responses from financial institutions?
Rob: Yeah.
Tom: I’ll mention, I guess what I thought, and I’ll let Rob and Lara go, but I, like Rob, we have a common background. I come from a family banking background as well, and actually spent early part of my career working with my dad, in about a 250 million bank. And one thing I recognize or I remember is, that bankers and lawyers are very different.
Bankers, one of their strengths is their optimism. And their ability to embrace [00:18:00] risk in order to make a profit. Lawyers avoid risk at all costs. And so it was a little unusual being a lawyer in a community bank and, and realizing that a lot of these vendor relationships that they get into, they, they really do very little diligence, before they enter into some of these agreements, or at least historically have.
Now, I think that’s changing a little bit with, the ri the cyber risk and the regulatory oversight. So I don’t think it was too much of a surprise, for me and probably Rob or Lara that, you know, third party risk, third party vendors was, was, was an issue that was identified. I think what was a surprise were some of the things that are not really being reviewed that seem to be pretty basic, such as parts of an agreement that are related to insurance requirements for, for third party vendors or indemnification requirements in the case of a breach.
You know, those things seem to be pretty low on, on everyone’s totem pole. And, and, you know, some other things that, that may even seem to be a little more difficult. Seemed to be a little higher, but Rob and Lara, what, what were y’all’s thoughts?
Rob: That, that, that was, that was my takeaway too. [00:19:00] When we first saw the results, and I think Tom, we were kind of scratching our heads just on some of the things that you would expect banks to be doing, really to comply with regulatory requirements that, that maybe 50% of the respondents were doing that, that was a surprise.
Things like making sure that your, your third party vendor complies with the, the federal banking regulations that, that require banks to, to do certain things. From a, a customer security standpoint, information security standpoint, 50%, I think it was less than 3% said they were doing that. That’s really required by regulation.
And then also prompt notification of, of a data breach is something that’s required. That was, I think, less than 50%. So, I think a lot of the protections that Tom and I or and Lara, when we’re looking at a vendor contract, first thing we go to would be to include identification, things of that nature.
Less than half of, of the respondents said that they were doing as part of their, their vendor review, diligence and, and contractual negotiation process. So that, that was along, along the lines of what Tom said. Probably the biggest takeaway immediately when I saw it.[00:20:00]
Lara: Yeah, I mean, I, I would love to have a, a different answer, but I think to me, the magnitude of the vendor risk really stood out. So I think that we found that 99% of the respondents, rely on third party vendors for what they would consider to be essential or critical functions. So things like cybersecurity or, you know, fund transfers, things like that, that, that, you know, were, I think due to their size, sometimes smaller, mid-size banks can be very, very reliant on, on their outside vendors.
And, and to Rob’s point, I think that. You know, if you think of the customer experience, they’re seeing themselves in the bank. But if, if you’re heavily leveraging a third party and, and that third party does not have, you know, something happens in their, in their environment or they have, you know, they improperly use your data, the, the customer’s looking to you, right?
And so the buck kind of stops with the bank. And so I think it, we were surprised at how little, and I don’t think it’s for, I think it could be sort of lack of awareness, but equally sometimes lack [00:21:00] of resources. I think that the, the time and attention paid in negotiating those third party vendor agreements, I think the importance kind of can’t be overstated at the front end.
Josh: Yeah.
Rob: would mention kind to, kind of, kind of add on to what Laura was just saying, you know, Tom and I have a, a community bank background just with the, the, the banks that our families have been involved with. And so we, we tru we truly understand kind of the limited resources that community bank has when it comes to negotiating a contract, doing due diligence.
The person usually, like at our bank that would be in charge of that is doing, wears 15 different hats and they’re, they’ve got a lot on their plate. And so I think it’s one of those things, it’s almost like they, they need to be doing a risk assessment of what are the critical vendors that’s gonna have access to the most information and kind of start at the top, like your core vendor who’s doing your core processing.
That’s the one that really you gotta focus on. If you gotta get outside help, that’s, whether it’s a consultant, law firm, whatever that’s truly got that expertise. It’s a good, probably a good spend to kind of, evaluate that contract. Somebody that’s got very [00:22:00] basic information, maybe not as sensitive, obviously that can be way down the list of contracts to, to maybe focus on.
So just, just pointing that out, I thought, you know, just. The lack of resources is key, I think, as to why maybe some of these banks aren’t doing some of this due diligence.
Tom: What, and I think one thing that was kind of interesting to me on talking about the vendor mix, and, and Lara mentioned how the survey said 99% of, of the respondents, use third party vendors to help address cybersecurity. But you know, it also said that 90% of respondents, you know, were using, third party vendors for banking as a service.
Which for this group I was a little surprised about. You know, a lot of these banks, you know, are probably not your most tech savvy banks. And so, you know, I, I don’t know that I would’ve expected that large of a percentage to, to, to really be engaging actively with, with tech for banking as a service.
But you think about things like Zelle and, and some other things that have really kind of become somewhat ubiquitous with all banks, and I think that’s probably part of it. But to Rob’s [00:23:00] point, I think it also reflects the fact that these banks, you know, they need more outside help to provide services that are becoming expected from all banks.
And so that’s, you know, not only do vendors, help them provide a solution, but but also as, as evidenced by a survey, they also can provide a source of risk if that’s not adequately managed.
Rob: Yeah, and, and I really see it more as a partnership, I would say, between the bank and the bank. Because it’s not really an adversarial type of situation because at the end of the day, it’s in the bank’s best interest and their vendor’s best interest not to have a data breach. So if the vendor can look to the bank who’s highly regulated, maybe more experienced with, with you know, cybersecurity and, and working with outside consultants, experts, they can utilize that experience because at the end of the day, I mean, if you’re a vendor and you have a breach, the bank’s gonna have a reputation risk to their customers, which I think is huge.
Maybe their big, probably their biggest risk. But if you’re the vendor, you’ve got the same reputation risk. ’cause if you have a breach and any bank, you know, anybody that’s looking to [00:24:00] use your service Google’s and sees you’ve been subject to some massive breach, you know, again, that’s gonna go towards are they gonna really trust you as a vendor to, to have that kind of sensitive information.
So it’s really a partnership, I think the vendor and the bank together working, drawing on each other’s experience to try to put together the most robust data security, cybersecurity processes, procedures, and controls they can have. And, and treat it like a partnership.
Josh: That’s a good point, Rob. I want to come back to that, but you know, Tom, you said something earlier that kind of stuck with me and then Rob, you were talking about it from kind of a different perspective and you were talking about how, you know, when you came into the bank you were like, it was funny to have a lawyer be in the bank.
Right. And, and just the different personalities and, I I, I think this is, you know, kind of a silly statement should go without saying, but I mean, that’s one of the things that’s so fascinating about us humans, right? Is we all have different strengths and weaknesses and we all have different personalities and you know, a lot of times we gravitate towards certain professions based on those personality traits and things and [00:25:00] Absolutely.
You know, we see a very different type of person starts a Silicon Valley FinTech versus as an attorney versus as a doctor, versus as an artist, right? And, and then Rob you were kind of talking about that, that exactly, you know, translates into, if you look at the makeup of the employee base of a financial institution, right?
They’re amazing bankers, but they’re not great lawyers. That’s kind of on purpose, right? And that, and that’s why it’s kind of so important to have those different partnerships, to bring in the unique strengths of, Hey, this is our area of focus and this is our area of expertise. Because a, a bank today does, they have to do so many things.
It’s, it’s just, it’s completely impossible to think that you could do every single one of those things the absolute best with just in-house talent, right.
Rob: For sure.
Tom: Yeah, and I think that’s especially true [00:26:00] for community banks, most of which are in rural areas where it, it’s sometimes hard to get talent, particularly young talent, to move to a small town, and, and, and young talent that’s very much in demand and in other areas, in other industries. And so I do think that that is a big reason, for third party risk management, you know, being the issue it is for, for community banks is not only, is that a risk that they may not, be well as well equipped to manage.
But it is also one that’s just generated by their needs because they have to fill those talent gaps with third party vendors to the extent that they’re unable to get, people in-house that can, that can provide that expertise.
Josh: Well, and Lara, you were talking about that in, you, you, you look at just how many external vendors it takes to support even a small to mid-size community bank anymore. You know, I’m coming up on my decade in providing, you know, technology to financial services and even just in that [00:27:00] timeframe, I remember when I first started, one of our largest customers had I think four integrations.
I think that same customer today has like 47 just for digital banking alone. And so you imagine, yeah, you, you look at just doing the cybersecurity on the one digital banking vendor, but then there’s 47 other connections and then you start talking about the third parties of the third parties and the fourth parties and just how many people start getting involved in this.
I mean, this thing becomes a really complex Rubik’s cube really, really quickly. And what I also have found really fascinating that I’d love to get your perspective on. Because I’m on the other side of this usually is in that same timeframe. I remember some of the first times that we went into contract negotiations and red lines and kind of to all of you have touched on the point of you know, if it was internal, just the team that was doing the evaluation to the vendor [00:28:00] also looked at the contract.
They’re like, yeah, I mean this thing kinda looks good, you know, so we’ll go, we’ll go ahead. Right to, you know, today some of the scrutiny that we go through, has changed a lot and we kind of laugh internally. I love when I see certain red lines, I’m like, oh, who burned you? Like, what made you have to put that language in there?
’cause you’re not putting it in there for fun and you’re not putting it in there just because like you’re putting it in there probably because you got burned or someone got burned. And then kind of like, I think Rob, you were talking about like. All it takes is one incident. Take cybersecurity breach outta the equation, right?
Just even one type of incident that happens to a critical vendor, say a major core banking provider has a serious outage that affects a bunch of different banks, right? I tell you what, the next bank that does a core conversion, whether it’s on or off of that vendor, doesn’t matter. They’re [00:29:00] gonna be that much more diligent about ensuring that there’s language that protects them, because you’re right, right?
Core goes down. Customer. The bank doesn’t call, you know, Fiserv and yell at Fiserv. They don’t know who they are. They got no idea who the core is. They’re calling the bank and they’re pissed because they can’t get to their money digitally, and that’s all that matters. So as you all kind of conducted this, were there any, you know, kind of realizations that came out of, of that, just how financial institutions are looking at the complexity of this and how they need to start thinking about navigating different contracts to protect themselves against this?
Lara: Yeah, I mean, I’ll jump in there. I think that, you know. What you’re describing is, is so true and I, I have, you know, I act for service providers as as much, you know, as I act for customers. And so I, I really liked what Rob said about it being a partnership. And I think that, you know, I having kind of sat on both sides of the [00:30:00] table.
I, I agree. I mean, sometimes there are, you know, services are priced at a point where they, you know, the service provider or the vendor may say, you know, I can’t underwrite all of this risk. This is not, you know, this is a one to many solution or the nature of our service is that this is how it works and this is the maximum protection I’m willing to give.
And that’s why I think it’s so critical. I think it’s really important. I always sort of go back to the data flow, and that’s kind of my first question every time I’m approaching a contract negotiation is, you know, what data will they have access to? You know, what is the purpose, for which they’ll have the, the access to the data, you know?
And there’s been a lot of movement in that space over the past, I would say 10 to 15 years. And, and so. You know, really just having a lot of a transparent and open discussion about the bank’s needs and how the service works, how the vendor, you know, does operate. And so sometimes you can flesh those, issues out really early on.
But, but I liked what you said about the Rubik’s cube because I think that some of these deals have gotten [00:31:00] extremely complex and, and I see it particularly in sort of the data use provisions, the data access rights provisions. Because you’re right, it’s not just one, it’s, it’s, you know, it can be an API, it can be push and pull, it can be, you know, there’s so many different data flows and there are different considerations that attach depending on how that data’s coming in, what it’s being used for.
And so, you know, I don’t know that we saw, I, I think that, you know, these issues are complex and I think that banks really understanding how the services work. I almost think it’s easier with the core service provider in that you typically might have more leverage, you know, with a big deal like that versus if you’re using.
You know, a software as a service for something or some other type of tech service that is, you know, really low price and, and you know, you’re not gonna have any leverage maybe to push for some of the protections that you need. So making sure that everyone in the bank understands, you know, how the service operates, what the, what the service provider will have access to, and then being able to really weigh that risk and understand, or, or, or put [00:32:00] mitigating measures in place so that you’re not so exposed.
I think that, all of that needs to be part of the conversation.
Josh: You know, Lara, I’m, I, I appreciate that kind of all three of you have talked about this, in that. And I kind of picked up on this, the, the very first time we got introduced and kind of had a quick discovery call before the podcast. And if I’m being totally honest, it’s one of the reasons why I was really excited to have you all on, very specifically you three as guests is you know, I think especially and quick legal disclaimer, I am not an attorney, right?
But I think what I find being on one side of that table is probably 99% of the time the issues get hung up around intent. Right. And when you’re able to just sit at the table and have a conversation about, well, what’s the intent behind this? And to your point, Lara, like, well, well tell me how this thing actually works and let’s understand this.
And, and Rob, [00:33:00] Tom, like both of you have touched on this, like this should be a partnership. And at the end of the day, like the contract, yes, it has to be in place to meet the what ifs, but in all reality, if it’s done right, it should be thought about as not necessarily a contract of like, I’m gonna screw you over or get you, if you screw me, it should be like, Hey, how do we put on paper that we both agree, like we’re going into this as a relationship, as a partnership.
And we wanna be able to navigate challenging situations with a framework and a guideline, and what’s the intent around that? And that should really set us up for success. And, and that kind of goes back to what I was, I was saying from earlier, right? It’s like sometimes you see these things and you’re like, oh man, who burned you?
Right? Like, why, why is that the ask? And when you actually understand more about that, I think sometimes that changes how the intent can come [00:34:00] across. Because I think we all have to recognize no one is perfect, right? And no company, no financial institution is ever gonna be perfect. You know? I mean, we talk about things like SLAs and up times, right?
I’d love to tell you that you can be a hundred percent for a hundred percent of the time for eternity. It is physically not possible, right? Like, and, and if anybody tells you that they are, they’re lying. I, period, end of story, right? AWS. Has gone down. I mean, if you look at the percentage, I mean, it’s a ridiculously tiny number, but it’s not perfect.
Bank of America has gone down, right? Like, let’s be honest here. So it’s not necessarily like I want a contract that says you’re gonna be up a hundred percent of the time. It’s like, Hey, what’s the, what’s the guide rails around when there is an issue? Have we structured this thing in a way where, kinda like you were saying, Rob, like we’ve [00:35:00] agreed that we’re gonna come to this together and like, I don’t wanna be down anymore than you do.
So let’s, let’s figure out a path for, making sure that everybody’s taken care of and that we have the right motivations in place. I don’t know, what are your thoughts?
Rob: I, I know when I’m negotiating a contract, whether it’s a merger agreement, whether it’s a vendor contract, whatever it is, my approach is always trying to balance the risk and make it a balanced, fair document to both sides and not a one sided document. We’re not, I know, at least from my perspective, I think it’s a, it’s, it’s bad business to come in and try to make something totally one sided, when it lengthens the process, but also it just needs to be fair, to both sides.
And so, I, I agree with everything you just said as far as, you know, the, the, the, the tone and the, the way this should be done. And I think it’s just making sure that if, if the vendor and the bank have a meeting in the minds of the services to be provided, who’s responsible for what and how that risk is allocated and shared and, and the liability associated with it to try to make the contract as fair as possible.
And balance is, is always the objective, at [00:36:00] least when, when I’m looking at it.
Tom: And, and I do, you know, I think, at least my experience, Rob’s, is probably the same. You know, most of the cyber issues that I’ve noticed, in the community banking space has not been really centered around vendors who were not able to provide their product. You know, for the most part, most of the banking vendors that we work with, do a very good job of maintaining, their service and making it available.
And, and that’s rarely a problem. You know, the biggest issue kind of gets back to, to, what Lara had talked about, which was data and data use and data sharing and, and you know, when that, becomes a problem, and that’s such an intangible issue. For both the banks and the vendors until it happens. And so to your point, Josh, you know, a lot of times banks, you know, don’t get burned by something or don’t realize it’s a problem until it becomes a problem.
And I know there was one specific data breach that Rob and I dealt with with several clients a few years ago, that that was a, a loan platform vendor that was going through its own [00:37:00] conversion. And through that conversion it was uploading, customer information from the bank’s server onto its server and then converting the software and then it was gonna put the data back onto the bank’s server and somehow it was breached in the middle of that process.
And I think in that process, the banks realized that they were not doing a good enough job of going through and, and culling out their data in order to make sure they didn’t, I mean, some of the banks that we worked with, you know, had customer data that went back, you know, 20 years. Some of ’em, you know, maybe even former customers.
And so that was not a risk that they had contemplated until it happened. And then I think on the vendor side, they really had never considered why they had to have that on their server to do the software conversion instead of just kind of leaving everything on the bank server. And so I think once those experiences are are, or once those both sides go through those experiences, you know, as you mentioned, that’s when they become much more important in the next contract and, and making sure that they tie things down.
And I think regulatory scrutiny has become a bigger issue on the, on the [00:38:00] bank side as well. And, and maybe some of those, harder lines that banks are taking on contracts to the extent that they’re really kind of going through ’em. You know, some of that I think is probably coming from, from reg regulatory scrutiny as well.
Josh: Yeah. You know, Tom, when you were talking about that, I was thinking, a a again, it’s just, it’s so interesting to see how, again, nobody’s perfect, so there’s always gonna be something, and then it’s like, what is the next thing? And then that becomes, and it’s like, you know, if you go back to the stone ages, it’s like, you know, our first contracts were probably pretty simple.
’cause they had no exposure to, they’re like, oh, I never thought that. Like Ugg would just use his club to hit me over the head and then take my tomatoes instead of like actually bartering for them. Like, oh, we should probably have a contract that says, you’re not allowed to just hit me over the head with your club and take my tomatoes.
Like it took the first time somebody got bonked on the head, you know, and then they’re like, oh, we should learn from that. So it’s like each [00:39:00] one of these. You know, different and, and I don’t even wanna call it events ’cause I don’t want to like tie it to just cybersecurity events or data breaches or something like that.
But, but each time something happens that compounds for that bank. Right. And then the network of sharing, again, it may not even have had to happen to you, but, so, you know, how do you all think about, you know, as you take all of these learnings, right? All of this information that you gathered through this survey, how does that like change your mindset going into this next year in helping to think about negotiating contracts for your clients?
Lara: I, I guess I’ll jump in. I mean, I think that, you know, what we heard in the survey, you know, I, I think just raising awareness on some of these things, like the, you know, I think that the, to me it’s almost pre-contractual too. I mean, [00:40:00] really just having, you know, for organizations to really, you know, either have someone outside or internally, you know, really kind of, sometimes we advise clients on like a data privacy, health check or a data governance, you know, and I think many, most of the small and mid-sized banks are already doing this, but kind of understanding, sort of, you know, it goes back to kind of the cybersecurity and, and really just risk, risk management basics of sort of knowing where your crown jewels are, knowing what your retention policy is.
You know, what are the downside risks on, you know, in any given situation. And so I think sort of the more that, you look at these, these issues kind of holistically, and you can approach that not just in the contract, but even in your, you know, day-to-day counseling of clients. But understanding that, you know, they need to be thinking about these things, not just at the contract stage.
There may be, you know, there could be a contract that’s been in place for 15 years, but now things are done differently. And so maybe that contract needs to be reopened and re-looked at, you know, different data is [00:41:00] moving, or maybe it’s moving in different ways now. Maybe we never thought about telling people they had to delete our data x number of days after termination of the agreement.
Right. So I think that we approach ’em when, when I speak with clients, about entering into any type of sort of technology transaction, but certainly one involving sensitive data as would be involved in, in many banking transactions. It’s, you know, asking these questions at the outset, asking. What will they have access to?
What is the worst case scenario? You know, have you thought about this? And really just helping, you know, make it be a conversation so that the bank has a very clear understanding of what their goals are going in and what is of critical importance to them. And that helps us then, you know, advise and inform and, and assist.
Rob: Yeah, I, I would just tack onto what Lara said. I think, as, as I’ve thought about it with, with our smaller bank clients, community bank clients that don’t have the financial resources to, to maybe pay every single time they have a contract come up for renewal, but work with them to kind of develop [00:42:00] for their own internal checklist, whether it’s contract review, here are the items that are, you know, to be aware of.
I mean, you, you may not be able to get that in your contract, but at least consider it and understand the risk if you don’t have it in your contract, what the risk is that you’re taking. And then from a due diligence perspective, kind of just procedurally here are the kind of things you should ask for a SOC two report, you know, a list of any recent data breaches or, audits, you know, that you can get a, a review of, you know, and if you see an issue, has that been addressed that way?
At least internally at the bank. They’ve got their own set of kind of procedures to, you know, if, if the lawyer’s not there holding their hand through that, that they’ve got their own checklist to kind of go through.
Josh: That’s a great piece of advice. Yeah.
Tom: And, you know, I, I mentioned too increased regulatory scrutiny and, and about a year or so ago, a year and a half ago, the banking regulators came out with some interagency guidance on third party risk management, and that’s becoming a little more disfavored recently. I think some members of the Republican Congress don’t really like that guidance and kind of asked them to pull it back.
But one thing that I thought was interesting in that guidance that it talked about, and this gets to Rob and [00:43:00] Lara’s points on planning, is it talked about the lifecycle of third party risk management, which obviously applies to cybersecurity as well. And you know, we’ve talked a lot about contract negotiation, but it really starts all the way back at planning.
You know, whenever a bank recognizes the idea that it needs a service or it needs a vendor, you know, planning how it needs that vendor and then doing, using that planning to inform its due diligence and then using that due diligence to form, its, its contract negotiation. And I really feel like a lot of community banks have historically blown straight past one and two and gotten into three and really didn’t do a whole lot of three.
But I think that is critical. To, to help pre prevent problems. Like, you know, what we just talked about with data usage. You know, why do you need this vendor and why does that vendor need the information? And I think, you know, if more banks do do that, I think it does kind of help maybe explain to both sides, you know, the reasons for those contractual provisions before they, before they get into the negotiation.
Josh: You know, I’m glad you said that, Tom. I think one of the things, you know, I, I steal this from a, a, a good friend and [00:44:00] colleague, but you know, we talk about when we talk to financial institutions is as you go through the vendor selection process, right, and as you go through the contract negotiation phase for whatever, it’s, say it’s SLA on uptime, say it’s data breach, say it’s whatever, let’s just use, you know, pick some arbitrary example and just random numbers, right?
If you’re down for more than 5%, you owe me a million dollars, right? At the end of the day, the bank couldn’t care less about the million dollars. They don’t want the money. Their customers don’t get any of that. They don’t care, right? I call the bank and I’m like, Hey, I couldn’t access my account when I needed to.
And they’re like, yeah, we need to understand, but we got a million bucks for that. They’re like, I don’t care. They’re like, I want the service. I don’t
Tom: You’re right. And that’s the, the reputation of the bank is on the line, with respect to the service that they can provide [00:45:00] to their customers. And obviously, you know, behind that curtain is the vendor that’s helping them provide the service. So, to your point, you know, they, they’re much more concerned whether you’re talking about a data breach where they’re, you know, have, have the embarrassment of having to notify their customer of the fact that their data has gotten out or their inability to, to provide the service.
You know, at the end of the day, that’s what, that’s really the bigger risk is the reputational risk, and it’s also the hardest risk to quantify. So, to your point, you know, getting, having a damage built in, if nothing else is, is maybe just a, a disincentive for the vendor to allow it to happen. But it’s, it’s really more about the bank knowing and, and being able to depend on the vendor to provide the service.
And by, and like I said, most, by and large, my experience has been that most bank vendors do a pretty good job with that. But you know, it, it, it does happen from time to time.
Josh: Yeah, well, I mean, there’s an interesting element to that, right? I mean, if you think about it from that perspective, so you just use that as an example, right? It’s like in that scenario, the bank doesn’t want the [00:46:00] million dollars, the, you know, service provider doesn’t really wanna pay out the million dollars, right?
Like, that’s a pretty uncomfortable conversation for me to go have to tell my board, like, Hey, why is our revenue down a million bucks? Well, I had to pay out a bank customer ’cause we, you know, failed on an SLA or something. So there’s obviously some, you know, quote unquote discouragement from that. But kind of like the three of you were talking about.
I mean, at the end of the day, if you pick the right vendor, the financial penalty again, shouldn’t necessarily matter to either the bank or the vendor. You’re both incentivized. Like, I want my services up. Because if I’m trying to sell another bank client and they call you as the reference, I want you to be happy.
Right? Like that lost customer, because you’re a bad reference, is, is gonna cost me actually more than that million dollar penalty. So, you know, again, this, this comes back to like a lot of this is trying to do the due diligence on the right types of, of vendors and partners. Where again, you know, [00:47:00] those contracts and things are guiding principles, but if you pick the right people, the, almost the culture, the heart of the organization is gonna matter actually even more so than that contract.
But like you were saying, Rob, I mean, it’s so important to have some sort of framework that guides the conversations for those contracts. Because it does, it becomes a set of guardrails for the conversation. It helps, you know, mediate the conversation to ensure that you know, as people and personalities and cultures and organizations and challenges and environments and regulatory frameworks, as all of these things change around each other, there’s at least a good bounding box for, Hey, we’re gonna come sit at the table and we’re gonna agree that you need us for a service and we need you as a customer, and we want to have a great, happy relationship that provides that.
Rob: [00:48:00] Yep.
Josh: So I wanted to come back to the, the point that you made from earlier, Rob, about, kind of as we were just talking about, right? We, we want to come sit at the table and have this conversation. We wanna have this partnership, but each of us are coming at it from different, positions, from different personalities, from different approaches.
Like a, a software company that’s a FinTech is gonna operate very, very differently than a financial institution. I mean, even from, I, I had a gentleman from a, a PE firm that invests in fintechs for financial institutions come onto the podcast and he was just talking about the difference in personalities when like a CFO at a financial institution is doing the due diligence on the FinTech and is looking at their financials.
A lot of times, you know, they look at a FinTech and they’re like, oh my gosh, like I cannot do business with them. They’re gonna go outta business in 12 months. They’re burning a million dollars in capital. You know, every month. They’re like, yeah, well I’ve 75 [00:49:00] million in investment, another 150 committed, and I can access a line of credit tomorrow for another 50 million if I need it.
And we’re reinvesting all of that in innovation and technology. But to a banker, that’s scary, right? Like, if their books looked like mine, it would be bad news bears and the regulators would come a knocking. So the comment that you made from earlier, Rob, was about, you know, a highly regulated industry like banking, working with and being very ultra reliant on partners that are not regulated the same way.
What have you found in, in kind of that dichotomy of that relationship?
Rob: You know, I think that it’s becoming so prevalent. I mean, the, the tie in between banks. Third four party service providers, FinTech. Right now we’re working with, I, I’m personally working with, with a couple of banks that are, you know, working in the digital bank space, [00:50:00] trying to set up a division that’s a digital bank. And you, when you do that, you’ve gotta rely on and be comfortable with FinTech companies that help you provide that service, that that’s a partnership.
I think the, the attitude now you get certain people within the bank, there’s always an internal struggle probably within banks, between the business side and the compliance legal side because compliance and legal are paid to make sure that you don’t take crazy risk and to, to pull back on risk. And the business people are saying, but there’s money to be made and so just within the bank itself, there’re gonna be different people pulling in different directions.
And sometimes as lawyers we get put in the middle of trying to help balance out between the risk reward between those two components of the bank. When I got put on our board, my uncle was CEO and basically said that his, his. I guess it was my, my great uncle had told him, don’t ever put a lawyer on your board.
’cause all they do is tell you no was his advice. So I, I try not to be that lawyer. But, but you know, you, you got in [00:51:00] internally. You’ve got, I think he said that in a way to be like, okay, just we we’re gonna put you on the board, but just understand your role here. You’re not just to tell us no, because you see risk everywhere.
So I do think it’s a balance internally between the financial compliance, legal and the business side. And I think, I guess going back to what I was originally saying, you’ve, you’ve got such an interplay now between the FinTech side and the bank side and third party vendors. I do think there’s more comfort level when you kind of put those two together and, and you’re working with a vendor.
I, I think you gotta be wary of the risk and who you’re, who you’re kind of partnering with and doing your due diligence. But I think there is just an understanding that we’re gonna have to take that risk if we wanna stay modern and current and stay, you know, on top of trends, there’s risk to be taken.
You just gotta make sure the partner you’re choosing has the kind of cybersecurity systems in place. And if, if, and it, and it goes back to your Rubik’s cube comment, know who they’re partnering with because, you know, you can’t just blindly give your information to a vendor and hope they’re not sharing that with sub [00:52:00] subcontractor that doesn’t have the same procedures that, that, that your vendor has in place.
And so, kind of protecting yourself, at least knowing what the risk is and trying to, to make sure your partner’s doing their own due diligence on their subcontractors, which they should be doing because ultimately that’s their reputation as well. You know. But I do think there’s kind of a, an interplay between, I guess, a more comfort level between the FinTech, the, the, the, the vendor side of it and the bank side of it.
And, and I think it just takes enough people at the bank coming together to truly understand that risk and, and kind of what they’re getting into.
Josh: Yeah. You know, I think risk tolerance is, is a big topic of conversation and you see, to your point, Rob, like you see varying risk tolerances within, you know, multiple institutions. You see it within one institution. I mean, I remember when my wife and I got married. And we sat down with my financial advisor to kind of bring all of our, you know, finances together, our retirement planning, et cetera.
And [00:53:00] I remember Zach, Zach was like, all right, Erica, look nice to meet you. I’ve been working with Josh for a while. He’s extremely risk tolerant. His portfolio’s a little bit crazy and aggressive, like, how do you feel? And she’s like, ho, poor mission. Like, I’m the exact opposite of that, you know, she’s like bonds and treasuries, you know?
And so coming up with a plan that worked for both of us and made both of us feel comfortable and confident in, you know, all our long term strategy, that’s just two of us and two people who, you know, agreed. We love each other enough that we’re gonna get married and we’re gonna do this whole thing together forever.
The two of us. In a bank, like I may be hired and then somebody else picks our compliance officer and I’m over here like, woo, crazy stocks, and they’re like, bonds. How do you, how do you bring those two parties to the table and come up with, you know, what is the risk tolerance of this institution? And then how do we create [00:54:00] processes, procedures, documentation around understanding, identifying risk in new partnerships, and then mitigating that to meet our institution’s level of risk tolerance.
Tom: Yeah, I, I think leadership is a big part of that. Not only executive leadership, but also the board. I mean, I think it’s the responsibility of the board and executive leadership to set the culture of the organization and to help both sides understand that we have to manage risk. We, we have to understand our risk and balance those risks, but we also have to make money.
And so I, I do think that culture and the communication of that culture, you know, the responsibility of that, and even the regulators said this, the responsibility for that falls on the executive managing board of directors. So I, I think, you know, if that happens. And, and they do the job they’re supposed to do, which is to, to really keep the big picture in mind and, and, and, and pursue both sides or both goals for the bank.
And then communicate those goals, to both sides. I think it will help [00:55:00] them, more easily serve that mediated role of, of keeping both parties and both sides in line and, and, and also hopefully help make the bank more successful to make more money, but at the same time kind of protect against the really big risk.
Lara: Yeah, and I think that push pull is sort of always inherent. I think Rob made a great point. You know, I used to be in-house counsel at a large organization and, and in a heavily regulated space. And I remember our chief technology officer, when you’re in-house counsel anywhere, I think you quickly learn that if you’re the, if you’re the department of no, the business just isn’t gonna come to you anymore.
So you’ve gotta find a way to enable the business. And so, you know, you have to advise and, and your role is to sort of counsel and say, these are the risks and here are the various ways we could approach them and mitigate them. But at the end of the day, here’s what the exposure may be. And, and oftentimes it’s a business decision as to how to, how to move from there.
And I think, you know, what he said to me once was, you know, there’s a risk to me not doing this too. And it’s called, you know, losing out against the [00:56:00] competition, right? So there’s a risk to not transforming, just like there’s a risk to transforming. And so, and I think some of it too is just dictated, you know, by modernization of our lives, right?
I mean, if everyone were still willing to hold a paper check and walk into a bank and watch it be deposited. You know, that’s probably maybe a lot less risky than moving money all around, you know, electronically. But it’s, it’s, there are benefits to both. And so I think, you know, I think having that open conversation and, and weighing as, as I think as Tom and Rob both said, you know, the, the tone at the top and the leadership and, but then really just kind of having that open conversation about, pros, cons, and, and best ways to mitigate if you do choose to proceed.
Josh: Lara. Lara, that’s such a good point. I mean, seriously, you think about just, yeah. I mean, if you want to be a completely risk averse bank today, I can give you strategies where you could make fraud zero, and you’ll be outta business in a week because [00:57:00] all your customers are gonna be like, Hey, look, I mean, this is great, but I, I’m sorry, somebody else is offering this, and my life is all about convenience.
At this point, right? I mean, I use the kind of the, the perfect or the personal example. I remember when, you know, Amazon started bringing the, I won’t say her name ’cause she’ll pipe up, you know, Amazon Lady Speaker into the house. And, and I remember people talking about, I don’t want it listening to me.
And I’m like, man, at a certain point, like one, I just, I feel like if I’m saying stuff that I wouldn’t want out there, like should I really be saying it in the first place? And, and two, like, I don’t know, there’s so many different data breaches across so many different things at so many points. Like what is even private of mine anymore at this point?
Like everybody’s all, you know, guarded about social security number. I’m like, man, I can buy your social security number for like five bucks on the dark web in like six minutes. Like, it’s just at a certain point, like it’s, it’s gone. That ship has sailed. And I’m like, so if the ship is sailed and she can turn my lights off for me and I don’t have to get up, I’m like, baller, let’s do [00:58:00] it.
Put that thing in every room in the house, like I’m done. You know? And so I, I tell you what Lara, like, I do not envy, I don’t think I’m the personality that could do your role as like inside counsel and have to try and figure out how to go to sleep at night knowing that like, you’re like, yeah, our CTO is a wackadoodle and it’s doing this crazy stuff.
And it’s like I can’t support it, but I have to, I mean, I have to, I have to find a way because yes, it’s introducing elements of risk, but the point is well taken, right? Like if we don’t take any risk, someone else is going to and will that disintermediate my business? And then yeah, I will have zero risk because I will be out of business.
Lara: No, and I just have to jump in to interject that my CTOs have always been amazing. But yes, it really, I thought it was an excellent point, and I still think about it today, you know, is there’s a risk to not doing this too. And that’s a, that’s a very fair point, you know, and it’s, and I think it’s top of mind for many businesses as they’re, as they’re constantly [00:59:00] evolving and staying competitive, you know, in a rapidly changing landscape.
Tom: A and I, and I do, I have a, a really big fear of ation for community and, and mid-size banks. And, and I know Rob probably feels this way as well. I, some of this is family bias, I’m sure Same for Rob, but I do feel like there is a very important place in our economy for community and mid-size banks, and particularly for rural areas.
I, I think there, you know, there is money creation and, and capital formation that will not happen in rural parts of our country without community midsized banks. So I, I, I do feel like that’s a very important, very noteworthy risk is if these community midsized banks don’t adjust and don’t provide these services that their larger counterpoint counterparts can provide.
It’s not only a risk for those banks, I do think it’s a risk for, for our economy and particularly, the rural, the rural areas of our economy because those, those banks have to survive in order for our economy to keep doing what it’s doing. I, I do feel like that’s the case.
Josh: Tom, I couldn’t. I’m like, I’m willing to die on this [01:00:00] hill and I will state this for the record. We need community financial institutions, period. End of story. Like you can support it with objective and subjective data across the board that community financial institutions are absolutely a major element of the backbone of this economy.
Right? I mean, I was literally just talking to a, a community banker recently and talking about so many of the different small businesses that they support and how many people that employs and they’ve got data on how much, you know, income that brings into their small rural community and the impacts that that has.
And if that goes away, like again, I, I sit in the FinTech seat technically, but if we leave this up just completely to the fintechs, I’m sorry. But the best interests of the American consumer will no longer be at the core of the guiding principles of those organizations. We see it time and time [01:01:00] again, and I’m not saying all fintechs are corrupt or bad, right, and aren’t out for the best interest of the consumer, but I will argue that they’re not to the level of a community bank or credit union.
Tom: Well, and I will say too, and I I, I was probably even speaking about larger banks as much as I, I, I was speaking about fintechs, but I do think that’s why it’s important for both fintechs, community banks to partner on, on, on these types of things. As, as Rob has mentioned, and several of you mentioned, you know, I think together, they provide a service, that, that really benefits society as a whole and, and obviously each party, individually.
And, and so I, I think, you know, each side, the fintechs or the vendors and the banks, really, really bring something to the relationship that I think would make both of them better. And, and I think from a banking perspective, it’s critical for them to get comfortable with and know how to work with these fintechs, so that they can remain relevant, and continue to provide services, that society really needs.
Josh: Can I just say that it, it, it’s kind of cool and I don’t know, maybe my listeners, like I don’t, I feel like I guess our data [01:02:00] would show us if, you know, people would actually stop listening if, if this was true. But, maybe people get sick of just how much it seems like every single episode I do eventually leads itself to like the kumbaya moment of like we heart community financial institutions.
And it’s like, here I have three attorneys on and you know, we’ve been talking for an hour and here we are at talking about how like we believe at our, at our core in the impact that these institutions have in our communities. So much so. But yeah, I mean, Rob’s sitting here saying, yeah, like I, I have my day job, which I would, I would be relatively, you know, certain probably keeps you quite busy, sir.
And on top of that, like, I care about serving on the board of a community bank because I wanna see them have the ability to maintain relevance. Like, I, I just think it’s fascinating that even, even having like three lawyers on the podcast, like we’ve, here we are, we’ve arrived at the same point that I arrive at with every stinking [01:03:00] podcast, which is just like, there’s, there’s absolutely people that believe in this so much and the impacts that it has so much that, like, we always arrive at this point.
So I just, I found that kind of fascinating, Tom.
Tom: Yeah. And, and I, you know, to that point, and I’m sure Rob has this experience as well, I mean, a lot of times, you know, I have opportunity to maybe put new board members of banks, through orientations or kind of introduce them to the world of, of, bank board directors in the regulatory framework they’re about to enter.
And, and what I say every time is that you are performing what I think is one of the most critical community services, which is serving on the board of a bank. And, and I do a community bank, and I do think that’s getting harder and harder, you know, in, in a new world with new risk and new regulatory
scrutiny, but I do think it’s still a critical part and, and I think these third party vendors that we’ve talked about that banks maybe are, are trying to figure out how to utilize and utilize safely, I think they’re a critical part of, of them being able to continue their [01:04:00] mission, as community banks.
Josh: So, you know, after all of this conversation that we’ve had, and you know, the survey that you’ve done and working across all of these customers and all the different areas of expertise, the three of you each, you know, uniquely bring to this scenario. What do you think are some of the biggest threats, and concerns from your vantage point for community financial institutions?
Lara: Gonna let the bankers answer that question first.
Josh: I was gonna say, who wants to jump on that grenade?
Rob: Yeah, I, I think one of the biggest threats is, I mean, I think Tom just hit on it, which is when you’re a small community bank, like we, like we described, is, you know, 10 billion or below whatever. I, I think if, if you can’t find ways to reach your customer to make their lives easier through partnering with a FinTech and, and you’re, you’re just kind of using the traditional model only, you run the risk of larger banks, large non-banks, taking some of your customers [01:05:00] away because just convenience is, is critical.
I mean, you look at in all aspects of life with, with, I mean, my kids won’t even sit through a commercial these days. They need things done fast. You know, it’s, it’s, it’s a, it’s a mentality. And so if you don’t work with a FinTech provider, as a community bank to find ways to reach your customers and you allow the larger banks and, and larger non-banks to, to pull your customers away is gonna be a, a model.
I think that’s gonna, I think that’s the biggest threat to the model. I think there’s always gonna be room for what a community bank does. Like I see it with our bank and our community. I mean, we know our small businesses in our area. There are banks that probably will not underwrite those that would be removed from our market because they don’t know the people behind the business, what their history is, you know, kind of how the model works, who they rely on to, to, to, to sell their products.
So I think there’s always a place for that. But I do think as, as if you don’t adapt and evolve, it, with, with technology, it’s, you’re, you’re gonna be. You run the risk of losing customers over time, and, and I think that’s a threat to that, that model if, if [01:06:00] you don’t adapt.
Tom: Yeah, I, I would agree with that. Obviously I do agree that I, I think third party vendors are a big part of helping those banks evolve. But I also think another critical part, and we, we kind of alluded this earlier, is talent and talent acquisition and talent recruiting. And I think that is a very real and difficult problem for a lot of your, particularly rural community banks, mid-size banks, is, is getting the talent they need, to provide, you know, the in-house services that are required for, for this new world of technology.
And I think that’s getting a little easier for some, particularly some of your, what you’d say, mid-size banks that are able to, to maybe even allow talent work virtually. You know, we, we have some clients, for example, in some of their more technical roles, you know, they may be a Mississippi bank, but they may have,
you know, some of their, their chief technology officer, for example, may live, you know, on the east coast somewhere. And so it’s, you know, that, that, that is, I think technology has, has helped that a little bit. But I do think talent acquisition and succession planning and, and particularly upper level management, that [01:07:00] understands and, and can address these problems is becoming, you know, becoming a little more of an issue for community banks as well.
Rob: Yeah, I would, I would agree with that, Tom.
Josh: Lara, what
Lara: I don’t think I, I mean, I, I, I think that Rob and Tom are much closer to sort of, you know, being on, having served on boards and worked in community banks, I think I, I completely agree with what they’ve said. I think I was reflecting kind of when, when Rob was talking about the convenience piece, and it’s funny because in, in the tech world, we’re always kind of thinking about obsolescence, right?
And so I, I do think there’s sort of that, I don’t think that community banks, you know, I, I, I actually think that there, there’s a huge strength as, as Rob and Tom have mentioned, to being a, a community bank. But I think that, I do think that that sort of ability to change with the times if needed, and to leverage some, you know, leverage partner partnerships with fintechs or other things in order to [01:08:00] remain, remain relevant as Rob said.
You know, and, and I think, I think, I think that’s what we’re seeing, but I think that that’s sort of what we are all being, tasked with these days is, you know, you kind of can’t, can’t stop evolving and, and, modernizing.
Josh: You know, it’s funny, I I, again, just thinking back to like this whole conversation that we’ve been having, this kind of goes back to what you were talking about Lara earlier, of like having to find kind of the optimistic side of well there’s risk, but there’s also risk of what if we don’t do anything?
And you know, I asked the three of you like what the biggest, threat is, and instead of each one of you taking some sort of like, oh, the biggest threat is this and we need to, like, all of you took almost the more positive thought process of like, the risk of not doing anything. I, I thought that was pretty fascinating.
I mean, but I think that goes back to kind of what, you know, Tom, you were talking about earlier, just the importance of having the community bank infrastructure [01:09:00] supporting us consumers. So I mean, I was gonna ask, but you might just respond with like the same thing that you said from earlier, but maybe taking.
What do you think are some of the biggest opportunities for community financial institutions and maybe if you were able to give them one piece of advice from your chair, like what would be the the one thing that you hope they take away from it?
Tom: And Josh, you might have gone out a little bit, I think, but I think, I don’t know if Lara and Rob heard all the question, but I think what I understood you say is, is kind of looking on the other side, what are some of the biggest opportunities for community banks in this new world? And I do think, you know, it’s, it’s the same advantage or, or our strength that community banks have always had.
And it’s kinda the personal touch of knowing your customers and, and being able to help your customers address financial problems. Even in a world that maybe is becoming a little less personal. And, and, you know, technology with all its strengths sometimes is not as personal as you want it to be.
And I think that’s one strength that community banks [01:10:00] can provide. And it is always, they, they have always been able to provide is that personal touch and, and the knowledge of their customer and their ability to solve problems for their customer quickly. I think pairing that with the technology, is a strength that that really gives community banks an advantage and continue, we’ll continue to do so.
I, I feel like over time.
Lara: I, I think, I think the same thing, Tom. I think that that sort of personal element, I think in an increasingly technical world, it’s amazing how much is still sort of relationship based and how much, of business, particularly financial business is so, you know, rooted in, in trust. I mean, you know, and, and I think that community banks are uniquely positioned to build those longstanding relationships and, and engender, you know, deep and lasting trust with generations of, of customers.
And I think, you know, further being able to sort of enable that and maybe even bring, maybe even bring some of the customers in rural areas along a little bit on that journey, right? [01:11:00] To say, you know, this is how we’re needing to change. But it, it, it, it, you know, I think it’s a, there they’re in a really unique position and, and want to make a lot of, a lot of impact, in, in their communities.
So I think, I think that’s an asset, a huge asset.
Rob: Yeah, I don’t, I don’t think I could say it any better than Lara and Tom just said it, so, I just, I would agree with exactly what they said on that point.
Josh: Yeah. You know, and, and I guess maybe I’ll round it out by saying I agree too, which is funny coming from the guy who’s trying to sell technology to banks, right? Like, I don’t think technology is a silver bullet. I do, I think, I think, you know, our money is so deeply rooted in our society that it has to be relational and having a relationship with your financial institution, I’m living proof of the positive impact that it can have on your life.
Right? So I, I do, I agree. You know, we’ve kind of talked about all the areas of this, of, you know, technology brings [01:12:00] about innovation, it brings about efficiency, it brings about new products and services and all of these wonderful things. But if it’s not rooted in positive humanity, then, you know, we’re missing a big element of that.
So I, I couldn’t agree more. You know, look, I, I feel like I could talk to the three of you until like next Tuesday. You are just an absolute blast to chat with, but I do wanna respect that. I’m sure you all have, busy lives to get back to. So, you know, before we kind of close things out, I’d love to, end with kind of two final questions for the group.
And, and maybe if we could just go, you know, Lara, Rob, Tom, you know, where, where do you all go to get information about what’s happening in the industry? How do you stay informed? Maybe some resources that you use.
Rob: Yeah. I, I’ll just speak for myself on, I’ll go first on, in terms of resources that I use. I love the, I guess every morning I read the American Banker. That’s [01:13:00] a, a resource publication that, that, that we get at the firm, that stays current on, you know, things going on in Washington for, for financial institutions.
A lot of discussion of, of, of technology, cybersecurity, things of that nature. But just in general, you know, policy, regulations. And then, Law 360’s another publication that, that I receive daily too, that I, that I review. Those are two of the key ones on top of the, just the Wall Street Journal, other, you know, typical newspapers and things of that nature that, that, that we stay on top of.
Lara: Yeah, I, I would say that one of the aspects of my practice is that it’s, you know, by definition it’s constantly changing. I mean, certainly for all of us, but, techno, nothing to make you feel outdated, like, trying to keep up with all of the technology and, and privacy, changes. So I try to stay abreast of that.
I listen to a lot of tech podcasts. Privacy in particular is extremely active right now, and so I, I receive updates from the International Association of Privacy Professionals. They do a really good job of, of [01:14:00] keeping up with privacy legislation globally. And so, just sort of have a heat map of what’s changing, what’s different, there.
But, you know, try to read as much as I can as often as I can on, on both of those topics.
Tom: Yeah, I think Rob and I have almost an identical reading list, but that’s, and this makes me sound old, but the first thing I do every morning is I read the Wall Street Journal, and that seems to give me, you know, a pretty broad outlook on, on how things are going, nationally. Not only economically in banking, but technology as well.
And then also generally I get the American Banker, like I’m sure Rob does through my email every morning. So, I, I go through it and kind of catch up on banking specific issues. And then Law 360 is something that our firm uses. That, that sends out specific information either once a day or even throughout the day on various, developments in the legal world that impact, you know, banking or securities or, or whatever area that you, you kind of like to be updated on.
And so I, I feel like I rely on those a good bit as well as I’m sure Rob does. [01:15:00]
Josh: Awesome. No, thank you for the insight. And last but not least, if folks want to connect with you, or if they wanna learn more about your firm and the services that you offer, how can folks do that? Oh, Lara, you’re on mute. We almost made it the whole podcast.
Lara: I was saying I use LinkedIn and people are welcome to reach out to me to connect on LinkedIn. And also all of us are, are available at our, our law firm’s webpage, which is ww dot jones walker.com.
Tom: I, I will say too, one thing that’s interesting on our webpage for those who are interested, so we all, we do, I think we do a pretty good job of, of writing articles periodically, and, and putting out, you know, our thoughts on various topics, cyber or otherwise. And so, you know, you can go out on our, our website and particularly look for [01:16:00] each professional and find articles that they published.
And I think sometimes that’s kind of interesting as well.
Josh: You know, and, I, I meant to ask this earlier, but, if a bank wants to get, access to the survey that you guys did or wants to participate in your next one, how can they get that information, and how can they participate?
Tom: So you can go on our website and you can on our website, enter a request to receive the survey. And so, that is probably the easiest way. And, and best way to, to request a copy of the survey is, is go on our website and look for, the cybersecurity survey and then you can enter your email information, I believe to receive the survey.
As far as participating, in the next survey, presumably it will not be a banking, survey. Presumably it’ll be a different industry is, is kind of been our prior practice, with the, with the, the firm. But I will say, you know, with respect to Jones Walker in general. You know, if you, if you want to reach out or contact us about any information we [01:17:00] have, whether it’s the survey or participating pertaining in the survey or participating in other services we have, you know, emailing us is always a good idea and you can find our email addresses on the website.
Josh: Awesome. Well, again, thank you all so incredibly much for the time and energy that you’ve dedicated to this. Thank you for just sharing in your knowledge and the resources that you’ve acquired. And, again, I know this is gonna sound kind of silly, but like thank you for your optimism in the industry and the support that you provide it.
I think that you do provide a really valuable service in, in providing what you do, but with the approach that you do as well. So, Lara, Tom, Rob, thank you so much for coming and being guests on the Digital Banking podcast.
Rob: Thanks for having
Lara: It’s been a pleasure.
Rob: It’s been a blast. Enjoyed it.
[01:18:00]