How the Fed is tackling small banks post-SVB
Digging into the recent enforcement action for Kansas-based Small Business Bank.
After a pretty quiet August, the Federal Reserve Board kicked off September by issuing a Cease and Desist order against a relatively small bank with around $100 million in assets - Lenexa, KS based Small Business Bank (formerly/also known as Gardner Bancshares, Inc. (Gardner, KS)). In this week's edition of our newsletter, we'll take a look at this action and put it in a broader context to see what it means for the financial services space.
The Enforcement Action - some background
One thing to note right off the bat is that this has probably been brewing for some time. Nevertheless, there are different levels to which regulators tend to take action at - a light recommendation, a matter requiring attention, a matter requiring immediate attention (where the board is more involved/on the hook), a consent order, and a consent order with a civil money penalty attached. While we don't know how things transpired, there's a lot of time between the exam commencement date (October 2022) and the date of this issuance (September 2023) - almost one year, to be precise. The exam was performed by the Kansas City division of the Fed, in collaboration with the Kansas Office of State Bank Commissioner.
Small Business Bank - a brief history
Having been around since 1984, the bank was set up as "Gardner Bancshare" as a local "homely" option for small businesses, eventually becoming "Small Business Bank" in 2009. The bank saw a decent growth in its deposits in the '90s and especially in the 2000s. There's an interesting puff piece published by a local Kansas City newspaper that is a wild blast down memory lane. It profiles the then-and-current CEO, Ray Leno, along with a number of seemingly satisfied customers, with mentions of things like superstores, shoe stores, and the office Christmas party, which all seem to be things of the past particularly after the pandemic. The bank is noted as being a $100 million asset institution in this report from American Banker on the enforcement action.
The state of the bank today, in person and online
In doing some of my own research, I found some other interesting things about this bank. They had a single branch in their hometown of Lenexa, which now appears to be closed (although there appear to be two entries - one for Gardner Bancshares, and one for Small Business Bank). Interestingly, the reviews on the Google Maps location are pretty revealing. Here's one example:
I then started to go down the rabbit hole to see what the rest of the online presence looked like. I found their Facebook page, but it seems to be mostly dead since 2021, with the exception of some angry comments:
The last piece of the puzzle was to check out their website. The first thing you see is a confusing message that pops up discussing what appears to be issues with Chase transfers.
Beyond this, I noticed several other issues. There was no ability to sign up for a new account on the website - they force you to the mobile application. I actually went ahead and downloaded it to see what would happen. While the download was in progress, I was actually pretty pleased to see that they appear to be maintaining their website, with the latest update having been pushed through just one week ago. Upon downloading the app, there wasn't much I could do without signing up, although one point against it was that the SSN can be entered in a registration form in clear text - a pretty big info-sec related gap.
What went wrong?
The enforcement action hits on a variety of issues:
Staffing
Internal Controls
Credit and lending
Capital planning
IT and InfoSec
Regulatory reporting
Recordkeeping
Liquidity and funds management
Earnings
Third Party risk management
Interest rate management
Internal Audit, Risk management and compliance
Safety and Soundness
From these areas, there were a number of details that caught my eye:
For staffing, this one is pretty fun because you can dive onto Linkedin and see the issues right there. The callouts are for not enough qualifications/skills/training, and just not enough people period. They did just hire a CTO for the first time ever a few days ago, but the departures otherwise are massive - the CFO and SVP of Ops left in 2021, the Director of Credit risk left right during/before the exam, a Compliance Director lasted for a few years and then left, the Legal Counsel simultaneously served as the information security officer, the Chief Risk office departed in 2020, the SVP of Compliance and IA left in 2019. They have a Director of Risk and BSA that was hired in February, and the aforementioned CTO, but beyond that there are all of the above roles and areas that seem to be severely understaffed. They also talk about staff rotation, which makes me feel like they are going directly after the CEO who has been around for over 30 years now - there's a risk that he may be less than concerned with the performance of the bank given it's likely he is probably gearing up for retirement and has gotten everything he wanted to out of the role.
One area of major concern for the Fed was lending and credit administration and risk management. There are some basic things that seem to be missing within the institution. There is no concept of risk appetite, credit allocation management, weak management information systems controls around credit, poor analysis of credit, poor loan documentation, a review of deteriorating credit, issues around the sale of larger loans, and many other gaps. Based on all of these, the basic ability of the bank to function has to come into question. Lending and granting of credit is one of the most basic things a financial institution can do, and to have such a weak infrastructure around this is super concerning.
Another one of the big areas of focus among this new "banking crisis" of sorts is institution liquidity and how the banks receive their funding. Unsurprisingly, on that point the Fed went after Small Business Bank as well. Specifically, they called them out for not having diversified sources of funding (I wonder if the CEO was injecting his own funding or had 1-2 close connections that kept the funding going) and also for not doing stress testing (a thing that banks much larger than them were also guilty of).
The last thing that stood out was related to earnings - on the surface, one would wonder why the Fed is getting involved with earnings. But I think this has more to do with tying back to the issue brought up earlier, about the CEO being around for 30 years. It would make sense that if a CEO has been around for that long, at some point there is going to be less and less interest in seeing the bank perform well.
Context and Conclusion
One thing seems to become pretty apparent - before this year, this enforcement action, while certainly warranted, might have possibly manifested itself as a series of MRIAs or MRAs, with the possibility that it could have become a consent order/enforcement action. However, the actual result of the examination was in fact an enforcement action. Granted, no money was attached to it and thus this was classified as a "cease and desist" rather than a civil money penalty, but what does the past history of the agency tell us?
Interestingly, reviewing the Fed's history of enforcement, a few things stand out:
In 2021, there was one cease and desist against a banking organization.
In 2022, there were two cease and desist orders, with one of them being attached to a civil money penalty for an affiliated bank.
In 2023, there have been six cease and desist orders (two attached to civil money penalties), with all six of them coming after the March 2023 bank failures.
It becomes pretty clear that the failure of SVB and the other banks has opened up this new avenue at enforcement for the fed, given sporadic C&D activity for the two years before this and a sudden spike in C&D activity after March 2023. The other thing that also becomes clear is that by using cease and desist orders, it allows the Fed to go after banks publicly (because MRAs and MRIAs are private/confidential) while also acknowledging the sorry state that many of them are in financially (potentially being unable to afford paying a civil money penalty), and thus finding that giving them a C&D is the most effective way to push for change. The nature of the orders also will continue to be similar as we look at previous C&Ds and find many components (i.e. liquidity/capital issues, risk management, etc) in this C&D showing up in those ones as well.
The bottom line is, expect more of these orders to start coming out as the months pass on, until either the economy starts improving and thus banks find themselves in better shape, or a new crisis emerges and the Fed shifts its focus in that direction.