The Chinese have a phrase. If you want to kill the tiger, masquerade yourself as a swine. He who poses as a fool is not a fool. The best way to be well received by all is to clothe yourself in the skin of the dumbest of brutes.
Kelly Coughlin, CEO of BankBosun, a management consulting firm helping banks C-level officers, navigate risks, and discover reward. He’s the host of the syndicated audio podcast bankbosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyd’s Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward. Now your host, Kelly Coughlin.
Greetings. This is Kelly Coughlin, CEO and program host of Bank Bosun, helping banks C-Suite executives manage risk, regulation, and revenue in a sea of threats and opportunities. You know, 100 years ago the risk environment of the banking world was much different than it is today. The Federal Reserve System was established only a little over 100 years ago in 1913. There were about 26,000 banks back then compared to about 7,000 today. In fact, Citibank only had about $1 billion in assets back then compared to $2.6 trillion today. And the risk profile of bad guys – criminals - was much different, too. Charles Ponzi was launching his famous scheme to turn a profit by manipulating international reply coupon systems in which he'd buy stamps in one country, and then sell them for profit in another. He defrauded investors of about $20 million, $220 million in today’s funds, and destroyed six banks in the process. And then in 1925, the famous Victor Lustig convinced a bunch of investors to give him funds to purchase the Eiffel Tower for scrap metal. He even convinced Al Capone to invest $50,000 in another bogus scheme. Lustig returned the funds to Capone, who was so impressed with him that he let him keep $5,000 of the original $50,000. Of course, that was Lustig’s plan all along. That's all he was looking for.
Today’s criminals, however, are different. Yes, we still have bank robbers. The FBI reports that the U.S. has about 5,000 per year. But the bigger risk today is in the cyber security and social engineering area. Cyber security, of course, is new. We didn't have computers or Internet 100 years ago. Technically, though, social engineering is not new. The definition of social engineering is the clever manipulation of the natural human tendency to trust, but the tactics and methods used today are much different than in the days of Ponzi and Lustig and Jesse James. These methods involve strange names like dumpster diving, email phishing, vishing, pretexting, baiting, and piggybacking, just to name a few.
My guest today is a recognized expert in today’s version of social engineering. His name is Kyle Konopasek, and he works in the Business and Technology Risk Services Group of CBIZ MHM.
The stated mission of CBIZ is to help clients prosper by providing them with professional business and individual services to better manage their finances and employees. To accomplish that, CBIZ has three operating practice groups, one of which is Business Services, and that's where Kyle operates out of, in their Kansas City office. The specific mission of Kyle, however, is to assist clients in the internal control areas related to information security, cyber security, vendor management, and of course social engineering. Kyle has a BS in accounting at Rockhurst. He is a certified internal auditor. He lives in the great city of Kansas City, home of some of the best barbeque in the country. So, I want to start off with the most important thing and get that out of the way. Kyle, what is your favorite barbeque restaurant in Kansas City?
That's kind of a loaded question, Kelly. I actually had Joe’s KC Barbeque today for lunch. Used to be known as Oklahoma Joe’s. Don’t understand why they changed that iconic name to Joe’s KC, but it's still pretty darn good. But you know what? There's a smaller, a little bit lesser-known barbeque restaurant in town called Smokehouse Barbeque, and that's actually my favorite.
Smokehouse Barbeque? Where is that located?
Well, they've got just a few locations around town. They've got one up in Gladstone, Missouri, one out in Independence, Missouri, and then there's another one over in South Overland Park, Kansas.
Okay. I'll have to give that a go. Well, now that we've got the important things out of the way, let's get down to business here. First of all, did I get your bio correct, and was there anything that I said in my introduction that was either wrong or you disagreed with?
Not at all, Kelly.
Why don’t you tell me what your definition of social engineering is? I think I took my definition frankly from a Power Point that you had, but is there anything you wanted to elaborate on in terms of the definition of social engineering? Especially related to the cyber security world.
Yeah. Kelly, you did mention the technical definition of social engineering earlier. However, we can elaborate on what social engineering is and what that means a little bit further. In some of the speaking engagements that I have with some of my clients and various organizations around the country, we usually talk about what our children do to us. If you think about it, even just a small child, a toddler, a three- or four-year-old, take them to the grocery store, you push them in the cart through the grocery store. Oh, Mommy, Daddy, I want this. Mommy, Daddy, I want that. Well, you tell them no a few times, and then they begin to find other ways to try and manipulate Mom and Dad into how to get that item that they want. We start performing acts of social engineering, every one of us, very early on in life without really understanding what it is. And I think that's very important to distinguish, because social engineering, as you stated, is not new at all.
In fact, we all do it without really understanding or comprehending that it is social engineering that we're doing. We may not necessarily be trying to manipulate one another for bad intent, but we often use different shades of social engineering, if you will, to try and get certain things that we want. And quite frankly, social engineering is ancient in its methodologies. The Trojan, with the whole Trojan horse scenario, that's really social engineering. Hollywood loves to depict examples of social engineering in its movies. Just to name a couple of better-known social engineering oriented movies, Catch Me If You Can, with Leonardo DiCaprio, about the story of Frank Abagnale. Sneakers, with Robert Redford. Those are both excellent movies that depict in every facet, different types of social engineering.
Now, when we talk about social engineering, sometimes, people get confused as to how that relates to cyber security. Cyber security and social engineering are very tightly linked together. However, we like to take it up one more level when we think about the two. We think of this large bubble called information security, and within that large bubble of information security, there are other bubbles floating around inside, one of which is social engineering. Another one is cyber security. Another one is vendor management, and you can continue to break it down into subsets of bubbles within the information security bubble. So, that's important to point out, that they are related, but they're not one and the same. For example, email phishing is one type of social engineering that is widely understood, but many people still describe that actively as a cyber security breach or a cyber security issue. You can definitely blur the lines between those two, and there is a gray space there. But email phishing at its heart belongs to social engineering.
What are the main motivations for social engineering attacks? Is it always financial gain? Or on the other side of is it harm? Or is it a competitive advantage? Or do we get personal vendettas or that part of it, too?
In the business world, Kelly, really all of those are examples that you mentioned of motivators for performing an act of social engineering. Social engineering is essentially a grouping of attack vectors that an attacker can use to attempt to not necessarily defraud an organization, but start to build a dossier of information about that organization for the purpose of executing a much larger attack. And when I say a larger attack, it can be in terms of dollars or it can simply be in terms of volume of information obtained. For an example, email phishing might be a starter for a social engineering attack to build that larger dossier of information. The attacker would be hoping that perhaps yourself or myself would be willing to click on a link in an email to take us to a website that was built to mock a website that maybe we're familiar with or maybe that we would typically trust. In reality, they're wanting to get one piece of information from us. The attacker wants to have login credential information to our networks, our systems, within the workplace.
They don’t really care what other information we provide, but sometimes we provide additional information that they don’t really ask for but help them to build that case. For instance, if I then provide them with a user name and a password or other types of login credentials to a network or a system, they obviously can then use that information to assist them in hacking into that system. The word hacking from an information security perspective or cyber security perspective is somewhat clouded by the fact that social engineering methods and techniques are many times one of the leading methods used to get to a “cyber attack” to “hack” into a system. There aren't that many individuals that are literally sitting there in front of their laptop computer, trying to brute force hack their way into a network. Social engineering is a much easier way, because what we're looking to do is just very easily and inconspicuously have the victim, or one of the victims, provide us the information that we need to do our bad work, to do the attack. And from that perspective, social engineering is very useful to a more intelligent attacker. And that's quite honestly, why so many foreign entities are using social engineering to get sensitive information.
Give me some examples of that. Keep in mind, the audience is community and regional banks. What are some of the techniques? What are some examples that you've seen where this manipulation occurs successfully?
Well, email phishing is the low-hanging fruit in terms of an example for a social engineering attack. Many of us have seen that on a personal level as well. But yes, vishing, starting with the letter V, vishing is a legitimate social engineering attack method. And vishing is the telephone equivalent of email phishing. It's simply picking up the phone and perhaps pretending to be someone with a help desk or with, perhaps it's an outsourced company that the financial institution has engaged with, that caller is hoping that the person that picks up that phone is going to feel pressure to provide them an answer that they're asking for. It might be that they're going to try and elicit an attack based on patch management, for example. Maybe I work for a third-party data management company and I call XYZ Community Bank and I call Sally. And Sally answers and I tell her, Hi, I'm Kyle with ABC Data Management Services. We see that your desktop computer didn't have the patches updated on it last week. All the other terminals did. We can take care of that patch for you right now if you just provide us with your user name and password for your desktop computer. That way, you don’t have to mess with it and you’ll be able to continue doing your work.
Kelly, it's something as simple as that. While the broader population might scoff at that scenario and think that it's not possible, the social engineering attacker needs one person, and you'd be surprised that many, many times, people fall for those attacks because a, again remember the true definition of social engineering, the natural tendency, the manipulation of the natural tendency to trust one another. They don’t want to inconvenience another human being from doing their job, or what's perceived to be them just doing their job. They want to do something that's helpful to them. So, therefore, the pressure is enough to where they just provide the information and hope that their day can go on without any further interruption, and that that person that in perception, is on the other end of the phone, trying to get information is truly trying to help them out. That's one example.
Well, I've never had that kind of luck, because if I get a bounced email from like a CFO or a CEO and I try to call secretary and say, hey, what's Joe’s email? I got a bounced one. And they won't even give that to me. So, I'm not a very good hacker, I suppose. I'm going to do a quiz for you, Kyle, since you started showing off on some of these terms. We're going to play Jeopardy! with Kyle. Dumpster diving.
Dumpster diving is literally me and/or my crew, our staff, getting into the large metal dumpster out in the parking lot behind the financial institution, in the middle of the night, usually. This is one of the more intriguing services that we provide. And again, keep in mind as I describe, social engineering is about getting tidbits of information through different attack vectors and building that dossier of information. In a dumpster dive, going out in the middle of the night with the rubber gloves on—yes, Kelly, I carry latex gloves with me at all times, and I travel a lot. The TSA hasn’t said anything yet, but one day they will.
What are you diving into the dumpsters for?
We're actually getting in the dumpsters and looking for things like social security numbers, bank account numbers, anything like that. And you might say, well, what financial institution’s putting that kind of information in the trash? A lot of them. We have had so many clients over the years where this is the first test that they fail. When they ask us to come in and perform social engineering testing, this is the first one they fail. And many of them fail it miserably.
You're diving in as your internal audit function.
Absolutely. Kelly, you know, one of the things that, from a dumpster diving perspective that I think is really important to stress is that documentation as simple as a phone listing for the organization or an email listing for an organization, because they have a whole listing of people they can call to try and perform vishing on. Or even a vacation schedule for an executive or senior management person, because then they know that person’s gone for that period of time. In addition to that obvious personally identifiable information like social security number, account number, it's that other often overlooked information that becomes valuable. And let me tell you, just shredding that information and then putting it in a trash bag and putting it in the dumpster’s not good enough. We have taken shredded material from a dumpster, laid it out on our conference room table and taped it back together, and we have found full listings of user names and passwords that employees have kept over the years for access to not only their own systems and networks, but for some of their customers’ trust accounts. We've tested those, and they've been active. The amount of information that's out there is absolutely astonishing to me, and how easy it is to come across in a dumpster is even more terrifying to me, just as a human being.
That's amazing. All right. So, next question. What is phishing?
Phishing with a P. Kelly, that generally, when it's mentioned by itself, refers to email phishing, and that is essentially, you're receiving that unknown email or that unexpected email in your inbox that looks like it might be from someone that you would expect, but upon further inspection, if you really look, like if you hover your cursor over the link to the website that it wants to take you to, if you look at the URL address, it's actually going to take you somewhere else, which would be typically a website that was built specifically to look like XYZ Community Bank’s website. Vishing is the telephone equivalent of email phishing. Same thing, except that I'm picking up the phone and I'm calling you, trying to extract as much information out of you as I can. Maybe it's just to find out if Kelly’s out of town for the next two weeks.
What is pretexting?
Pretexting, that's the Hollywood that we like. The Hollywood version of social engineering is where we are basically disguising ourselves to walk in face-to-face and try and gain access to a secured area of a financial institution, whether it be the vault or the telephone closet or the server closet or the surveillance system. You would be amazed at how easy it is to gain access to secured areas of financial institutions through pretexting.
What is baiting, B-A-I-T-I-N-G?
Baiting is when you would take a USB thumb drive or a CD, and you would pretend to put information on that media. If you're a true attacker, what you would put on that media would be some type of a virus or malware, but the key behind the baiting piece is that you write on the cover of the CD, it says, Bank Bosun 2016 annual bonuses. Or maybe you put the USB thumb drive in an envelope and you write something conspicuous on the outside that might get someone’s attention, and then you leave that item in a conspicuous place, in a hallway or on the corner of a desk or a conference room table, because what you're hoping is that a curious eye is going to catch that and say, oh, I want to know what so-and-so’s making. Well, they put that item in their CD drive or their USB port, and once they open up that file, bang. That virus has been installed, and they don’t know it. But in reality, there's nothing on there. So, that's all we're trying to do with baiting, is get that virus on there so they can then phone home and tell us all the information. Maybe it's a keystroke logger so we can get user names and passwords that are put into that terminal.
Wow. What is piggybacking?
Today would be a good day to do piggybacking, Kelly. It's about 18 degrees here in Kansas City. Maybe I want to go piggyback into a multi-tenant building. Smaller organizations with a few employees are not as easy to perform this test with, but if there are more than 50 or so employees, it's generally possible. Basically, take a cold day like today, have a heavy backpack over one arm and maybe have a box of donuts or something or a coffee in the other hand. And then, you're trying to watch for someone to come in through a secured exterior door, as an example. What you're wanting them to do is just hold that door open for you, because your hands are full. It's cold. They don’t want to leave you out in the cold and make you get out your keycard to badge your way in. This can happen inside, as well. Again, the more employees, the better, because they don’t necessarily know all the faces, and they're more willing to trust strangers.
Okay. Now, the trick question. What’s the difference between phone phishing and vishing?
No difference whatsoever, Kelly.
That was the trick question. Good job. All right. I give you 100% on that. Where are the biggest human vulnerabilities? Is it new employees? Is it the older employees that, presumably are less tech savvy? Or are they the younger, heavy tech users that are certainly more tech savvy, but because they use it more? Or is it kind of the third-party consultants that are working inside a bank? Do they create more vulnerabilities?
Based on statistics that we know of, anyway, new employees are the number one weakness for falling for a social engineering attack. The reason why is that they don’t want to do anything to disrupt the culture of their brand-new employer. They don’t necessarily know everyone. They don’t necessarily know if the person sitting next to them is a person of importance or not. May or may not be. They're more likely to both fall for email phishing, vishing, and occasionally face-to-face social engineering attacks, just from the perspective of not understanding the culture, not being completely versed to all of the policies. And also just wanting to please everyone. As a new employee, you want to be a pleaser. You want to come across as positive and liked and all those good things. From that perspective, new employees are the number one threat. After that, it's third-party service providers. It might not necessarily be your auditor that's coming in once a year, but think about all the other vendors that are engaged to do business with the financial institution. It's not necessarily just IT vendors, either.
That's the other issue that we run across is that so many organizations want to focus on all of the vendors that they use to outsource IT to. It might be a data center, but it could also be a payroll company. Payroll companies have access to a lot of information. Let's not forget about the sensitive information of our own employees. It's not just our customers, but also our employees. So, we need to be cognizant to that as well. New employees and third-party service providers are the top two most likely to fall for a social engineering attack. The way that someone outside the organization would find out that there's new employees that have been hired on? Dumpster diving. There might be some onboarding information that got in the trash and shouldn't have been. You can kind of start to see how all of these different types of social engineering attacks work together to build that bigger dossier of information for a larger type of attack. I think it's important for all employers of all sizes to have some form of consistent and periodic information security training. If those employers are providing that training, then it is appropriate to test those employees. And when we do social engineering testing, we have to be very clear, because we are not testing to identify the bad eggs within the employee group. That is not the point. Social engineering testing, or any types of test on information security, is designed to identify weaknesses in the culture, in the policies, the procedures that are performed. The employees are just the vessels by which those items are implemented and executed.
Email phishing tests. Those are an easy one, fairly expensive for an organization. They can even be done internally by the organization. Spending $25 on a domain name, a website domain name that looks similar to a financial institution’s actual domain name and then setting up a fake website. An example of a good fake website to use in an email phishing campaign would be from HR, or if there's some type of HR function. Send out an email to a group of employees that says, good afternoon. We have just implemented a new human resource information system, and we want to make sure that all of our vacation accrual balances are up to date. Why would we choose vacation accrual balances? Well, because it's something that is impactful to the employee as an individual. They want to make sure they get their vacation time.
That email phish is going to go out with a link to that fake website, and what we're trying to see is if those employees actually click that link and then, do they actually go to that website and enter in their user name and password that we've requested so they can get to that fake website. Well, they're doing it in the hopes that they can make sure their vacation accrual’s correct. We just want to see if they're following policy. And again, if they fail, and nine times out of 10, they do fail, it's not a poor reflection on that individual unless they fail that same test 15 times. It's more a reflection on the level of effort and quality of the information security training that management has provided to those employees.
Now, I assume that you guys at CBIZ MHM have engagements where you’ll do training, testing there, too, if that's called for?
Yes, absolutely. From the training perspective, we actually partner with a company in Minneapolis named InteProIQ. They do a lot of online information security training for organizations of all sizes. Then, we come in and test how employees react after having that training. Sometimes, it's valuable to do a test before the training and after so that you can then compare to see if there's been improvement in the employee base in terms of how they handled those types of attacks, breach efforts. Then, kind of the third leg of that is cyber security insurance. CBIZ Property and Casualty does provide cyber security insurance, and that's also a key component. If an organization performs social engineering testing and jumps through other certain hoops, many times, they can get a discount on their cyber security insurance if they've demonstrated that they have gone through tests of controls and that they have validation that controls work.
Why don’t we wrap it up? What's your favorite dumpster diving story? Where you were in a dumpster and you're thinking, what the heck have I done with my career? What am I doing in a dumpster?
Well, Kelly, honestly, our CBIZ office here in Kansas City has about 400 people that work in our office space. In our financial service division where I am, there's about 150 to 200 people, so, I think that just to kind of give scope to the workplace. Now, most of the people on our financial services division are traditional audit and traditional tax CPAs. I am not, obviously. From this phone conversation, you've learned that. However, when we talk to our internal management about some of the services we offer and we mention dumpster diving, we just get these cold, blank stares, because they're wondering how in the world is a CPA firm paying us to go out and get in our clients’ dumpsters? And do our clients actually value that? Well, they absolutely do, and the reason why is because we're in harm’s way, Kelly.
We've found ourselves in large dumpsters that, come to find out, are actually big trash compactors. And then once we learn that, we do everything we can to scramble out of that dumpster as quickly as possible. We've been in that situation before. Fortunately, those trash compactors have not turned on, but those are the types of stories and little details that sometimes we don’t tell management about. Another dumpster diving story that we've kind of run across is that in speaking with local law enforcement, they actually encourage us to carry handguns, because some of the different areas, not just Kansas City, but all across the country that we do this work, they're not in the best areas. And we're also doing it late at night. Do we carry handguns? Absolutely not.
Well, you haven’t seen any dead bodies in the dumpster, have you?
No. We have not seen any dead bodies in the dumpster. We found some deer parts during hunting season.
All right. That's just, that's terrific. I really appreciate your time on this. How can people get ahold of you? CBIZ has got, I don't know, 1,000 offices, I can't remember the number, all over the country. Are they best just to contact one of the local offices and then they get directed to you? Or do you want them to call you?
You know, it's best if they just call me directly, because our Kansas City office is the primary location for this particular type of service. My direct number is (816) 945-5512, and I can certainly be reached by email. My CBIZ email address is my first initial K, and my full last name spelled out, Konopasek, which is K-O-N-O-P-A-S-E-K at CBIZ.com
That's excellent. All right, Kyle. You're the man. I really enjoyed it. Thank you for your time.
Kelly, thank you very much.
We want to thank you for listening to the syndicated audio program bankbosun.com. The audio content is produced and syndicated by Seth Green, Market Domination with the help of Kevin Boyle. Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin. If you like this program, please tell us. If you don’t, please tell us how we can improve it. Now, some disclaimers. Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, lender, or supplier.
Two horses were carrying two loads. The front horse went well, but the rear horse was lazy. The men began to pile the rear horse's load on the front horse. When they had transferred it all, the rear horse found it easygoing and he said to the front horse, "Toil and sweat. The more you try, the more you have to suffer." When they reached the tavern, the owner said, "Why should I feed two horses when one horse carries all? I'd better give the one all the food it wants and cut the throat of the other." And so he did.
Fables - Leo Tolstoy.
Kelly Coughlin is CEO of BankBosun, a management consulting firm, helping banks C-level officers, navigate risk, and discover reward. He's the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyd's Bank, and Merrill Lynch. On the podcast, Kelly interviews key executives in the banking ecosystem; provides banks' C-Suite officers, risk management, technology, and investment ideas, and solutions to help them navigate risks and discover reward. Now your host, Kelly Coughlin.
Good morning, everybody. This is Kelly Coughlin, CEO of BankBosun. Helping bank C-Suite executives navigate risk and discover reward. Competing for and retaining high quality executive and senior management talent, requires a combination of a good fit between a company and the people in the following three areas. I call them the Three C's: Culture, Capabilities, and Compensation. Today is related to compensation.
Certainly, base cash salary, cash incentive compensations are the easy components. When you get into additional forms of compensation that begin to address the unique needs of both the company and the individual - and these needs could be tax planning from both the employer and employee perspective; cash management - again, from both perspectives in terms of cash disbursement needs and cash receipt needs, and long-term legacy and estate needs. You begin to get into a more complex world that requires the expertise of professionals to help create structure and implement suitable plans.
Frequently, these are referred to as non-qualified benefit plans and they address the needs of both the employers and the employees. In the previous podcast, I interviewed David Shoemaker, President of Equias Alliance, who talked about how banks can create non-qualified benefit plans to help the bank recruit and retain executives. And then they fund these plans with bank-owned life insurance. Today I'm going to interview Greg Ochalek. Greg is the National Director of Non-qualified Benefits Consulting at CBIZ Retirement Plan Services. He has over 25 years of experience in the consulting expertise with Fortune 1000 companies.
The mission of CBIZ is to help the clients prosper by providing them with the professional business and individual services, products, and solutions to better manage their finances and employees. And to accomplish this, CBIZ has three operating practice groups. One of which is employee services and that's where Greg operates out of. Greg has got a degree in economics. He used to work at Arthur Andersen. I'm going to let Greg pick it up from there. Greg, are you on the line?
Yes I am, Kelly. Good morning.
You're up in Cleveland. How's the weather today?
Well, that's another story. We're having some big storms up here, but it's pretty typical being this close to Lake Erie. Getting all that lake effect weather. We've actually had some huge car pileups on our shore way and that's something we're dealing with now.
Greg, anything else you want to add to the short bio I presented there?
Sure. To correct it, I've been specializing in non-qualified executive benefits for over 25 years. I got my start and training at Arthur Andersen in their Los Angeles office, when I was asked to be a member of the Charter Executive Financial Planning team. Part of the Executive Financial Planning led me into dealing with the non-qualified benefits that were made available to the executive group. It was during that time at Arthur Andersen that I really started to focus on it and actually became the west coast specialist for Arthur Andersen for a number of years while I was there.
We helped clients in the design of non-qualified plans. We consulted with them on accounting issues, tax issues. We helped our clients in analyzing different funding strategies to consider what would be best for a particular company. The administration of non-qualified plans is a lot different than administration for qualified plans, so we had to become familiar with the different types of administrators who are in the marketplace, so that we could recommend the best type of administration for our clients based on their need.
For the past few years I've been working with CBIZ for two years, as an outside resource to them for their plan and for plans of their clients. It was just in April of this year that I was asked to come inside of CBIZ, be part of the team and I accepted the position as National Director of their Non-Qualified Benefits Consulting firms. That's where I am today and it's been a lot of fun.
Great. Well, let's get right into it here. Is there a typical company profile, bank profile, that you think they should begin to look at some sort of non-qualified benefit plan? Is there a profile based on assets, or business lines, or revenue size? Is there anything that strikes you as being kind of a trigger point that a bank would look at?
I think it's a very good question. The answer really is, that a bank is still a corporation or a business that has similar needs as companies in other industries. As it applies to non-qualified benefit plans, specifically volunteering deferral plans and supplemental executive retirement plans, banks really are not any different than other companies and other industries. These types of plans are really suited for mostly public companies or at least companies that are for-profit companies, that are paying taxes, because the benefits of the non-qualified plans really is heavily weighted for tax benefits.
If you're a company that's not paying taxes, then a lot of these qualified plans may not be as suitable for those types of companies. We like to deal with banks and companies that have at least ten to 15 highly compensated or management people that would be considered participants for the plan.
Okay. Why public companies?
Because public companies are owned by a wide variety of shareholders. The corporation really is an entity that stands on its own. When you have companies that are privately owned, you may have only one or two owners of those companies and a lot of times, those companies are set up as pass-through entities so, all the tax benefits, the deferred tax savings, would end up flowing into individual tax returns. And it's a heavier burden for companies that are private, that are owned by a few people, to carry those deferred tax savings over a period of time. As opposed to a corporation that have a long life ahead and can carry the burden of deferring their tax savings.
Okay. So I'm going to summarize what I heard you say. No, there's no typical bank in terms of assets, business revenues, but ideally, profitable. Ideally, it's not a sub S bank, but a C corporation that's held by more than the executive management of the company.
Yeah, that's correct. Let me clarify one point on non-qualified plans. That is that when a non-qualified plan is put together and participants are deferring dollars into the plan, or if the company is promising to pay a benefit in the future, that benefit or those monies that are being deferred, are not taxed currently to the planned participant. At the same time, the company does not get a tax deduction like it does with a qualified plan.
An example is, a 401(k) plan, people can defer money into it but the company gets a tax deduction in the current year. In a non-qualified plan, the company does not get that tax deduction, it defers that tax savings into the future and that's what I was referring to.
What is your business model there at CBIZ? What's your business process? How does it work?
Well, first of all, I'd like to discuss the events that would trigger a reason why people would create these plans for their bank and for their company. That usually is when you have a company or a bank that you may be losing some of your key people to your competitors, or if you are going to be increasing your executive talent internally and you're trying to attract key talent into your company. These types of plans are very good for doing that because there are benefits that could help them personally, financially. It's just a way of helping them manage their compensation to benefit their families and them personally.
Also, there are companies that have discrimination testing issues with their qualified plan. Where a plan participant may not be able to put in the full amount into the qualified plans because of the discrimination testing issues, or you may have executives that are putting the maximum they can into their 401(k) plans and they have other dollars that they'd like to put away on a deferred basis. It's these reasons that are the main triggers for putting these plans in.
Now, when companies identify these events and are looking for solutions, that's when we can step in and help them. The way that we're set up as a company and what our platform is, is that we really try to have an unbiased approach to designing these plans and recommending things for our clients. We have what we call an open architecture platform. The open architecture performs on two levels. The first level is with the plan administrator of the non-qualified plan. We have eight, nine, maybe ten different administrators that we work with across the country.
Now, each of those administrators have designed their platforms for certain markets. Depending on the size of the bank; where it is in the country; what it's trying to achieve, one administrator might be better than another. We actually help our clients select a plan administrator and going through an interviewing process to determine which would be the best plan administrator.
In the interest of full disclosure, the company I do work with, Equias Alliance, could potentially be one of those administrators.
Yes, absolutely. Especially in certain areas more than others. Equias has a great reputation in the BOLI market and accessing those types of investing products. We would work with Equias for those types of situations. Part of our platform is to help banks and companies go through an investment analysis, so that they would have the information, be able to make a decision on whether they should even fund these plans at all. Some companies have these plans and they go unfunded. Most companies will actually fund the plans, but they have to make a decision what they're going to fund using managed funds or using a tax advantaged vehicle like a bank owned, or a corporate owned life insurance policy to provide benefits for the company or the bank.
We help them with that process. And with that process there's various insurance companies that provide these types of polices or managed investments. We're very agnostic as to which company they use, but we have access to all of them and can help a bank or a company decide which of those products may be the best to help fund in on a qualified plan.
Right. To summarize that, you helped the company fine-tune their needs requirements and then secondly, you helped them fulfill that need with - you say you're agnostic, but you have your open architecture, that is limited to high quality providers. You don’t open it to everybody, but you've done some due diligence and vetting of the providers that you will recommend to fulfill that need. Correct?
Yeah, that's absolutely correct. But I also want to just make a point that before we do those two things, is that we do a lot of consulting in the design of plan with the different features that are available, so that the planned design meets the objectives of the company. This whole thing starts with clarifying: What is the company trying to accomplish? Who are they trying to attract? Who are they trying to retain… or other objectives that the company may have by offering these benefits to their select group of management or highly compensated people? So that's where it starts. Then part of the process is the administration and then part of it is the funding and security, and that's what we had just talked about.
Right. If I use the metaphor of building a house. You help them design the blueprint for the house, the architectural part of it, so you're like, what do you need? You want granite counter-tops, do you want this type of wood? Windows? You help them on the design and then you create the blueprint based on what they told you they need. Then you get the OK on that, and then you go out and get it fulfilled with subs and that sort of thing. Is that how you look at it?
I've never heard that analogy. It's a good analogy. I like that. I think to understand the power of non-qualified plans, why they attract key talent and attain key talent – and that goes all the way back to the beginning of studying non-qualified plans and how they work within corporations or banks.
Greg, why don’t you talk for just a couple minutes about the difference between corporate owned life insurance and bank owned life insurance.
There's a funding vehicle the banks use called bank owned life insurance or BOLI. I think that it's fair to define really what BOLI is and I think there's a couple definitions. You've got bank owned life insurance that most banks are very familiar with, that they use to fund a wide variety of employee benefits. The bank owned life insurance by OCC regulations, they really have to be put in place to help the bank finance these benefits. You're really talking about benefits that would include post-retirement benefits, perhaps financial planning, maybe legal benefits, disability, other group benefits.
The typical BOLI type of product that banks are familiar with, they'll invest in that type of a product in addition to other things in their investment portfolio, to help pay for those benefits. They usually purchase it in single blocks of premium and it's designed as a modified endowment contract, which is a variation of a life insurance contract according to the Internal Revenue Regulations on Life Insurance. But then there is a different type of BOLI that is sometimes referred to as COLI, which stands for Corporate Owned Life Insurance, which is designed differently and would be more specific of a funding vehicle for the types of plans I discussed today.
Those are actually non-modified endowment contracts and the banks would be funding those with deferrals that they're getting from executives, or money that's coming from their operations that they're contributing to individual executives. Those premium payments into that type of a funding vehicle are paid on an annual basis. And the tax advantages are different between a modified endowment contract or what something would be referred to as a MEC compared to a non-MEC. In most of the work that we do to fund non-qualified plans, we use the non-MEC approach.
Part of our business is working with companies like Equias to help place the other type of BOLI that I originally discussed, which would be the modified endowment contracts. We work very closely with a company like Equias and yourself, Kelly. But I do want to make the distinction that the funding vehicle for the types of non-qualified plans that I'm talking about and that we've talked about today are different. And it takes a different type of expertise and CBIZ provides that expertise to help companies make the right decision on how to fund these types of plans.
One of my very first clients was a cornerstone client of Arthur Andersen and as the person in charge of all the financial planning for the executives, I had to go in and understand all the non-qualified plans. Then when it came to retire, I got to see the benefits that the non-qualified plans provided for these executives. The one thing that just was startling, that jumped out, was that the participants were the executives that utilized the non-qualified plans to the maximum were actually retiring on incredible sums of money and in this case it was about $1.2 to $1.4 million a year for 15 years. I was struck to see how these non-qualified benefits were able to provide such a large amount of supplemental income in their retirement, in addition to the other benefits that the companies had.
Now, I compared that with those executives that did not participate in the non-qualified plans and those executives were retiring on $240,000 a year for 15 years. So you can see that the huge difference in how the non-qualified benefit plans affected the lives of the executives that took advantage of it. It helped them financially. They were able to help their children buy homes; set up education trusts for their grandchildren. It helped them socially with things that they wanted to do for their community. I saw them be philanthropic to the community and participating, things like their church, museums, other charities that they wanted to participate in.
That's really where I got sold and why I dedicated my whole career to non-qualified plans because of the difference that participating in these plans can affect peoples' lives. It was a good thing to see. That's one of my favorite stories to tell because it's very meaningful. Just another quick story. We had a bank in the Midwest that has been having some of their people being taken away by other banks in the area, just through competition. And this particular bank not only needed to keep their executives, but they were trying to add to them. They came to us, CBIZ, and talked to us about looking at their compensation package and the one thing that we did talk about was to add a non-qualified deferred compensation plan and possibly a supplemental executive retirement plan.
Then we helped them design a plan to keep it within their budgets, but to give their executives a way to defer dollars in addition to the monies that they were putting into the qualified plan. Then we helped promote that plan with their executives, so that they knew that their company was concerned about them personally and not just professionally. And then there was a group of people that they really wanted to keep around, so we created a plan through a supplemental executive retirement approach. That really was a way to put golden handcuffs on these people, so the bank had set aside funds into an account. The account could be managed by the executive. The executive could go online and see the value of that account.
But then that account would vest at certain points in their career. They saw that if they stayed with a bank, that they had this huge benefit that was waiting for them. If they left the bank, they would leave it on the table and have to walk away from it.
That's great. You've been doing this a long time. You must like your job. What is it about your job that you like? Why do you like it? What gets you up in the morning? What makes you smile when you work?
Well, Kelly, I am very fortunate that I am able to deal with different types of companies and different industries, different sizes. I get to work with some incredibly talented people that are clients. I work with people in the C-Suite. Get a chance to observe CEOs to see how their minds work and how they take a look at these things. The CFOs who look at the economics of these plans, to be able to wrap their minds around it very quickly. That's fascinating to me. I've worked with some creative human resource people that really see the benefits of these plans. And that's all stimulating as far as working with all these people and learning about different industries and different companies.
I think that even beyond that, when I see executives that have worked in their career and are getting ready to unwind, and take things a little bit slower, the benefits that these non-qualified plans provide to them and their families really takes them up a notch or two, as to where they are and what they can do with their families and retirement. And that's just very satisfying for me. Those are the reasons why this has just been a lot of fun for 25 years.
That's true. I like to hear people who like their job. How do people get a hold of you? I know that CBIZ has over 100 offices and 4,400 associates or so. If a company wants to explore this, should they talk to one of these associates or offices, or can they just get on the phone and call you?
Probably the best thing to do would be to contact me directly. We have offices all around the country. I actually travel quite a bit to our clients. My email is GOCHALEK @CBIZ, which is C-B-I-Z.com. My direct line is area code (440) 591-8581.
Okay, that's great. We'll post up your notes, so listeners can access that and get the written form of that as well. I want to finish with either one of your favorite quotes, or sayings, or a funny thing you've done in your career to add some levity to a very exciting interview on non-qualified plans.
In light of the political season we just went through, I think the first thing that comes to my mind is that, “We're here to help your bank be great again.”
Oh, good one. All right, we'll leave it at that. Thanks for your time, Greg. I appreciate it. We'll be in touch soon.
Thanks, Kelly. It's been a pleasure. Thank you very much.
We want to thank you for listening to this syndicated audio program, BankBosun.com. The audio content is produced and syndicated by Seth Greene, market domination with the help of Kevin Boyle. Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin. If you like this program, please tell us. If you don’t, please tell us how we can improve it. Now, some disclaimers. Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, vendor, or supplier.
Kelly: My next guest lives in a town that was originally called "Mudsock" in Indiana because people would get off the train, step in a watery mess, and end up with a mud-covered sock.
Greetings! This is Kelly Coughlin.
Voiceover: Kelly Coughlin is CEO of BankBosun, a management consulting firm helping bank C-Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. On the podcast, Kelly interviews key executives in the banking ecosystem to provide bank C-Suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover rewards. And now, your host, Kelly Coughlin.
Kelly: Greetings, this is Kelly Coughlin. I'm the CEO of BankBosun and program host. Today, I'm going to interview Todd Andritsch, a very smart and successful former bank executive, who’s working in the bank-owned life insurance and nonqualified benefit plans industry. He's a board member and principal at Equias Alliance.
Todd brings over 12 years of experience in designing customized benefit and BOLI programs. His prior experience includes 17 years in the banking industry. He earned his undergraduate degree from Drake University. And an MBA from DePaul University. I think that means he lived in Des Moines and Chicago. Todd lives in Fishers, Indiana, which is, I believe, a suburb of Indianapolis, Indiana.
We're going to start out with "Let's Play Fishers, Indiana Trivia". I haven't rehearsed these with Todd, so I'm going to throw him a couple curveballs. Todd, are you on the line there?
Todd: I'm here and ready.
Kelly: Now, you can confirm we did not rehearse this, correct?
Todd: Absolutely. I'm interested here what you come up with them and see what these questions are.
Kelly: Okay. What was the previous name of Fishers?
Todd: Could be one of two answers. I think the real answer is Fishers Switch, which was named after the switching station in Fishers at the train line. But it's also known as Mudsocks. It's one of the areas because the horses in the area had mudlines about a foot up their feet because it was just muddy and is known as the Mudsocks area. So I'm not sure what answer, but those are two common answers.
Kelly: Fishers Switch is what I had in mind. Okay, here's question number 2. What do you Todd think the population of Fishers was in 1963, about 50 years ago?
Todd: Since the first neighborhood had not been platted in any, at all Fishers, it was all country, I would say less than probably 500.
Kelly: Good one. It was 350.
Todd: The neighborhood that I live in was the first platted neighborhood and that was platted in 1970 so you were well before that.
Kelly: That's great. Now it’s 65,000. That's a pretty affluent suburb, isn't it?
Todd: I don't know about affluent, but it's been rated as one of the best places to live in the country by numerous organizations over the years just based on income levels, affordable housing, high quality education, education levels…. So it's a good place to live and raise a family.
Kelly: Yeah, that's great. So I covered little bit on your education. Do you want to pick up your business background a little bit and maybe talk about some family, living, married, number of kids, that kind of stuff.
Todd: Sure. Yeah, well you mentioned 17 years in banking in Chicago on the commercial lending side, both as a business development person as well as a manager of commercial lending unit and then went to actually work for a company, that was a friend of mine was their lead banker called Clark Consulting. So that kind of got me into the industry and that Clark Consulting was also based in Barrington, Illinois, which is where I lived at that time. So I was familiar with the company. Just made a change and got out of banking. For number of reasons it was a good move for me. Five kids today and been raising them here in Fishers and ages range from 22 down to about 10. So it’s kind of spread across age ranges there.
Kelly: Yeah that’s great. So that's how you went from banking directly into Clark, which was in the BOLI business, correct?
Todd: Correct. It was almost a predecessor company to Equias Alliance now. BOLI, nonqualified benefit plans, so always working with banks across the country. My emphasis was really in the Midwest; Midwestern banks and just developing relationships with those banks and bankers and trying to help them achieve their objectives.
Kelly: Alright. That's great. Now one thing we did talk about is kind of getting into the difference between general account, separate account, and hybrid portfolios. There was a conference that you and I were at and you gave a brief talk on the hybrid portfolio and I was kind of focusing more on just the general account and you said to me, “Well, Kelly, you’ve got to keep your eyes open, because the hybrid is something to look out for.” So I’m wondering if you could just talk for a couple of minutes on what’s the general account portfolio; what’s separate account portfolio; but then give a little more attention to the uniqueness of the hybrid portfolio. Some of the features of it, and some of the benefits, and in which markets they are most beneficial and which markets they're not so attractive.
Todd: Sure. As you mentioned, there’s three different general types of bank owned life insurance. I think of it as a three-column chart. On the left side of the chart is the oldest type of product, the General Account Product. The General Account Product means that you’re an unsecured creditor of the insurance carrier when you give them the bank’s money. In return, you get some basic guarantees. The guarantees include, a guaranteed minimum interest rate, interest default protection and no mark-to-market asset which is a book value guarantee by the carrier. General Account is simple, safe and weighted 100% from risk based capital purposes. But the down side is that you’re an unsecured creditor of that carrier, so the carrier’s credit rating and financial strength is very important. That was the left chart on the column, now let’s describe the right chart of that column. It’s a BOLI product known as Variable Separate Account. Variable Separate Account is typically a bigger bank product and as such is more complex than the other products. The reason it’s a “bigger bank” product, and I’m putting that in quotes “bigger bank” and that has some variants in it, there’s no set hard line as to what “bigger bank” means. But it’s a bigger bank product because the minimum purchase amounts are typically much larger, as well as the complexity of the product.
It’s a literal security, so that product is a security, it’s covered by securities law, in addition to insurance laws. So, you end up getting into much more documentation and complexity, as I said. It can be a good product for bigger banks, but you also have to have a staff that’s willing to and capable of administering it. So, just having more moving parts makes it more complex.
Kelly: So, with that in mind, what are some of the advantages of the separate accounts?
Todd: Well the advantages of Variable Separate Accounts, include separate asset protection, which is off the carrier’s balance sheet and often time lower expenses due to the bigger dollar amounts. There’s also possibly a lower risk based capital rating. These products are more flexible, allowing the bank to change investment philosophies over time, but there’s no guarantees. And again, it’s much more complex than the other forms.
Kelly: When you use the term a big bank product what do you mean by that…a big bank product?
Todd: Well, that's a good question. And I would put it not to necessarily on asset size but more of a complexity of the institution. But typically, I don't see that variable separate account product in a bank that’s less than billion and a half to two billion dollars. At that point, they're typically getting enough accounting staff and financial management staff to monitor and manage that type of asset. So, that's a general rule but it's really based more on complexity in institution than it is on size of institution.
Kelly: And now the Hybrid Account, how does that fit into this chart?
Todd: So far, what we’ve described is the left and the right columns of that chart. Those two columns. But what’s left is the combination of the two in the middle, which is the hybrid. Which makes sense, a hybrid between the General Account and the Variable Separate Account. This product is called a Hybrid Separate Account, thus the hybrid name. It’s what falls between the two and brings the best of both of those other products to the middle and together. What it does is it brings the simplicity and guarantees of the General Account from the left-hand product into the hybrid, which includes the guarantees such as the guaranteed minimum crediting rate, investment default protection and book value guarantees and it is 100% risk rated. But, the hybrid also has many and most of the advantages of the Variable Separate Account in this middle column on the chart and that’s the separate asset protection and much of the flexibility to investment philosophies and changes in investments over time.
The advantages here are you are getting the guarantees of the general account, you're getting the much of the flexibility and the separate account collateral effectively…it’s not collateral but it’s effectively what it is, backing you up from the separate account side. And you do get the opportunity to move between funds and pick the right fund and investment management philosophy to fit the bank's balance sheet needs over time. But as I said, it’s because of the guarantees from the carrier backing it up it still is a 100% risk weighted. But it does provide much more flexibility with the simplicity like a general account.
Kelly: And who assumes the balance sheet risk on those assets?
Todd: It’s part of the carrier’s guarantees and part of what they’re bringing similar to the general account. If market interest rates change, which obviously we continue to see quite a bit in the market and the interest rates are a big deal today and will continue to be. But if rates rise, what happens to value of those bonds on that carrier’s balance sheet? Well they’ll decline a bit. But that’s not the bank's issue. The guaranteed book value that the carrier is guaranteeing, that investment risk in that mark to market risk, is the carrier's risk, not the individual bank owner of this hybrid separate account BOLI policy.
Kelly: From what I’m hearing from you, there are advantages in the general account, and there are advantages for big banks in the separate account. So this is kind of right in between there. Is that what I'm hearing you say?
Todd: Yes, it’s bringing advantages on both sides into the middle in that chart description I had before. A typical hybrid will have at least two, maybe three or four, different investment philosophies you can choose from and again you can have that flex with the needs of the bank’s balance sheet over time. Do you want only a government fund, where you want absolute credit protection and have a very conservative portfolio or would you rather get more aggressive and move into more of a Lehman aggregate type of approach; or even further maybe even a small equity upside within that BOLI portfolio. All of those are available within hybrid type of products. It just depends on what you are trying to look for in terms of your risk profile and appetite on the bank’s balance sheet, and you got the opportunity to move in and out of those over time.
Kelly: Okay. Well, there must be a cost of having that kind of flexibility. Would it be safe in assuming that the expense ratios are a little higher in the hybrid vs. the general account?
Todd: In general, they are very similar. There is a cost difference between the hybrid and the general account. One of the major differences is the carriers have to have some type of payment to the other general account that’s the best way to put it up to pay for the guarantee they’re providing to the hybrid fund. And often times, it’s about a 10 basis point cost. There’s a couple of carriers actually have it literally at 10 basis point. But that's the payment from that hybrid account to the actual carrier for those guarantees backing it up. But really the yield differences over time are more driven by less the costs there than it is kind of what the market rates are; and what’s being invested in; and where new money is flowing in. It’s driving more kind of the yields that are obtained. But the cost of insurance, cost of investment management, really there's no difference there at all between those different types of funds.
Kelly: Aren't the underlying assets or securities that the insurance investment team invest in...aren’t they going to be pretty much the same?
Todd: Pretty much. All the funds are going to be bank eligible BOLI assets because they’re investing for banks in this bank-owned life insurance policies. They're very much similar. But does the general account products necessarily have as much governments in it? In dollar amount it might, but the hybrid fund could have a government only fund, where that’s all that the banks want to be and that’s a very conservative government fund. So it could have a particular fund may have a higher emphasis on one thing or another, depending on what the investment objectives are of that fund. And therefore, that’s why it fits the balance sheet and the risk management profile of the bank depending on what the needs are over time in the hybrid a little bit differently and you could just match that a little bit closer to what the bank’s needs are. If your investment portfolio really doesn’t have much governments, but you want to have that in the BOLI fund, you can manage the risk profile, the bank's balance sheet overall differently and use that as a piece of the puzzle.
Kelly: What's going on now in the market? Is hybrid an attractive alternative now? Is general account where all the money's going or is hybrid still an attractive investment for banks these days?
Todd: It’s a good question. And the answer to that really depends on market timing and kind of when you're looking. Today, you're right, there’s really, in the last year there’s been very little variable separate account, the big bank products as I described it earlier, really kind of new purchases being done.
General account has been getting a majority of new business, about twice that of the hybrid separate accounts today. And that’s really just based on yield. As the hybrid separate accounts are smaller portfolios, new money going in is being bought at new money rates. So there isn’t as much as a block of an existing insurance and cash value out there to kind of leverage off of older investments as there is in general account.
So general account as of June of 2016 had almost $70 billion in cash value and to put that in perspective in terms of the hybrid separate account, there’s about $17 billion as of the end of June in hybrid separate accounts. So new money going in is going to dilute an existing portfolio less in a larger portfolio, which is the general account.
So, the bulk of the growth has been in general accounts over the last year or two, but there still is a good amount of money going into the hybrid separate accounts and really the reasons that I went through before: collateral protection, diversification, and diversifying carriers as well as product types is still putting a lot of money into hybrid separate account.
As a rate environment changes and long term rates increase, I think you’ll see that flip back to what it was a couple of years ago and probably more going into hybrid separate account than into general account. I think it’s just an issue of what the rate environment is doing right now and kind of where most money is going today. But I think that will change with new money rates over time.
Kelly: Okay. You had mentioned early on in the podcast that separate accounts tended to be kind of big bank product. Is there a certain type of bank profile that you think is appropriate for the hybrid or is it mainly the internal culture of the bank and the appetite for control that you think influences that?
Todd: Yeah, I'm not sure it’s an asset size, or charter type or anything like that...that's going to dictate a hybrid separate account purchase versus another type. I think it’s going to get to what are yields, that credit protection or lack thereof, offset by an enhanced yield. I think it’s going to get to that risk reward trade-off that bankers are used to making every single day as banks aren’t in the risk avoidance business; they’re in a risk mitigation business.
Are we taking on a risk and are we getting paid for it? That’s a risk mitigation business in trying to figure out how to get their money back in a safe and sound way. That's the same thing in BOLI. There is advantages and disadvantages to the different structures, having assets backing you up and having flexibility on a product with carrier guarantees is better than not having those things. But what is the return trade off?
In today's environment, as I mentioned many banks are saying that return trade off isn't worthwhile. I’m better off going with general account and giving up some of those additional protections. But as rates rise, I think we'll start seeing a different mix in the market. So it's about whether those things are helping mitigate risks internally. Is flexibility good and important? Is the asset protection backing up off-balance sheet of that carrier important? Those things, if the answer to those is yes, hybrid product is absolutely the way to go and depending on market timing, it’s going to be a little below, at, or higher than that general account equivalent.
Kelly: Great. Based on your background, you are at your core primarily a banker and secondarily you are an insurance guy. When you look at BOLI, do you think banks allocate assets to BOLI for investment reasons or insurance reasons? Or some look at it as it’s a loan to insurance company. What's your perspective on that and when you work with a bank, do you emphasize one or the other, or do you stick with…it’s an insurance product?
Todd: Banks are allowed to own or have an assignment of life insurance for three reasons and three reasons only: First is key man coverage on key officers and executives and that’s a temporary need. The executive or the officer leaves the bank, you have to get rid of the policy.
Second is an assignment of a policy for a loan. Got a loan; it doesn’t have enough collateral, not good enough, something's going to happen when you're relying on the individual in terms of repayment you're going to have an assignment, a policy pays off or it moves to another bank, you let go of that assignment.
The third and only other reason that a bank can own or hold a life insurance policy is to offset and recover benefit liabilities it’s all per the regulators. So what banks do is they buy life insurance on a group of executives or directors. The enhanced yields on those policies that's available is really recovering existing benefit expense. It could be pension costs. It could be 401(k) match. It could be health care costs. It could be other nonqualified type plans. It’s for recovering those benefit liabilities and expense.
So while we're talking about some investment aspects here, the reason their bank buys is to offset and recover those benefit liabilities. That is the business purpose. That’s why it’s there. And it’s the only, effectively permanent need. If you and I are both insured at a bank and we leave, our seats and positions are replaced by somebody else. Those benefit expenses continue. So that’s the only effectively permanent need that the bank has and reason to keep that life insurance on the book is to support those benefit liabilities.
And that's really what it revolves around with these banks and again it’s a risk mitigation tool. Benefit expenses are rising. Banks want to keep key employees and have benefit programs that do that. So in order to do that they have to pay for it. One way to mitigate those expenses and keep them down is to have bank-owned life insurance on the books to help pay for those things, because the only difference between Bank A and Bank B isn’t the color of their green money. It’s no different. The difference is the people and how they’re serving their clients. There’s obviously other marketing differences. But it really gets down to the people. Keeping, attracting, retaining, rewarding your key people is important. So then how do you pay for those programs? Bank-owned life insurance is a way to help support those. Because they’re really the only permanent need, and the reason you can own it is to offset and recover those benefit liabilities.
Kelly: You seem pretty passionate about this business. Was that your reason to get into it, to help these banks better compete?
Todd: Yeah, that's the tool. My motivation for getting into this business and anything I do, it's just working with people and continue to develop relationships. Having strong relationships with people you like working with, and developing that bond and trust over time. Whether that would have been in my commercial lending days, or today in this arena, it's about helping people achieve their objectives and then building those relationships. So helping someone with their retirement programs and be able to live comfortably in retirement; helping a bank maintain its profitability by keeping key people; growing the institution by adding new people; that all gets down to compensation and keeping people and the way they pay for it. So bank-owned life insurance and nonqualified benefits are just tools to help build and maintain relationships and help the organization have the tools to grow internally and grow itself and that's just the tool I’m bringing to the table that I can help them with.
Kelly: Great. What type of banks should contact you? I know you’ve got a geographical focus clearly in Indiana, what other states do you work? What profile do you look for? Do you want to help banks that have BOLI on the books from other providers, and then you enhance their reporting or servicing? Who do you want to work with? Who should be contacting you?
Todd: Primarily focus: Indiana, Michigan, Ohio, Kentucky, are my core states and I got a couple people helping me with that, that are employed by me but again, building those relationships. But again, size of the bank, the charter type, irrelevant. We work with banks from $30 million in assets to over $15 billion, a wide range. And what we do for those different institutions varies, but really, any and all of the above.
Look, we’d love to help banks that have BOLI right now, maintain those portfolios and become a little more efficient with that, maybe enhance yields slightly, if they’ve got it already. We help with M&A activities in terms of reviewing a target’s nonqualified plans and BOLI portfolio and how it can be rolled into existing client. It could be a bank that’s never had any of the above, but it wants to explore it and understand how to retain a key employee and to grow their business and/or just to become more profitable. Any or all of those, again these are just tools to help banks achieve their objectives.
Each bank's objectives are a little bit different and vary. There is no one size fits all. It’s about getting in and understanding the people, understanding the board, understanding what makes the institution tick, what their objectives are, and then structuring something around that.
Just like bankers know that a loan is not a loan is not a loan. A line of credit is not the same as a term loan is not the same as mortgage. They have different needs. They have different objectives, and different ways to structure to make sure that it achieves their clients' objectives. That's the same thing with BOLI and nonqualified benefit plans. And that’s why we talked about hybrid vs. general account. We can go and structure around the particular needs to help the individual bank regardless of size or geographic location achieve their objectives and to help them drive down that course they want to go on.
Kelly: That's great. Sounds like you like what you do.
Todd: I do. It's fun helping people. And no matter what business you're in, and that's what I do and that's what I enjoy.
Kelly: That's great. All right. Now, I gave you a heads up. I was going to ask you either your favorite quote or the dumbest thing you’ve done or said in your career. And I’ll let you know that your business partner, Glenn, answered the dumbest thing by giving a summary of a presentation he made with his zipper down. So, that was pretty dumb, so you might be able to top that.
Todd: Mine isn’t necessarily what I’ve done in my career, but probably the dumbest thing I ever said was "Sure, I'll go skydiving with you.” As I'm holding on to the strut of the plane thinking, I can hold on to this thing and land, but then letting go and having a whole different type of reaction. So dumbest thing I ever said was "Sure, I'll go skydiving with you". Favorite quote? Yeah, I thought about that one a little bit and yeah, it varies and shifts over time, but I think right now it would probably be a quote from the Bible. Proverbs 27:17. “As iron sharpens iron, so one man sharpens another.” I've been thinking about that one a lot recently and I think it applies to not only our faith but all our personal relationships as well as business.
Kelly: That's a good one. Read it again.
Todd: Proverbs 27:17. “As iron sharpens iron, so one man sharpens another.”
Kelly: That's quite good. I’ve never heard that. Very good.
Todd: As we deal with other people, and challenge each other and question each other. And the more we challenge each other, the sharper we get and the better we get. So, I really like that one.
Kelly: Well, that's all I have, Todd. Is there anything else you want to sign off with or shall we conclude this?
Todd: No, thank you. That was great, appreciate the time.
Kelly: Thank you very much. Keep sharpening your iron. We'll be in touch soon. Thank you.
Voiceover: We want to thank you for listening to the syndicated audio program, BankBosun.com. The audio content is produced and syndicated by Seth Greene, Market Domination, with the help of Kevin Boyle.
Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. The voice introduction is me, Karim Kronfli. The program is hosted by Kelly Coughlin.
If you like this program, please tell us. If you don’t, please tell us how we can improve it. And now, some disclaimers.
Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way represent the views of any other agent, principal, employer, employee, vendor or supplier.
Kelly: This is Part 2 of my interview with Glenn Blackwood, who was a member of the “Killer Bees”. This wasn’t the much feared Africanized bees, rather it was the equally feared defense of the Miami Dolphins in the early 80s.
Greetings! This is Kelly Coughlin.
Voiceover: Kelly Coughlin is CEO of BankBosun, a management consulting firm helping bank C-Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. On the podcast, Kelly interviews key executives in the banking ecosystem to provide bank C-Suite officers, risk management, technology, and investment ideas and solutions to help them navigate risks and discover rewards. And now, your host, Kelly Coughlin.
Kelly: Hello! This is Kelly Coughlin, CEO of BankBosun and program host. This is the second in a two-part interview series with Glenn Blackwood, a former NFL safety for 10 years with the Miami Dolphins and a current 25-year executive, board member and principal in the bank-owned life insurance industry with Equias Alliance.
In Part 1, I talked with Glenn about some of his experiences in the NFL and how his ability to face competition, sometimes quite fearfully, enabled him to have quite a successful career in the NFL and with the Dolphins and ultimately in business.
Glenn was coached by Don Shula, who instilled two things in his players: competition and integrity. Glenn said that Shula instilled in them the concept that winning wasn’t the only thing but winning with integrity was the only thing. And because of this, Glenn has become a very successful businessman.
I think Lombardi said, “Winning isn’t everything. It’s the only thing.” Well, that might work well on the gridiron but in the boardroom, integrity is equally important and as fierce a competitor as Glenn was and is now; he is equally fierce in his adherence to good business ethics and a high level of integrity.
In Part 2, we will talk about how Glenn works in the bank-owned life insurance business and why he is so successful with his clients and why his clients truly like working with him.
So Glenn, what’s your approach to helping community banks compete and succeed in this environment where risk, regulation and revenue creation can be so challenging?
Glenn: Glad to be visiting with you. So the community bank has a niche that it fills in the ecosystem of banking, and I think the biggest battle with community banks is the regulatory environment they are having to deal with. They don’t have the scale that the big guys have to absorb it and it is a very difficult task for a community bank and this is just listening to all of my clients. And as you mentioned, I’ve worked probably 150 community banks in the southeast. And I stay in very, very close touch with those banks and it’s a common thing that their biggest battle right now is the regulatory burden that’s on them and the cost that it hits on them on an ongoing basis. And it’s very hard to get return to the shareholders, and I think that’s the biggest challenge they face.
Our goal and the way I’ve looked at it is I want to be an ally to them in helping them be able to be as successful as they can and one of the ways we do that – there are two primary ways.
One is helping them manage benefit expense. That’s the BOLI asset. And then, understanding when you put that on your balance sheet, there’s a lot more that goes into that than just sticking an asset on your balance sheet, which most bankers fully understand because there’s a regulatory issue, an accounting issue, a legal issue, etc.
And the other piece of it is helping them to put in programs that allows them to retain, reward and ultimately retire their key executives. They’re called top hat or deferred compensation SERP plans, things like that. And they’re there for a reason. A lot of people say, “Oh that’s just another perk for these highly paid executives.”
But the reality is, it’s not another perk. It’s getting them to a level playing field due to the restrictions that are imposed upon what’s deemed to be highly compensated, which is anybody making over, basically $120,000. They can’t put enough aside in their retirement plans due to these ERISA and IRS limitations on both social security and qualified plans.
So allowing them to have a meaningful retirement benefit that’s commensurate with what they’re doing for everybody else in the rank and file. One banker called it, it’s good parenting. And then the other piece of it is that you use those programs to retain those executives. Because they’re non-qualified, you can structure the vesting in a way that allows you to say, “Look, if you stay here Mr. or Mrs. Executive until a certain date, then you get this benefit, but if you leave, you leave it behind.”
So now, you’re doing something that’s balancing the playing field for them in benefits, but you’re also hooking them to the bank so that if they walk away, then they’re going to walk away from that benefit then there is economic pain for that. And that usually provides the deterrent for them going to greener pastures.
Kelly: Curious about in a bank-owned life insurance business, you mentioned there’s a lot of moving parts there, and that’s what you liked about it. You’ve got the legal part; you’ve got the accounting part; you got the insurance part; you got the investment part; you got all sorts of components there. But simplifying the message in a sales process has got to be critical to any sort of complex financial sale. What’s your approach to simplifying the sales message? Not trying to be the smartest guy in the room, but trying to be the guy that simplifies the message, because I know you’re good at it. I’ve heard you. I’ve heard you talk, so I know you’re quite good at that.
Glenn: I think the main thing for me is I want to be honest, especially if I’m working with a board. I want to be honest about what I’m laying out for them and I want to, I call it bringing all the skeletons out of the closet. I want to bring all the bones out. I want to lay it out there so they can understand their risk and understand the benefits that come with it as well. And then also understand what does it entail on an ongoing basis with these programs and whether you’re just putting BOLI in or whether you’re putting BOLI and benefits in.
There’s a lot of hair that comes on that stuff and you got to identify what that is and show them how those risks can be managed. I try to condense it down at the end of the day, if I’m speaking with a comp committee or board, what’s the benefit to the bank; what’s the benefit to the executive team and then what are the risks that they’re going to need to address as they put these programs in place.
Understanding that we are going to shepherd them through this process. We’re going to work with their accounting firm. We’re going to work with their legal counsel. We’re going to help them document it all from a regulatory standpoint. Which by the way is very important, the words that I used there “help them,” document it. There’s a lot a people out there that says, “Look, we’ll do all your regulatory documentation for you.” And that’s not a good answer. The good answer is, We’ll “assist you” through that process. We’re good at it. We know what you need to have answered.
But their bank needs to have their fingerprint all over that documentation. The regulators don’t want to know that we know what you did. They want to know that the bank knows what it did. And so, it’s really critical to let them know, we’re going to shepherd them through that process and make sure it’s done in a way that they’re not going to have criticism from their examiners.
And I can tell you that one of the things when you look back at our company, we’ve operated under the endorsement of the American Bankers Association and a number of states banking associations down in – Florida, South Carolina, Virginia, Texas, Tennessee and so on and so forth, California.
But with all of that and part of the reason that we’ve been able to get those endorsements is that we are extremely thorough in what we do from a documentation and expertise standpoint. And I always look back, I had a bank that I was working with and they basically said, “Why should we work with you?”
I looked at this man and I said, “I’m going to give you four numbers and I’m going to tell you here’s why you should work with me.” And I said, “Number one is 26, number two is 150, number three is 99.9 and number four is 46. And here is what those numbers mean.”
I said, “The first one is 26 and that’s the number of years I’ve worked in this industry in the region that you’re in… in the South East; 26 years I’ve worked down here. Number two is 150. That’s the number of banks that I’ve worked with. You don’t work with that number of banks and have done a shoddy job; there’s consistency there. Number three, 99.9; that’s the persistency I’ve had with the clients that I’ve had. We don’t lose clients. We don’t lose them because we’re very good at what we do and we pay attention to details. And then, the least and the last thing, the number 46. That was the number of BOLI consultants that I’ve watched over my 26 years come and go out of this business.
And that’s the reality. That’s not to be a knock on anybody else. It’s just the reality that you look for people that are committed long-term, to being able to not only take care of you but that long-term track record speaks to consistency and the knowledge of the market and knowledge of the product. So that’s kind of what I communicate with our banks. Let you understand what the benefit is to you, what your risks are and what we’re going to do to walk alongside you to make sure we manage those so that you don’t have a headache on an ongoing basis.
And I think our track record speaks for itself and we engage the CPA’s. We engage the attorneys, because we know what we’re doing is valuable and we know that working with them in partnership as advisors to the bank is going to make it a seamless process. So that’s basically what I do.
Kelly: You guys won a few games down in Miami. I did a rough count before this interview. You won about 114 games and lost 58. You were 11 times in the playoffs, and went to the Super Bowl twice. So guys you knew how to win. How did that help you in this business?
Glenn: One of the things that we were talking about earlier and I look back, I think why did you all win a lot down in Miami. And one of the things was that we were prepared. We were very well-prepared for the game. That speaks to our overall organization and primarily Don Shula preparing us. We were very well-prepared for the game. And then once you got past that team-wise, I had to look at it individually and I had to know what my responsibility was in the process.
But for me, I also had to know the responsibilities of others. As I talked about earlier, I had to know about the linebackers and linemen and the cornerbacks were doing and then coordinate all of that. And it’s the same process working with a bank. I’ve got to understand what the challenges are that the accounting firms have in working with their bank clients and the legal counsel; and the CFO having to do the regulatory documentation and the board, making sure they’ve asked all the right questions.
And that’s another thing, we try to ask questions for them. We want to turn over every rock so that they don’t have anything exposed. And then do what you say you’ll do. If you tell somebody you’re going to do something, then do it. And that’s the way our whole operation runs. We’re going to do what we say we’re going to do.
And if we can’t get there because sometimes glitches come up, communicate with the bank immediately, let them know the time frame. And then the last thing, and this was Coach Shula’s mantra, was you operate with integrity.
I remember for almost nine years in a row and we were the least penalized team in the NFL, and we were the least penalized because Coach Shula said, “You don’t just do it. You do it right, and you do it the right way. And winning isn’t the only thing. Winning with integrity is what matters.”
And I believe that’s the same way that we’ve operated as a company and certainly in my operation down here in the Southeast. I’ve always told my kids, “You never go wrong by doing right.” And that’s the way we try and operate.
Kelly: Glenn, what type of bank should contact you? What do you look for? Where is your sweet spot with banks? I know you’ve got a geographic focus down in Florida.
Glenn: Kind of that southeast quadrant... typically, that bank that’s got a regional focus and has some programs in place that either retain or reward their key executives or that they want to make sure that they’re putting BOLI assets on their balance sheet in a way that’s not going to be a headache for them on a go-forward basis.
Kelly: I then asked Glenn, what was the dumbest thing he’s ever done in his business career, recall in Part 1 he talked about his worst play…whiffed on tight end who went in for the score. So I asked him in his business career what was the dumbest thing he’s ever done and we’re going to finish with that.
Glenn: This was kind of stupid. I was doing a board meeting for a bank and I was doing the presentation and it was back on a projector back then because we didn’t have the equipment, the technology we have now. And I had a chair right there, I put my foot up on the chair, and I got finished with the presentation.
I walked out and there was a rest room right to the left and I needed to use the restroom so I went in the rest room. And as I was preparing to go to the rest room, I realized I didn’t have to unzip my zipper and I thought, “Oh my gosh! It must have been down during the whole board presentation.”
And so, the head of the comp. committee came out, which was a lady, a very nice lady, very pleasant, and she said, “Great job on everything! You answered our questions, blah-blah-blah,” and I said, “Nancy, can I ask you a question? Was my zipper down during that presentation?” She said, “The whole embarrassing moment,” but we still got the deal done.
Kelly: Very good job! Well that is terrific! I think with that, we’ll sign off. Glenn, I want to thank you again for your time and I look forward to talking to you again.
Glenn: It is my pleasure. Thank you.
Kelly: Okay. Great.