In late 2019, Bank Director issued its 2020 Bank M&A Survey. The report was largely positive: 44 percent of firms said they “expect to acquire a bank in 2020,” and 68 percent pointed to the potential for cost savings and revenue as driving factors.
Then COVID-19 arrived. Daily routines were thrown into chaos as the world suddenly shifted to remote work — as noted by American Banker, the number of merger and acquisition agreements fell by 70 percent through June 2020 compared with the year before, with some mergers postponed but most canceled outright. According to Fitch Ratings, current conditions speak to both negative sector and ratings outlooks through Q2 2020, making many banks understandably nervous when it comes to aggressive M&A.
But it’s not all bad news. As public health efforts evolve, there’s hope on the horizon for a slow but steady return to work. Even in the best of times, however, this is a complicated and potentially costly process, especially when it comes to IT integration at scale. To help your firm make this financial move as quickly and easily as possible, we’ve created a checklist for M&A that covers three key stages for tech integration: target identification, public announcement and initial systems integration.
First up: Survey a target bank’s existing IT infrastructure.
WATCH: Looking to rein in IT infrastructure costs, especially amid business disruption? Watch this free session to learn how.
Banks Should Start By Assessing Existing Security
Once an acquisition target has been identified, it’s critical to conduct IT due diligence. This starts with a thorough analysis of existing security processes and policies, because lacking controls could put the acquiring bank in harm’s way when it comes to ensuring financial compliance.
Here, it’s critical to assess key security functions, including:
- Perimeter defense. With network perimeters expanding thanks to increasing fintech adoption of both cloud and mobile-first frameworks, acquiring banks must take stock of perimeter defenses. Do target firms have agile and adaptable tools in place to detect, identify and report potential attacks as they occur? Are they hampered by current reliance on legacy solutions that naturally partition key security data?
- Permissions and access. The more users with access to financial information, the less secure it becomes. Acquiring IT teams must examine current access models to determine if they’re excessively permissive and potentially nonsecure.
- Prescriptive response. Security controls tell only half the story: How do target IT teams respond to potential privacy or permissions issues? Here, acquiring banks must assess current incident response plans (if any) to help identify gaps in coverage.
- Persistent protections. From end-to-end encryption to zero-trust models and two-factor authentication, persistent and prevalent protections are essential for effective security. If they’re not present, acquiring firms must be prepared to spend time and money integrating and deploying them at scale to protect new assets.
Analyze Your Bank's IT Management for Improvements
Different doesn’t mean wrong, but it can be problematic. For example, while your firm might leverage in-house expertise to handle emerging security issues and target companies, smaller banks and credit unions may rely on managed IT services that won’t carry over when the merger is complete. As a result, it’s essential for acquiring banks to create a management framework that incorporates new systems and accounts for potential service shortfalls.
This is especially critical if you’re planning to bring over target IT staff, which is often a good idea owing to their in-depth knowledge of existing systems. These newly acquired employees must clearly understand new reporting structures and role assignments to minimize functional friction.
Get the Right Data to Make Good IT Decisions
When considering an acquisition, IT teams need to conduct a thorough review of existing data-related systems to ensure they acquire all relevant details. This includes the physical location of servers that contain client data, and a complete list of all third-party applications and partners used to store or process this data. It’s also critical to obtain a detailed history of any data compromise, the target company’s response and evidence that issues were effectively remediated.
Put simply, information is power when it comes to systems inventory: More knowledge means less chance of unexpected risk.
Making the most of mergers and achieving positive acquisition outcomes requires a strong security start: By conducting a complete assessment of acquisition targets’ in-house security infrastructure, current IT management and existing data inventory, banks can set the stage for merger success.
This article is part of BizTech's EquITy blog series. Please join the discussion on Twitter by using the #FinanceTech hashtag.