In late 2019, Bank Director issued its 2020 Bank M&A Survey. The report was largely positive: 44 percent of firms said they “expect to acquire a bank in 2020,” and 68 percent pointed to the potential for cost savings and revenue as driving factors.
Then COVID-19 arrived. Daily routines were thrown into chaos as the world suddenly shifted to remote work — as noted by American Banker, the number of merger and acquisition agreements fell by 70 percent through June 2020 compared with the year before, with some mergers postponed but most canceled outright. According to Fitch Ratings, current conditions speak to both negative sector and ratings outlooks through Q2 2020, making many banks understandably nervous when it comes to aggressive M&A.
But it’s not all bad news. As public health efforts evolve, there’s hope on the horizon for a slow but steady return to work. Even in the best of times, however, this is a complicated and potentially costly process, especially when it comes to IT integration at scale. To help your firm make this financial move as quickly and easily as possible, we’ve created a checklist for M&A that covers three key stages for tech integration: target identification, public announcement and initial systems integration.
First up: Survey a target bank’s existing IT infrastructure.
WATCH: Looking to rein in IT infrastructure costs, especially amid business disruption? Watch this free session to learn how.
Banks Should Start By Assessing Existing Security
Once an acquisition target has been identified, it’s critical to conduct IT due diligence. This starts with a thorough analysis of existing security processes and policies, because lacking controls could put the acquiring bank in harm’s way when it comes to ensuring financial compliance.
Here, it’s critical to assess key security functions, including:
- Perimeter defense. With network perimeters expanding thanks to increasing fintech adoption of both cloud and mobile-first frameworks, acquiring banks must take stock of perimeter defenses. Do target firms have agile and adaptable tools in place to detect, identify and report potential attacks as they occur? Are they hampered by current reliance on legacy solutions that naturally partition key security data?
- Permissions and access. The more users with access to financial information, the less secure it becomes. Acquiring IT teams must examine current access models to determine if they’re excessively permissive and potentially nonsecure.
- Prescriptive response. Security controls tell only half the story: How do target IT teams respond to potential privacy or permissions issues? Here, acquiring banks must assess current incident response plans (if any) to help identify gaps in coverage.
- Persistent protections. From end-to-end encryption to zero-trust models and two-factor authentication, persistent and prevalent protections are essential for effective security. If they’re not present, acquiring firms must be prepared to spend time and money integrating and deploying them at scale to protect new assets.
Analyze Your Bank's IT Management for Improvements
Different doesn’t mean wrong, but it can be problematic. For example, while your firm might leverage in-house expertise to handle emerging security issues and target companies, smaller banks and credit unions may rely on managed IT services that won’t carry over when the merger is complete. As a result, it’s essential for acquiring banks to create a management framework that incorporates new systems and accounts for potential service shortfalls.