The Polish banking sector is feeling the pressure of rising personnel costs and costs related to IT investments. Burdens are growing while the rate of return on equity declines, thus the consolidation of the sector may accelerate.
The past year has clearly highlighted certain trends which have already been visible for several years. The profitability of banks is clearly falling — the ROE ratio fell to 7.07 per cent — even though the period of the lowest interest rates in history has now lasted over three years, it is increasingly expensive for customers to borrow money, while depositors are offered at ever-lowest interest. While banking services are not exorbitantly expensive, all customers pay high charges for banking services. For many years, Polish banks fought with each other by offering their services for free, but today they are gradually raising their fees.
The consolidation of the industry clearly accelerated in 2017. It’s possible that as a result competition will suffer. Some of the large European players, like Deutsche Bank, UniCredit or Societe Generale, exited the Polish market. At the same time, the two biggest Polish banks are controlled by the state.
“The Polish market is overbanked, which means that there are too many banks while the margins and the return on equity are too low. ROE levels in Europe are starting to exceed those recorded in Poland. Consolidation is a response to this process (…) International institutions have to decide whether they want to be a medium-sized or a small bank, or whether they want to enter the premier league,” says Przemysław Gdański, the CEO of BGŻ BNP Paribas. “Consolidation is not good for the customer. Consolidation forced by such factors will lead to higher prices,” adds Cezary Stypułkowski, the CEO of mBank (owned by Commerzbank).
Why are costs rising?
Let’s put aside the regulatory burdens, such as capital requirements and additional capital surcharges or the fees paid for the security of the system and deposits. These burdens are borne by all banks in Europe. Let’s also leave out specific burdens, such as the bank assets’ tax paid by Polish banks, which generated PLN3.63bn (EUR839m) in tax revenues in 2017. Let’s instead take a look at the sources of the costs which depend on banks, and they ways in which they can be neutralized. Let’s consider the factors which could possibly lead to an explosion in costs incurred by the banks.
After the shock resulting from the cycle of interest rate cuts in 2013-2015, banks quickly became accustomed to the environment of the lowest, albeit stable, interest rates in history. Already in 2017, they achieved a record-high interest income of PLN42.6bn (EUR9.8bn) (i.e. a rise of PLN4.6bn or EUR1.06bn, or 12.1 per cent from the previous year). This was the result of changes introduced in the banks’ deposit-taking and lending policies, as part of which they had lowered the interest rates on deposits and increased their interest rates on loans. It’s worth adding that over the last three years this trend has not been broken, except for small institutions entering the Polish market.
Consequently, in 2017 interest income increased by PLN4.27bn (EUR987m), or 7.9 per cent, while interest expenses decreased by PLN338m (EUR78.1m), or 2.1 per cent. According to the calculations of the Polish Financial Supervision Authority (PFSA), the amount of interest on household deposits paid out by banks in 2017 fell by nearly PLN600m (EUR139m). The interest paid on deposits decreased by more than a half compared to 2013, despite the spectacular increase in the volume of deposits during this period. Due to this policy, the net interest margin rose to 2.44 per cent from 2.29 per cent in 2016, getting close to the 2014 level.
The fee and commission income also rose significantly in 2017 — by almost PLN1.2bn (EUR277.3m), or 9.1 per cent. It exceeded the amount of PLN4.2bn (EUR970.7m) and was better than before the reduction of the interchange fee. The banks raised their fees and commissions in all product categories: granted loans and credits, operation of bank accounts, payment and credit cards, sale of insurance products, management of investment funds and brokerage services.
These activities are supposed to cover the banks’ rising costs, and in particular the costs of employing IT specialists and investing in IT. In 2017, personnel costs in banks grew by over PLN900m (EUR208m), or 5.8 per cent. This was in spite of the fact that banks cut their employment by almost 4.5 thousand people, or 2.6 per cent. There are fewer workers in bank branches, but the number of employees in bank headquarters is increasing. People employed at the headquarters cost the companies much more than those who are made redundant, as a result of the branch network reduction and the digitization of customer services.
In 2017, the IT-related costs rose by PLN188m (EUR43.45m), or 10.5 per cent. And we can already see that this is just the beginning. In total, the increase in employee and IT costs across the entire sector is only slightly lower than the increase in fee and commission income. We can put forth a hypothesis that for the time being the profits that banks derive from digitization are not sufficient to cover the costs of digital transformation.
The effectiveness of projects
The increase in personnel costs and IT costs is also associated with new regulations and public services provided by banks, from which they hope to benefit in the future. Bankers claim that there are some periods — like recent months, among other things, due to the implementation of the General Data Protection Regulation (GDPR) — when all development projects are suspended and the teams working on these tasks focus exclusively on the regulatory projects.
“We have about 1,000 people who deal with product development, and they have recently been working almost exclusively on regulatory issues,” said the deputy CEO of ING BŚK Justyna Kesler. “Some 40 per cent of last year’s projects concerned regulatory matters. This requires time, capabilities, costs and resources,” adds Adam Marciniak, the deputy CEO of PKO BP (Poland’s the largest, state-owned bank).
In addition to regulatory projects, such as the GDPR, in recent months banks have also carried out other tasks required by the state. In July 2018, they implemented the split payment procedure, and before that they also introduced the STIR system, which is supposed to help identify suspicious transactions carried out for the purpose of a VAT fraud. Banks would also like to use the STIR system to ensure their safety and would like to enhance its functionalities.
“We should use the STIR system to combat money laundering or fraud. Such a solution would create value for banks,” believes Piotr Alicki, the President of the National Clearing House. “We perform a lot of activities at the request of the state,” added Mr. Stypułkowski.
Over the past several years banks have also become involved in e-government services and can boast of some success in this area, such as the availability of the “Family 500+” program (child benefits program) via bank accounts. The scale of the success is limited, however, as the development of the digital accessibility of administrative services still has a long way to go. Meanwhile, the Polish state increasingly hopes that banks will cover a significant part of the associated costs.
In 2017, approximately 2 million people set up the Trusted Profile which is one of the solutions that the Polish digital administration prides itself with. The profile can be used, among other things, to submit applications for the “Family 500+” program, an identity card, the European Health Insurance Card, copies of certain records from the Civil Registry Offices, the registration of a newborn child or a residence registration. It is difficult to say whether critical mass has been reached.
Access to the administrative databases would be very important for banks from the point of view of risk assessment or confirmation of the customers’ identity. Therefore, banks will probably become involved in subsequent projects, but it may take a lot more time for them to get the rewards they were hoping for.
However, it is the development of business activity in the digital world that will be the main driver of cost increases in the long run. It has already caused an enormous demand for IT specialists from these institutions. According to a report prepared by the Sedlak&Sedlak, a headhunting company, developers with several years of experience earn from PLN 8,000 (EUR1,849) to over two times as much. “I haven’t seen such a hot job market in the IT industry in 20 years. Some 40 per cent of the people do not want to work on the basis of an employment contract (due to the 19 per cent CIT rate). These specialists earn several times more than their parents,” says Michał Plechawski, the managing director for technology at mBank. “We give them foosball tables, we bring in food trucks and they still don’t want to work for us,” complains a representative of one of the largest banks in Poland.
The sky-high salaries of IT specialists explain the increase in banks’ personnel costs in 2017. This is a persistent trend and there are no signs that it could change. IT professionals will be earning more and more money, and banks will have to pay them. They will, in turn, attempt to pass these costs on to the customer. “There is a structural shortage of skilled professionals. There are simply too few of them around, and this is an entirely new situation for us,” said Ms. Kesler.
In 2017, the opening of a shared services center of the consulting company PwC in Katowice dealt a strong blow to the position of the ING BŚK bank in the labor market. The bank had to raise salaries three times in just over a year. Other institutions, which were lagging behind, will certainly be forced to follow suit.
The trouble with sharing banking
In light of the soaring costs, banks think what they could do together to share costs and what elements of their core business could be outsourced for the purpose of cost reduction. Polish banks have already implemented several joint projects in various areas, linked by a common technological thread. These were the National Clearing House, the Credit Information Bureau, and more recently the BLIK payment system, the Bank Cyber Security Centre. There are also plans for the Polish API, i.e. an access interface for third party providers, whose introduction is associated with the implementation of the PSD 2 Directive. “The question is what can be outsourced to infrastructure companies within the sector,” said Mr. Marciniak.
This issue can be resolved by the PFSA, but that institution has not provided a clear answer yet. This is due to the fact that the PFSA has to look at specific projects and has to consider what threats they generate by multiplying vulnerability in many institutions.
This is not a simple matter. Let’s imagine that all banks implement the same solution which has one and the same vulnerability because, as we know, there are no systems completely free of gaps. The problem is who will detect it first. If it turns out that cyber criminals were faster, then not only one bank, but the whole sector would be in trouble.
This is what the supervisory authority fears and, because of that, it has adopted a very careful approach to industry-wide initiatives. The PFSA has already pointed out that banks purchase their core systems from a small number of suppliers, which means that several institutions may have identical vulnerabilities, and therefore a successful attack on one of them could be repeated in all the others.
There are several ideas for industry-wide projects. The first concerns the aforementioned utilization of the STIR system as an anti-fraud and AML system. Banks contemplate whether it would be possible to establish a cell involved in reverse engineering work, which would analyze and disable malicious software. Finally, they consider whether blockchain technology could be used to build a kind of a repository for various contracts.
However, it may well turn out that the greatest expenditures will have to be allocated on a project that each of the banks will have to carry out on their own. We mean the replacement of their core systems which have aged, and whose architecture hinders data integration and analysis. Several years ago, one of the largest Polish banks paid PLN100m (EUR23m) for a new core system. That is why banks are so supportive of the proposal to relax the regulations governing the use of cloud computing. For the time being, the supervisory body supports the position that it is necessary to set firm limits for outsourcing. It fears that if more freedom is provided in this area, banks will become “empty shells”. Meanwhile, their responsibility for customers’ money cannot be outsourced.
The institutions that implemented the European Union’s GD in recent months have become aware of the mess in their own databases. Now they have the opportunity to use this experience in a creative way, which, of course, will also cost them a lot of money.
How to assess cyber threats?
The regulators and financial institutions themselves also face a new question. How to “evaluate” operational risk associated with cybercrime, given that the banking business is continuing its migration to the internet. This question is not unreasonable, because the losses caused by cyberattacks are imminently measurable. In 2013, over 100 financial institutions lost about USD1bn in the famous Carbanak attack. Shortly after, the Polish hacker Polsilver stole approximately PLN4m (EUR924,515) from the customers of Plus Bank.
Customer money is just one side of the risk associated with cybercrime. Another side is the access to customer data, as in the case of the 2014 attack on J.P. Morgan, when information relating to over 83 million accounts was stolen.
At present, assets in the Polish banking sector multiplied by the relevant supervisory risk weights have a total value of PLN1.06 trillion (EUR245bn). The capital requirement is calculated based on this amount. Credit risk accounts for over 90 per cent of the requirement. Operational risk accounts for only 7.7 per cent of the requirement.
At the same time, banks have to strike a balance between two conflicting goals. On the one hand, they want to be able to offer to their customers innovative products and services that are friendly and “easy” to use, which improves the perception of customer service quality. On the other hand, they want to ensure customer security, including cybersecurity. “Risk management hurts the quality of customer service if the security requirements are too burdensome,” wrote the Fitch rating agency.
In its assessment, larger financial institutions, which have a more developed infrastructure, are more exposed to risks related to cyberattacks. This line of argument could lead us to the conclusion that the upcoming consolidation of the Polish sector will increase cybercrime-related risk for the banks which will grow in size as a result of the expected consolidation.
Numerous analysts predict that banking will evolve towards partnerships between banks and other service providers, including fintech companies and multi-service platforms. Fitch points out that such platforms may be more vulnerable to attacks. This is also due to the vulnerability of non-bank partners, as banks have no control over the level of security measures which they apply. This complicates the issue of liability and possible claims.
For now, there are no good measures of cyber threats. Criminals come up with dozens of attack methods to extort funds. We usually learn about such attacks only when their scale is so large that it is impossible to hide their effects. There are no rules for reporting and information exchange. All of this has to be sorted out, because when discussing the issue of cyber threats, we don’t really know what we’re talking about, claim Brussels-based think-tank CEPS analysts. “We need cyber-ratings and benchmarks for statistics,” says Sylvian Bouyon, an expert at CEPS-ECRI.
CEPS believes that it is necessary to ensure consistency in incident reporting and statistics concerning their impact — e.g. financial losses resulting from theft, but also from infrastructure damage, compensations and the costs of implementing compensation controls, technical investigations, breach notifications to customers, court litigations, loss of intellectual property etc. It is difficult to question the necessity of such actions, and it is certain that the costs of such activities will be borne by banks.
Taken together, all these elements form something that might be called an “innovation policy”, by analogy to a lending policy. It will probably determine the future value of the given institution and the rates of return it generates. It should be observed much more closely, and the market should pay more attention to its valuation.