PNC CEO Bill Demchak talks cybersecurity, growth strategies

Listen to this article

Many bankers would answer cybersecurity – and that’s certainly front of mind for Bill Demchak, who has served as CEO of PNC Financial Service Group Inc. since 2013.

“But it isn’t necessarily our No. 1 concern,” Demchak said while in the midstate for a meeting last Tuesday. “I’m concerned about any number of things, from our employees’ development to the health of the economy to all sorts of different things. Having a good cyber defense is table stakes if you want to be in financial services.”

PNC, based in Pittsburgh, has about $370 billion in assets and a presence in 19 states and Washington, D.C.

Here is what Demchak, along with PNC Central Pennsylvania regional president Jim Hoehn, had to say about cybersecurity and an array of other topics during an interview with the Central Penn Business Journal last week.

Some responses have been edited for length and clarity.

PNC has recently pruned its branch presence in the midstate and elsewhere around the country. What do you see as the future of the brick-and-mortar bank office?

Demchak: If you look at trends in the industry, it’s very clear that banks overbuilt branches during the course of the ‘80s and ‘90s. You’ve seen it trend down in terms of the number of branches that exist, and we’re not immune to that. It’s driven by the simple fact that the activity in our branch, the number of people who come visit, has declined through time as more and more people bank primarily digitally. I think we’re probably over or approaching 60 percent where our clients would describe themselves as primarily digital clients of the bank. So we react to that, and we change our organization structure, our physical structure, to reflect what clients need.

We have any number of clients who prefer to bank at a branch using a teller, and we’ll always have that. In fact, our most profitable customers tend to be the ones that use the branch. I always use my mother as an example. She’s in a branch three times a week, whether she needs to be or not because she knows all the employees, she has a coffee, she has a discussion. But she has all of her IRA, her checking account and everything she does with us. That’s the perfect client for us.

At the same time, my daughter is never going to go in a bank. She’s 13; she was born with an iPad. So our challenge is to be relevant to both. I can’t just serve my mother and not be ready for my daughter. But I certainly can’t ignore my mother – for a variety of reasons. But I think the whole industry is going through that change. In the end, if we stay focused on what our clients want and how they behave and deliver products and services that are of value to them, we’ll do fine.

A lot of bankers are worrying right now about cybersecurity risks. How are you handling those concerns?

Demchak: We invest a lot of time and energy to be as good as we can be at protecting our clients’ information and their money.

Having said that, cyber will be a forever project. You’ll never say that you’re done with it. For everything that we build a defense against, the fraudsters have seven things in their pocket that they’ll pull out next. So it’s always about being able to, if someone gets in, to be able to spot it, to stop it, to correct it and, to the extent that there are any client issues, make them aware and remediate it.

Cyber as much as anything is about employee training. For all the fancy technology systems we have, it takes one person clicking on a bad email that somehow gets to our screen to cause problems.

Are you doing anything specifically in response to the Equifax breach?

Demchak: The breach was substantial enough that it effectively probably impacts the client base of every bank in the country … The real issue with Equifax is less about credit card numbers – it wasn’t that many of them. (It’s the information people provide) when you go in and people say what high school did you go to, what’s your mother’s maiden name, all the verification questions. (The hackers) got that type of information.

So beyond Social Security and credit card numbers, all of a sudden they have this ability to go through the personal knowledge check that people always use the same questions for. It’s gotten everybody pretty concerned that we can no longer rely on sort of personal knowledge verification in identifying customers and caused us to speed up some of the deployment of other ways that we can verify that, in fact, this is the same person who’s applying for credit or trying to open an account. And we’re doing that as a company, and the whole industry’s talking about it.

The one thing about cyber is, we’re not in competition to be better than the next guy. All the banks are working together to kind of make sure that, as an industry, we keep information safe for our clients.

What is PNC’s strategy for growth right now?

Demchak: We’re almost entirely focused on organic growth. We will buy and invest in certain technologies or product capabilities, but we haven’t been focused at all on buying other banks. We are expanding geographically in our corporate institutional banking businesses. We just recently entered Denver and Minneapolis, Kansas City, Dallas, Houston, Nashville … so we’re doing that, sort of organically investing, in new markets. Interestingly, what we’ll call our legacy markets, places where we’ve been for years and years, we continue to grow clients.

Hoehn: I would just add that Central Pennsylvania, while we’ve been in this market a long time, the expectation of PNC is this is a growth market for us, too. And it has been and I think it will continue to be if we continue to do the right thing.

What makes Central Pennsylvania a growth market?

Hoehn: I think we follow the demographic trends first of all. We provide the solutions that meet the digital age, but we understand that there’s different needs as we take great care of those folks who use the branch network. Central Pennsylvania is blessed with a number of great businesses and companies … By taking great care of them, and helping them achieve their growth goals, by the very nature we’ll grow with them.

One of the areas (of growth) is taking care of clients with their individual wealth needs. So as they transition in their life stages, if we help them prepare, say, for their kids’ college or, say, for retirement, those are those ongoing knowledge base solutions and conversations that we’re having through our branch network, that we’re having through our wealth management group, that are really helping us grow.

How has PNC been affected by any of the changes that have come with the new presidential administration?

Demchak: There hasn’t been that much of an impact. They have confirmed and are now waiting for dates for some and still need to appoint others, some of the new appointments to the Fed, to the SEC, to the OCC, perhaps to the CFPB. So you’ll have different personalities in the seat, which my guess is they will have a different interpretation of Dodd-Frank. I don’t think they’ll change the law, but there’s degrees of freedom in the way they implement it.

We’ve learned a lot since the crisis, and there’s ways to refine and do things better without necessarily making the system any less safe than it is today … But by and large, when you’re honest with yourself, the things that were suggested and implemented have made the system better. So we said kind of since day one that our job is to understand the rule book and win by the rule book. Don’t complain about it. These are the new rules. We’re going to figure out how to follow them explicitly and make sure that we win inside of that environment.

If you could talk to President Trump or any of the head regulators, what would be one change you would request they try to implement?

Demchak: On a technical basis, a lot of the regulation is based on the size of the institution as opposed to what the institution does. So they have some bright-line tests inside of Dodd-Frank at $50 billion, at $250 billion, at $700 billion. And they don’t necessarily look at the activities an organization is involved in when they look at an institution that fits that size. So we’re over $250 billion in assets as a company, but our business model is more similar to people smaller than $250 billion than it is to a J.P. Morgan or Goldman Sachs. And we would like the regulators to regulate us as a function of our risk as opposed to saying, ‘You’re this big, so you get this.’

I think longer term, and people talk openly about this, we have too much overlap among the regulatory agencies, multiple agencies doing the same thing in a slightly different way. It doesn’t make us any more safe, and it burns up a lot of resources that could otherwise be put to use serving clients.