CECL: What’s New, and What Some Community Banks are Doing

By: Tommy Troyer, Executive Vice President

I have been writing about CECL in this newsletter and providing CECL educational programs to community banks for several years. The overall theme I’ve tried to communicate in all of these settings has been: CECL is manageable for community banks, but it requires planning and preparation starting now.

I’m quite encouraged by the fact that the second part of that message, about the need to actively prepare for CECL now, seems to have been accepted by the majority of community bankers. In this article, I will provide a brief overview of a few noteworthy recent developments related to CECL, as well as some brief comments on what we are seeing from banks with respect to CECL preparation.

Regulatory FAQs Updated
On September 6, 2017, the federal financial regulators released an updated version of the interagency FAQs on CECL that were first issued in December 2016. All CECL FAQs are being consolidated into one document, so the most recent release includes both questions 1-23 from December and new questions 24-37. The information conveyed in the new questions is broadly consistent with the things I have tried to communicate in my articles and in my teaching about CECL and contains no surprises. This lack of surprises from the regulators is, of course, a good thing. I specifically recommend the expanded discussion in questions 28-33 regarding the definition of a Public Business Entity (PBE), as the PBE definition is a FASB concept that is fairly complex. The definition is important to understand because institutions can be PBEs without being “SEC Filers,” and PBE status determines the effective date of CECL for an institution. Questions 34-36 also include some helpful and fairly detailed examples of how the transition to CECL should work for call reporting purposes for institutions in various situations with respect to PBE status and whether or not an institution’s fiscal year lines up with a calendar year.

These are helpful clarifications since non-PBEs do not need to adopt CECL for interim periods, only for the year-end financials, in the first fiscal year of adoption and because call reports are completed on a calendar year basis irrespective of a bank’s fiscal year.

FASB TDR Decisions
The final CECL standard has been in place and has been public for over 15 months at this point. CECL is not going to magically disappear before implementation, and there will not be substantial changes to CECL’s requirements. However, there are still some decisions related to CECL that are being made by FASB, specifically through its Transition Resource Group (TRG), which exists to help identify potential challenges to implementing the standard as written. The TRG met in June and a number of issues were discussed, though many of the issues discussed are unlikely to have an impact on the average community bank. However, several issues related to Troubled Debt Restructurings (TDRs) were discussed and ultimately clarified by FASB in September. These issues are relevant to community banks and are worth noting.

The first decision that community banks should be aware of is one that will generally be viewed favorably by community banks. The issue at hand is that CECL requires estimating expected losses over the contractual term of loans and states that the contractual term does not include “expected extensions, renewals, and modifications unless [there is] a reasonable expectation” that a TDR will be executed. The issue FASB considered was just how expected TDRs should factor into an institution’s allowance.

The options presented were, essentially, to estimate losses associated with some level of overall TDRs that you expect to have in your portfolio even though you don’t know on what loans these TDRs might occur, or to only account for expected TDRs when you reasonably expect that a specific loan in your portfolio will result in a TDR being executed. FASB chose the latter option, which should prove to be much more manageable for community banks.

The second decision that FASB made is one that might generally be viewed less favorably by community banks. The CECL standard, when released, seemed to provide more flexibility around measuring expected losses on TDRs than current rules, which require a discounted cash flow approach unless the practical expedients related to the fair market value of the collateral or the market price of the loan apply. The CECL rules essentially said that any approach to estimating losses on TDRs that was consistent with CECL’s principles was acceptable. However, FASB ultimately decided that the cumulative requirements in the CECL standard and in existing accounting rules for TDRs require that all concessions granted to a borrower in a TDR be accounted for through the allowance. The brief summary of FASB’s decision is that, in fact, a discounted cash flow approach to measuring the impact of TDRs will still be required under CECL in any circumstance where such an approach is the only way to measure the impact of the concession (the best example of such a concession is an interest rate concession). The TRG memo dated September 8 and available on FASB’s website is a good resource for a more detailed discussion of the above issues.

What Community Banks are Doing
What are some of your peer community banks doing to prepare for CECL? There does of course remain a wide range of preparation and some banks still haven’t gotten started in any serious way. However, many banks have at least informally assembled the team that will work on CECL, and while not as many have adopted simple project plans as we might wish, many do at least have informal steps and deadlines in mind. Many have started giving thought to data availability and needs, though again perhaps not enough have yet gotten very serious about fully evaluating the data they have, how they will store and use it on an ongoing basis, and what additional data they would like to begin capturing. Nearly all banks have undertaken at least some educational efforts around CECL, and this is an area of focus that should continue through implementation and even beyond. Options for third-party solutions are being explored by some banks, though in order to make sure that an informed decision is made, it is critical that banks go into these explorations with a good fundamental understanding of CECL as well as with an awareness of the regulatory position that such solutions are perfectly fine options but are neither required nor necessary for CECL implementation.

How We Can Help
We have presented and will continue to present webinars, seminars, and talks on CECL. Please visit our website or call or email me for an overview of these sessions, which are specifically designed for the community banker and which are not designed to try to sell any particular software solution.

Additionally, we are ready and willing to work with banks in a consultative role on CECL. Like everything else we do, there is no fee associated with an initial phone conversation or email exchange about CECL, and if we can help provide you with clarity about something related to CECL, then we are happy to do so. We are of course also happy to discuss various approaches in which we might provide consulting support in one or more capacities to assist your institution in preparing for CECL.

To discuss CECL further, contact Tommy Troyer at ttroyer@younginc.com or 330.422.3475.

ADA Website Compliance Notes from the Field

By: Mike Lehr, Human Resources Consultant

About this time last year, the topic of website accessibility and accommodation under Title III of the Americans with Disabilities Act (ADA) hit the community banking industry with full fury. Since that time both banks and service providers have upped their game. So, now is a good time for us to assess and share what we have learned in our ADA website audits.

There are two ways to assess sites. The more common and less expensive way involves scanning the site using software. Based on the logic coded into it, the software identifies potential issues. The second, less common, and more expensive way involves professionals or sight-impaired people using the site with a screen reader. A screen reader is software that converts a site page to text and reads it to the user.

Both ways involve a professional overseeing the process to interpret the results. Yet, something else drives both ways that tends to lead clients astray – measurability. The old adage of “what gets measured gets done” hits full force here. However, just because it’s a number doesn’t mean it’s more important. We are finding that the software scan, because of its beautifully quantifiable graphics, is causing many of our clients to focus on minor, even insignificant aspects of their sites that have little to no impact on the site’s overall accessibility.

In the end, if a bank ever ends up in court, it’s not about software being able to access the site. It’s about individuals with disabilities. Yet, it is much harder to quantify that into an eye-catching chart. For instance, a client called worried about their PDFs. The software scan showed them inaccessible. Moreover, they spent a lot of time trying to fix them. The nature of the documents was such that they required a professional printer. In short, it wasn’t a Word document. Upon closer look, there were only a dozen of them. All but one were on the same page of the site. Furthermore, the page saw little traffic from customers and prospects. Plainly, the page wasn’t important.

Yet, since bankers can be conscientious to a fault, it bugged them that these PDFs kept showing up “red” as an issue. By itself it’s not bad. In context of the whole site though, it is. This was energy, time, and money diverted from far more important issues. One was whether a sight-impaired person can navigate the site. Software can’t determine this. One can only determine this reliably by using a screen reader or by observing a sight-impaired person trying.

For instance, it’s not uncommon these days to find sites that have multiple ways to navigate them. On one hand, you have the traditional horizontal navigation. On the other, you have the more recent mobile friendly navigation (“hamburger menu”). Still yet, some sites use vertical left-hand (or less common right-hand) navigation. That’s three ways to navigate the site. We’ve seen these on a couple of sites already. This doesn’t even include all the links and smaller menus that might be contained within the page.

Now, to a sight-impaired person, this is nothing but chaos. Keep in mind, a non-sight-impaired person can see the whole site at once. It’s two-dimensional. He/she can select whatever menu they like. A sight-impaired person doesn’t have this luxury. That’s because a screen reader can only read one word at a time. It’s a linear process, one-dimensional.

Also, he/she might tell the screen reader to only read navigation menus. So, if he/she starts hearing two or three different menus, it becomes hard to visualize in his/her mind how he/she might use the site. To a sight-impaired person, they blend together as one. That’s frustrating. It’s also something else . . . inaccessible.

Yet, in most cases, as long as these menus are coded and tagged right, the software scan won’t catch them. Moreover, and back to the original point about measurability, it’s hard to quantify this user experience. The solution then is to code one of these menus invisible to screen readers. Of course, that means the remaining one has to be comprehensive and robust.

In the end, it’s a battle between easily measurable but unimportant PDFs and unmeasurable but important navigation. What gets measured gets done. Thus, the unimportant gets done and the important doesn’t. That’s why we can give compliance ratings to clients who still have issues on their software scans and non-compliant ones to clients whose scans show no issues.

In short then, invest in a screen reader. If not, partner with someone who has one. Banks can generate much goodwill by reaching out to groups and societies that support Americans with Disabilities. Remember, computers don’t use sites. People do. People also testify in court.

For more information on this article or to learn how Young & Associates, Inc. can assist your bank with its ADA website compliance, contact Mike Lehr at 1.800.525.9775 or mlehr@younginc.com.

Network Vulnerability Management – Don’t Be a Soft Target for Attackers

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As the recent Equifax breach illustrates, failing to remediate known vulnerabilities in a timely manner can have significant consequences. In the case of Equifax, reports indicate that a patch was issued approximately two months prior to the May 2017 breach for the vulnerability that was exploited during this breach. While financial institutions have been quick to criticize Equifax for its vulnerability management practices, they should also take some time to evaluate their own vulnerability management practices and enhance them as needed to help prevent a breach at their own institutions.

During the vulnerability assessments that we perform for community banks, it is not uncommon to see systems that are missing patches that have existed for a year or more. While these are typically internal systems, this can still present a significant risk to the bank based on the role(s) of the affected systems. It should also be noted that vulnerability management for internal systems is as critical as ever, as attackers are able to use social engineering tactics to bypass perimeter controls such as firewalls and gain direct access to the internal network by compromising an employee’s workstation. In addition, many community banks are only having vulnerability assessments performed on an annual basis, which means that a number of vulnerabilities may go undetected for nearly a year.

Community banks need to improve their vulnerability management practices to remediate vulnerabilities in a timely manner rather than allowing them to exist for months or even years. We often hear community bankers comment that they are too small to be the target of an attack, but they must also consider that an attacker may purposely go after a soft target like a community bank with poor vulnerability management practices that makes it easier to accomplish his or her mission.

Patch Management Vs. Vulnerability Management
Patch management is a significant aspect of vulnerability management, but patch management alone will not mitigate every vulnerability on the bank’s network. An example of this is an internal server that houses reports from the core system and allows anonymous access, meaning that no username and password is required to access this data using a File Transfer Protocol (FTP) client. In this example, the server may be completely up-to-date with the latest security patches, but this insecure configuration may allow unauthorized access to the data on this system. Another concern is the systems and applications that may be missing from a bank’s patch management program. We still see banks that are only performing Microsoft and limited third-party patching. Failing to patch the software on other devices such as ATMs, routers, switches, and printers will leave these devices vulnerable to attacks.

Developing a Vulnerability Management Program
The process to develop a vulnerability management program starts with a complete inventory of the devices connected to the bank’s network. Even small community banks now have a significant number of network-connected devices such as ATMs, DVRs, alarm panels, time clocks, and environmental monitors in addition to the commonly known devices such as workstations, servers, printers, and routers. During this step, it may be helpful for the bank’s staff to scan the network with a network mapping tool to help identify devices that may not be included in the current network inventory. At a minimum, the inventory should identify the location, IP address, manufacturer, and model for each device. In the case of servers, workstations, and mobile devices, the bank must understand what applications are installed on each device to ensure that each application is patched in addition to the operating system.

The second step is to ensure that a comprehensive patch management program is in place at the bank. As noted above, a bank’s patch management program may not currently include all network-connected devices. Special attention should be given to devices that are connected to the bank’s network that are vendor-managed to ensure that the vendor has appropriate patch management procedures in place. Some examples of vendor-managed systems include: routers that are managed by the core system provider, DVRs, ATMs and alarm panels.

A comprehensive patch management program will include all devices that are connected to the network, and it will prescribe:

  • A method to identify the availability of new patches that apply to the devices on the bank’s network
  • An evaluation and testing process for each patch
  • A procedure to back up critical systems before installing a patch
  • Timing for the installation of each patch based on its risk rating

The third step is to identify the vulnerabilities that currently exist on each device. This is most easily accomplished by performing a vulnerability scan on the internal network and against any internet-facing devices that are owned by the bank. The vulnerability scan can be performed by a consulting firm or the bank’s staff can perform the scan using an automated vulnerability scanner.

There are typically two basic types of vulnerability scans that can be performed, credentialed and un-credentialed. A credentialed scan uses administrative credentials to log on to each device to perform a more in-depth evaluation of the vulnerabilities that may exist. An un-credentialed scan does not use credentials and therefore only identifies vulnerabilities that can be detected without logging on to each device.

The number of vulnerabilities identified by a credentialed scan will typically be significantly higher than those identified by an un-credentialed scan. It is important to note that if the bank only performs un-credentialed scans, the vulnerabilities that would have been identified by a credentialed scan will still exist on the network; they just will not appear in the un-credentialed vulnerability scan report. In addition, a credentialed scan will typically identify many privilege escalation vulnerabilities that an un-credentialed scan is unable to detect.

The results of the vulnerability scan will be provided within a report that the bank’s staff or managed services provider can work through to install patches or make configuration changes to remediate the detected vulnerabilities. The vulnerability scan report will assign a risk rating to each vulnerability that is identified to help the bank’s staff prioritize its response to each vulnerability.

As the bank’s staff or managed services provider works through the list of vulnerabilities, a tracking process should be in place to identify the patches that are installed and configuration changes that are made to remediate each vulnerability. Once the tracking document identifies that all of the vulnerabilities are remediated, it is time to perform another vulnerability scan to verify that all of the previously identified vulnerabilities are remediated. If this is the first or most recent vulnerability scan, this process will help the bank’s staff establish a baseline to work from as they continue to identify vulnerabilities and correct them.

The fourth step is to determine the frequency with which vulnerability scans will be performed. The scan frequency will be dependent on the size and complexity of the bank; however, based on the rate at which vulnerabilities are being discovered, a minimum scan frequency of once each quarter should be strongly considered. Monthly or even weekly vulnerability scans are highly recommended for more complex environments.
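
The following added example is not from the original article; it shows how the inventory, tracking document, and verification rescan described in the steps above can be reconciled in code. The device addresses, finding identifiers, and the remediation deadline for each risk rating are constructed assumptions, not values from any scanner or policy.

```python
"""Added example: reconcile inventory, tracking document and rescan (constructed data)."""
import ipaddress
from dataclasses import dataclass
from datetime import date

# Assumed policy: days allowed to remediate per risk rating (hypothetical values).
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}

@dataclass(frozen=True)
class Finding:
    ip: str
    vuln_id: str      # placeholder identifier, not a real advisory number
    risk: str
    first_seen: date

    @property
    def key(self):
        return (self.ip, self.vuln_id)

def unknown_devices(inventory, discovered_ips):
    """Step 1: addresses the mapping tool saw that the inventory does not list."""
    known = {dev["ip"] for dev in inventory}
    return sorted(set(discovered_ips) - known, key=ipaddress.ip_address)

def verify_remediation(baseline, rescan, tracker_fixed, rescanned_ips):
    """Step 3: check every baseline finding against the verification rescan.

    A finding is only 'verified_fixed' if its host answered the rescan; a host
    that was offline proves nothing, so it is reported separately.
    """
    before = {f.key for f in baseline}
    after = {f.key for f in rescan}
    result = {"verified_fixed": [], "claimed_but_still_present": [],
              "still_open": [], "host_not_rescanned": []}
    for key in sorted(before):
        if key[0] not in rescanned_ips:
            result["host_not_rescanned"].append(key)
        elif key not in after:
            result["verified_fixed"].append(key)
        elif key in tracker_fixed:
            result["claimed_but_still_present"].append(key)
        else:
            result["still_open"].append(key)
    result["new_since_baseline"] = sorted(after - before)
    return result

def overdue(baseline, open_keys, today):
    """Open findings past their risk-based deadline, most overdue first."""
    rows = []
    for f in baseline:
        if f.key in open_keys:
            days_over = (today - f.first_seen).days - REMEDIATION_DAYS[f.risk]
            if days_over > 0:
                rows.append((f.ip, f.vuln_id, f.risk, days_over))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# --- Constructed sample data (private addresses, made-up identifiers) ---
INVENTORY = [
    {"ip": "10.0.0.5", "location": "Main office", "manufacturer": "ExampleCo", "model": "Server-A"},
    {"ip": "10.0.0.20", "location": "Branch 1", "manufacturer": "ExampleCo", "model": "Desktop-B"},
    {"ip": "10.0.0.40", "location": "Branch 1", "manufacturer": "ExampleCo", "model": "ATM-C"},
]
DISCOVERED = ["10.0.0.5", "10.0.0.20", "10.0.0.40", "10.0.0.77", "10.0.0.9"]
BASELINE = [
    Finding("10.0.0.5", "EXAMPLE-001", "critical", date(2017, 6, 1)),
    Finding("10.0.0.5", "EXAMPLE-002", "medium", date(2017, 6, 1)),
    Finding("10.0.0.20", "EXAMPLE-003", "high", date(2017, 6, 1)),
    Finding("10.0.0.40", "EXAMPLE-004", "high", date(2017, 6, 1)),
]
RESCAN = [
    Finding("10.0.0.5", "EXAMPLE-002", "medium", date(2017, 9, 1)),
    Finding("10.0.0.20", "EXAMPLE-003", "high", date(2017, 9, 1)),
    Finding("10.0.0.20", "EXAMPLE-005", "low", date(2017, 9, 1)),
]
# Entries the tracking document marks as remediated.
TRACKER_FIXED = {("10.0.0.5", "EXAMPLE-001"), ("10.0.0.20", "EXAMPLE-003"),
                 ("10.0.0.40", "EXAMPLE-004")}
RESCANNED_IPS = {"10.0.0.5", "10.0.0.20"}   # the ATM at 10.0.0.40 was offline

if __name__ == "__main__":
    print("Not in inventory:", unknown_devices(INVENTORY, DISCOVERED))
    status = verify_remediation(BASELINE, RESCAN, TRACKER_FIXED, RESCANNED_IPS)
    for name, keys in status.items():
        print(f"{name}: {keys}")
    open_keys = set(status["claimed_but_still_present"]) | set(status["still_open"])
    for row in overdue(BASELINE, open_keys, date(2017, 9, 1)):
        print("Overdue:", row)
```

Findings the tracking document marks as fixed but that the rescan still reports are the ones to reopen first, and hosts that did not answer the rescan need another scan before their findings can be closed.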

Summary
Once the steps listed above are complete, the bank should have established:

  • A complete network device inventory that must be maintained as changes occur within the bank’s network
  • A comprehensive patch management program
  • A schedule for performing automated vulnerability scans
  • Procedures to review the vulnerability scan reports and remediate the identified vulnerabilities

As I mentioned in “The Changing Role of the Community Bank IT Manager” in last quarter’s 90 Day Note, community banks must adapt to the changing threat landscape and budget for additional information security resources. While some may view these additional expenses as unnecessary, they will most likely be minuscule in comparison to the costs associated with a data breach at the bank.

Young & Associates, Inc. can assist your bank with its vulnerability management program by performing quarterly or monthly vulnerability assessments to identify the vulnerabilities that exist on your network and recommend remediation procedures. Please contact Mike Detrow for more information about our vulnerability assessment services at mdetrow@younginc.com or 330.422.3447.

CFPB Amends HMDA Rule

By: William J. Showalter, CRCM, CRP; Senior Consultant

The Consumer Financial Protection Bureau (CFPB) issued a final rule making several technical corrections and clarifications to the expanded data collection under Regulation C, which implements the Home Mortgage Disclosure Act (HMDA). The regulation is also being amended to temporarily raise the threshold at which banks are required to report data on home equity lines of credit (HELOC).

These amendments take effect on January 1, 2018, along with compliance for most other provisions of the newly expanded Regulation C.

Background
Since the mid-1970s, HMDA has provided the public and public officials with information about mortgage lending activity within communities by requiring financial institutions to collect, report, and disclose certain data about their mortgage activities. The Dodd-Frank Act amended HMDA, transferring rule-writing authority to the CFPB and expanding the scope of information that must be collected, reported, and disclosed under HMDA, among other changes.

In October 2015, the CFPB issued the 2015 HMDA Final Rule implementing the Dodd-Frank Act amendments to HMDA. The 2015 HMDA Final Rule modified the types of institutions and transactions subject to Regulation C, the types of data that institutions are required to collect, and the processes for reporting and disclosing the required data. In addition, the 2015 HMDA Final Rule established transactional thresholds that determine whether financial institutions are required to collect data on open-end lines of credit or closed-end mortgage loans.

The CFPB has identified a number of areas in which implementation of the 2015 HMDA Final Rule could be facilitated through clarifications, technical corrections, or minor changes. In April 2017, the agency published a notice of proposed rulemaking that would make certain amendments to Regulation C to address those areas. In addition, since issuing the 2015 HMDA Final Rule, the agency has heard concerns that the open-end threshold at 100 transactions is too low. In July 2017, the CFPB published a proposal to address the threshold for reporting open-end lines of credit. The agency is now publishing final amendments to Regulation C pursuant to the April and July HMDA proposals.

HELOC Threshold
Under the rule as originally written, banks originating more than 100 HELOCs would have been generally required to report under HMDA, but the final rule temporarily raises that threshold to 500 HELOCs for data collection in calendar years 2018 and 2019, allowing the CFPB time to assess whether to make the adjusted threshold permanent.

In addition, the final rule corrects a drafting error by clarifying both the open-end and closed-end thresholds so that only financial institutions that meet the threshold for two years in a row are required to collect data in the following calendar years. With these amendments, financial institutions that originated between 100 and 499 open-end lines of credit in either of the two preceding calendar years will not be required to begin collecting data on their open-end lending (HELOCs) before January 1, 2020.

Technical Amendments and Clarifications
The final rule establishes transition rules for two data points – loan purpose and the unique identifier for the loan originator. The transition rules require, in the case of loan purpose, or permit, in the case of the unique identifier for the loan originator, financial institutions to report “not applicable” for these data points when reporting certain loans that they purchased and that were originated before certain regulatory requirements took effect. The final rule also makes additional amendments to clarify certain key terms, such as “multifamily dwelling,” “temporary financing,” and “automated underwriting system.” It also creates a new reporting exception for certain transactions associated with New York State consolidation, extension, and modification agreements.

In addition, the 2017 HMDA Final Rule facilitates reporting the census tract of the property securing or, in the case of an application, proposed to secure a covered loan that is required to be reported by Regulation C. The CFPB plans to make available on its website a geocoding tool that financial institutions may use to identify the census tract in which a property is located. The final rule establishes that a financial institution would not violate Regulation C by reporting an incorrect census tract for a particular property if the financial institution obtained the incorrect census tract number from the geocoding tool on the agency’s website, provided that the financial institution entered an accurate property address into the tool and the tool returned a census tract for the address entered.

Finally, the final rule also makes certain technical corrections. These technical corrections include, for example, a change to the calculation of the check digit and replacement of the word “income” with the correct word “age” in one comment.

The HMDA final rule is available at www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/regulation-c-home-mortgage-disclosure-act/.

Updated HMDA Resources
The CFPB also has updated its website to include resources for financial institutions required to file HMDA data. The updated resources include filing instruction guides for HMDA data collected in 2017 and 2018, and HMDA loan scenarios. They are available at www.consumerfinance.gov/data-research/hmda/for-filers.

For More Information
For more information on this article, contact Bill Showalter at 330-422-3473 or wshowalter@younginc.com.

For information about Young & Associates, Inc.’s newly updated HMDA Reporting policy, click here. In addition, we are currently updating our HMDA Toolkit.

To be notified when the HMDA Toolkit is available for purchase, contact Bryan Fetty at bfetty@younginc.com.

Capital Market Commentary – August 2017

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update
The U.S. has entered the ninth year of economic expansion. While the growth has not been spectacular, it has been steady. GDP expanded at a 2.6% annual rate in the second quarter. The GDP growth in the current recovery has averaged 2.1%. This compares to the 3.6% average of the 1990’s recovery and the 4.9% average for the 1960’s expansion. (These are the most recent economic recoveries of comparable length to the current expansion.)

  • America’s largest companies were reported to be on pace to post two consecutive quarters of double-digit profit growth for the first time since 2011. Factors explaining the growth in profitability include a weaker dollar that helped U.S. exports, limited wage growth, and cost cutting programs.
  • Unemployment was reported at 4.4% in June, near the lowest rate in a decade.
  • Despite nearing full employment, wage growth has increased only modestly. It was reported that wages increased .5% in the second quarter.
  • At the Federal Reserve meeting in July, the Fed held interest rates unchanged but announced that it soon will begin to shrink its securities portfolio. The Fed currently holds more than $4 trillion of investments; a large portion of these were purchased as part of the Fed’s quantitative easing programs.
  • Consumer spending rose at a 2.8% pace in the second quarter, an increase from 1.9% in the first quarter. However, concerns remain about the spending outlook at a time of soft wage growth, stalling car sales, and a growing overhang of auto and student-loan debt.
  • U.S. business investment rose for the second straight quarter. In the second quarter, nonresidential fixed investment advanced at a 5.2% pace. That comes on the heels of a 7.2% gain the prior quarter. The continuation of strong business spending suggests firms have confidence in the durability of the economic expansion.
  • The U.S. housing market continues to improve. After falling throughout the usually busy spring season, the monthly index of signed contracts to purchase existing homes increased 1.5% in June compared with May. The Case-Shiller Index, which measures the increase in home prices across the country, rose 5.6% in the 12 months ending in May.
  • Overall, inflation continues to be held in check. The U.S. inflation index was 1.4% in May, well below the Fed’s 2% target.

The stock market has reached all-time highs. This has occurred despite the lack of action on President Trump’s plans for lowering taxes and economic stimulus. Should these initiatives be enacted, 2017 should be a very good year for investors.

Interesting Tidbits

  • The New York Times recently reported that homeowners now stay in their homes for an average of 8½ years, up from the 3½ year average in 2008.
  • Twenty years ago, there were 7,322 listed public companies in the U.S. At the end of 2016, there were only 3,671 companies publicly traded on U.S. exchanges.
  • Deere & Co., the maker of farming equipment, is the fifth largest agricultural lender. This is in addition to the billions that they lend to farmers to fund purchases of their farming equipment.
  • It is widely anticipated that the Libor index will be phased out over the next five years. Libor is used to set the price on trillions of dollars of loans.

Short-term interest rates have moved up in response to the Fed’s actions of increasing short-term rates with the 3-month T-Bill ending July at 1.07%.

The 10-year T-Note ended July at 2.30%. The yield curve has flattened this year with the 10-year T-Note falling 14 basis points while short-term rates moved up 56 basis points.

The general stock market reached historic highs in July. The Dow Jones Industrial Index ended July 31 at an all-time high and was up 10.77% for the year. The Nasdaq Index closed up 17.93% for the year. Banks have under-performed the general stock market this year. The Nasdaq Bank index was down 3.10% for the year. However, since the election, bank stocks are up 22.50%, which is a larger increase than the Dow Jones Industrial Index since the election.

Merger and Acquisition Activity
Through July there were 147 bank and thrift announced merger transactions. This compares to 151 deals for the comparable period in 2016. Despite the slightly lower number of deals, the total assets involved in transactions increased from $109 billion to $124 billion. The median price to tangible book for transactions involving bank sellers was 162%.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the requirement for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically leading to employees using mobile devices to access internal network resources, and banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat sources and their current activities, so that mitigating controls can be identified and implemented to limit the potential impact of these activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and to then implement or modify mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks were only monitoring perimeter devices such as firewalls and believing that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall and then the attacker moves around, potentially undetected on the internal network. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. Patch management includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame to allow for the continued performance of its daily functions. Additional time is required to initially document recovery strategies and then modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when it will happen. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles to effectively and efficiently respond to an incident.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank $4 million. This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

     Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

     Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage its information systems based on the rapid technological, regulatory, and threat landscape changes. Strategic plans should consider the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within its plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.

 

Developing a Consensus on Capital Adequacy – The First Step in Strategic Planning

By: Gary J. Young, Founder and CEO

The most critical component of every strategic plan is a thorough understanding of your position on capital adequacy and your target for capital. They are not the same.

The Regulator View of Capital
As community bankers, we have all heard the mantra that we need to increase capital. It may be an oversimplification, but to the regulator more is always better. The regulator does not have interest in your shareholders. And as I will discuss later in this article, an increase in capital lowers the return on equity, or the return to shareholders. The regulator’s #1 job is to ensure a safe and sound banking system. Your job is to satisfy the regulators and your shareholders. You have to balance the interests of both. You need to proactively communicate your bank’s opinion regarding capital.

An example of the need to balance is shown below. There are four banks with a 1% ROA. However, the equity/asset ratio at each is different ranging from an 8.0% leverage ratio to a 12.0% leverage ratio. By dividing the ROA by the leverage ratio, you get the ROE. By multiplying the ROE by an assumed PE, you get the multiple of book. In this example, the bank with an 8.0% leverage ratio has a value of $30 million while the bank with a 12.0% leverage ratio has a value of $20 million. The amount of capital provides a significant difference in the return to shareholders.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with the input from executive management. Capital adequacy is the level below which, if capital falls, the Capital Contingency Plan must be implemented. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the Capital Contingency Plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is desired to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong. The board of directors has multiple responsibilities and at times these can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been more is better. Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Strategic Planning
After there is agreement on capital based on risk, planning can begin on the methodology or methodologies to best utilize any existing or planned excess capital. The recommended considerations that follow do not address all of the issues within your mission statement or vision statement. Rather, these address your desire to maximize shareholder return and to maintain your bank’s independence.

Consider the following:

  • Ways to generate additional organic growth. This means growth from your market without any significant increases in infrastructure. This is normally the most profitable short-term methodology.
  • Expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less. While this is long-term, most bankers are in for the long haul. Remember, a branch that increases net income by $500,000 increases shareholder value by $6,500,000, assuming a 13 price-earnings ratio.
  • The purchase of another bank or branches. This can significantly impact capital, but once the target is effectively absorbed by your bank, the value rewards can be great. But, also make sure you adequately consider the risks.
  • A stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase. I look at this as buying your bank as opposed to buying another bank. I recommend to every client that has a tier-1 leverage ratio in excess of 9% that they should at least consider a stock repurchase.
  • A slow, steady increase in dividends to shareholders. If after all other approaches to capital utilization excess capital remains, then increase the dividend. This will increase dividend income to shareholders without jeopardizing capital adequacy.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

Contact
If you would like to discuss this article with me, you can reach me by phone at 330.422.3480 or e-mail at gyoung@younginc.com.

HMDA 2018

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance and Adam Witmer, CRCM, Senior Consultant

Beginning in 2018, you will be faced with two major changes to the Home Mortgage Disclosure Act (Regulation C, 12 CFR § 1003). They are:

  1. Changes to the existing rules
  2. Addition of new rules

While the new rules will be challenging to navigate, the changes to the existing rules could prove to be extremely challenging, as long-established procedures and understandings are going to change. The following is a list of some of the biggest modifications.

Reporting Changes
Loan Volume Test. The new rules have two separate loan volume tests, one for closed-end and one for open-end.
The closed-end test is 25 covered loans. If your bank originates 25 “covered” loans (defined as not excluded closed-end loans or open-end loans), you will then report closed-end loans.

The open-end test is 100 covered loans. If your bank originates 100 open-end covered loans, then you will report open-end loans. There is a regulatory proposal to change this to 500 open-end for a couple of years, and we expect that to occur. The challenge here relates to business purpose loans.

All consumer purpose loans (generally HELOCs) will count, but business purpose loans may also count. Excluded loans will be open-end loans (such as an equity loan for operating expenses) that are not for a purchase, refinance, or home improvement purpose. But when open-end loans such as this are refinanced, they will become reportable.

If your financial institution only meets one test, you only report the type of loans for the test you meet. This means some institutions will only report closed-end loans. Some will only report open-end loans. And others will report both.

Dwelling Secured. Under prior HMDA rules, one definition of Home Improvement included loans that were not secured by a dwelling. Under the new rules, only loans secured by a dwelling will be reportable.

Temporary Financing. The rules now only talk about financing that will be replaced by new financing. The old rules specifically excluded construction and bridge loans.

Agricultural Loans. The new rules now exempt all agricultural loans. In the past, the agricultural loan exemption only applied to purchases, which meant that when an agricultural loan was refinanced, it required HMDA reporting. Now, all agricultural purpose loans are exempt.

Preapproval Requests. Preapproval requests that are approved but not accepted are now required reporting rather than optional reporting.

Submission Process. The CFPB is going to use a cloud-based program for HMDA submissions. This means that reporters using the FFIEC software are going to have a much more difficult time. You will want to think about software options. If you are not using third-party software already, you will need to work out logistics of using the new reporting system.

Items to Consider
Our training manual for our live HMDA presentation runs 210 pages, so this is just an overview of some of the items that must be considered. Time is growing short. If your institution is going to be subject to the new rules, then training for everybody involved in the process is necessary. And for most readers, this will include more than one person.

For the future, if you are not subject to the HMDA regulation, be careful of expansion. If you open a branch in an MSA, suddenly HMDA will become part of your life. So beware of a good deal on the land or the lease – the costs of HMDA could easily dwarf the savings. If you are a HMDA reporter already, remember that any compliance requirement only gets paid for one of two ways – the applicants/customers pay for it, or it comes out of the stockholder’s pocket. Fee changes may be in your future.

HMDA Tools – Coming Soon
Young & Associates, Inc. is currently developing a HMDA Toolkit which will be available shortly, as well as a customizable HMDA policy. As there is HMDA text that the CFPB is changing and correcting (due out soon, we hope), we are not ready for release just yet. But we hope to keep the timetable reasonable. The HMDA policy will be available to purchase September 1, 2017.

We will also be offering an off-site HMDA Review beginning in 2018. We will review as many or as few loans as you would like to make sure you are on track. Billing will be based on the number of files reviewed, so you will control your costs.

Detailed information for all of these items will be available soon. If you are interested in the HMDA toolkit, HMDA policy, or HMDA reviews, we will be happy to discuss these products and services with you at any time.

Good luck – we will all need it. For more information on this article or how Young & Associates, Inc. can assist you in this process, contact us at compliance@younginc.com or 330.422.3450.

Mary Green Earns CAFP Designation

Young & Associates, Inc. is pleased to announce that Mary Green, Consultant, has earned the industry designation of Certified AML and Fraud Professional (CAFP) by the Institute of Certified Bankers, a subsidiary of the American Bankers Association (ABA). This certification demonstrates the ability to detect, prevent, monitor, and report current and emerging money laundering and fraud risks.

Where is the UCA/FAS 95 Analysis?

By: David Dalessandro, Senior Consultant

In the summer of 1987, the savings and loan I was working for at the time sent me to a “cash flow” seminar in Norman, OK. I had graduated from Penn State a few years before and had recently accepted my first of what would prove to be many positions in banking as a credit analyst. At that point, my experience at financial analysis was limited to what I had absorbed from two accounting firms I had worked for and studying for (and passing) the CPA exam. The seminar topic was “The Implications of FASB 95.”

FASB 95, for those of you asking, was issued in November 1987 and was to be utilized in all financial statements finalized in fiscal years ending after July 15, 1988. The requirement replaced the famous APB 19, Statement of Changes in Financial Position, which we all knew and loved as a pretty worthless financial statement at the time, because no one without a CPA attached to their name understood it, and most CPAs had difficulty explaining it.

The seminar turned out to be one of the most beneficial events in my life. As it was explained, the Statement of Cash Flows, as required by FASB 95, was a financial disclosure that would trace every dollar of cash through an accounting period. How awesome, I thought, because only cash pays back loans. So now if I have a tool to trace every dollar of cash, credit analysis would be a cinch.

Well, fast forward 30 years…and the Statement of Cash Flows is still not a household name in Credit Analysis. Most financial institutions, even the largest, still hang onto EBITDA for “cash flow” or multiples of EBITDA for “value.” The EBITDA analysis may approximate real cash flow for real estate rental properties, but for those thousands of enterprises that carry Accounts Receivable, Accounts Payable, Inventory, Other Assets, and Other Liabilities, pay distributions, report gains and losses on sales of assets, take charge downs on intangibles, write off bad debts, and enter into other “non-cash” transactions, the Statement of Cash Flows is the only real way to “follow the money.”

The question here is, why would any financial institution NOT at least include FASB 95/UCA in cash flow analysis when it was appropriate? EBITDA, or even EBITDA adjusted for one-time items, may give the analyst an estimate of total cash flow, but true operating cash flow can only be obtained from a properly and timely prepared Statement of Cash Flows. The Statement separates the movement of cash into three primary categories: Operations, Investment, and Financing. From a bank or financial institution standpoint, if there is positive cash flow from the Investing segment or from the Financing segment, then the enterprise is selling assets or obtaining more loans or selling stock in order to make its loan payments. Are those sources sustainable? Are those sources where you want your customer to come up with the funding to make your loan payments? Is the quality of cash flow from Investing or Financing equal to that of Operating Cash Flow? Probably not. But if the cash flow from operations is positive, and it has been positive for a number of years and it is sufficiently positive to fund all loan payments, then that should be a sustainable source of cash flow far into the future. If the Operating Cash Flow is positive enough to fund loan payments, pay distributions/dividends, AND fund capital expenditures, then that enterprise is more than likely to enjoy a very strong financial condition with relatively easy debt coverage.

If your underwriting protocols do not include UCA/FAS 95/Statement of Cash Flow analysis, then you risk being surprised when a borrower who had “good” EBITDA coverage shows up past due or comes to you needing more money. Use this tool in conjunction with your standard analysis and it will enable you to rethink loan structures where the expected cash flows do not match up.

If you would like to discuss incorporating UCA/FAS 95/Statement of Cash Flow analysis in your institution, please contact me at 330.422.3487 or ddalessandro@younginc.com.