Author: admin

A Look to the Future

By: Jerry Sutherin, President & CEO, Young & Associates, Inc.

On January 31, 2018, I was fortunate to have the opportunity to purchase Young & Associates, Inc. from Mr. Gary Young, the company’s founder and current Chairman. Nearly 40 years ago, Gary created this organization with a vision of providing community banks with consulting services that were typically cost-prohibitive to perform internally. Since its inception in 1978, Young & Associates has evolved from a small start-up organization offering select outsourcing and educational services to one of the premier bank consulting firms with clients nationwide and overseas. We now offer consulting, education, and outsourcing services for nearly every aspect of banking.

From the outset of our acquisition discussions, Gary and I agreed that the greatest asset of the company is its employees. Over the years, not only has Gary developed unique servicing platforms for the industry but more importantly, he has assembled an employee base that is second to none. These employees provide a level of expertise and service to our clients that remains unparalleled in the community banking industry.

To quote Gary, “I founded Young & Associates with the goal of assisting community banks while maintaining a family atmosphere that valued and respected the people that I work with.” Going forward, it is my primary objective to carry on this legacy that Gary has created. I look forward to making this a seamless transition building on the solid foundation that Gary has built over the years. With the work of our employees and support of our clients, there is no doubt that Gary’s legacy will continue for years to come.

Although the ownership of Young & Associates, Inc. has changed, the company’s name, mission, personnel, quality of service, and structure will not change in any way. Gary now serves as Chairman of the Board and will remain actively involved with the business through January 2019, providing the same high-quality service while also assisting me with the transition. In addition to ensuring a smooth internal transition, Gary and I remain focused on making sure that the relationship with our clients remains strong. Existing and new clients are encouraged to contact me, Gary, or any of our consultants to discuss this transition and how we might be able to earn your business.

Capital Market Commentary – 2018 Forecast and 2017 in Review

By: Stephen Clinton, President, Capital Market Securities, Inc.

The stock market continued its climb to new heights in 2017. The stock market was propelled by the election of President Trump, which brought the expectation of lower taxes, less regulation, and an administration favorable to businesses. The Dow ended 2017 at 24,719.22, an increase of 25.08% for the year. The S&P 500 also improved nicely, ending up 19.42%. The market, despite a correction in early February, has increased further from 2017’s year-end values.

The Fed continued its plan to move short-term interest rates higher in 2017. The Fed moved short-term rates up 25 b.p. in March, June, and December. The three-month T-Bill ended December at 1.39%, an increase of 88 b.p. from year-end 2016. Longer-term interest rates were little changed from year-end 2016, resulting in a flatter yield curve.

Job creation continued in 2017, and the unemployment rate in December was 4.1%. The unemployment rate is at a level not seen in 17 years. The low unemployment rate would typically lead to rising wages, but wage growth was only around 2% in 2017.

As we enter 2018, there are a number of items worth monitoring:

  • Economic Growth. U.S. economic growth for 2017 came in at 2.5%, comparable to prior years. The slow but steady expansion that began in mid-2009 ranks as the third longest economic expansion in U.S. history. Should the recovery continue into the second half of 2019, it would become the longest recovery on record, surpassing the 1990s economic boom.
  • Housing. Home prices continued to rise in 2017. The S&P/Case-Shiller National Home Price Index rose 6.2% in the 12 months ending in November. The rising price for homes has exceeded inflation and wage growth for several years. The limited housing inventory has aided the rise in prices along with historically low mortgage rates. U.S. single-family homebuilding surged to more than 10-year highs in November. Existing home sales were up 5.6% in December, while new home sales increased 17.5%.
  • Industrial Production. U.S. manufacturing activity remains strong. The Institute for Supply Management said its purchasing managers index rose to 59.7 in December, the second highest level since early 2011. A reading over 50 indicates expansion in the sector; below 50 suggests contraction. Boeing recently announced deliveries of 763 aircraft in 2017, a record for the company. Auto sales were down 1.8% in 2017, but with sales of 17.2 million vehicles, it marked the first time the industry has surpassed 17 million for three consecutive years.
  • Consumers. Consumer confidence is positive. The University of Michigan’s consumer sentiment index average level for 2017 was the highest since 2000. A sign of the strong consumer sentiment is reflected in consumer debt. In the fourth quarter, consumer debt, excluding mortgages and other home loans, rose 5.5% from a year earlier. That is the highest amount since the Federal Reserve Bank of New York began tracking the data in 1999. Moreover, consumers’ non-housing debts accounted for just over 29% of their overall debt load, also the highest amount on record.
  • Inflation. The Fed’s preferred measure of inflation in January was 2.1%, moving above the Fed’s target of 2% for the first time in a while. The anticipated 3% growth of the economy along with the tight labor market and rising interest rates is expected to finally push inflation upward.
  • Political Risks. There are a number of geo-political risks that could significantly change the outlook for 2018. Among these are the ongoing Brexit process, North Korea nuclear saber rattling, and President Trump’s plans to renegotiate NAFTA. Furthermore, the dysfunction in Washington creates uncertainty.

Predictions for 2018

  • Lending Activity. We anticipate an increase in lending activity. We think the lower tax rate for businesses will encourage businesses to expand their operations.
  • Interest Rates. The Fed has indicated that three rate increases are probable in 2018. We think that we will get those increases.
  • Home Prices. We expect the growth rate in home prices to be lower than in the past several years. We think higher interest rates will come into play and make housing less affordable. We also think that the less favorable tax status of the deductibility of mortgage interest will have an impact on some home buyers.
  • Inflation. We do see inflation moving up in 2018. As mentioned above, we expect wage increases to heighten. The low unemployment rate and the shortage of skilled labor in many markets will put pressure on employers to increase wages to attract and retain workers. We also think the growing economy will impact commodity prices.
  • Jobs. We envision unemployment to remain low as businesses expand.
  • Regulation. We expect bankers to be disappointed about the lack of regulatory relief in 2018. It will be difficult for regulatory relief to filter down the bank regulatory bureaucracy.

Merger and Acquisition Activity
Merger activity in 2017 was slightly higher than the activity in 2016. In 2017, there were 267 announced mergers of banks and thrifts compared to 244 deals in 2016. In terms of deal size, the total assets of sellers totaled $147 billion in 2017, compared to $188 billion in 2016 and $459 billion in 2015. Pricing on 2017 bank sales improved significantly from 2016’s pricing, recording a median price to book multiple of 162% and a price to earnings multiple of 20.9 times. We believe that 2018 will see increased merger activity spurred, in part, by bank buyers’ enhanced profitability from reduced corporate taxes.

Capital Market Services
Young & Associates, Inc. has a successful track record of working with our bank clients in the development and implementation of capital strategies. Through our affiliate, Capital Market Securities, Inc., we have assisted clients in a variety of capital market transactions. For more information on our capital market services, please contact Stephen Clinton at sclinton@younginc.com or 1.800.376.8662.

A Current Perspective on Concentrations of Credit

By: Tommy Troyer, Executive Vice President

Concentrations of credit are certainly not a new risk for community banks, but for many banks they are an increasing challenge. While effective concentration risk management involves much more than we have room to discuss here, we would like to use this article to highlight a few timely considerations related to concentration risk management.

Growing Concentrations
We all know that, though we can calculate statistical averages for various measures across community banks, there is no “average community bank” in the real world. Each bank has its own unique combination of characteristics. However, concentrations of certain types of credit do seem to be increasing across community banks as average loan-to-asset ratios have been increasing and banks are, for the most part, still trying to stick to in-market lending and to loan types with which they have experience.

Continued regulatory emphasis on prudent concentration risk management practices, especially related to CRE, has been one result of these trends. One of the ways some banks have experienced this attention is to have examiners note a greater interest in measures of total CRE exposure, including owner occupied loans, as opposed to the more traditional measures of non-owner occupied concentrations described in the well-known 2006 interagency guidance on CRE concentrations. (This emphasis has been driven in part by the growing realization that the industry’s loss history on these two types of CRE loans has not been that different over the last decade.)

As a simple example of the growth in credit concentrations for community banks, I collected some data on commercial banks and savings banks in four Midwestern states (Ohio, Michigan, Indiana, and Illinois) with less than $2 billion in total assets. While we work with community banks nationwide and with some banks larger than this threshold, I thought this would be a sample of banks of interest to many of the readers of this newsletter. Of these banks, 700 met these criteria as of 2017Q3. I compared selected concentration levels for these banks to their levels five years earlier, as of 2012Q3.

  • The number of banks with construction and land development loans totaling 100% or more of total capital doubled, though it certainly remains low at just 2% of the sample.
  • The number of banks with non-owner occupied loans totaling 300% or more of total capital increased from 29 to 42.
  • The number of banks with total CRE loans totaling 400% or more of total capital increased from 50 to 66.

None of the figures above total even 10% of the banks in the sample, but I have also chosen to test quite significant concentration levels. Our consulting work indicates that many more banks, which have chosen to set their internal concentration limits at more conservative levels than described above, are experiencing challenges as they near internal limits. This applies for both broad categories of concentrations, such as non-owner occupied CRE, and for more narrowly defined categories, such as hotels.

In some other cases, concentrations that banks have always understood were necessary given the community they serve have become more concerning. For example, many community banks operate in markets where agriculture is a dominant industry. Such banks have always accepted the risk associated with heightened ag concentrations, but continued challenging ag conditions have made such concentrations more of a concern in recent years.

Risk Management Considerations
The fundamentals of effective management of concentration risk are well-known, and can be found in a variety of regulatory sources. I will not rehash all of them here, though I do feel obliged to emphasize that concentration risk must be factored into capital planning and must be appropriately evaluated as a qualitative factor impacting the ALLL. I would also like to highlight a couple of trends in concentration risk management we have noted recently:

  • Incorporating concentration considerations into strategic planning. Yes, detailed analysis of concentration risk and recommendations for concentration limits will likely be provided to the board by management. However, such limits should reflect the board’s risk appetite and desired strategic direction for the bank. It has been encouraging to me to hear in several recent strategic planning retreats thoughtful, forward-looking discussion about what the bank should look like in the future and what that means for the bank’s approach to credit concentrations.
  • Incorporating a proactive approach to monitoring and managing relationship levels. We have seen an increasing number of clients take what can be described as a more proactive and sophisticated approach to monitoring and actively managing concentration levels. Instead of testing concentration levels quarterly and simply “turning off the spigot” when a limit has been reached, these banks incorporate a proposed loan’s impact on their concentration profile into their underwriting analysis. They also use their pipeline and runoff projections to forecast their various concentration levels in coming quarters, and then manage prospective and existing borrowers to maximize the quality and profitability of a given portfolio. This can help prevent, for example, a couple of marginally profitable and purely transactional deals that may be easy to “win” from crowding out prospective deals that can lead to profitable long-term banking relationships.
  • Utilizing portfolio stress testing. Portfolio stress testing has long been a tool for evaluating concentration risk, but more community banks seem to be making efforts to implement forms of portfolio stress testing than ever before.
  • Utilizing collateral valuation and collateral management. One important way of ensuring that downturns in an industry in which a bank has a concentration do not cause excessive losses is to have in place effective practices for both managing the initial valuation and assessment of the collateral (especially for real estate collateral) and for monitoring collateral on an ongoing basis. The ongoing monitoring of the status and value of collateral can be especially important for banks with ag concentrations. While we see plenty of good work done by banks in both of these areas, we would also note that these seem to be some of the most common areas about which we, and also often examiners, provide recommendations for improvements in practices.

Conclusion
Effectively managing concentrations of credit will remain important for as long as lending remains a primary source of income for banks (in other words, forever). Young & Associates, Inc. has assisted clients by providing portfolio stress testing services (both CRE and ag), loan reviews, and more targeted consulting focused on enhancing collateral valuation processes or credit policies. We also assist clients by facilitating strategic planning sessions that encourage the board and management to think about and plan for the future of the bank. This can result in a bank better defining its lending strategy and ensuring its lending approach is consistent with its overall strategy. To discuss this article or any of our services further, please contact Tommy Troyer at ttroyer@younginc.com or 330.422.3475.

Community Bank IT Staffing – Doing More with Less

By: Mike Detrow, Senior Consultant and Manager of IT

Over the past two years, we have seen a significant increase in the number of community bank IT managers that have voiced substantial concerns about the ability of their bank’s current staff to properly secure their information systems and maintain regulatory compliance. These concerns are the result of IT managers trying to meet the requirements of new regulatory guidance related to information security and working to prevent potential damage from evolving cyber threats without supplemental staffing or other resources.

Some of the potential risks for a community bank with insufficient resources to properly maintain and secure its information systems include:

  • A data breach resulting from inadequate configuration management or security monitoring
  • A system outage, disruption, or data loss due to inadequate maintenance or system monitoring
  • The resignation of an overwhelmed IT manager, leaving an unusable IT infrastructure for a bank with an insufficient succession plan
  • Regulatory compliance issues due to repeat audit and examination findings

In many cases, it will be difficult for a community bank to add internal staff to address these risks, especially those that are located in rural areas. However, there are a number of cost-effective ways for a community bank to make its current IT staff more efficient and its information systems more secure through the use of automation and by adding additional expertise through education and/or the use of service providers.

  1. Education. Providing opportunities for the bank’s IT staff to attend training classes or to participate in peer discussions during industry conferences or forums will help them to learn best practices and gain other valuable insights that will increase their efficiency and improve security practices. Many state banking associations host annual technology conferences that can be an invaluable resource for the IT staff of a community bank, especially those that do not have a formal IT background.
  2. Automation. Tools to automate labor-intensive tasks such as patch management, capacity and performance monitoring, and event management can be implemented. Many manual tasks can be automated by implementing a remote monitoring and management (RMM) solution. By installing a management agent on each of the bank’s workstations and servers, the bank’s IT staff can manage all of the servers and workstations through a single dashboard. Some of the features of an RMM solution include: patch management, antivirus management, event monitoring, software installation monitoring, automated tasks, email alerts, and remote access. An RMM solution also assists with proactive monitoring to identify issues before they cause downtime.
  3. Engage a Consultant. Engaging a consultant to assist with policy updates and other compliance tasks can provide valuable insight and eliminate hours of research time spent by the bank’s staff. An experienced consultant will be familiar with regulatory requirements and he/she will have valuable insight, sample templates, and policy language to share.
  4. Outsource Network Management. Outsourcing the management and monitoring of the bank’s in-house servers, workstations, and other network devices to a managed services provider (MSP) can free up a significant amount of time for the internal IT staff and also offers additional expertise for complex systems such as virtual servers. In addition, having a team of professionals from the MSP supporting the bank mitigates the risks associated with relying on a single bank employee to maintain the entire IT infrastructure. There are even service providers that can move all of the bank’s critical information systems to their secure datacenter, which can significantly enhance the ability for a bank to recover from and function during a disaster.
  5. Outsource Firewall Monitoring. While we still see some banks utilizing internal staff or their MSP to monitor their firewall, most lack the expertise and 24x7x365 availability to properly monitor this critical system. Early detection and eradication of a threat can drastically reduce the potential damage caused to the bank’s information systems and its reputation. A managed security services provider (MSSP) maintains the appropriate expertise and staffing levels within its security operations center to quickly identify a threat and follow agreed upon response procedures.
  6. Outsource Vendor Management. Gathering all of the required documents from each of the bank’s service providers and properly reviewing all of this documentation can require a significant amount of time and expertise. There are a number of service providers that can perform the majority of this work on the bank’s behalf and provide a summary of their findings for management’s review.

Just like moving from in-house to outsourced core processing, utilizing service providers to assist with the management of the bank’s IT infrastructure and compliance needs can provide additional expertise and allow the bank to operate efficiently and securely with limited internal resources. As with any outsourced relationship, it is critical for management to perform appropriate due diligence for any service providers that the bank may consider for the services listed above. During the due diligence process, it is very important to ensure that the service provider has experience working with financial institutions and understands the regulatory requirements that must be met.

With cyber risks remaining a significant concern for community banks for the foreseeable future, failing to address staffing limitations now will only compound these risks in the future. If you have any questions about this article or you would like to discuss the ways that Young & Associates, Inc. can assist your bank through a consulting relationship, please contact Mike Detrow at mdetrow@younginc.com or 330.422.3447.

Young & Associates, Inc. Changes Ownership on 1/31/18

We are pleased to announce that Young & Associates, Inc. has been sold by Gary J. Young, the company’s founder, to Jerry Sutherin, a Senior Consultant with the firm, effective January 31, 2018. While ownership has changed, the company’s name, mission, personnel, quality of services, and structure will not change in any way.

Upon the effective date of the sale, Mr. Young became Chairman of the Board, and Mr. Sutherin became President and CEO. Young will remain actively involved with the firm for one year, continuing to provide the same high quality service he has provided for the past 40 years. Mr. Young said, “I founded Young & Associates with a goal of assisting community banks while maintaining a family atmosphere that valued and respected all of the people that I work with. After 39+ years, I have accomplished that goal, and that mission will continue through Jerry’s leadership.”

Tommy Troyer, Executive Vice President, will continue to serve in that position, where he successfully uses his professional expertise, detail-oriented management style, and excellent people skills while working with both clients and employees.

Mr. Sutherin has worked at Young & Associates, Inc. for nearly four years. Mr. Sutherin said, “I look forward to making a seamless transition at Young & Associates, building upon the solid foundation that Gary has built over the past 40 years. It is my goal that our clients and employees will continue to receive the same professional, high-quality experience that they have come to expect here over the years.”

With over 30 years in the financial services industry, Sutherin has worked primarily in the company’s Lending and Loan Review Division where he provided community banks throughout the U.S. with third-party loan review, lending policies and procedures, loan portfolio due diligence, and ALLL Review services. Prior to joining Young & Associates, Inc., Sutherin worked in varying capacities ranging from overseeing an Asset Quality/Loan Review function at a large regional bank, to managing a $2.5 billion loan portfolio responsible for loan performance, credit quality, and departmental efficiency.

Young & Associates, Inc. has provided practical products and services to community financial institutions since 1978, and we look forward to serving our clients for many years to come. Please join us in congratulating both Jerry and Gary on this sale.

Compliance Outlook: 2018

By: Bill Elliott, CRCM, Manager of Compliance Services

For those of us who are news junkies, the current environment is interesting. Unfortunately, the environment is also so toxic that it is difficult to determine what actually may or may not happen during 2018.

We do know that some items are being considered. For instance, bills are pending regarding issues like HMDA, flood, qualified mortgages, and call reports for smaller institutions. It remains to be seen whether any of these bills (or any of the other bills pending) actually will become law, or whether Congress will continue the infighting that has resulted in a haphazard and uncertain regulatory and law environment.

Home Mortgage Disclosure Act (HMDA)
Based on the questions we have received at Young and Associates, Inc., it would appear that the 2018 HMDA implementation (so far) is going fairly well. However, we have received numerous questions regarding issues that were not addressed directly in the “HMDA Instructions.” This is not new or surprising, as not every situation can be covered in a rule as massive as HMDA.

For HMDA, as with every other new/updated regulation, preparation was the key. The regulatory world is getting so complicated that it is necessary for banks to really consider all processes and procedures to avoid either duplication of work or unnecessary work.

Customer Due Diligence
Speaking of duplication and unnecessary work, one of the items that must be addressed quickly is the new Customer Due Diligence rule under the Bank Secrecy Act, effective May 11, 2018. While many regulations can be handled by only one division of the bank, this regulation will impact almost everyone, as it requires updates regarding the ownership of a business every time a new account is opened. Accounts can be loans, deposits, safe deposit boxes, or any other kind of account that you may offer. It will require the customer to inform you of all individuals who own at least 25% of the business, as well as indicating a control person for the business.

For new loans, this will most likely be an inconvenience, although driver’s licenses and/or other methods of identification will be required every time a new commercial loan to a business with at least one 25% or more owner (LLC, partnership, corporation, etc.) is opened.

For deposits or other account types, this may mean what is now a 30-minute procedure to open a new account will become a multi-day ordeal, as the person opening the account may well not be the only owner, and certainly will not have identification information for all 25% owners and control persons with them (including identification). The only saving grace is that every financial institution will have to deal with this issue, so there will be no competitive advantage or disadvantage. With a May time limit, if your institution has not started the implementation process, time is running short.

Consumer Protection
As you well know, there has been a change in the administration of the Consumer Financial Protection Bureau (CFPB). With Mr. Cordray’s recent exit from the agency, it is likely that the CFPB will consider new approaches to the issue of consumer protection. To this end, the CFPB has announced steps to request information from the public and review how things are done, how they actually impact or help the consumer, and how they impact and create costs for the industry.

Some of the requests will be more useful than others. The first request to be issued by the CFPB will seek public comment on Civil Investigative Demands (CIDs), which are issued during an enforcement investigation. Comments received in response to this RFI and all others that follow will help the Bureau evaluate the existing framework and determine whether any changes are warranted. Make sure you are part of the process by commenting or otherwise making your voice heard.

Conclusion
If we can offer you training, implementation assistance, or any other compliance related service, please contact Karen Clower, Compliance Operations Manager, at kclower@younginc.com or 330.422.3444.

CECL: What’s New, and What Some Community Banks are Doing

By: Tommy Troyer, Executive Vice President

I have been writing about CECL in this newsletter and providing CECL educational programs to community banks for several years. The overall theme I’ve tried to communicate in all of these settings has been: CECL is manageable for community banks, but it requires planning and preparation starting now.

I’m quite encouraged by the fact that the second part of that message, about the need to actively prepare for CECL now, seems to have been accepted by the majority of community bankers. In this article, I will provide a brief overview of a few noteworthy recent developments related to CECL, as well as some brief comments on what we are seeing from banks with respect to CECL preparation.

Regulatory FAQs Updated
On September 6, 2017, the federal financial regulators released an updated version of the interagency FAQs on CECL that were first issued in December 2016. All CECL FAQs are being consolidated into one document, so the most recent release includes both questions 1-23 from December and new questions 24-37. The information conveyed in the new questions is broadly consistent with the things I have tried to communicate in my articles and in my teaching about CECL and contains no surprises. This lack of surprises from the regulators is, of course, a good thing. I specifically recommend the expanded discussion in questions 28-33 regarding the definition of a Public Business Entity (PBE), as the PBE definition is a FASB concept that is fairly complex. The definition is important to understand because institutions can be PBEs without being “SEC Filers,” and PBE status determines the effective date of CECL for an institution. Questions 34-36 also include some helpful and fairly detailed examples of how the transition to CECL should work for call reporting purposes for institutions in various situations with respect to PBE status and whether or not an institution’s fiscal year lines up with a calendar year.

These are helpful clarifications since non-PBEs do not need to adopt CECL for interim periods, only for the year-end financials, in the first fiscal year of adoption and because call reports are completed on a calendar year basis irrespective of a bank’s fiscal year.

FASB TDR Decisions
The final CECL standard has been in place and has been public for over 15 months at this point. CECL is not going to magically disappear before implementation, and there will not be substantial changes to CECL’s requirements. However, there are still some decisions related to CECL that are being made by FASB, specifically through its Transition Resource Group (TRG), which exists to help identify potential challenges to implementing the standard as written. The TRG met in June and a number of issues were discussed, though many of the issues discussed are unlikely to have an impact on the average community bank. However, several issues related to Troubled Debt Restructurings (TDRs) were discussed and ultimately clarified by FASB in September. These issues are relevant to community banks and are worth noting.
The first decision that community banks should be aware of is one that will generally be viewed favorably by community banks. The issue at hand is that CECL requires estimating expected losses over the contractual term of loans and states that the contractual term does not include “expected extensions, renewals, and modifications unless [there is] a reasonable expectation” that a TDR will be executed. The issue FASB considered was just how expected TDRs should factor into an institution’s allowance.

The options presented were, essentially, to estimate losses associated with some level of overall TDRs that you expect to have in your portfolio even though you don’t know on what loans these TDRs might occur, or to only account for expected TDRs when you reasonably expect that a specific loan in your portfolio will result in a TDR being executed. FASB chose the latter option, which should prove to be much more manageable for community banks.

The second decision that FASB made is one that might generally be viewed less favorably by community banks. The CECL standard, when released, seemed to provide more flexibility around measuring expected losses on TDRs than current rules, which require a discounted cash flow approach unless the practical expedients related to the fair market value of the collateral or the market price of the loan apply. The CECL rules essentially said that any approach to estimating losses on TDRs that was consistent with CECL’s principles was acceptable. However, FASB ultimately decided that the cumulative requirements in the CECL standard and in existing accounting rules for TDRs require that all concessions granted to a borrower in a TDR be accounted for through the allowance. The brief summary of FASB’s decision is that, in fact, a discounted cash flow approach to measuring the impact of TDRs will still be required under CECL in any circumstance where such an approach is the only way to measure the impact of the concession (the best example of such a concession is an interest rate concession). The TRG memo dated September 8 and available on FASB’s website is a good resource for a more detailed discussion of the above issues.

What Community Banks are Doing
What are some of your peer community banks doing to prepare for CECL? There does of course remain a wide range of preparation and some banks still haven’t gotten started in any serious way. However, many banks have at least informally assembled the team that will work on CECL, and while not as many have adopted simple project plans as we might wish, many do at least have informal steps and deadlines in mind. Many have started giving thought to data availability and needs, though again perhaps not enough have yet gotten very serious about fully evaluating the data they have, how they will store and use it on an ongoing basis, and what additional data they would like to begin capturing. Nearly all banks have undertaken at least some educational efforts around CECL, and this is an area of focus that should continue through implementation and even beyond. Options for third-party solutions are being explored by some banks, though in order to make sure that an informed decision is made, it is critical that banks go into these explorations with a good fundamental understanding of CECL as well as with an awareness of the regulatory position that such solutions are perfectly fine options but are neither required nor necessary for CECL implementation.

How We Can Help
We have presented and will continue to present webinars, seminars, and talks on CECL. Please visit our website or call or email me for an overview of these sessions, which are specifically designed for the community banker and which are not designed to try to sell any particular software solution.

Additionally, we are ready and willing to work with banks in a consultative role on CECL. Like everything else we do, there is no fee associated with an initial phone conversation or email exchange about CECL, and if we can help provide you with clarity about something related to CECL, then we are happy to do so. We are of course also happy to discuss various approaches in which we might provide consulting support in one or more capacities to assist your institution in preparing for CECL.

To discuss CECL further, contact Tommy Troyer at ttroyer@younginc.com or 330.422.3475.

ADA Website Compliance Notes from the Field

By: Mike Lehr, Human Resources Consultant

About this time last year, the topic of website accessibility and accommodation under Title III of the Americans with Disabilities Act (ADA) hit the community banking industry with full fury. Since that time both banks and service providers have upped their game. So, now is a good time for us to assess and share what we have learned in our ADA website audits.

There are two ways to assess sites. The more common and less expensive way involves scanning the site using software. Based on the logic coded into it, the software identifies potential issues. The second, less common, and more expensive way involves professionals or sight-impaired people using the site with a screen reader. A screen reader is software that converts a site page to text and reads it to the user.

Both ways involve a professional overseeing the process to interpret the results. Yet, something else drives both ways that tends to lead clients astray – measurability. The old adage of “what gets measured gets done” hits full force here. However, just because it’s a number doesn’t mean it’s more important. We are finding that the software scan, because of its beautifully quantifiable graphics, is causing many of our clients to focus on minor, even insignificant aspects of their sites that have little to no impact on the site’s overall accessibility.

In the end, if a bank ever ends up in court, it’s not about software being able to access the site. It’s about individuals with disabilities. Yet, it is much harder to quantify that into an eye-catching chart. For instance, a client called worried about their PDFs. The software scan showed them inaccessible. Moreover, they spent a lot of time trying to fix them. The nature of the documents was such that they required a professional printer. In short, it wasn’t a Word document. Upon closer look, there were only a dozen of them. All but one were on the same page of the site. Furthermore, the page saw little traffic from customers and prospects. Plainly, the page wasn’t important.

Yet, since bankers can be conscientious to a fault, it bugged them that these PDFs kept showing up “red” as an issue. By itself it’s not bad. In context of the whole site though, it is. This was energy, time, and money diverted from far more important issues. One was whether a sight-impaired person can navigate the site. Software can’t determine this. One can only determine this reliably by using a screen reader or by observing a sight-impaired person trying.

For instance, it’s not uncommon these days to find sites that have multiple ways to navigate them. On one hand, you have the traditional horizontal navigation. On the other, you have the more recent mobile friendly navigation (“hamburger menu”). Still yet, some sites use vertical left-hand (or less common right-hand) navigation. That’s three ways to navigate the site. We’ve seen these on a couple of sites already. This doesn’t even include all the links and smaller menus that might be contained within the page.

Now, to a sight-impaired person, this is nothing but chaos. Keep in mind, a non-sight-impaired person can see the whole site at once. It’s two-dimensional. He/she can select whatever menu they like. A sight-impaired person doesn’t have this luxury. That’s because a screen reader can only read one word at a time. It’s a linear process, one-dimensional.

Also, he/she might tell the screen reader to only read navigation menus. So, if he/she starts hearing two or three different menus, it becomes hard to visualize in his/her mind how he/she might use the site. To a sight-impaired person, they blend together as one. That’s frustrating. It’s also something else . . . inaccessible.

Yet, in most cases, as long as these menus are coded and tagged right, the software scan won’t catch them. Moreover, and back to the original point about measurability, it’s hard to quantify this user experience. The solution then is to code one of these menus invisible to screen readers. Of course, that means the remaining one has to be comprehensive and robust.

In the end, it’s a battle between easily measurable but unimportant PDFs and unmeasurable but important navigation. What gets measured gets done. Thus, the unimportant gets done and the important doesn’t. That’s why we can give compliance ratings to clients who still have issues on their software scans and non-compliant ones to clients whose scans show no issues.

In short then, invest in a screen reader. If not, partner with someone who has one. Banks can generate much goodwill by reaching out to groups and societies that support Americans with Disabilities. Remember, computers don’t use sites. People do. People also testify in court.

For more information on this article or to learn how Young & Associates, Inc. can assist your bank with its ADA website compliance, contact Mike Lehr at 1.800.525.9775 or mlehr@younginc.com.

Network Vulnerability Management – Don’t Be a Soft Target for Attackers

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As the recent Equifax breach illustrates, failing to remediate known vulnerabilities in a timely manner can have significant consequences. In the case of Equifax, reports indicate that a patch was issued approximately two months prior to the May 2017 breach for the vulnerability that was exploited during this breach. While financial institutions have been quick to criticize Equifax for their vulnerability management practices, they should also take some time to evaluate their own vulnerability management practices and enhance them as needed to help prevent a breach at their own institutions.

During the vulnerability assessments that we perform for community banks, it is not uncommon to see systems that are missing patches that have existed for a year or more. While these are typically internal systems, this can still present a significant risk to the bank based on the role(s) of the affected systems. It should also be noted that vulnerability management for internal systems is as critical as ever, as attackers are able to use social engineering tactics to bypass perimeter controls such as firewalls and gain direct access to the internal network by compromising an employee’s workstation. In addition, many community banks are only having vulnerability assessments performed on an annual basis, which means that a number of vulnerabilities may go undetected for nearly a year.

Community banks need to improve their vulnerability management practices to remediate vulnerabilities in a timely manner rather than allowing them to exist for months or even years. We often hear community bankers comment that they are too small to be the target of an attack, but they must also consider that an attacker may purposely go after a soft target like a community bank with poor vulnerability management practices that makes it easier to accomplish his or her mission.

Patch Management Vs. Vulnerability Management
Patch management is a significant aspect of vulnerability management, but patch management alone will not mitigate every vulnerability on the bank’s network. An example of this is an internal server that houses reports from the core system and allows anonymous access, meaning that no username and password is required to access this data using a File Transfer Protocol (FTP) client. In this example, the server may be completely up-to-date with the latest security patches, but this insecure configuration may allow unauthorized access to the data on this system. Another concern is the systems and applications that may be missing from a bank’s patch management program. We still see banks that are only performing Microsoft and limited third-party patching. Failing to patch the software on other devices such as ATMs, routers, switches, and printers will leave these devices vulnerable to attacks.

Developing a Vulnerability Management Program
The process to develop a vulnerability management program starts with a complete inventory of the devices connected to the bank’s network. Even small community banks now have a significant number of network-connected devices such as ATMs, DVRs, alarm panels, time clocks, and environmental monitors in addition to the commonly known devices such as workstations, servers, printers, and routers. During this step, it may be helpful for the bank’s staff to scan the network with a network mapping tool to help identify devices that may not be included in the current network inventory. At a minimum, the inventory should identify the location, IP address, manufacturer, and model for each device. In the case of servers, workstations, and mobile devices, the bank must understand what applications are installed on each device to ensure that each application is patched in addition to the operating system.

The second step is to ensure that a comprehensive patch management program is in place at the bank. As noted above, a bank’s patch management program may not currently include all network-connected devices. Special attention should be given to devices that are connected to the bank’s network that are vendor-managed to ensure that the vendor has appropriate patch management procedures in place. Some examples of vendor-managed systems include: routers that are managed by the core system provider, DVRs, ATMs and alarm panels.

A comprehensive patch management program will include all devices that are connected to the network, and it will prescribe:

  • A method to identify the availability of new patches that apply to the devices on the bank’s network
  • An evaluation and testing process for each patch
  • A procedure to back up critical systems before installing a patch
  • Timing for the installation of each patch based on its risk rating

The third step is to identify the vulnerabilities that currently exist on each device. This is most easily accomplished by performing a vulnerability scan on the internal network and against any internet-facing devices that are owned by the bank. The vulnerability scan can be performed by a consulting firm or the bank’s staff can perform the scan using an automated vulnerability scanner.

There are typically two basic types of vulnerability scans that can be performed, credentialed and un-credentialed. A credentialed scan uses administrative credentials to log on to each device to perform a more in-depth evaluation of the vulnerabilities that may exist. An un-credentialed scan does not use credentials and therefore only identifies vulnerabilities that can be detected without logging on to each device.

The number of vulnerabilities identified by a credentialed scan will typically be significantly higher than those identified by an un-credentialed scan. It is important to note that if the bank only performs un-credentialed scans, the vulnerabilities that would have been identified by a credentialed scan will still exist on the network; they just will not appear in the un-credentialed vulnerability scan report. In addition, a credentialed scan will typically identify many privilege escalation vulnerabilities that an un-credentialed scan is unable to detect.

The results of the vulnerability scan will be provided within a report that the bank’s staff or managed services provider can work through to install patches or make configuration changes to remediate the detected vulnerabilities. The vulnerability scan report will assign a risk rating to each vulnerability that is identified to help the bank’s staff prioritize its response to each vulnerability.

As the bank’s staff or managed services provider works through the list of vulnerabilities, a tracking process should be in place to identify the patches that are installed and configuration changes that are made to remediate each vulnerability. Once the tracking document identifies that all of the vulnerabilities are remediated, it is time to perform another vulnerability scan to verify that all of the previously identified vulnerabilities are remediated. If this is the first or most recent vulnerability scan, this process will help the bank’s staff establish a baseline to work from as they continue to identify vulnerabilities and correct them.

The fourth step is to determine the frequency with which vulnerability scans will be performed. The scan frequency will be dependent on the size and complexity of the bank; however, based on the rate at which vulnerabilities are being discovered, a minimum scan frequency of once each quarter should be strongly considered. Monthly or even weekly vulnerability scans are highly recommended for more complex environments.
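The four steps above, reduced to the checks a reviewer could run between scans, as an added example (not from the article and not a Young & Associates tool). All data, field names, finding labels and the maximum-open-days values are constructed assumptions; note how a fix for a finding that only a credentialed scan could see is not accepted as verified from an un-credentialed re-scan.

```python
from datetime import date

# Assumed policy values for this example only: the longest a finding may stay
# open, keyed by the risk rating from the scan report. The article sets no numbers.
MAX_OPEN_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
REVIEW_DATE = date(2017, 10, 16)  # constructed "today" for the sample data

# Constructed inventory with the minimum fields the article lists per device.
INVENTORY = {
    "10.10.1.5": {"location": "Main office server room", "manufacturer": "ExampleCo", "model": "SRV-1"},
    "10.10.1.20": {"location": "Main office lobby", "manufacturer": "", "model": ""},
    "10.10.2.7": {"location": "Branch 2", "manufacturer": "ExampleCo", "model": "PRN-9"},
}

# Constructed tracking document: one row per finding from the baseline scan.
# "credentialed" records whether the finding needed a logged-on scan to be seen.
TRACKING = [
    {"ip": "10.10.1.5", "finding": "missing-os-patch", "risk": "critical",
     "found": date(2017, 9, 1), "credentialed": True, "status": "remediated"},
    {"ip": "10.10.1.5", "finding": "anonymous-ftp", "risk": "medium",
     "found": date(2017, 9, 1), "credentialed": False, "status": "remediated"},
    {"ip": "10.10.2.7", "finding": "outdated-firmware", "risk": "high",
     "found": date(2017, 9, 1), "credentialed": False, "status": "open"},
    {"ip": "10.10.2.7", "finding": "telnet-enabled", "risk": "medium",
     "found": date(2017, 9, 1), "credentialed": False, "status": "remediated"},
    {"ip": "10.10.1.20", "finding": "outdated-firmware", "risk": "high",
     "found": date(2017, 9, 1), "credentialed": False, "status": "remediated"},
]

# Constructed re-scan: per host, whether the scanner logged on and what it still found.
RESCAN = {
    "10.10.1.5": {"credentialed": False, "findings": {"anonymous-ftp"}},
    "10.10.2.7": {"credentialed": False, "findings": {"outdated-firmware"}},
    "10.10.3.44": {"credentialed": False, "findings": {"telnet-enabled"}},
}


def reconcile_inventory(inventory, scanned_ips):
    """Step 1: compare the inventory with the hosts the scan actually reached."""
    required = ("location", "manufacturer", "model")
    return {
        # On the network but never inventoried, so never patched on purpose.
        "unlisted": sorted(ip for ip in scanned_ips if ip not in inventory),
        # Inventoried but not reached: the report says nothing about these.
        "not_scanned": sorted(ip for ip in inventory if ip not in scanned_ips),
        "incomplete": sorted(ip for ip, rec in inventory.items()
                             if any(not rec.get(field) for field in required)),
    }


def review_finding(row, rescan, today):
    """Steps 2-3: decide whether a tracked finding can be closed."""
    host = rescan.get(row["ip"])
    if row["status"] != "remediated":
        age_days = (today - row["found"]).days
        return "overdue" if age_days > MAX_OPEN_DAYS[row["risk"]] else "open"
    if host is None:
        return "unverified: host not in re-scan"
    if row["finding"] in host["findings"]:
        return "reopen: still detected"
    if row["credentialed"] and not host["credentialed"]:
        # Absence from an un-credentialed report is not evidence of a fix.
        return "unverified: needs credentialed re-scan"
    return "verified"


def untracked_findings(tracking, rescan):
    """Findings in the re-scan that the tracking document has never seen."""
    tracked = {(row["ip"], row["finding"]) for row in tracking}
    return sorted((ip, name) for ip, host in rescan.items()
                  for name in host["findings"] if (ip, name) not in tracked)


if __name__ == "__main__":
    print(reconcile_inventory(INVENTORY, set(RESCAN)))
    for row in TRACKING:
        print(row["ip"], row["finding"], "->", review_finding(row, RESCAN, REVIEW_DATE))
    print("untracked:", untracked_findings(TRACKING, RESCAN))
```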

Summary
Once the steps listed above are complete, the bank should have established:

  • A complete network device inventory that must be maintained as changes occur within the bank’s network
  • A comprehensive patch management program
  • A schedule for performing automated vulnerability scans
  • Procedures to review the vulnerability scan reports and remediate the identified vulnerabilities

As I mentioned in “The Changing Role of the Community Bank IT Manager” in last quarter’s 90 Day Note, community banks must adapt to the changing threat landscape and budget for additional information security resources. While some may view these additional expenses as unnecessary, they will most likely be minuscule in comparison to the costs associated with a data breach at the bank.

Young & Associates, Inc. can assist your bank with its vulnerability management program by performing quarterly or monthly vulnerability assessments to identify the vulnerabilities that exist on your network and recommend remediation procedures. Please contact Mike Detrow for more information about our vulnerability assessment services at mdetrow@younginc.com or 330.422.3447.

CFPB Amends HMDA Rule

By: William J. Showalter, CRCM, CRP; Senior Consultant

The Consumer Financial Protection Bureau (CFPB) issued a final rule making several technical corrections and clarifications to the expanded data collection under Regulation C, which implements the Home Mortgage Disclosure Act (HMDA). The regulation is also being amended to temporarily raise the threshold at which banks are required to report data on home equity lines of credit (HELOC).

These amendments take effect on January 1, 2018, along with compliance for most other provisions of the newly expanded Regulation C.

Background
Since the mid-1970s, HMDA has provided the public and public officials with information about mortgage lending activity within communities by requiring financial institutions to collect, report, and disclose certain data about their mortgage activities. The Dodd-Frank Act amended HMDA, transferring rule-writing authority to the CFPB and expanding the scope of information that must be collected, reported, and disclosed under HMDA, among other changes.

In October 2015, the CFPB issued the 2015 HMDA Final Rule implementing the Dodd-Frank Act amendments to HMDA. The 2015 HMDA Final Rule modified the types of institutions and transactions subject to Regulation C, the types of data that institutions are required to collect, and the processes for reporting and disclosing the required data. In addition, the 2015 HMDA Final Rule established transactional thresholds that determine whether financial institutions are required to collect data on open-end lines of credit or closed-end mortgage loans.

The CFPB has identified a number of areas in which implementation of the 2015 HMDA Final Rule could be facilitated through clarifications, technical corrections, or minor changes. In April 2017, the agency published a notice of proposed rulemaking that would make certain amendments to Regulation C to address those areas. In addition, since issuing the 2015 HMDA Final Rule, the agency has heard concerns that the open-end threshold at 100 transactions is too low. In July 2017, the CFPB published a proposal to address the threshold for reporting open-end lines of credit. The agency is now publishing final amendments to Regulation C pursuant to the April and July HMDA proposals.

HELOC Threshold
Under the rule as originally written, banks originating more than 100 HELOCs would have been generally required to report under HMDA, but the final rule temporarily raises that threshold to 500 HELOCs for data collection in calendar years 2018 and 2019, allowing the CFPB time to assess whether to make the adjusted threshold permanent.

In addition, the final rule corrects a drafting error by clarifying both the open-end and closed-end thresholds so that only financial institutions that meet the threshold for two years in a row are required to collect data in the following calendar years. With these amendments, financial institutions that originated between 100 and 499 open-end lines of credit in either of the two preceding calendar years will not be required to begin collecting data on their open-end lending (HELOCs) before January 1, 2020.

Technical Amendments and Clarifications
The final rule establishes transition rules for two data points – loan purpose and the unique identifier for the loan originator. The transition rules require, in the case of loan purpose, or permit, in the case of the unique identifier for the loan originator, financial institutions to report “not applicable” for these data points when reporting certain loans that they purchased and that were originated before certain regulatory requirements took effect. The final rule also makes additional amendments to clarify certain key terms, such as “multifamily dwelling,” “temporary financing,” and “automated underwriting system.” It also creates a new reporting exception for certain transactions associated with New York State consolidation, extension, and modification agreements.

In addition, the 2017 HMDA Final Rule facilitates reporting the census tract of the property securing or, in the case of an application, proposed to secure a covered loan that is required to be reported by Regulation C. The CFPB plans to make available on its website a geocoding tool that financial institutions may use to identify the census tract in which a property is located. The final rule establishes that a financial institution would not violate Regulation C by reporting an incorrect census tract for a particular property if the financial institution obtained the incorrect census tract number from the geocoding tool on the agency’s website, provided that the financial institution entered an accurate property address into the tool and the tool returned a census tract for the address entered.

Finally, the final rule also makes certain technical corrections. These technical corrections include, for example, a change to the calculation of the check digit and replacement of the word “income” with the correct word “age” in one comment.

The HMDA final rule is available at www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/regulation-c-home-mortgage-disclosure-act/.

Updated HMDA Resources
The CFPB also has updated its website to include resources for financial institutions required to file HMDA data. The updated resources include filing instruction guides for HMDA data collected in 2017 and 2018, and HMDA loan scenarios. They are available at www.consumerfinance.gov/data-research/hmda/for-filers.

For More Information
For more information on this article, contact Bill Showalter at 330-422-3473 or wshowalter@younginc.com.

For information about Young & Associates, Inc.’s newly updated HMDA Reporting policy, click here. In addition, we are currently updating our HMDA Toolkit.

To be notified when the HMDA Toolkit is available for purchase, contact Bryan Fetty at bfetty@younginc.com.

Capital Market Commentary – August 2017

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update
The U.S. has entered the ninth year of economic expansion. While the growth has not been spectacular, it has been steady. GDP expanded at a 2.6% annual rate in the second quarter. The GDP growth in the current recovery has averaged 2.1%. This compares to the 3.6% average of the 1990’s recovery and the 4.9% average for the 1960’s expansion. (These are the most recent economic recoveries of comparable length to the current expansion.)

  • America’s largest companies were reported to be on pace to post two consecutive quarters of double-digit profit growth for the first time since 2011. Factors explaining the growth in profitability include a weaker dollar that helped U.S. exports, limited wage growth, and cost cutting programs.
  • Unemployment was reported at 4.4% in June, near the lowest rate in a decade.
  • Despite nearing full employment, wage growth has increased only modestly. It was reported that wages increased .5% in the second quarter.
  • At the Federal Reserve meeting in July, the Fed held interest rates unchanged but announced that it soon will begin to shrink its securities portfolio. The Fed currently holds more than $4 trillion of investments; a large portion of these were purchased as part of the Fed’s quantitative easing programs.
  • Consumer spending rose at a 2.8% pace in the second quarter, an increase from 1.9% in the first quarter. However, concerns remain about the spending outlook at a time of soft wage growth, stalling car sales, and a growing overhang of auto and student-loan debt.
  • U.S. business investment rose for the second straight quarter. In the second quarter, nonresidential fixed investment advanced at a 5.2% pace. That comes on the heels of a 7.2% gain the prior quarter. The continuation of strong business spending suggests firms have confidence in the durability of the economic expansion.
  • The U.S. housing market continues to improve. After falling throughout the usually busy spring season, the monthly index of signed contracts to purchase existing homes increased 1.5% in June compared with May. The Case-Shiller Index, which measures the increase in home prices across the country, rose 5.6% in the 12 months ending in May.
  • Overall, inflation continues to be held in check. The U.S. inflation index was 1.4% in May, well below the Fed’s 2% target.

The stock market has reached all-time highs. This has occurred despite the lack of action on President Trump’s plans for lowering taxes and economic stimulus. Should these initiatives be enacted, 2017 should be a very good year for investors.

Interesting Tidbits

  • The New York Times recently reported that homeowners now stay in their homes for an average of 8½ years, up from the 3½ year average in 2008.
  • Twenty years ago, there were 7,322 listed public companies in the U.S. At the end of 2016, there were only 3,671 companies publicly traded on U.S. exchanges.
  • Deere & Co., the maker of farming equipment, is the fifth largest agricultural lender. This is in addition to the billions that they lend to farmers to fund purchases of their farming equipment.
  • It is widely anticipated that the Libor index will be phased out over the next five years. Libor is used to set the price on trillions of dollars of loans.

Short-term interest rates have moved up in response to the Fed’s actions of increasing short-term rates with the 3-month T-Bill ending July at 1.07%.

The 10-year T-Note ended July at 2.30%. The yield curve has flattened this year with the 10-year T-Note falling 14 basis points while short-term rates moved up 56 basis points.

The general stock market reached historic highs in July. The Dow Jones Industrial Index ended July 31 at an all-time high and was up 10.77% for the year. The Nasdaq Index closed up 17.93% for the year. Banks have under-performed the general stock market this year. The Nasdaq Bank index was down 3.10% for the year. However, since the election, bank stocks are up 22.50%, which is a larger increase than the Dow Jones Industrial Index since the election.

Merger and Acquisition Activity
Through July there were 147 bank and thrift announced merger transactions. This compares to 151 deals for the comparable period in 2016. Despite the slightly lower number of deals, the total assets involved in transactions increased from $109 billion to $124 billion. The median price to tangible book for transactions involving bank sellers was 162%.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the requirement for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically leading to employees using mobile devices to access internal network resources, and banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat sources and their current activities to identify and implement mitigating controls that will limit the potential impact of these activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and to then implement or modify mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks monitored only perimeter devices such as firewalls, believing that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall, and the attacker then moves around the internal network, potentially undetected. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. Patch management includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame to allow for the continued performance of its daily functions. Additional time is required to initially document recovery strategies and then modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when it will happen. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles to effectively and efficiently respond to an incident.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of 100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank 4 million dollars. This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

     Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

     Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage the bank’s information systems based on the rapid technological, regulatory, and threat landscape changes. Strategic plans should consider the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within those plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.

 
