

Developing a Consensus on Capital Adequacy – The First Step in Strategic Planning

By: Gary J. Young, Founder and CEO

The most critical component of every strategic plan is a thorough understanding of your position on capital adequacy and your target for capital. They are not the same.

The Regulator View of Capital
As community bankers, we have all heard the mantra that we need to increase capital. It may be an oversimplification, but to the regulator more is always better. The regulator has no interest in your shareholders. And as I will discuss later in this article, an increase in capital lowers the return on equity, or the return to shareholders. The regulator’s #1 job is to ensure a safe and sound banking system. Your job is to satisfy the regulators and your shareholders. You have to balance the interests of both. You need to proactively communicate your bank’s opinion regarding capital.

An example of the need to balance is shown in the table below. There are four banks, each with a 1% ROA. However, the equity/asset ratio at each is different, ranging from an 8.0% leverage ratio to a 12.0% leverage ratio. Dividing the ROA by the leverage ratio gives the ROE. Multiplying the ROE by an assumed PE gives the multiple of book. In this example, the bank with an 8.0% leverage ratio has a value of $30 million while the bank with a 12.0% leverage ratio has a value of $20 million. The amount of capital makes a significant difference in the return to shareholders.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with input from executive management. Capital adequacy is the level below which the Capital Contingency Plan must be implemented. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the Capital Contingency Plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is desired to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong. The board of directors has multiple responsibilities and at times these can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been more is better. Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Strategic Planning
After there is agreement on capital based on risk, planning can begin on the methodology or methodologies to best utilize any existing or planned excess capital. The recommended considerations that follow do not address all of the issues within your mission statement or vision statement. Rather, these address your desire to maximize shareholder return and to maintain your bank’s independence.

Consider the following:

  • Ways to generate additional organic growth. This means growth from your market without any significant increases in infrastructure. This is normally the most profitable short-term methodology.
  • Expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less. While this is long-term, most bankers are in for the long haul. Remember, a branch that increases net income by $500,000 increases shareholder value by $6,500,000, assuming a 13 price-earnings ratio.
  • The purchase of another bank or branches. This can significantly impact capital, but once the target is effectively absorbed by your bank, the value rewards can be great. But, also make sure you adequately consider the risks.
  • A stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase. I look at this as buying your bank as opposed to buying another bank. I recommend to every client that has a tier-1 leverage ratio in excess of 9% that they should at least consider a stock repurchase.
  • A slow, steady increase in dividends to shareholders. If after all other approaches to capital utilization excess capital remains, then increase the dividend. This will increase dividend income to shareholders without jeopardizing capital adequacy.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

Contact
If you would like to discuss this article with me, you can reach me by phone at 330.422.3480 or e-mail at gyoung@younginc.com.

HMDA 2018

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance and Adam Witmer, CRCM, Senior Consultant

Beginning in 2018, you will be faced with two major changes to the Home Mortgage Disclosure Act (Regulation C, 12 CFR § 1003). They are:

  1. Changes to the existing rules
  2. Addition of new rules

While the new rules will be challenging to navigate, the changes to the existing rules could prove to be extremely challenging, as long-established procedures and understandings are going to change. The following is a list of some of the biggest modifications.

Reporting Changes
Loan Volume Test. The new rules have two separate loan volume tests, one for closed-end and one for open-end.
The closed-end test is 25 covered loans. If your bank originates 25 closed-end covered loans (a covered loan being a closed-end mortgage loan or open-end line of credit that is not otherwise excluded), you will report closed-end loans.

The open-end test is 100 covered loans. If your bank originates 100 open-end covered loans, then you will report open-end loans. There is a regulatory proposal to change this to 500 open-end for a couple of years, and we expect that to occur. The challenge here relates to business purpose loans.

All consumer-purpose loans (generally HELOCs) will count, but business-purpose loans may also count. Excluded loans will be open-end loans (such as an equity loan for operating expenses) that are not for a purchase, refinance, or home improvement purpose. But when open-end loans such as these are refinanced, they become reportable.

If your financial institution only meets one test, you only report the type of loans for the test you meet. This means some institutions will only report closed-end loans. Some will only report open-end loans. And others will report both.

Dwelling Secured. Under prior HMDA rules, one definition of Home Improvement included loans that were not secured by a dwelling. Under the new rules, only loans secured by a dwelling will be reportable.

Temporary Financing. The rules now only talk about financing that will be replaced by new financing. The old rules specifically excluded construction and bridge loans.

Agricultural Loans. The new rules now exempt all agricultural loans. In the past, the agricultural loan exemption only applied to purchases, which meant that when an agricultural loan was refinanced, it required HMDA reporting. Now, all agricultural purpose loans are exempt.

Preapproval Requests. Preapproval requests that are approved but not accepted are now required reporting rather than optional reporting.

Submission Process. The CFPB is going to use a cloud-based program for HMDA submissions. This means that reporters using the FFIEC software are going to have a much more difficult time. You will want to think about software options. If you are not using third-party software already, you will need to work out logistics of using the new reporting system.

Items to Consider
Our training manual for our live HMDA presentation runs 210 pages, so this is just an overview of some of the items that must be considered. Time is growing short. If your institution is going to be subject to the new rules, then training for everybody involved in the process is necessary. And for most readers, this will include more than one person.

For the future, if you are not subject to the HMDA regulation, be careful of expansion. If you open a branch in an MSA, suddenly HMDA will become part of your life. So beware of a good deal on the land or the lease – the costs of HMDA could easily dwarf the savings. If you are a HMDA reporter already, remember that any compliance requirement only gets paid for in one of two ways – the applicants/customers pay for it, or it comes out of the stockholders’ pocket. Fee changes may be in your future.

HMDA Tools – Coming Soon
Young & Associates, Inc. is currently developing a HMDA Toolkit which will be available shortly, as well as a customizable HMDA policy. As there is HMDA text that the CFPB is changing and correcting (due out soon, we hope), we are not ready for release just yet. But we hope to keep the timetable reasonable. The HMDA policy will be available to purchase September 1, 2017.

We will also be offering an off-site HMDA Review beginning in 2018. We will review as many or as few loans as you would like to make sure you are on track. Billing will be based on the number of files reviewed, so you will control your costs.

Detailed information for all of these items will be available soon. If you are interested in the HMDA toolkit, HMDA policy, or HMDA reviews, we will be happy to discuss these products and services with you at any time.

Good luck – we will all need it. For more information on this article or how Young & Associates, Inc. can assist you in this process, contact us at compliance@younginc.com or 330.422.3450.

Mary Green Earns CAFP Designation

Young & Associates, Inc. is pleased to announce that Mary Green, Consultant, has earned the industry designation of Certified AML and Fraud Professional (CAFP) by the Institute of Certified Bankers, a subsidiary of the American Bankers Association (ABA). This certification demonstrates the ability to detect, prevent, monitor, and report current and emerging money laundering and fraud risks.

Where is the UCA/FAS 95 Analysis?

By: David Dalessandro, Senior Consultant

In the summer of 1987, the savings and loan I was working for at the time sent me to a “cash flow” seminar in Norman, OK. I had graduated from Penn State a few years before and had recently accepted my first of what would prove to be many positions in banking as a credit analyst. At that point, my experience at financial analysis was limited to what I had absorbed from two accounting firms I had worked for and studying for (and passing) the CPA exam. The seminar topic was “The Implications of FASB 95.”

FASB 95, for those of you asking, was issued in November 1987 and was to be utilized in all financial statements finalized in fiscal years ending after July 15, 1988. The requirement replaced the famous APB 19, Statement of Changes in Financial Position, which we all knew and loved as a pretty worthless financial statement at the time, because no one without a CPA attached to their name understood it, and most CPAs had difficulty explaining it.

The seminar turned out to be one of the most beneficial events in my life. As it was explained, the Statement of Cash Flows, as required by FASB 95, was a financial disclosure that would trace every dollar of cash through an accounting period. How awesome, I thought, because only cash pays back loans. So now if I have a tool to trace every dollar of cash, credit analysis would be a cinch.

Well, fast forward 30 years…and the Statement of Cash Flows is still not a household name in Credit Analysis. Most financial institutions, even the largest, still hang onto EBITDA for “cash flow” or multiples of EBITDA for “value.” The EBITDA analysis may approximate real cash flow for real estate rental properties, but for those thousands of enterprises that carry Accounts Receivable, Accounts Payable, Inventory, Other Assets, and Other Liabilities, pay distributions, report gains and losses on sales of assets, take charge downs on intangibles, write off bad debts, and enter into other “non-cash” transactions, the Statement of Cash Flows is the only real way to “follow the money.”

The question here is, why would any financial institution NOT at least include FASB 95/UCA in cash flow analysis when it was appropriate? EBITDA, or even EBITDA adjusted for one-time items, may give the analyst an estimate of total cash flow, but true operating cash flow can only be obtained from a properly and timely prepared Statement of Cash Flows. The Statement separates the movement of cash into three primary categories: Operations, Investment, and Financing. From a bank or financial institution standpoint, if there is positive cash flow from the Investing segment or from the Financing segment, then the enterprise is selling assets or obtaining more loans or selling stock in order to make its loan payments. Are those sources sustainable? Are those sources where you want your customer to come up with the funding to make your loan payments? Is the quality of cash flow from Investing or Financing equal to that of Operating Cash Flow? Probably not. But if the cash flow from operations is positive, and it has been positive for a number of years and it is sufficiently positive to fund all loan payments, then that should be a sustainable source of cash flow far into the future. If the Operating Cash Flow is positive enough to fund loan payments, pay distributions/dividends, AND fund capital expenditures, then that enterprise is more than likely to enjoy a very strong financial condition with relatively easy debt coverage.

If your underwriting protocols do not include UCA/FAS 95/Statement of Cash Flow analysis, then you risk being surprised when a borrower who had “good” EBITDA coverage shows up past due or comes to you needing more money. Use this tool in conjunction with your standard analysis and it will enable you to rethink loan structures where the expected cash flows do not match up.

If you would like to discuss incorporating UCA/FAS 95/Statement of Cash Flow analysis in your institution, please contact me at 330.422.3487 or ddalessandro@younginc.com.

FFIEC Cybersecurity Assessment Tool Update – New Version of the Cybersecurity Assessment Workbook Released

On May 31, 2017, the FFIEC announced an update to the Cybersecurity Assessment Tool which includes a change within the cybersecurity maturity section of the tool and an updated mapping of the baseline statements to the FFIEC IT Examination Handbooks.

The update to the cybersecurity maturity section of the tool allows institutions to select “Yes with Compensating Controls”, meaning that an institution has implemented a control or controls that protect an information system in a manner that is comparable or equivalent to a recommended security control within a declarative statement. Appendix A was revised to incorporate the updates to the Information Security and Management booklets.
Version 2.0 of the Cybersecurity Assessment Workbook (see below) incorporates the changes within the cybersecurity maturity section of the tool, as well as the content of Appendix A.

Cybersecurity Assessment Workbook
(#310) – $299

This electronic workbook allows a financial institution to easily complete the FFIEC Cybersecurity Assessment Tool and generate the needed summaries for analysis and board reporting. The workbook is set up with two main sections: 1) Inherent Risk Profile and 2) Cybersecurity Maturity.

Inherent Risk Profile. Includes five worksheets for the five categories of inherent risk identified in the Cybersecurity Assessment Tool. This section also contains a summary worksheet to assist the reviewer with the identification of an Overall Inherent Risk Profile.

Cybersecurity Maturity. Includes five worksheets for the five domains identified by the Cybersecurity Assessment Tool. A summary worksheet for each of the five domains allows the reviewer to identify the maturity level for each domain.
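As an added example (not part of the original newsletter, and not code from the FFIEC or from the Young & Associates workbook), the following Python sketch rolls declarative-statement answers up to a domain maturity level the way the Cybersecurity Assessment Tool defines it: a domain attains a level only when every declarative statement in that level and in all lower levels is answered "Yes" or, after the May 2017 update, "Yes with Compensating Controls." The domain names are the CAT's, but the statement IDs, level assignments and answers are constructed placeholders, and the function names are this example's own. The report separately lists the "No" answers blocking the next level and every statement met only by a compensating control, since an examiner will expect those to be documented.

```python
"""Added example: CAT domain maturity roll-up with the 2017 'Yes with Compensating Controls' answer."""

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
ATTAINED = {"Yes", "Yes with Compensating Controls"}
ANSWERS = ATTAINED | {"No"}

# Constructed sample. Domain names are the CAT's; statement IDs, level
# assignments and answers are placeholders, not the CAT's own statements.
SAMPLE = {
    "Domain 1: Cyber Risk Management and Oversight": [
        ("D1.B.1", "Baseline", "Yes"),
        ("D1.B.2", "Baseline", "Yes with Compensating Controls"),
        ("D1.E.1", "Evolving", "Yes"),
        ("D1.E.2", "Evolving", "Yes"),
        ("D1.I.1", "Intermediate", "No"),
        ("D1.I.2", "Intermediate", "Yes"),
        ("D1.A.1", "Advanced", "Yes"),   # met, but does not count while Intermediate has a gap
    ],
    "Domain 2: Threat Intelligence and Collaboration": [
        ("D2.B.1", "Baseline", "Yes"),
        ("D2.B.2", "Baseline", "No"),
        ("D2.E.1", "Evolving", "Yes"),
    ],
}


def domain_maturity(statements):
    """Apply the CAT rule: a level is attained only if every statement in it
    and in every lower level is attained. Returns a dict for board reporting."""
    by_level = {lvl: [] for lvl in LEVELS}
    for sid, lvl, ans in statements:
        if lvl not in by_level:
            raise ValueError(f"{sid}: unknown maturity level {lvl!r}")
        if ans not in ANSWERS:
            raise ValueError(f"{sid}: answer must be one of {sorted(ANSWERS)}")
        by_level[lvl].append((sid, ans))

    achieved, target = None, None
    for lvl in LEVELS:
        entries = by_level[lvl]
        # A level with no statements, or any unattained statement, stops the climb.
        if not entries or any(ans not in ATTAINED for _, ans in entries):
            target = lvl
            break
        achieved = lvl

    blocking = [sid for sid, ans in by_level[target] if ans == "No"] if target else []
    compensating = [sid for lvl in LEVELS for sid, ans in by_level[lvl]
                    if ans == "Yes with Compensating Controls"]
    return {"maturity": achieved, "next_level": target,
            "blocking": blocking, "compensating": compensating}


def summarize(assessment):
    """Per-domain summary; a domain that has not met all of Baseline is 'Below Baseline'."""
    report = {}
    for domain, statements in assessment.items():
        result = domain_maturity(statements)
        result["maturity"] = result["maturity"] or "Below Baseline"
        report[domain] = result
    return report


if __name__ == "__main__":
    for domain, r in summarize(SAMPLE).items():
        print(f"{domain}: {r['maturity']}")
        if r["next_level"]:
            print(f"  blocking {r['next_level']}: {', '.join(r['blocking']) or '(data gap)'}")
        if r["compensating"]:
            print(f"  compensating controls to document: {', '.join(r['compensating'])}")
```

Running the file prints a per-domain summary. The property worth checking in any real workbook is the one Domain 2 in the sample shows: a single "No" at Baseline leaves the domain below Baseline no matter how many higher-level statements are met, and a compensating-control answer counts as attained only if the notes field actually records what the compensating control is.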

Easy to Use and Understand
All of the required data entry is completed through the use of drop-down boxes, and provisions are included to allow the reviewer to enter notes and comments as needed throughout the workbook. Colorful summaries are included to simplify analysis and for inclusion in a report to the Board.

The Cybersecurity Assessment Workbook is available for $299.

Excess Capital is Hurting Shareholder Return

By: Gary J. Young, President and CEO

The Mantra
As community bankers, we have all heard the mantra to increase capital. This is heard by the banker that has an 8% leverage ratio who needs to increase capital to 9%, by the banker who has a 9% leverage ratio that needs to increase capital to 10%, and by the banker who has a 10% leverage ratio that needs to increase capital to 11%. Based on this view regarding capital, more is always better. I disagree.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with input from executive management. Capital adequacy is the level below which a capital contingency plan is implemented. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the capital contingency plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is needed to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

Cost
Excess capital has a cost. Let’s assume you had to eliminate $1 million of excess capital. To balance that transaction, you would also eliminate $1 million in assets which would be investments. Let’s assume that the investments had an average yield of 1.5%. After taxes, that would be approximately 1.0%. Based on this example, the return on equity of the $1 million of excess capital is 1.0%. We must agree that 1.0% is unacceptable. Well, it is unacceptable unless that is your return for opportunity capital or insurance capital as described above.

Another example of the cost of excess capital can be seen in the table on page 2. There are four banks with a 1% ROA. However, the equity/asset ratio at each is different, ranging from an 8.0% leverage ratio to a 12.0% leverage ratio. By dividing the ROA by the leverage ratio, you get the ROE. By multiplying the ROE by an assumed PE, you get the multiple of book. In this example, the bank with an 8.0% leverage ratio has a value of $30 million while the bank with a 12.0% leverage ratio has a value of $20 million. This is a simplified example that provides information on the cost of excess capital.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong.

The board of directors has multiple responsibilities and at times they can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value, which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been “more is better.” Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Best Practices
The question for executive management is: what should I do? It is my opinion that best practices would indicate that every bank develop a definition of capital adequacy based on inherent risk. Furthermore, a capital contingency plan should be part of that plan, indicating the steps the bank might take if capital falls below or is projected to fall below the bank’s definition of capital adequacy. You should then have a frank discussion at the board level on the amount of capital that is your goal or meets your comfort level. If you then find that your capital is above that level, consider the following:

  • Focus on additional organic growth, if possible.
  • Consider expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less.
  • Develop a stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase.
  • Achieve a slow, steady increase in dividends to shareholders.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

Conclusion
If you would like to discuss this article with me, you can reach me by phone at 330.422.3480 or by email at gyoung@younginc.com.

Regulatory Compliance Update

By: Bill Elliott, Senior Consultant and Manager of Compliance

We usually try to use this space to share information that will help you prepare for what has been released, and for what will be required in the coming months. However, at this writing we find ourselves in a unique position; almost nothing (at least in the near term) is changing in the world of compliance. That does not mean that we can relax too much, just that we have a little time to catch up and get ready for the next round of changes.

Here is a sampling of where we are today:

  • Expedited Funds Availability (Regulation CC) Update: The CFPB promised it for late last fall, but has not yet released it. (Note: this is maybe their fifth release date.) They have been working on it for about 6 years.
  • Privacy (Regulation P) Update: This was also promised for last fall, but it has not yet appeared. In the interim, the prudential regulators have stated that banks that do not share (and therefore have no opt out) can follow the new privacy law. This means no annual privacy notice mailings of any kind, unless your privacy notice has to change. If you do change your notice and/or start to share, you will have to mail the new notice to all customers annually, so you may want to think about the mailing expense before you make any changes that would require the annual mailing.
  • Prepaid Cards Update: The new prepaid card rule has been delayed for six months (April 2018) to allow for the changes that will essentially turn all prepaid cards that have the ability to be reloaded into an “account.” They will then have rights similar to an account holder; they can ask for transaction histories, dispute items, etc. This is probably going to make these cards more expensive and therefore less attractive to your customers, and may end up not being a profitable item for many banks.
  • TRID Update: They have published a proposal, but we will have to wait to see what the final rule looks like. It will be a number of months at least before anything is finalized on this subject.
  • Home Mortgage Disclosure Act Update: The major item on the compliance agenda for 2017 is the Home Mortgage Disclosure Act. Management needs to assure that staff training occurs – and soon. We created a manual for our live seminars that runs 210 pages. We also created a listing of every possible code that might be needed, and that runs 33 pages in Excel. So this will not be an easy transition, and waiting until December to think about it does not seem like a good idea. If you do not have an LEI number and you are a HMDA bank, you should get it very soon. It will be required for 2018. We should also mention that the CFPB published a 150-page update with changes and corrections to the HMDA rule. These changes should be final by the first of the year.

Stay Tuned
We will continue to use the newsletter to keep you informed as the CFPB finally publishes updates and new regulations. But in the near term, the staff can work on absorbing what already has been issued. If we can help in any way, please feel free to call Karen Clower at 330.422.3444 for assistance. She can also be reached at kclower@younginc.com. 

ADA Website Audits

By: Mike Lehr, HR Consultant

Clients of Young & Associates, Inc. have been receiving demand letters from plaintiffs’ law firms, alleging that their websites aren’t accessible to individuals with disabilities. In effect, these letters claim that they are violating Title III of the Americans with Disabilities Act (ADA). More press and training have surfaced on this issue too.

If your bank has received such a letter, don’t ignore it. Attorneys we know have had to defend their clients in court over these letters. If your bank has not received one, it’s best to begin working with your legal counsel and reviewing your website before you do. Proactivity can help here. In our audits to date, the main problem has been clients relying too heavily on assurances from their website vendors and on results from compliance software. Auditing software is a tool, not a judge. As a result, individuals with disabilities might be able to access the website, but they have unreasonable difficulty doing so. The website still isn’t in the clear.

That’s why Young & Associates audits employ four tests:

  1. Compliance software tests
  2. Manual audit of home pages, main navigation pages, and highly problematic pages
  3. Screen reader test by Young & Associates consultant
  4. Screen reader test by a sight-impaired person observed by Young & Associates consultant

Young & Associates audits use the Web Content Accessibility Guidelines (WCAG) 2.0 and the Section 508 Standards for federal agencies as their baselines. To meet our clients’ many different needs, we have three different audits to select from:

  1. ADA Developmental Website Audit: The purpose of this audit is to assist the bank in the development of a new website or to provide a cost-effective first look at a current website that has never been audited or tested in any manner. It employs the compliance software test, the manual audit, and a modified screen reading test.
  2. ADA Compliance Website Audit: The purpose of this audit is to perform a formal compliance audit of the website. It employs the full complement of tests.
  3. ADA Follow-Up Website Audit: The purpose of this audit is to review the changes made to the website in response to the findings of other audits. It usually employs just the compliance software test or a modified application of the full complement of tests.
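To illustrate the compliance software test, and why it is only the first of the four tests, here is an added example in Python (not Young & Associates' tooling, and not the software the audits use): a small scanner that parses a page with the standard library's html.parser and reports four WCAG 2.0 failures that can be detected mechanically: an <img> with no alt attribute (1.1.1), a link with no accessible name (2.4.4), a page with no lang attribute (3.1.1), and a form control with no label (3.3.2). The sample page, the class and the function names are constructed for this example.

```python
"""Added example: mechanical WCAG 2.0 spot-checks on a constructed sample page."""
from html.parser import HTMLParser

# input types that carry their own visible text or are not user-facing
UNLABELLED_OK = {"hidden", "submit", "button", "reset"}

# Constructed sample page; line numbers matter for the findings below.
SAMPLE_HTML = """<html>
<head><title>Online Banking</title></head>
<body>
<img src="logo.png" alt="First Example Bank">
<img src="promo.png">
<a href="/rates"><img src="rates.png" alt="Current rates"></a>
<a href="/login"><img src="lock.png" alt=""></a>
<form>
  <label for="user">Username</label><input id="user" type="text">
  <input id="pin" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""


class A11yScanner(HTMLParser):
    """Collects WCAG 2.0 findings as (success criterion, line, message)."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.html_lang = None
        self.html_line = 1
        self._link = None            # [line, accessible-name text] while inside <a>
        self._label_depth = 0        # > 0 while inside <label> ... </label>
        self._labelled_ids = set()   # ids referenced by <label for="...">
        self._controls = []          # (id, has_aria_name, inside_label, line)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "html":
            self.html_lang, self.html_line = a.get("lang"), line
        elif tag == "img":
            if "alt" not in a:
                self.findings.append(("1.1.1", line, "<img> has no alt attribute"))
            elif self._link is not None:
                self._link[1] += a["alt"] or ""      # alt text names an image link
        elif tag == "a":
            self._link = [line, a.get("aria-label") or ""]
        elif tag == "label":
            self._label_depth += 1
            if a.get("for"):
                self._labelled_ids.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            if tag == "input" and (a.get("type") or "text").lower() in UNLABELLED_OK:
                return
            named = bool(a.get("aria-label") or a.get("aria-labelledby"))
            self._controls.append((a.get("id"), named, self._label_depth > 0, line))

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            line, text = self._link
            if not text.strip():
                self.findings.append(("2.4.4", line, "link has no accessible name"))
            self._link = None
        elif tag == "label" and self._label_depth:
            self._label_depth -= 1


def scan(html):
    """Return findings sorted by line; checks that need the whole page run after parsing."""
    p = A11yScanner()
    p.feed(html)
    p.close()
    findings = list(p.findings)
    if not p.html_lang:
        findings.append(("3.1.1", p.html_line, "<html> has no lang attribute"))
    for cid, named, in_label, line in p._controls:
        if not (named or in_label or (cid and cid in p._labelled_ids)):
            findings.append(("3.3.2", line, "form control has no associated label"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for sc, line, msg in scan(SAMPLE_HTML):
        print(f"line {line}: WCAG 2.0 SC {sc}: {msg}")
```

Everything this scanner cannot see is the reason for the other three tests: it accepts alt="image" as a description, cannot tell whether a link named "click here" makes sense out of context, and knows nothing about keyboard focus order, colour contrast, or how a screen reader actually announces the page. A clean run is a starting point for the manual and screen reader tests, not a conclusion.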

For more information on ADA Website Accessibility Compliance or how Young & Associates, Inc. can assist your bank in this area, download our “Better Understanding ADA Website Compliance & Young Associates Audit,” or contact Mike Lehr, Human Resources Consultant at 1.330.777.0094 or mlehr@younginc.com.

The Director’s Role in Information Security

By: Mike Detrow, Senior Consultant and Manager of IT

Technology has changed significantly at community banks over the past 15 years. For many years, banks only had to manage a core processing system, a standalone Fedline PC, and a few workstations that were used for word processing and maintaining spreadsheets. These systems were relatively easy to secure as data was maintained in-house and connectivity to external networks was limited. Fast forward to 2017 and community banks now have connections to numerous outside networks including the internet and those of core processing vendors. Services are being offered to customers through cell phones and tablets, customer data is processed through websites, and data is stored in many locations that are not controlled by the bank.

Whether making a loan, depositing a check, or checking a customer’s account balance, nearly every function within the bank now relies on some form of technology. To remain competitive, the implementation of new technology is necessary to meet the needs of customers and to reduce a bank’s operating expenses. However, information security has often been an afterthought rather than being incorporated during the implementation process.

Regulators are emphasizing the need for a change to the security culture within community banks to make information security a higher priority, and this change must begin with the board of directors. The board must take a more active role in the oversight of the bank’s information security program. All too often, information security is treated as something that only the “IT person” can understand, and directors do not properly scrutinize the decisions made by the IT Manager or an outsourced technology support provider. The board of directors is ultimately responsible for the security of the customer information maintained by the bank and the third parties that the bank uses. As such, directors must have a clear understanding of the regulatory requirements for protecting customer information, as well as defining and monitoring the bank’s information security program. While directors may not fully understand all of the technical aspects, I have provided some general recommendations for overseeing the information security program within this article.

Recommended Documents
The following documents should be reviewed and approved by the board of directors on an annual basis, or more frequently depending on the changes that occur within the bank. While much of the information in these documents will not change, there will typically be some changes each year due to employee turnover, technological changes, or new regulatory guidance. These changes should be clearly documented to allow directors to evaluate the changes before approving the updated documents. If there are no recommended changes to these documents over a period of several years, directors should request an explanation from management.

  • IT Strategic Plan. An IT Strategic Plan should be in place to align IT initiatives with the bank’s overall strategic plan. This may include the implementation of additional products and services to compete with other financial institutions or the implementation of technologies to create internal efficiencies. The IT Strategic Plan may also identify systems that are approaching the end of their manufacturer’s support lifecycle and identify upgrade/replacement strategies.
  • IT Budget. The budgeting process should include information technology and information security expenses such as hardware and software maintenance, technology service provider expenses, contract renewals, recently approved project expenses, training expenses, and risk mitigation expenses.
  • Information Security Program. The Information Security Program identifies the technical, physical, and administrative safeguards that must be implemented to maintain the confidentiality, integrity, and availability of the bank’s information systems.
  • Information Security Risk Assessment. The Information Security Risk Assessment should identify the information systems that are in use, classify the data that the information systems store or process, identify the threats and vulnerabilities associated with each information system, identify the likelihood and impact of the risks, identify the mitigating controls that have been implemented, and evaluate the effectiveness of the mitigating controls. The risk assessment should be updated before implementing new information systems and as new threats are discovered.
  • Incident Response Plan. The Incident Response Plan should identify the procedures to be performed in response to an incident involving loss of data availability, confidentiality, and/or integrity, such as a breach. The steps of this plan should include containing the incident, recovering from the incident, the investigation process, and the notification process. This plan should be tested on a regular basis to evaluate the effectiveness of the response procedures for various types of incidents.
  • Business Continuity/Disaster Recovery Plans. The Business Continuity and Disaster Recovery Plans identify procedures for performing the bank’s business processes during or following various types of operational interruptions. These procedures must be tested on a regular basis to ensure the continuity of these business processes during a variety of disruptive events, such as natural disasters, service provider interruptions, and cyber-attacks.
  • Cybersecurity Assessment. A formal Cybersecurity Assessment should be performed to evaluate the bank’s inherent cyber risk and the effectiveness of its cybersecurity controls. If the bank is utilizing the FFIEC’s Cybersecurity Assessment Tool, an understanding of the relationship between the Inherent Risk Profile and the Cybersecurity Maturity Level is required. Plans for attaining the recommended Cybersecurity Maturity Level should be developed and the status of this process should be monitored. The Cybersecurity Assessment should be reviewed annually and updated when changes occur that affect the bank’s Inherent Risk Profile.

Recommended Reports
The Information Security Officer should provide information security program status reports to the board of directors on at least an annual basis. These reports should identify the risk assessment process, risk management and control decisions, service provider arrangements, results of independent testing of the information security program, security breaches, and recommendations for updates to the program. While some of the content within these reports will not change, these reports should reflect the actual activity since the last report and should not just be the same report with a new date at the top.

While many community banks have implemented a steering committee to manage their information security programs, directors still need to ensure that the program is effectively managed. If a steering committee is used, a formal charter should be in place to define the committee’s purpose and responsibilities. The board of directors should receive copies of the steering committee’s meeting minutes to monitor committee activities and to ensure that it is fulfilling its requirements.

Information system reports and service provider reports should be regularly monitored to identify any events that require further investigation. Some examples of the reports that should be reviewed by the steering committee or the board of directors include:

  • Patch management
  • Firewall
  • Intrusion detection system
  • Intrusion prevention system
  • Anomalous operating system events
  • Malware/virus protection
  • Managed services provider tickets
  • Vendor management

If the reports that are provided never indicate any anomalous activity that requires further investigation, directors should question the validity of the reports and request a review of the reporting parameters for the system(s).

Independent Audits
To assist the board of directors with its evaluation of the effectiveness of the bank’s information security program, periodic independent audits should be performed. These audits are typically performed on an annual basis, with the frequency depending on the size and complexity of the bank and its risk assessment. The board of directors or the audit committee should be involved in the external auditor selection process and the audit scoping process. At least one director should participate in the auditor’s exit meeting to ensure an understanding of any recommendations made by the auditor.

Conclusion
The use of a top-down approach to manage information security and holding employees accountable for complying with the bank’s information security program will greatly strengthen the security culture within the bank. A strong security culture will help to enhance the bank’s reputation among its customers, community, and the financial industry.

For more information on this article or on how Young & Associates, Inc. can assist you in this process, contact me at 330.422.3447 or mdetrow@younginc.com.

Capital Market Commentary – May 2017

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update – The Trump Effect
The election of President Donald Trump was followed by a strong upward movement in the market. Hopes related to lower taxes, less regulation, and economic stimulus led the market to new highs. Since the election, the Dow Jones Industrial Average moved up 14.22% through April 30th. Banks moved upward even more, increasing 21.29% (as measured by the Nasdaq Bank Index). Much has been made of the first 100 days of the new administration, with many Executive Orders being issued but no real legislative actions accomplished. The March failure to pass legislation to repeal the Affordable Care Act was a stark reminder that enacting legislation is a difficult process. However, the market appears to remain optimistic that President Trump’s initiatives will be delivered.

Economic Developments of Note

  • April marks the 94th month for the current economic expansion, the third longest in U.S. history (the 1960s and 1990s were the two longest).
  • The U.S. economy grew at its weakest pace in three years in the first quarter as consumer spending barely increased and businesses invested less on inventories. Gross domestic product increased at a 0.7% annual rate, the weakest performance since the first quarter of 2014. The economy grew at a 2.1% pace in the fourth quarter of 2016.
  • The latest annual inflation rate for the United States is 2.1%, exceeding the Fed’s target of 2% for the first time in nearly five years. The increase in inflation may provide support for the Fed to continue its plans to move interest rates up in 2017.
  • In March, it was reported that employers slowed their pace of hiring. However, unemployment was reported at 4.5%. The March unemployment rate was the lowest in almost a decade. It was also reported that private-sector workers saw average earnings rise 2.7% in March compared to the previous year. This is a sign that we are nearing “full employment” and competition is heating up to attract and retain employees.
  • Activity in the manufacturing sector remained solid in April marking the eighth consecutive month of industrial expansion. One concern for the future, however, is the auto industry. After seven straight years of sales gains, including two consecutive record performances, auto demand has cooled in 2017 despite soaring discounts. Overall, auto makers sold 1.43 million vehicles in the U.S. in April, down 4.7% from a year earlier. A record 17.55 million vehicles were sold in 2016.
  • Exports were reported to be higher by 7.2% this year. This is a positive sign to future economic growth.
  • Home prices have continued their impressive climb upward. The S&P/Case-Shiller Home Price Index, covering the entire nation, rose 7% in the 12 months ending in February. We anticipate that these gains will continue, perhaps at a slower rate, due to high demand, low inventories, as well as the overall positive financial condition of home buyers.

We expect that the economy will remain on a positive trend this year. We project GNP to be at 2% for the year as a whole. Job growth should remain positive this year. We expect home building and home sales to be positive. We think that the Fed will increase rates, but anticipate them to be cautious in how quickly they raise rates and reduce their holdings of securities.

Interesting Tidbits

  • It has been reported that several large auto lenders have decreased their emphasis on auto lending due to concerns about credit quality issues and auto resale values. A portion of this concern is related to the length of new car loans being made. Loans with original terms of between 73 and 84 months accounted for 18.2% of the market. It was further reported that 31% of consumers who traded in a car in 2016 did so in a negative equity position.
  • China’s banking system was reported as the largest by assets, reaching $33 trillion at the end of 2016. This compares to $16 trillion for the U.S. banking market.
  • U.S. household net worth was reported at a record $92.8 trillion at year-end 2016. U.S. households lost approximately $13 trillion during the 2007-2009 recession. The eight-year rally since has added $38 trillion in net worth principally from rising stock prices and climbing real estate values.
  • The Farm Credit System (a government sponsored enterprise) has over $314 billion in assets which would place it as one of the country’s ten largest banks.
  • A bankruptcy judge recently issued a $45 million fine against Bank of America. The action was in connection with a $590,000 residential mortgage loan and servicing issues related to its delinquency.
  • We have been led to believe that small businesses employ the majority of Americans. This is no longer the case. Large companies (10,000 employees or more) employ over 25% of the workforce. Employers with more than 2,500 workers employ 65% of total employees.
  • Nonbank lenders (i.e., Quicken Loans) were responsible for 51.4% of the consumer mortgage loans originated in the third quarter of 2016. This is up from 9% in 2009.
  • People in the United States ages 65 to 74 hold more than five times the debt Americans held two decades ago.

Short-term interest rates ended April 30 up 29 b.p. from year-end with the 3-Month T-Bill at 0.80%. The 10-Year T-Note ended April at 2.29%. This is lower than December 31, 2016, when they were at 2.45%. This reflects a flattening of the yield curve.

The general stock market continued to climb to record levels in the first four months of 2017. The Dow Jones Industrial Index ended April up 5.96% for the year. Banks, after their spectacular rise after the election, retreated somewhat in the first four months of 2017. The broad Nasdaq Bank Index fell 4.05%. Larger banks were more fortunate (as measured by the KBW Bank Index) falling only 0.60%. Banks appear to have been more impacted by the uncertainty surrounding proposed tax cuts and less regulation than other companies.

Merger and Acquisition Activity
For the first four months of 2017, there were 77 bank and thrift announced merger transactions. This compares to 83 deals in the same period of 2016. The median price to tangible book for transactions involving bank sellers was 159% compared to the 133% median value for all of 2016.

Phishing: Understanding the Risks and Implementing an Effective Employee Training Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of I.T.

Our assessments show that the human element is always the weakest link in the security chain. It is not uncommon for a community bank to fare well during external network vulnerability scans due to appropriately configured firewall rules controlling inbound traffic and/or limited internally hosted services. While controls may be implemented to mitigate technical vulnerabilities, humans are still susceptible to social engineering attacks such as phishing. This vulnerability may be compounded by community banking values, such as customer service and employee accessibility. One example of employee accessibility is placing employee email addresses on the bank’s website. While it is not a bad practice to provide employee contact information on the bank’s website, placing email addresses directly within a webpage, rather than utilizing a contact form to hide the email address from automated tools and website visitors, simplifies the email address harvesting process.

One of the activities that we perform during the majority of our vulnerability assessments is a social engineering test, where we send a phishing email to the client’s employees to evaluate the effectiveness of the bank’s information security training program. Through our assessments, we frequently demonstrate the ease with which an attacker can convince multiple employees to visit a malicious link or provide information system login credentials.

Many community banks utilize technology service providers for services such as email hosting, loan documentation, document imaging, and online mortgage applications. These services are often accessed through a web browser. As a result of the phishing emails that we send during our assessments, we are typically able to obtain email login credentials. If the bank is using a hosted email service with webmail capabilities, we can then use the provided login credentials to access an employee’s email account and view any non-public data that the employee has sent or received. You may be thinking, “No worries here, we have a policy that instructs employees not to send customer information through unencrypted email so they are surely following this policy.” Even so, it is very common to see customer information sent through unencrypted email between bank employees and in some cases between bank employees and customers.

Even if no customer information is sent through email, there is still plenty of other useful information within an employee’s email box. Some examples of this useful information include bank policies, employee schedules, and welcome emails with temporary login credentials for accessing web-based services. By obtaining a list of the web-based services available to the compromised email account’s owner, we can now access the websites for these services and use the password reset function which sends a link to the compromised email account to allow a new password to be set. We now have access to this web-based service which will provide access to a significant amount of customer information depending on the type of service provided. In addition, systems that rely on the user’s email address for the purpose of one-time passwords or password recovery would be compromised.

The compromised email account scenario above is just one example of the result of a phishing email. Some other examples of phishing emails include links to malicious websites for the purpose of installing malicious code onto the visitor’s workstation, and emails that instruct the recipient to perform a task such as sending a wire transfer to the attacker.

Phishing Training
While many community banks provide some form of phishing training to employees on an annual basis, this training usually consists of a policy review or a few examples of phishing emails during a presentation. This type of training is not as effective as exposing employees to actual phishing emails throughout the year.

To assist community banks with their employee training program, Young & Associates, Inc. offers a quarterly Phishing Training service. The intent of this service is to simulate real-world phishing scenarios during the normal business day and require each employee to respond individually to the email. Employees who fall for a simulated email can receive additional training from a supervisor, or training materials can be presented immediately after a link is clicked or credentials are provided. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails, and monitor the results, our consultants do all of the work. Our consultants will send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team.

Our consultants will work with your institution to develop a customized phishing training program for your employees which will establish:

  • Expectations for the training program
  • A baseline of the effectiveness of the current employee training program based on the first quarterly email
  • A schedule for sending the remaining quarterly emails
  • Increases to the complexity of each remaining email
  • Development of ongoing training materials

For information about our Phishing Training service, please contact Mike Detrow at 1.800.525.9775 or by email.
