Network Vulnerability Management – Don’t Be a Soft Target for Attackers

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As the recent Equifax breach illustrates, failing to remediate known vulnerabilities in a timely manner can have significant consequences. In the case of Equifax, reports indicate that a patch was issued approximately two months prior to the May 2017 breach for the vulnerability that was exploited. While financial institutions have been quick to criticize Equifax for its vulnerability management practices, they should also take some time to evaluate their own vulnerability management practices and enhance them as needed to help prevent a breach at their own institutions.

During the vulnerability assessments that we perform for community banks, it is not uncommon to see systems that are missing patches that have been available for a year or more. While these are typically internal systems, this can still present a significant risk to the bank depending on the role(s) of the affected systems. It should also be noted that vulnerability management for internal systems is as critical as ever, as attackers are able to use social engineering tactics to bypass perimeter controls such as firewalls and gain direct access to the internal network by compromising an employee’s workstation. In addition, many community banks are only having vulnerability assessments performed on an annual basis, which means that a number of vulnerabilities may go undetected for nearly a year.

Community banks need to improve their vulnerability management practices to remediate vulnerabilities in a timely manner rather than allowing them to exist for months or even years. We often hear community bankers comment that they are too small to be the target of an attack, but they must also consider that an attacker may purposely go after a soft target like a community bank with poor vulnerability management practices that makes it easier to accomplish his or her mission.

Patch Management Vs. Vulnerability Management
Patch management is a significant aspect of vulnerability management, but patch management alone will not mitigate every vulnerability on the bank’s network. An example of this is an internal server that houses reports from the core system and allows anonymous access, meaning that no username or password is required to access this data using a File Transfer Protocol (FTP) client. In this example, the server may be completely up-to-date with the latest security patches, but this insecure configuration may still allow unauthorized access to the data on the system. Another concern is the systems and applications that may be missing from a bank’s patch management program. We still see banks that are only performing Microsoft and limited third-party patching. Failing to patch the software on other devices such as ATMs, routers, switches, and printers will leave these devices vulnerable to attacks.

Developing a Vulnerability Management Program
The process to develop a vulnerability management program starts with a complete inventory of the devices connected to the bank’s network. Even small community banks now have a significant number of network-connected devices such as ATMs, DVRs, alarm panels, time clocks, and environmental monitors in addition to the commonly known devices such as workstations, servers, printers, and routers. During this step, it may be helpful for the bank’s staff to scan the network with a network mapping tool to help identify devices that may not be included in the current network inventory. At a minimum, the inventory should identify the location, IP address, manufacturer, and model for each device. In the case of servers, workstations, and mobile devices, the bank must understand what applications are installed on each device to ensure that each application is patched in addition to the operating system.

The second step is to ensure that a comprehensive patch management program is in place at the bank. As noted above, a bank’s patch management program may not currently include all network-connected devices. Special attention should be given to devices that are connected to the bank’s network that are vendor-managed to ensure that the vendor has appropriate patch management procedures in place. Some examples of vendor-managed systems include: routers that are managed by the core system provider, DVRs, ATMs and alarm panels.

A comprehensive patch management program will include all devices that are connected to the network, and it will prescribe:

  • A method to identify the availability of new patches that apply to the devices on the bank’s network
  • An evaluation and testing process for each patch
  • A procedure to back up critical systems before installing a patch
  • Timing for the installation of each patch based on its risk rating

The third step is to identify the vulnerabilities that currently exist on each device. This is most easily accomplished by performing a vulnerability scan on the internal network and against any internet-facing devices that are owned by the bank. The vulnerability scan can be performed by a consulting firm or the bank’s staff can perform the scan using an automated vulnerability scanner.

There are typically two basic types of vulnerability scans that can be performed, credentialed and un-credentialed. A credentialed scan uses administrative credentials to log on to each device to perform a more in-depth evaluation of the vulnerabilities that may exist. An un-credentialed scan does not use credentials and therefore only identifies vulnerabilities that can be detected without logging on to each device.

The number of vulnerabilities identified by a credentialed scan will typically be significantly higher than those identified by an un-credentialed scan. It is important to note that if the bank only performs un-credentialed scans, the vulnerabilities that would have been identified by a credentialed scan will still exist on the network; they just will not appear in the un-credentialed vulnerability scan report. In addition, a credentialed scan will typically identify many privilege escalation vulnerabilities that an un-credentialed scan is unable to detect.

The results of the vulnerability scan will be provided within a report that the bank’s staff or managed services provider can work through to install patches or make configuration changes to remediate the detected vulnerabilities. The vulnerability scan report will assign a risk rating to each vulnerability that is identified to help the bank’s staff prioritize its response to each vulnerability.

As the bank’s staff or managed services provider works through the list of vulnerabilities, a tracking process should be in place to identify the patches that are installed and configuration changes that are made to remediate each vulnerability. Once the tracking document identifies that all of the vulnerabilities are remediated, it is time to perform another vulnerability scan to verify that all of the previously identified vulnerabilities are remediated. If this is the first or most recent vulnerability scan, this process will help the bank’s staff establish a baseline to work from as they continue to identify vulnerabilities and correct them.

The fourth step is to determine the frequency with which vulnerability scans will be performed. The scan frequency will be dependent on the size and complexity of the bank; however, based on the rate at which vulnerabilities are being discovered, a minimum scan frequency of once each quarter should be strongly considered. Monthly or even weekly vulnerability scans are highly recommended for more complex environments.
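As an added example (not code from the article or from Young & Associates), the following Python script ties together the inventory, risk-rating, tracking, and re-scan steps described above. It parses two constructed scan exports (a baseline and a follow-up; the column names, plugin ids, hosts, and findings are all invented and do not follow any particular scanner’s format), flags scanned hosts that are missing from the device inventory, classifies each finding as remediated, persisting, or new, and lists findings that have passed an assumed remediation deadline for their risk rating. The SLA_DAYS values and the review date are assumptions standing in for the bank’s own patch-timing policy, not figures from the article.

```python
"""Vulnerability scan triage and remediation tracking (added example).

All inputs below are constructed for illustration: the inventory, the two
scan exports, and the per-rating deadlines are assumptions, not real data.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation deadlines (days after first detection) by risk rating.
# A bank would set these in its patch management program.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed date on which the tracking document is being reviewed.
REPORT_DATE = date(2017, 9, 30)

# Constructed device inventory: location, manufacturer, and model per IP.
INVENTORY = {
    "10.1.1.10": {"location": "Main office", "make": "ExampleCo", "model": "Server-1", "role": "report server"},
    "10.1.1.20": {"location": "Main office", "make": "ExampleCo", "model": "Printer-9", "role": "printer"},
    "10.1.2.5": {"location": "Branch 2", "make": "ExampleCo", "model": "Router-4", "role": "router"},
}

# Constructed baseline scan export (CSV). Plugin ids and titles are invented.
BASELINE_SCAN = """\
ip,plugin_id,title,risk,first_seen
10.1.1.10,1001,Anonymous FTP access allowed,High,2017-06-01
10.1.1.10,1002,Missing operating system security update,Critical,2017-06-01
10.1.2.5,1003,Outdated router firmware,Medium,2017-06-01
10.1.1.20,1004,Printer admin page without password,Low,2017-06-01
"""

# Constructed follow-up scan export: two findings fixed, two persist, one new
# host appears that nobody put in the inventory.
FOLLOWUP_SCAN = """\
ip,plugin_id,title,risk,first_seen
10.1.1.10,1001,Anonymous FTP access allowed,High,2017-06-01
10.1.2.5,1003,Outdated router firmware,Medium,2017-06-01
10.1.3.77,1005,Unpatched embedded web server,High,2017-09-15
"""


def parse_scan(text):
    """Parse a CSV scan export into {(ip, plugin_id): finding} with a real date."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        findings[(row["ip"], row["plugin_id"])] = row
    return findings


def inventory_gaps(findings, inventory):
    """Step one check: scanned hosts that are absent from the device inventory."""
    return sorted({ip for ip, _ in findings} - set(inventory))


def compare_scans(baseline, followup):
    """Tracking step: classify findings between two scans by (ip, plugin_id)."""
    before, after = set(baseline), set(followup)
    return {
        "remediated": before - after,   # present before, gone now
        "persisting": before & after,   # still open, deadline keeps running
        "new": after - before,          # appeared since the baseline
    }


def overdue_findings(findings, as_of):
    """Findings past their assumed SLA deadline on `as_of`, worst first.

    Returns [((ip, plugin_id), days_over)], so the worklist is ordered by how
    far each item has slipped rather than by the order in the export.
    """
    late = []
    for key, finding in findings.items():
        due = finding["first_seen"] + timedelta(days=SLA_DAYS[finding["risk"]])
        days_over = (as_of - due).days
        if days_over > 0:
            late.append((key, days_over))
    return sorted(late, key=lambda item: item[1], reverse=True)


def prioritized(findings):
    """Worklist ordered by risk rating, then by age (oldest first)."""
    return sorted(findings.values(), key=lambda f: (RISK_RANK[f["risk"]], f["first_seen"]))


if __name__ == "__main__":
    base = parse_scan(BASELINE_SCAN)
    follow = parse_scan(FOLLOWUP_SCAN)
    print("scanned hosts not in inventory:", inventory_gaps(follow, INVENTORY))
    for status, keys in compare_scans(base, follow).items():
        print(f"{status}: {sorted(keys)}")
    for key, days in overdue_findings(follow, REPORT_DATE):
        print(f"OVERDUE by {days:>3} days: {key} {follow[key]['title']}")
```

The point of keeping `first_seen` in the tracking record rather than taking it from each new export is that a persisting finding’s deadline is measured from when it was first detected, so a quarterly scan cadence cannot quietly reset the clock on a finding that has been open since the baseline.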

Summary
Once the steps listed above are complete, the bank should have established:

  • A complete network device inventory that must be maintained as changes occur within the bank’s network
  • A comprehensive patch management program
  • A schedule for performing automated vulnerability scans
  • Procedures to review the vulnerability scan reports and remediate the identified vulnerabilities

As I mentioned in “The Changing Role of the Community Bank IT Manager” in last quarter’s 90 Day Note, community banks must adapt to the changing threat landscape and budget for additional information security resources. While some may view these additional expenses as unnecessary, they will most likely be minuscule in comparison to the costs associated with a data breach at the bank.

Young & Associates, Inc. can assist your bank with its vulnerability management program by performing quarterly or monthly vulnerability assessments to identify the vulnerabilities that exist on your network and recommend remediation procedures. Please contact Mike Detrow for more information about our vulnerability assessment services at mdetrow@younginc.com or 330.422.3447.

CFPB Amends HMDA Rule

By: William J. Showalter, CRCM, CRP; Senior Consultant

The Consumer Financial Protection Bureau (CFPB) issued a final rule making several technical corrections and clarifications to the expanded data collection under Regulation C, which implements the Home Mortgage Disclosure Act (HMDA). The regulation is also being amended to temporarily raise the threshold at which banks are required to report data on home equity lines of credit (HELOC).

These amendments take effect on January 1, 2018, along with compliance for most other provisions of the newly expanded Regulation C.

Background
Since the mid-1970s, HMDA has provided the public and public officials with information about mortgage lending activity within communities by requiring financial institutions to collect, report, and disclose certain data about their mortgage activities. The Dodd-Frank Act amended HMDA, transferring rule-writing authority to the CFPB and expanding the scope of information that must be collected, reported, and disclosed under HMDA, among other changes.

In October 2015, the CFPB issued the 2015 HMDA Final Rule implementing the Dodd-Frank Act amendments to HMDA. The 2015 HMDA Final Rule modified the types of institutions and transactions subject to Regulation C, the types of data that institutions are required to collect, and the processes for reporting and disclosing the required data. In addition, the 2015 HMDA Final Rule established transactional thresholds that determine whether financial institutions are required to collect data on open-end lines of credit or closed-end mortgage loans.

The CFPB has identified a number of areas in which implementation of the 2015 HMDA Final Rule could be facilitated through clarifications, technical corrections, or minor changes. In April 2017, the agency published a notice of proposed rulemaking that would make certain amendments to Regulation C to address those areas. In addition, since issuing the 2015 HMDA Final Rule, the agency has heard concerns that the open-end threshold at 100 transactions is too low. In July 2017, the CFPB published a proposal to address the threshold for reporting open-end lines of credit. The agency is now publishing final amendments to Regulation C pursuant to the April and July HMDA proposals.

HELOC Threshold
Under the rule as originally written, banks originating more than 100 HELOCs would generally have been required to report under HMDA, but the final rule temporarily raises that threshold to 500 HELOCs for data collection in calendar years 2018 and 2019, allowing the CFPB time to assess whether to make the adjusted threshold permanent.

In addition, the final rule corrects a drafting error by clarifying both the open-end and closed-end thresholds so that only financial institutions that meet the threshold for two years in a row are required to collect data in the following calendar years. With these amendments, financial institutions that originated between 100 and 499 open-end lines of credit in either of the two preceding calendar years will not be required to begin collecting data on their open-end lending (HELOCs) before January 1, 2020.

Technical Amendments and Clarifications
The final rule establishes transition rules for two data points – loan purpose and the unique identifier for the loan originator. The transition rules require, in the case of loan purpose, or permit, in the case of the unique identifier for the loan originator, financial institutions to report “not applicable” for these data points when reporting certain loans that they purchased and that were originated before certain regulatory requirements took effect. The final rule also makes additional amendments to clarify certain key terms, such as “multifamily dwelling,” “temporary financing,” and “automated underwriting system.” It also creates a new reporting exception for certain transactions associated with New York State consolidation, extension, and modification agreements.

In addition, the 2017 HMDA Final Rule facilitates reporting the census tract of the property securing or, in the case of an application, proposed to secure a covered loan that is required to be reported by Regulation C. The CFPB plans to make available on its website a geocoding tool that financial institutions may use to identify the census tract in which a property is located. The final rule establishes that a financial institution would not violate Regulation C by reporting an incorrect census tract for a particular property if the financial institution obtained the incorrect census tract number from the geocoding tool on the agency’s website, provided that the financial institution entered an accurate property address into the tool and the tool returned a census tract for the address entered.

Finally, the final rule also makes certain technical corrections. These technical corrections include, for example, a change to the calculation of the check digit and replacement of the word “income” with the correct word “age” in one comment.

The HMDA final rule is available at www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/regulation-c-home-mortgage-disclosure-act/.

Updated HMDA Resources
The CFPB also has updated its website to include resources for financial institutions required to file HMDA data. The updated resources include filing instruction guides for HMDA data collected in 2017 and 2018, and HMDA loan scenarios. They are available at www.consumerfinance.gov/data-research/hmda/for-filers.

For More Information
For more information on this article, contact Bill Showalter at 330-422-3473 or wshowalter@younginc.com.

For information about Young & Associates, Inc.’s newly updated HMDA Reporting policy, click here. In addition, we are currently updating our HMDA Toolkit.

To be notified when the HMDA Toolkit is available for purchase, contact Bryan Fetty at bfetty@younginc.com.

Capital Market Commentary – August 2017

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update
The U.S. has entered the ninth year of economic expansion. While the growth has not been spectacular, it has been steady. GDP expanded at a 2.6% annual rate in the second quarter. The GDP growth in the current recovery has averaged 2.1%. This compares to the 3.6% average of the 1990s recovery and the 4.9% average for the 1960s expansion. (These are the most recent economic recoveries of comparable length to the current expansion.)

  • America’s largest companies were reported to be on pace to post two consecutive quarters of double-digit profit growth for the first time since 2011. Factors explaining the growth in profitability include a weaker dollar that helped U.S. exports, limited wage growth, and cost cutting programs.
  • Unemployment was reported at 4.4% in June, near the lowest rate in a decade.
  • Despite nearing full employment, wage growth has increased only modestly. It was reported that wages increased 0.5% in the second quarter.
  • At the Federal Reserve meeting in July, the Fed held interest rates unchanged but announced that it soon will begin to shrink its securities portfolio. The Fed currently holds more than $4 trillion of investments; a large portion of these were purchased as part of the Fed’s quantitative easing programs.
  • Consumer spending rose at a 2.8% pace in the second quarter, an increase from 1.9% in the first quarter. However, concerns remain about the spending outlook at a time of soft wage growth, stalling car sales, and a growing overhang of auto and student-loan debt.
  • U.S. business investment rose for the second straight quarter. In the second quarter, nonresidential fixed investment advanced at a 5.2% pace. That comes on the heels of a 7.2% gain the prior quarter. The continuation of strong business spending suggests firms have confidence in the durability of the economic expansion.
  • The U.S. housing market continues to improve. After falling throughout the usually busy spring season, the monthly index of signed contracts to purchase existing homes increased 1.5% in June compared with May. The Case-Shiller Index, which measures the increase in home prices across the country, rose 5.6% in the 12 months ending in May.
  • Overall, inflation continues to be held in check. The U.S. inflation index was 1.4% in May, well below the Fed’s 2% target.

The stock market has reached all-time highs. This has occurred despite the lack of action on President Trump’s plans for lowering taxes and economic stimulus. Should these initiatives be enacted, 2017 should be a very good year for investors.

Interesting Tidbits

  • The New York Times recently reported that homeowners now stay in their homes for an average of 8½ years, up from the 3½ year average in 2008.
  • Twenty years ago, there were 7,322 listed public companies in the U.S. At the end of 2016, there were only 3,671 companies publicly traded on U.S. exchanges.
  • Deere & Co., the maker of farming equipment, is the fifth largest agricultural lender. This is in addition to the billions that they lend to farmers to fund purchases of their farming equipment.
  • It is widely anticipated that the Libor index will be phased out over the next five years. Libor is used to set the price on trillions of dollars of loans.

Short-term interest rates have moved up in response to the Fed’s actions of increasing short-term rates with the 3-month T-Bill ending July at 1.07%.

The 10-year T-Note ended July at 2.30%. The yield curve has flattened this year with the 10-year T-Note falling 14 basis points while short-term rates moved up 56 basis points.

The general stock market reached historic highs in July. The Dow Jones Industrial Index ended July 31 at an all-time high and was up 10.77% for the year. The Nasdaq Index closed up 17.93% for the year. Banks have underperformed the general stock market this year. The Nasdaq Bank index was down 3.10% for the year. However, since the election, bank stocks are up 22.50%, which is a larger increase than the Dow Jones Industrial Index has posted since the election.

Merger and Acquisition Activity
Through July there were 147 bank and thrift announced merger transactions. This compares to 151 deals for the comparable period in 2016. Despite the slightly lower number of deals, the total assets involved in transactions increased from $109 billion to $124 billion. The median price to tangible book for transactions involving bank sellers was 162%.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the need for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically, leading to employees using mobile devices to access internal network resources and to banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat actors and their current activities so that mitigating controls can be identified and implemented to limit the potential impact of those activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and then implementing or modifying mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks only monitored perimeter devices such as firewalls and believed that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall, after which the attacker moves around the internal network, potentially undetected. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. Patch management includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame to allow for the continued performance of its daily functions. Additional time is required to initially document recovery strategies and then modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when it will happen. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles to effectively and efficiently respond to an incident.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank $4 million. This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

     Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

     Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage its information systems based on the rapid technological, regulatory, and threat landscape changes. Strategic plans should consider the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within its plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.


Developing a Consensus on Capital Adequacy – The First Step in Strategic Planning

By: Gary J. Young, Founder and CEO

The most critical component of every strategic plan is a thorough understanding of your position on capital adequacy and your target for capital. They are not the same.

The Regulator View of Capital
As community bankers, we have all heard the mantra that we need to increase capital. It may be an oversimplification, but to the regulator more is always better. The regulator has no interest in your shareholders. And as I will discuss later in this article, an increase in capital lowers the return on equity, or the return to shareholders. The regulator’s #1 job is to ensure a safe and sound banking system. Your job is to satisfy the regulators and your shareholders. You have to balance the interests of both. You need to proactively communicate your bank’s opinion regarding capital.

An example of the need to balance is shown below. There are four banks with a 1% ROA. However, the equity/asset ratio at each is different ranging from an 8.0% leverage ratio to a 12.0% leverage ratio. By dividing the ROA by the leverage ratio, you get the ROE. By multiplying the ROE by an assumed PE, you get the multiple of book. In this example, the bank with an 8.0% leverage ratio has a value of $30 million while the bank with a 12.0% leverage ratio has a value of $20 million. The amount of capital provides a significant difference in the return to shareholders.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with input from executive management. Capital adequacy is the level below which the Capital Contingency Plan must be implemented. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the Capital Contingency Plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is desired to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong. The board of directors has multiple responsibilities and at times these can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been more is better. Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Strategic Planning
After there is agreement on capital based on risk, planning can begin on the methodology or methodologies to best utilize any existing or planned excess capital. The recommended considerations that follow do not address all of the issues within your mission statement or vision statement. Rather, these address your desire to maximize shareholder return and to maintain your bank’s independence.

Consider the following:

  • Ways to generate additional organic growth. This means growth from your market without any significant increases in infrastructure. This is normally the most profitable short-term methodology.
  • Expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less. While this is long-term, most bankers are in for the long haul. Remember, a branch that increases net income by $500,000 increases shareholder value by $6,500,000, assuming a 13 price-earnings ratio.
  • The purchase of another bank or branches. This can significantly impact capital, but once the target is effectively absorbed by your bank, the value rewards can be great. But, also make sure you adequately consider the risks.
  • A stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase. I look at this as buying your bank as opposed to buying another bank. I recommend to every client that has a tier-1 leverage ratio in excess of 9% that they should at least consider a stock repurchase.
  • A slow, steady increase in dividends to shareholders. If after all other approaches to capital utilization excess capital remains, then increase the dividend. This will increase dividend income to shareholders without jeopardizing capital adequacy.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.


HMDA 2018

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance and Adam Witmer, CRCM, Senior Consultant

Beginning in 2018, you will be faced with two major changes to the Home Mortgage Disclosure Act (Regulation C, 12 CFR § 1003). They are:

  1. Changes to the existing rules
  2. Addition of new rules

While the new rules will be challenging to navigate, the changes to the existing rules could prove to be extremely challenging, as long-established procedures and understandings are going to change. The following is a list of some of the biggest modifications.

Reporting Changes
Loan Volume Test. The new rules have two separate loan volume tests, one for closed-end and one for open-end.
The closed-end test is 25 covered loans. If your bank originates 25 closed-end covered loans (a covered loan is a closed-end mortgage loan or an open-end line of credit that is not excluded by the rule) in each of the two preceding calendar years, you will report closed-end loans.

The open-end test is 100 covered loans. If your bank originates 100 open-end covered loans in each of the two preceding calendar years, you will report open-end loans. There is a regulatory proposal to raise this to 500 open-end loans for a couple of years, and we expect that to occur. The challenge here relates to business-purpose loans.

All consumer-purpose open-end loans (generally HELOCs) will count, but business-purpose loans may also count. Excluded loans will be open-end loans (such as an equity line for operating expenses) that are not for a purchase, refinance, or home improvement purpose. But when an open-end loan such as this is refinanced, it becomes reportable.

If your financial institution only meets one test, you only report the type of loans for the test you meet. This means some institutions will only report closed-end loans. Some will only report open-end loans. And others will report both.

Dwelling Secured. Under prior HMDA rules, one definition of Home Improvement included loans that were not secured by a dwelling. Under the new rules, only loans secured by a dwelling will be reportable.

Temporary Financing. The exclusion now covers only financing that is designed to be replaced by new (permanent) financing. The old rules specifically excluded construction and bridge loans by name.

Agricultural Loans. The new rules exempt all agricultural-purpose loans. In the past, the agricultural exemption applied only to purchase loans, which meant that when an agricultural loan was refinanced, it required HMDA reporting. Now, all agricultural-purpose loans are exempt.

Preapproval Requests. Preapproval requests that are approved but not accepted must now be reported; under the old rules, reporting them was optional.

Submission Process. The CFPB is going to use a cloud-based program for HMDA submissions. This means that reporters using the FFIEC software are going to have a much more difficult time. You will want to think about software options. If you are not using third-party software already, you will need to work out logistics of using the new reporting system.

Items to Consider
Our training manual for our live HMDA presentation runs 210 pages, so this is just an overview of some of the items that must be considered. Time is growing short. If your institution is going to be subject to the new rules, then training for everybody involved in the process is necessary. And for most readers, this will include more than one person.

For the future, if you are not subject to the HMDA regulation, be careful with expansion. If you open a branch in an MSA, HMDA will suddenly become part of your life. So beware of a good deal on the land or the lease: the costs of HMDA could easily dwarf the savings. If you are already a HMDA reporter, remember that any compliance requirement gets paid for in one of two ways: the applicants/customers pay for it, or it comes out of the stockholders’ pockets. Fee changes may be in your future.

HMDA Tools – Coming Soon
Young & Associates, Inc. is currently developing a HMDA Toolkit which will be available shortly, as well as a customizable HMDA policy. As there is HMDA text that the CFPB is changing and correcting (due out soon, we hope), we are not ready for release just yet. But we hope to keep the timetable reasonable. The HMDA policy will be available to purchase September 1, 2017.

We will also be offering an off-site HMDA Review beginning in 2018. We will review as many or as few loans as you would like to make sure you are on track. Billing will be based on the number of files reviewed, so you will control your costs.

Detailed information for all of these items will be available soon. If you are interested in the HMDA toolkit, HMDA policy, or HMDA reviews, we will be happy to discuss these products and services with you at any time.

Good luck – we will all need it. For more information on this article or how Young & Associates, Inc. can assist you in this process, contact us at compliance@younginc.com or 330.422.3450.

Mary Green Earns CAFP Designation

Young & Associates, Inc. is pleased to announce that Mary Green, Consultant, has earned the industry designation of Certified AML and Fraud Professional (CAFP) by the Institute of Certified Bankers, a subsidiary of the American Bankers Association (ABA). This certification demonstrates the ability to detect, prevent, monitor, and report current and emerging money laundering and fraud risks.

Where is the UCA/FAS 95 Analysis?

By: David Dalessandro, Senior Consultant

In the summer of 1987, the savings and loan I was working for at the time sent me to a “cash flow” seminar in Norman, OK. I had graduated from Penn State a few years before and had recently accepted my first of what would prove to be many positions in banking, as a credit analyst. At that point, my experience in financial analysis was limited to what I had absorbed from two accounting firms I had worked for and from studying for (and passing) the CPA exam. The seminar topic was “The Implications of FASB 95.”

FASB 95, for those of you asking, was issued in November 1987 and was to be utilized in all financial statements finalized in fiscal years ending after July 15, 1988. The requirement replaced the famous APB 19, Statement of Changes in Financial Position, which we all knew and loved as a pretty worthless financial statement at the time, because no one without a CPA attached to their name understood it, and most CPAs had difficulty explaining it.

The seminar turned out to be one of the most beneficial events in my life. As it was explained, the Statement of Cash Flows, as required by FASB 95, was a financial disclosure that would trace every dollar of cash through an accounting period. How awesome, I thought, because only cash pays back loans. So now if I have a tool to trace every dollar of cash, credit analysis would be a cinch.

Well, fast forward 30 years…and the Statement of Cash Flows is still not a household name in Credit Analysis. Most financial institutions, even the largest, still hang onto EBITDA for “cash flow” or multiples of EBITDA for “value.” The EBITDA analysis may approximate real cash flow for real estate rental properties, but for those thousands of enterprises that carry Accounts Receivable, Accounts Payable, Inventory, Other Assets, and Other Liabilities, pay distributions, report gains and losses on sales of assets, take charge downs on intangibles, write off bad debts, and enter into other “non-cash” transactions, the Statement of Cash Flows is the only real way to “follow the money.”

The question here is, why would any financial institution NOT at least include FASB 95/UCA in cash flow analysis when it is appropriate? EBITDA, or even EBITDA adjusted for one-time items, may give the analyst an estimate of total cash flow, but true operating cash flow can only be obtained from a properly and timely prepared Statement of Cash Flows. The Statement separates the movement of cash into three primary categories: Operating, Investing, and Financing. From a bank or financial institution standpoint, if there is positive cash flow from the Investing segment or from the Financing segment, then the enterprise is selling assets, obtaining more loans, or selling stock in order to make its loan payments. Are those sources sustainable? Are those sources where you want your customer to come up with the funding to make your loan payments? Is the quality of cash flow from Investing or Financing equal to that of Operating Cash Flow? Probably not. But if the cash flow from operations is positive, has been positive for a number of years, and is sufficiently positive to fund all loan payments, then that should be a sustainable source of cash flow far into the future. If the Operating Cash Flow is positive enough to fund loan payments, pay distributions/dividends, AND fund capital expenditures, then that enterprise is more than likely to enjoy a very strong financial condition with relatively easy debt coverage.

If your underwriting protocols do not include UCA/FAS 95/Statement of Cash Flow analysis, then you risk being surprised when a borrower who had “good” EBITDA coverage shows up past due or comes to you needing more money. Use this tool in conjunction with your standard analysis and it will enable you to rethink loan structures where the expected cash flows do not match up.
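The divergence described above can be made concrete with a small calculation. What follows is an added example, not from the article and not from any UCA or spreading software; the borrower figures are constructed, and the field and function names are this example's own. It builds the FAS 95 operating section by the indirect method (start from net income, add back non-cash charges, remove the gain on an asset sale whose proceeds belong in the investing section, then adjust for working-capital movements) and compares the EBITDA coverage a lender might quote with coverage from operating cash flow, before and after the borrower also pays distributions and replaces fixed assets.

```python
"""Operating cash flow (FAS 95 indirect method) versus EBITDA for debt coverage.

Added example; figures are constructed. The UCA format used by lenders breaks
the operating section into more lines but arrives at the same operating total.
"""
from dataclasses import dataclass


@dataclass
class BorrowerYear:
    net_income: float
    depreciation_amort: float
    interest_expense: float
    income_taxes: float
    gain_on_asset_sale: float     # non-operating; sale proceeds sit in investing
    ar_change: float              # increase in receivables consumes cash
    inventory_change: float       # increase in inventory consumes cash
    ap_change: float              # increase in payables provides cash
    capex: float                  # investing outflow
    distributions: float          # financing outflow
    scheduled_principal: float    # financing outflow


def ebitda(y: BorrowerYear) -> float:
    """The 'cash flow' proxy most credit memos still use."""
    return y.net_income + y.interest_expense + y.income_taxes + y.depreciation_amort


def operating_cash_flow(y: BorrowerYear) -> float:
    """FAS 95 operating section, indirect method."""
    return (y.net_income
            + y.depreciation_amort        # non-cash charge added back
            - y.gain_on_asset_sale        # belongs to investing, not operations
            - y.ar_change
            - y.inventory_change
            + y.ap_change)


def coverage(y: BorrowerYear) -> dict:
    """Debt service = interest + scheduled principal.

    Interest is already inside net income, so CFO is added back interest to put
    it on the same pre-interest basis as EBITDA before dividing by debt service.
    """
    debt_service = y.interest_expense + y.scheduled_principal
    cfo_before_interest = operating_cash_flow(y) + y.interest_expense
    after_capex_dist = cfo_before_interest - y.capex - y.distributions
    return {
        "debt_service": debt_service,
        "ebitda_coverage": ebitda(y) / debt_service,
        "cfo_coverage": cfo_before_interest / debt_service,
        "cfo_after_capex_dist_coverage": after_capex_dist / debt_service,
    }


# Constructed borrower: profitable on paper, but growing receivables and
# inventory absorbed more cash than the business generated.
SAMPLE = BorrowerYear(
    net_income=400, depreciation_amort=300, interest_expense=200, income_taxes=150,
    gain_on_asset_sale=50, ar_change=500, inventory_change=300, ap_change=100,
    capex=350, distributions=200, scheduled_principal=600,
)

if __name__ == "__main__":
    print("EBITDA:", ebitda(SAMPLE))                      # 1050
    print("Operating cash flow:", operating_cash_flow(SAMPLE))  # -50
    for k, v in coverage(SAMPLE).items():
        print(f"{k}: {v:.2f}")
```

With these figures EBITDA covers debt service 1.31 times, which looks acceptable, while the operating section is negative: the borrower funded its loan payments from somewhere other than operations. That is the surprise the article warns about, and it is visible only because the working-capital lines are on the statement.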

If you would like to discuss incorporating UCA/FAS 95/Statement of Cash Flow analysis in your institution, please contact me at 330.422.3487 or ddalessandro@younginc.com.

FFIEC Cybersecurity Assessment Tool Update – New Version of the Cybersecurity Assessment Workbook Released

On May 31, 2017, the FFIEC announced an update to the Cybersecurity Assessment Tool which includes a change within the cybersecurity maturity section of the tool and an updated mapping of the baseline statements to the FFIEC IT Examination Handbooks.

The update to the cybersecurity maturity section of the tool allows institutions to select “Yes with Compensating Controls”, meaning that an institution has implemented a control or controls that protect an information system in a manner that is comparable or equivalent to a recommended security control within a declarative statement. Appendix A was revised to incorporate the updates to the Information Security and Management booklets.
Version 2.0 of the Cybersecurity Assessment Workbook (see below) incorporates the changes within the cybersecurity maturity section of the tool, as well as the content of Appendix A.
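The maturity section is where the new response matters, so here is an added example of how a domain's maturity level follows from the declarative-statement responses once “Yes with Compensating Controls” is allowed. This is not the FFIEC tool or the Young & Associates workbook; it is illustrative code. The five maturity level names and the rule that a level is attained only when every declarative statement at that level and at all lower levels is attained are from the FFIEC Cybersecurity Assessment Tool. The declarative statements themselves are constructed placeholders, not the tool's actual statement text, and the function names are this example's own.

```python
"""FFIEC CAT domain maturity from declarative-statement responses.

Added example. Level names and the cumulative-attainment rule are from the
FFIEC Cybersecurity Assessment Tool; the sample statements are placeholders.
"""

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# The 2017 update lets an institution answer "Yes with Compensating Controls";
# for attainment purposes it counts the same as "Yes".
ATTAINED = {"Yes", "Yes with Compensating Controls"}
VALID = ATTAINED | {"No"}


def attained_level(responses):
    """Return the highest maturity level attained for one domain.

    responses: {level_name: [response, ...]} covering all five levels.
    Returns None when Baseline itself is not fully attained. Raises ValueError
    on a missing level, an empty level, or an unrecognised response string,
    rather than silently treating the gap as attained.
    """
    reached = None
    for level in LEVELS:
        stmts = responses.get(level)
        if not stmts:
            raise ValueError(f"no responses for level {level}")
        bad = [r for r in stmts if r not in VALID]
        if bad:
            raise ValueError(f"unrecognised response {bad[0]!r} at {level}")
        if all(r in ATTAINED for r in stmts):
            reached = level
        else:
            break  # levels are cumulative: stop at the first level with a gap
    return reached


def gaps(responses):
    """(level, statement index) of every 'No', so the reviewer sees what blocks
    the next level even when higher levels are mostly met."""
    return [(level, i) for level in LEVELS if level in responses
            for i, r in enumerate(responses[level]) if r == "No"]


def compensating_controls(responses):
    """(level, statement index) of statements met only through compensating
    controls; examiners will expect the equivalence to be documented."""
    return [(level, i) for level in LEVELS if level in responses
            for i, r in enumerate(responses[level])
            if r == "Yes with Compensating Controls"]


# Constructed sample for one domain; each list entry stands in for one
# declarative statement at that level.
SAMPLE = {
    "Baseline": ["Yes", "Yes", "Yes with Compensating Controls"],
    "Evolving": ["Yes", "Yes"],
    "Intermediate": ["Yes", "No", "Yes"],
    "Advanced": ["Yes", "Yes"],   # fully met, but does not count while Intermediate has a gap
    "Innovative": ["No"],
}

if __name__ == "__main__":
    print("Attained level:", attained_level(SAMPLE))
    print("Blocking gaps:", gaps(SAMPLE))
    print("Compensating controls to document:", compensating_controls(SAMPLE))
```

The point worth noticing is the Advanced row: every statement there is met, yet the domain reports Evolving because one Intermediate statement is “No”. A workbook that simply counted “Yes” answers per level would overstate maturity; the summary worksheets should apply the cumulative rule, and anything answered with compensating controls should carry a note explaining why the control is equivalent.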

Cybersecurity Assessment Workbook
(#310) – $299

This electronic workbook allows a financial institution to easily complete the FFIEC Cybersecurity Assessment Tool and generate the needed summaries for analysis and board reporting. The workbook is set up with two main sections: 1) Inherent Risk Profile and 2) Cybersecurity Maturity.

Inherent Risk Profile. Includes five worksheets for the five categories of inherent risk identified in the Cybersecurity Assessment Tool. This section also contains a summary worksheet to assist the reviewer with the identification of an Overall Inherent Risk Profile.

Cybersecurity Maturity. Includes five worksheets for the five domains identified by the Cybersecurity Assessment Tool. A summary worksheet for each of the five domains allows the reviewer to identify the maturity level for each domain.

Easy to Use and Understand
All of the required data entry is completed through the use of drop down boxes and provisions are included to allow the reviewer to enter notes and comments as needed throughout the workbook. Colorful summaries are included to simplify analysis and include in a report to the Board.

The Cybersecurity Assessment Workbook is available for $299.

Excess Capital is Hurting Shareholder Return

By: Gary J. Young, President and CEO

The Mantra
As community bankers, we have all heard the mantra to increase capital. This is heard by the banker that has an 8% leverage ratio who needs to increase capital to 9%, by the banker who has a 9% leverage ratio that needs to increase capital to 10%, and by the banker who has a 10% leverage ratio that needs to increase capital to 11%. Based on this view regarding capital, more is always better. I disagree.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with the input from executive management. Capital adequacy is the point in which a capital contingency plan is implemented if actual capital falls below that level. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure the bank should implement the methodology for improving capital as described in the capital contingency plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is needed to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

Cost
Excess capital has a cost. Let’s assume you had to eliminate $1 million of excess capital. To balance that transaction, you would also eliminate $1 million in assets, which in this example would be investments. Let’s assume that the investments had an average yield of 1.5%. After taxes, that would be approximately 1.0%. Based on this example, the return on equity of the $1 million of excess capital is 1.0%. We must agree that 1.0% is unacceptable. Well, it is unacceptable unless that is your return for opportunity capital or insurance capital as described above.

Another example of the cost of excess capital can be seen in the table on page 2. There are four banks, each with a 1% ROA, but the equity/asset (leverage) ratio at each is different, ranging from 8.0% to 12.0%. Dividing the ROA by the leverage ratio gives the ROE. Multiplying the ROE by an assumed price-earnings (PE) ratio gives the multiple of book value. In this example, the bank with an 8.0% leverage ratio has a value of $30 million, while the bank with a 12.0% leverage ratio has a value of $20 million (for the values to differ, the comparison must hold the dollar amount of equity constant, so the lower-leverage banks carry more assets and earn more). This is a simplified example that provides information on the cost of excess capital.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong.

The board of directors has multiple responsibilities and at times they can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value, which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been “more is better.” Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Best Practices
The question for executive management is: what should I do? It is my opinion that best practice is for every bank to develop a definition of capital adequacy based on inherent risk. Furthermore, a capital contingency plan should be part of that definition, indicating the steps the bank might take if capital falls below, or is projected to fall below, the bank’s definition of capital adequacy. You should then have a frank discussion at the board level on the amount of capital that is your goal or meets your comfort level. If you then find that your capital is above that level, consider the following:

  • Focus on additional organic growth, if possible.
  • Consider expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less.
  • Develop a stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase.
  • Achieve a slow, steady increase in dividends to shareholders.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

Conclusion
If you would like to discuss this article with me, you can reach me by phone at 330.422.3480 or by email at gyoung@younginc.com.

Regulatory Compliance Update

By: Bill Elliott, Senior Consultant and Manager of Compliance

We usually try to use this space to share information that will help you prepare for what has been released, and for what will be required in the coming months. However, at this writing we find ourselves in a unique position: almost nothing (at least in the near term) is changing in the world of compliance. That does not mean that we can relax too much, just that we have a little time to catch up and get ready for the next round of changes.

Here is a sampling of where we are today:

  • Expedited Funds Availability (Regulation CC) Update: The CFPB promised it for late last fall, but has not yet released it. (Note: this is maybe its fifth release date.) It has been working on it for about 6 years.
  • Privacy (Regulation P) Update: This was also promised for last fall, but it has not yet appeared. In the interim, the prudential regulators have stated that banks that do not share (and therefore have no opt out) can follow the new privacy law. This means no annual privacy notice mailings of any kind, unless your privacy notice has to change. If you do change your notice and/or start to share, you will have to mail the new notice to all customers annually, so you may want to think about the mailing expense before you make any changes that would require the annual mailing.
  • Prepaid Cards Update: The new prepaid card rule has been delayed for six months (to April 2018) to allow for the changes that will essentially turn every prepaid card that can be reloaded into an “account.” Cardholders will then have rights similar to those of an account holder; they can ask for transaction histories, dispute items, etc. This is probably going to make these cards more expensive and therefore less attractive to your customers, and they may end up not being a profitable item for many banks.
  • TRID Update: They have published a proposal, but we will have to wait to see what the final rule looks like. It will be a number of months at least before anything is finalized on this subject.
  • Home Mortgage Disclosure Act Update: The major item on the compliance agenda for 2017 is the Home Mortgage Disclosure Act. Management needs to assure that staff training occurs – and soon. We created a manual for our live seminars that runs 210 pages. We also created a listing of every possible code that might be needed, and that runs 33 pages in Excel. So this will not be an easy transition, and waiting until December to think about it does not seem like a good idea. If you do not have an LEI (Legal Entity Identifier) and you are a HMDA bank, you should get one very soon. It will be required for 2018. We should also mention that the CFPB published a 150-page update with changes and corrections to the HMDA rule. These changes should be final by the first of the year.

Stay Tuned
We will continue to use the newsletter to keep you informed as the CFPB finally publishes updates and new regulations. But in the near term, the staff can work on absorbing what already has been issued. If we can help in any way, please feel free to call Karen Clower at 330.422.3444 for assistance. She can also be reached at kclower@younginc.com. 

ADA Website Audits

By: Mike Lehr, HR Consultant

Clients of Young & Associates, Inc. have been receiving demand letters from plaintiffs’ law firms alleging that their websites aren’t accessible to individuals with disabilities. In effect, these letters claim that the banks are violating Title III of the Americans with Disabilities Act (ADA). More press and training have surfaced on this issue too.

If your bank has received such a letter, don’t ignore it. Attorneys we know have had to defend their clients in court over these letters. If your bank has not received one, it’s best to begin working with your legal counsel and reviewing your website before you do. Proactivity helps here. In our audits to date, the main problem has been clients relying too heavily on assurances from their website vendors and on results from compliance software. Auditing software is a tool, not a judge. As a result, individuals with disabilities might be able to access the website, but only with unreasonable difficulty. The website still isn’t in the clear.

That’s why Young & Associates audits employ four tests:

  1. Compliance software tests
  2. Manual audit of home pages, main navigation pages, and highly problematic pages
  3. Screen reader test by Young & Associates consultant
  4. Screen reader test by a sight-impaired person observed by Young & Associates consultant
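To show why the first test alone is not enough, here is an added example of the kind of check a compliance software test performs, along with the category of finding it can only flag for a human to judge. This is illustrative code, not Young & Associates' audit tooling or any commercial checker; it covers a small subset of WCAG 2.0 success criteria (1.1.1 non-text content, 1.3.1 info and relationships, 2.4.4 link purpose), the sample HTML is constructed, and the class and function names are this example's own.

```python
"""Minimal automated accessibility scan of the 'compliance software' kind.

Added example. "error" findings are mechanically decidable; "review" findings
are things software can point at but cannot judge (an alt attribute that is
present but useless, a link whose text says nothing about its target).
"""
import re
from html.parser import HTMLParser

GENERIC_LINK_TEXT = {"click here", "here", "read more", "more", "link"}
FILENAME_ALT = re.compile(r"^[\w-]+\.(png|jpe?g|gif|svg|webp)$", re.I)
UNLABELLED_INPUT_TYPES_IGNORED = {"hidden", "submit", "button", "reset", "image"}


class A11yScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (severity, wcag_criterion, message)
        self._inputs = []         # (id, type, aria-label)
        self._labels_for = set()  # ids referenced by <label for=...>
        self._link_text = None    # text buffer while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            alt = a.get("alt")
            if alt is None:
                self.findings.append(("error", "1.1.1",
                                      f"<img src={a.get('src')!r}> has no alt attribute"))
            elif FILENAME_ALT.match(alt.strip()):
                # Software can see a filename; only a person can say whether the
                # alt text conveys what the image is for.
                self.findings.append(("review", "1.1.1",
                                      f"alt text looks like a filename: {alt!r}"))
        elif tag == "input":
            typ = a.get("type", "text")
            if typ not in UNLABELLED_INPUT_TYPES_IGNORED:
                self._inputs.append((a.get("id"), typ, a.get("aria-label")))
        elif tag == "label" and a.get("for"):
            self._labels_for.add(a["for"])
        elif tag == "a":
            self._link_text = []

    def handle_data(self, data):
        if self._link_text is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            text = " ".join("".join(self._link_text).split()).lower()
            if not text:
                self.findings.append(("error", "2.4.4", "link with no text"))
            elif text in GENERIC_LINK_TEXT:
                self.findings.append(("review", "2.4.4", f"generic link text {text!r}"))
            self._link_text = None

    def close(self):
        super().close()
        # Labels may appear after their input, so resolve at the end.
        for ident, typ, aria in self._inputs:
            if not aria and (ident is None or ident not in self._labels_for):
                self.findings.append(("error", "1.3.1",
                                      f"<input type={typ!r} id={ident!r}> has no associated label"))


def scan(html: str):
    """Run the scanner over one page and return its findings in document order."""
    p = A11yScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed login page fragment for a fictional bank site.
SAMPLE_HTML = """
<form>
  <label for="acct">Account number</label><input id="acct" type="text">
  <input id="pin" type="password">
  <input type="submit" value="Log in">
</form>
<img src="hero.jpg">
<img src="rates.png" alt="rates.png">
<img src="logo.png" alt="First Community Bank">
<a href="/rates">View current deposit rates</a>
<a href="/apply">click here</a>
"""

if __name__ == "__main__":
    for severity, criterion, msg in scan(SAMPLE_HTML):
        print(f"[{severity}] WCAG {criterion}: {msg}")
```

On the sample the scanner reports two hard errors (an image with no alt attribute and a password field with no label) and two review items (an alt attribute that merely repeats the filename, and a “click here” link). A vendor's checker that counts only the errors would call the page clean once those two are fixed, yet a screen reader user would still hear “rates dot png” and “click here”, which is exactly the “accessible, but with unreasonable difficulty” condition the audit is looking for.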

Young & Associates audits use the Web Content Accessibility Guidelines (WCAG) 2.0 and the Section 508 Standards for federal agencies as their baselines. To meet our clients’ many different needs, we have three different audits to select from:

  1. ADA Developmental Website Audit: The purpose of this audit is to assist the bank in the development of a new website or to provide a cost-effective first look at a current website that has never been audited or tested in any manner. It employs the compliance software test, the manual audit, and a modified screen reading test.
  2. ADA Compliance Website Audit: The purpose of this audit is to perform a formal compliance audit of the website. It employs the full complement of tests.
  3. ADA Follow-Up Website Audit: The purpose of this audit is to review the changes made to the website in response to the findings of other audits. It usually employs just the compliance software test or a modified application of the full complement of tests.

For more information on ADA Website Accessibility Compliance or how Young & Associates, Inc. can assist your bank in this area, download our “Better Understanding ADA Website Compliance & Young Associates Audit,” or contact Mike Lehr, Human Resources Consultant at 1.330.777.0094 or mlehr@younginc.com.
