
Author: admin

Excess Capital is Hurting Shareholder Return

By: Gary J. Young, President and CEO

The Mantra
As community bankers, we have all heard the mantra to increase capital. This is heard by the banker that has an 8% leverage ratio who needs to increase capital to 9%, by the banker who has a 9% leverage ratio that needs to increase capital to 10%, and by the banker who has a 10% leverage ratio that needs to increase capital to 11%. Based on this view regarding capital, more is always better. I disagree.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with input from executive management. Capital adequacy is the point at which a capital contingency plan is implemented if actual capital falls below that level. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the capital contingency plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is needed to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc., or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

Cost
Excess capital has a cost. Let’s assume you had to eliminate $1 million of excess capital. To balance that transaction, you would also eliminate $1 million in assets which would be investments. Let’s assume that the investments had an average yield of 1.5%. After taxes, that would be approximately 1.0%. Based on this example, the return on equity of the $1 million of excess capital is 1.0%. We must agree that 1.0% is unacceptable. Well, it is unacceptable unless that is your return for opportunity capital or insurance capital as described above.

Another example of the cost of excess capital can be seen in the table on page 2. There are four banks with a 1% ROA. However, the equity/asset ratio at each is different, ranging from an 8.0% leverage ratio to a 12.0% leverage ratio. By dividing the ROA by the leverage ratio, you get the ROE. By multiplying the ROE by an assumed PE, you get the multiple of book. In this example, the bank with an 8.0% leverage ratio has a value of $30 million while the bank with a 12.0% leverage ratio has a value of $20 million. This is a simplified example that provides information on the cost of excess capital.

The Right Amount
There is no right amount. The average $300 million – $1 billion bank has a 10.3% leverage ratio and a 15.4% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But, every bank is unique with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital. That doesn’t make it wrong.

The board of directors has multiple responsibilities and at times they can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value, which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for your bank. My concern is that through the Great Recession and after, the capital mantra has been “more is better.” Well frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Best Practices
The question for executive management is what should I do? It is my opinion that best practices would indicate that every bank develop a definition of capital adequacy based on inherent risk. Furthermore, a capital contingency plan should be part of that plan that indicates the steps the bank might take if capital falls below or is projected to fall below the bank’s definition of capital adequacy. You should then have a frank discussion at the board level on the amount of capital that is your goal or meets your comfort level. If you then find that your capital is above that consider the following:

  • Focus on additional organic growth, if possible.
  • Consider expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less.
  • Develop a stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase.
  • Achieve a slow, steady increase in dividends to shareholders.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

Conclusion
If you would like to discuss this article with me, you can reach me by phone at 330.422.3480 or by email at gyoung@younginc.com.

Regulatory Compliance Update

By: Bill Elliott, Senior Consultant and Manager of Compliance

We usually try to use this space to share information that will help you prepare for what has been released, and for what will be required in the coming months. However, at this writing we find ourselves in a unique position; almost nothing (at least in the near term) is changing in the world of compliance. That does not mean that we can relax too much, just that we have a little time to catch up and get ready for the next round of changes.

Here is a sampling of where we are today:

  • Expedited Funds Availability (Regulation CC) Update: The CFPB promised it for late last fall, but have not yet released it. (Note: this is maybe their fifth release date.) They have been working on it for about 6 years.
  • Privacy (Regulation P) Update: This was also promised for last fall, but it has not yet appeared. In the interim, the prudential regulators have stated that banks that do not share (and therefore have no opt out) can follow the new privacy law. This means no annual privacy notice mailings of any kind, unless your privacy notice has to change. If you do change your notice and/or start to share, you will have to mail the new notice to all customers annually, so you may want to think about the mailing expense before you make any changes that would require the annual mailing.
  • Prepaid Cards Update: The new prepaid card rule has been delayed for six months (April 2018) to allow for the changes that will essentially turn all prepaid cards that have the ability to be reloaded into an “account.” They will then have rights similar to an account holder; they can ask for transaction histories, dispute items, etc. This is probably going to make these cards more expensive and therefore less attractive to your customers, and may end up not being a profitable item for many banks.
  • TRID Update: They have published a proposal, but we will have to wait to see what the final rule looks like. It will be a number of months at least before anything is finalized on this subject.
  • Home Mortgage Disclosure Act Update: The major item on the compliance agenda for 2017 is the Home Mortgage Disclosure Act. Management needs to assure that staff training occurs – and soon. We created a manual for our live seminars that runs 210 pages. We also created a listing of every possible code that might be needed, and that runs 33 pages in Excel. So this will not be an easy transition, and waiting until December to think about it does not seem like a good idea. If you do not have an LEI number and you are a HMDA bank, you should get it very soon. It will be required for 2018. We should also mention that the CFPB published a 150-page update with changes and corrections to the HMDA rule. These changes should be final by the first of the year.

Stay Tuned
We will continue to use the newsletter to keep you informed as the CFPB finally publishes updates and new regulations. But in the near term, the staff can work on absorbing what already has been issued. If we can help in any way, please feel free to call Karen Clower at 330.422.3444 for assistance. She can also be reached at kclower@younginc.com. 

ADA Website Audits

By: Mike Lehr, HR Consultant

Clients of Young & Associates, Inc. have been receiving demand letters from plaintiffs’ law firms, alleging that their websites aren’t accessible to individuals with disabilities. In effect, these letters claim that they are violating Title III of the Americans with Disabilities Act (ADA). More press and training have surfaced on this issue too.

If your bank has received such a letter, don’t ignore it. Attorneys we know have had to defend their clients in court over these letters. If your bank has not received one, it’s best to begin working with your legal counsel and reviewing your website before you do. Proactivity can help here. In our audits to date, the main problem has been clients relying too heavily on assurances from their website vendors and on results from compliance software. Auditing software is a tool, not a judge. As a result, individuals with disabilities might be able to access the website, but they have unreasonable difficulty doing so. The website still isn’t in the clear.

That’s why Young & Associates audits employ four tests:

  1. Compliance software tests
  2. Manual audit of home pages, main navigation pages, and highly problematic pages
  3. Screen reader test by Young & Associates consultant
  4. Screen reader test by a sight-impaired person observed by Young & Associates consultant

Young & Associates audits use the Web Content Accessibility Guidelines (WCAG) 2.0 and the Section 508 Standards for federal agencies as their baselines. To meet our clients’ many different needs, we have three different audits to select from:

  1. ADA Developmental Website Audit: The purpose of this audit is to assist the bank in the development of a new website or to provide a cost-effective first look at a current website that has never been audited or tested in any manner. It employs the compliance software test, the manual audit, and a modified screen reading test.
  2. ADA Compliance Website Audit: The purpose of this audit is to perform a formal compliance audit of the website. It employs the full complement of tests.
  3. ADA Follow-Up Website Audit: The purpose of this audit is to review the changes made to the website in response to the findings of other audits. It usually employs just the compliance software test or a modified application of the full complement of tests.

For more information on ADA Website Accessibility Compliance or how Young & Associates, Inc. can assist your bank in this area, download our “Better Understanding ADA Website Compliance & Young Associates Audit,” or contact Mike Lehr, Human Resources Consultant at 1.330.777.0094 or mlehr@younginc.com.

The Director’s Role in Information Security

By: Mike Detrow, Senior Consultant and Manager of IT

Technology has changed significantly at community banks over the past 15 years. For many years, banks only had to manage a core processing system, a standalone Fedline PC, and a few workstations that were used for word processing and maintaining spreadsheets. These systems were relatively easy to secure as data was maintained in-house and connectivity to external networks was limited. Fast forward to 2017 and community banks now have connections to numerous outside networks including the internet and those of core processing vendors. Services are being offered to customers through cell phones and tablets, customer data is processed through websites, and data is stored in many locations that are not controlled by the bank.

Whether making a loan, depositing a check, or checking a customer’s account balance, nearly every function within the bank now relies on some form of technology. To remain competitive, the implementation of new technology is necessary to meet the needs of customers and to reduce a bank’s operating expenses. However, information security has often been an afterthought rather than being incorporated during the implementation process.

Regulators are emphasizing the need for a change to the security culture within community banks to make information security a higher priority, and this change must begin with the board of directors. The board must take a more active role in the oversight of the bank’s information security program. All too often, information security is treated as something that only the “IT person” can understand, and directors do not properly scrutinize the decisions made by the IT Manager or an outsourced technology support provider. The board of directors is ultimately responsible for the security of the customer information maintained by the bank and the third parties that the bank uses. As such, directors must have a clear understanding of the regulatory requirements for protecting customer information, as well as defining and monitoring the bank’s information security program. While directors may not fully understand all of the technical aspects, I have provided some general recommendations for overseeing the information security program within this article.

Recommended Documents
The following documents should be reviewed and approved by the board of directors on an annual basis, or more frequently depending on the changes that occur within the bank. While much of the information in these documents will not change, there will typically be some changes each year due to employee turnover, technological changes, or new regulatory guidance. These changes should be clearly documented to allow directors to evaluate the changes before approving the updated documents. If there are no recommended changes to these documents over a period of several years, directors should request an explanation from management.

  • IT Strategic Plan. An IT Strategic Plan should be in place to align IT initiatives with the bank’s overall strategic plan. This may include the implementation of additional products and services to compete with other financial institutions or the implementation of technologies to create internal efficiencies. The IT Strategic Plan may also identify systems that are approaching the end of their manufacturer’s support lifecycle and identify upgrade/replacement strategies.
  • IT Budget. The budgeting process should include information technology and information security expenses such as hardware and software maintenance, technology service provider expenses, contract renewals, recently approved project expenses, training expenses, and risk mitigation expenses.
  • Information Security Program. The Information Security Program identifies the technical, physical, and administrative safeguards that must be implemented to maintain the confidentiality, integrity, and availability of the bank’s information systems.
  • Information Security Risk Assessment. The Information Security Risk Assessment should identify the information systems that are in use, classify the data that the information systems store or process, identify the threats and vulnerabilities associated with each information system, identify the likelihood and impact of the risks, identify the mitigating controls that have been implemented, and evaluate the effectiveness of the mitigating controls. The risk assessment should be updated before implementing new information systems and as new threats are discovered.
  • Incident Response Plan. The Incident Response Plan should identify the procedures to be performed in response to an incident involving loss of data availability, confidentiality, and/or integrity, such as a breach. The steps of this plan should include containing the incident, recovering from the incident, the investigation process, and the notification process. This plan should be tested on a regular basis to evaluate the effectiveness of the response procedures for various types of incidents.
  • Business Continuity/Disaster Recovery Plans. The Business Continuity and Disaster Recovery Plans identify procedures for performing the bank’s business processes during or following various types of operational interruptions. These procedures must be tested on a regular basis to ensure the continuity of these business processes during a variety of disruptive events, such as natural disasters, service provider interruptions, and cyber-attacks.
  • Cybersecurity Assessment. A formal Cybersecurity Assessment should be performed to evaluate the bank’s inherent cyber risk and the effectiveness of its cybersecurity controls. If the bank is utilizing the FFIEC’s Cybersecurity Assessment Tool, an understanding of the relationship between the Inherent Risk Profile and the Cybersecurity Maturity Level is required. Plans for attaining the recommended Cybersecurity Maturity Level should be developed and the status of this process should be monitored. The Cybersecurity Assessment should be reviewed annually and updated when changes occur that affect the bank’s Inherent Risk Profile.

Recommended Reports
The Information Security Officer should provide information security program status reports to the board of directors on at least an annual basis. These reports should identify the risk assessment process, risk management and control decisions, service provider arrangements, results of independent testing of the information security program, security breaches, and recommendations for updates to the program. While some of the content within these reports will not change, these reports should reflect the actual activity since the last report and should not just be the same report with a new date at the top.

While many community banks have implemented a steering committee to manage their information security programs, directors still need to ensure that the program is effectively managed. If a steering committee is used, a formal charter should be in place to define the committee’s purpose and responsibilities. The board of directors should receive copies of the steering committee’s meeting minutes to monitor committee activities and to ensure that it is fulfilling its requirements.

Information system reports and service provider reports should be regularly monitored to identify any events that require further investigation. Some examples of the reports that should be reviewed by the steering committee or the board of directors include:

  • Patch management
  • Firewall
  • Intrusion detection system
  • Intrusion prevention system
  • Anomalous operating system events
  • Malware/virus protection
  • Managed services provider tickets
  • Vendor management

If the reports that are provided never indicate any anomalous activity that requires further investigation, directors should question the validity of the reports and request a review of the reporting parameters for the system(s).

Independent Audits
To assist the board of directors with its evaluation of the effectiveness of the bank’s information security program, periodic independent audits should be performed. These audits are typically performed on an annual basis depending on the size and complexity of the bank and its risk assessment. The board of directors or the audit committee should be involved in the external auditor selection process and the audit scoping process. At least one director should participate in the auditor’s exit meeting to ensure an understanding of any recommendations made by the auditor.

Conclusion
The use of a top-down approach to manage information security and holding employees accountable for complying with the bank’s information security program will greatly strengthen the security culture within the bank. A strong security culture will help to enhance the bank’s reputation among its customers, community, and the financial industry.
For more information on this article or on how Young & Associates, Inc. can assist you in this process, contact me at 330.422.3447 or mdetrow@younginc.com.

Capital Market Commentary – May 2017

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update – The Trump Effect
The election of President Donald Trump was followed by a strong upward movement in the market. Hopes related to lower taxes, less regulation, and economic stimulus led the market to new highs. Since the election, the Dow Jones Industrial Average moved up 14.22% through April 30th. Banks moved upward even more, increasing 21.29% (as measured by the Nasdaq Bank Index). Much has been made of the first 100 days of the new administration, with many Executive Orders being issued but no real legislative actions accomplished. The March failure to pass legislation to repeal the Affordable Care Act was a stark reminder that enacting legislation is a difficult process. However, the market appears to remain optimistic that President Trump’s initiatives will be delivered.

Economic Developments of Note

  • April marks the 94th month for the current economic expansion, the third longest in U.S. history (1960’s and 1990’s were the two longest).
  • The U.S. economy grew at its weakest pace in three years in the first quarter as consumer spending barely increased and businesses invested less on inventories. Gross domestic product increased at a 0.7% annual rate, the weakest performance since the first quarter of 2014. The economy grew at a 2.1% pace in the fourth quarter of 2016.
  • The latest annual inflation rate for the United States is 2.1%, exceeding the Fed’s target of 2% for the first time in nearly five years. The increase in inflation may provide support for the Fed to continue its plans to move interest rates up in 2017.
  • In March, it was reported that employers slowed their pace of hiring. However, unemployment was reported at 4.5%. The March unemployment rate was the lowest in almost a decade. It was also reported that private-sector workers saw average earnings rise 2.7% in March compared to the previous year. This is a sign that we are nearing “full employment” and competition is heating up to attract and retain employees.
  • Activity in the manufacturing sector remained solid in April marking the eighth consecutive month of industrial expansion. One concern for the future, however, is the auto industry. After seven straight years of sales gains, including two consecutive record performances, auto demand has cooled in 2017 despite soaring discounts. Overall, auto makers sold 1.43 million vehicles in the U.S. in April, down 4.7% from a year earlier. A record 17.55 million vehicles were sold in 2016.
  • Exports were reported to be higher by 7.2% this year. This is a positive sign to future economic growth.
  • Home prices have continued their impressive climb upward. The S&P/Case-Shiller Home Price Index, covering the entire nation, rose 7% in the 12 months ending in February. We anticipate that these gains will continue, perhaps at a slower rate, due to high demand, low inventories, as well as the overall positive financial condition of home buyers.

We expect that the economy will remain on a positive trend this year. We project GNP to be at 2% for the year as a whole. Job growth should remain positive this year. We expect home building and home sales to be positive. We think that the Fed will increase rates, but anticipate them to be cautious in how quickly they raise rates and reduce their holdings of securities.

Interesting Tidbits

  • It has been reported that several large auto lenders have decreased their emphasis on auto lending due to concerns about credit quality issues and auto resale values. A portion of this concern is related to the length of new car loans being made. Loans with original terms of between 73 and 84 months accounted for 18.2% of the market. It was further reported that 31% of consumers who traded in a car in 2016 did so in a negative equity position.
  • China’s banking system was reported as the largest by assets, reaching $33 trillion at the end of 2016. This compares to $16 trillion for the U.S. banking market.
  • U.S. household net worth was reported at a record $92.8 trillion at year-end 2016. U.S. households lost approximately $13 trillion during the 2007-2009 recession. The eight-year rally since has added $38 trillion in net worth principally from rising stock prices and climbing real estate values.
  • The Farm Credit System (a government sponsored enterprise) has over $314 billion in assets which would place it as one of the country’s ten largest banks.
  • A bankruptcy judge recently issued a $45 million fine against Bank of America. The action was in connection with a $590,000 residential mortgage loan and servicing issues related to its delinquency.
  • We have been led to believe that small businesses employ the majority of Americans. This is no longer the case. Large companies (10,000 employees or more) employ over 25% of the workforce. Employers with more than 2,500 workers employ 65% of total employees.
  • Nonbank lenders (i.e., Quicken Loans) were responsible for 51.4% of the consumer mortgage loans originated in the third quarter of 2016. This is up from 9% in 2009.
  • People in the United States ages 65 to 74 hold more than five times the debt Americans held two decades ago.

Short-term interest rates ended April 30 up 29 b.p. from year-end with the 3-Month T-Bill at 0.80%. The 10-Year T-Note ended April at 2.29%. This is lower than December 31, 2016, when they were at 2.45%. This reflects a flattening of the yield curve.

The general stock market continued to climb to record levels in the first four months of 2017. The Dow Jones Industrial Index ended April up 5.96% for the year. Banks, after their spectacular rise after the election, retreated somewhat in the first four months of 2017. The broad Nasdaq Bank Index fell 4.05%. Larger banks were more fortunate (as measured by the KBW Bank Index) falling only 0.60%. Banks appear to have been more impacted by the uncertainty surrounding proposed tax cuts and less regulation than other companies.

Merger and Acquisition Activity
For the first four months of 2017, there were 77 bank and thrift announced merger transactions. This compares to 83 deals in the same period of 2016. The median price to tangible book for transactions involving bank sellers was 159% compared to the 133% median value for all of 2016.

Phishing: Understanding the Risks and Implementing an Effective Employee Training Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of I.T.
Assessments show that the human element is always the weakest link in the security chain. It is not uncommon for a community bank to fare well during external network vulnerability scans due to appropriately configured firewall rules controlling inbound traffic and/or limited internally hosted services. While controls may be implemented to mitigate technical vulnerabilities, humans are still susceptible to social engineering attacks such as phishing. This vulnerability may be compounded by community banking values, such as customer service and employee accessibility. One example of employee accessibility is placing employee email addresses on the bank’s website. While it is not a bad practice to provide employee contact information on the bank’s website, placing email addresses directly within a webpage, rather than utilizing a contact form to hide the email address from automated tools and website visitors, simplifies the email address harvesting process.

One of the activities that we perform during the majority of our vulnerability assessments is a social engineering test, where we send a phishing email to the client’s employees to evaluate the effectiveness of the bank’s information security training program. Through our assessments, we frequently demonstrate the ease with which an attacker can convince multiple employees to visit a malicious link or provide information system login credentials.

Many community banks utilize technology service providers for services such as email hosting, loan documentation, document imaging, and online mortgage applications. These services are often accessed through a web browser. As a result of the phishing emails that we send during our assessments, we are typically able to obtain email login credentials. If the bank is using a hosted email service with webmail capabilities, we can then use the provided login credentials to access an employee’s email account and view any non-public data that the employee has sent or received. You may be thinking, “No worries here, we have a policy that instructs employees not to send customer information through unencrypted email so they are surely following this policy.” Even so, it is very common to see customer information sent through unencrypted email between bank employees and in some cases between bank employees and customers.

Even if no customer information is sent through email, there is still plenty of other useful information within an employee’s email box. Some examples of this useful information include bank policies, employee schedules, and welcome emails with temporary login credentials for accessing web-based services. By obtaining a list of the web-based services available to the compromised email account’s owner, we can now access the websites for these services and use the password reset function which sends a link to the compromised email account to allow a new password to be set. We now have access to this web-based service which will provide access to a significant amount of customer information depending on the type of service provided. In addition, systems that rely on the user’s email address for the purpose of one-time passwords or password recovery would be compromised.

The compromised email account scenario above is just one example of the result of a phishing email. Some other examples of phishing emails include links to malicious websites for the purpose of installing malicious code onto the visitor’s workstation, and emails that instruct the recipient to perform a task such as sending a wire transfer to the attacker.
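As an added illustration of the compromised-mailbox scenario above (example code written for this page, not a Young & Associates tool), the following Python detection flags a successful webmail login from a source not seen during a baseline period when it is followed within an hour by password-reset emails from service providers. The log format, field names, domains, addresses, one-hour window, and subject patterns are all assumptions constructed for the example.

```python
import re
import shlex
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed subject patterns; vendors word their reset emails differently,
# so tune this list to the services the bank actually uses.
RESET_SUBJECT = re.compile(r"\b(password reset|reset (your )?password)\b", re.I)

# Constructed sample log (hypothetical format). Real webmail and mail-gateway
# logs differ and need their own parser.
SAMPLE_LOG = """\
2017-05-01T08:02:11Z webmail_login user=jsmith@bank.example src=198.51.100.10 result=success
2017-05-01T08:05:40Z webmail_login user=mjones@bank.example src=198.51.100.10 result=success
2017-05-02T08:01:57Z webmail_login user=jsmith@bank.example src=198.51.100.10 result=success
2017-05-02T13:14:03Z webmail_login user=jsmith@bank.example src=203.0.113.45 result=success
2017-05-02T13:16:40Z mail_received rcpt=jsmith@bank.example from=no-reply@loandocs.example subject="Reset your password"
2017-05-02T13:19:12Z mail_received rcpt=jsmith@bank.example from=support@imaging.example subject="Password reset request"
2017-05-02T13:25:00Z mail_received rcpt=jsmith@bank.example from=news@vendor.example subject="May newsletter"
2017-05-03T09:00:00Z webmail_login user=mjones@bank.example src=198.51.100.10 result=success
2017-05-03T09:30:00Z mail_received rcpt=mjones@bank.example from=no-reply@loandocs.example subject="Reset your password"
2017-05-03T10:00:00Z webmail_login user=mjones@bank.example src=192.0.2.77 result=failure
"""

# Logins before this time build the per-mailbox baseline of known sources.
SAMPLE_BASELINE_END = datetime(2017, 5, 2)


def parse_line(line):
    """Parse 'TIMESTAMP TYPE key=value ...' into a dict, or None if malformed."""
    try:
        tokens = shlex.split(line)  # keeps subject="two words" as one token
        if len(tokens) < 2:
            return None
        event = {"time": datetime.strptime(tokens[0], TS_FORMAT), "type": tokens[1]}
    except ValueError:
        return None
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:
            event[key] = value
    return event


def find_reset_pivots(log_text, baseline_end, window=timedelta(minutes=60),
                      min_services=1):
    """Return alerts for new-source logins followed by password-reset mail."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])

    known = {}    # mailbox -> sources seen during the baseline period
    watches = []  # one entry per post-baseline login from an unknown source

    for e in events:
        if e["type"] == "webmail_login" and e.get("result") == "success":
            user, src = e.get("user", "").lower(), e.get("src")
            if not user or not src:
                continue
            if e["time"] < baseline_end:
                known.setdefault(user, set()).add(src)
            elif src not in known.get(user, set()):
                # Unknown sources are never auto-trusted; an analyst decides.
                watches.append({"mailbox": user, "src": src,
                                "login_time": e["time"], "services": set()})
        elif e["type"] == "mail_received" and RESET_SUBJECT.search(e.get("subject", "")):
            rcpt = e.get("rcpt", "").lower()
            domain = e.get("from", "").rsplit("@", 1)[-1].lower()
            for w in watches:
                in_window = w["login_time"] <= e["time"] <= w["login_time"] + window
                if w["mailbox"] == rcpt and in_window:
                    w["services"].add(domain)

    return [{**w, "services": sorted(w["services"])}
            for w in watches if len(w["services"]) >= min_services]


if __name__ == "__main__":
    for alert in find_reset_pivots(SAMPLE_LOG, SAMPLE_BASELINE_END):
        print(alert["login_time"], alert["mailbox"], alert["src"], alert["services"])
```

In the constructed sample, the reset email to mjones is not flagged because it follows a login from a known source, which is what an ordinary self-service reset looks like.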

Phishing Training
While many community banks provide some form of phishing training to employees on an annual basis, this training usually consists of a policy review or a few examples of phishing emails during a presentation. This type of training is not as effective as exposing employees to actual phishing emails throughout the year.

To assist community banks with their employee training program, Young & Associates, Inc. offers a quarterly Phishing Training service. The intent of this service is to simulate real-world phishing scenarios during the normal business day and require each employee to respond individually to the email. Employees that respond negatively can receive additional training from a supervisor or materials can be provided after a link is clicked or after credentials are provided. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails and monitor the results, our consultants do all of the work. Our consultants will send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team.
Our consultants will work with your institution to develop a customized phishing training program for your employees which will establish:

  • Expectations for the training program
  • A baseline of the effectiveness of the current employee training program based on the first quarterly email
  • A schedule for sending the remaining quarterly emails
  • Increases to the complexity of each remaining email
  • Development of ongoing training materials

For information about our Phishing Training service, please contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Implementing a Threat Intelligence Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As part of its continued focus on cybersecurity, the Federal Financial Institutions Examination Council’s (FFIEC) September 2016 Information Security Handbook emphasizes the need for institutions to implement procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information.

Institutions have typically implemented a number of preventative controls such as firewalls, intrusion prevention systems, and antivirus applications to protect their information systems. However, these systems are not always effectively managed and monitored. Even in cases where perimeter devices are well managed and monitored, it is not uncommon to see security weaknesses within the internal network such as missing patches, system misconfigurations, and default passwords. Advanced attacks may not be prevented by perimeter network controls alone and may only be identified through information obtained from external intelligence sources and by monitoring internal detection systems.

An advanced attack typically follows these general steps to achieve the attacker’s goal:

1. Active and passive reconnaissance is performed to learn about the target organization and to identify weaknesses.
2. Based on the identified weaknesses, the attacker obtains or develops malicious code and attempts to deliver this code to the organization through social engineering techniques, exploitation of vulnerable services or applications, or other means.
3. If the attacker is successful, malware and/or backdoors are then installed on the organization’s systems for the attacker to establish control.
4. If needed, privilege escalation is performed through exploiting vulnerable systems or misconfigurations.
5. The attacker performs the intended activities, such as data exfiltration from the organization’s information systems.

To comply with the FFIEC’s guidance, financial institutions must implement a Threat Intelligence Program that documents the following:

  • Employee Responsibilities. Employee responsibilities for monitoring, analysis, response, and reporting should be clearly defined to ensure accountability and appropriate approval for any recommended changes. In addition, the responsibilities for monitoring accounts with administrative capabilities should be documented to ensure independence.
  • Monitoring Threat Intelligence Sources. External threat intelligence sources may include the Financial Services Information Sharing and Analysis Center (FS-ISAC), hardware vendors, or software vendors. Internal sources may include intrusion prevention systems, intrusion detection systems, firewall logs, server event logs, antivirus alerts, or a Security Information and Event Management (SIEM) system. The process for monitoring internal systems begins with the development of a network activity baseline, or in other words, an understanding of the normal daily activity within the institution’s IT environment. Once the institution understands the baseline, monitoring systems can be implemented and tuned to provide alerts to activity that is outside of the baseline and requires additional analysis. A list of the intelligence sources that are monitored and the procedures for monitoring these sources should be documented. Monitoring procedures may indicate that emails are sent to specific employees when an alert is issued or they may indicate that an employee reviews a system management console on a daily basis. Monitoring procedures may also indicate the process for determining the applicability of an alert to the institution’s environment.
  • Analysis and Response. Analysis and response procedures should identify the steps to be taken to assess the risk of a specific threat, determine a mitigation strategy, and implement the mitigation strategy.
  • Reporting. Reporting procedures should identify the type and frequency of reports that will be provided to the board of directors to evaluate the effectiveness of the threat intelligence program. Reports may include a list of the threat notifications received, applicability to the financial institution, and management’s responses to the applicable threats.
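
The baseline-then-alert process described under Monitoring Threat Intelligence Sources can be illustrated with a short script. This is an added example, not part of the original article or any Young & Associates template; the log format, host names, addresses, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed firewall log lines: date, source host, destination IP, port, bytes sent.
BASELINE_LOG = """
2016-11-01 teller-01 10.0.5.20 443 12000
2016-11-01 teller-01 10.0.5.53 53 300
2016-11-02 teller-01 10.0.5.20 443 11000
2016-11-02 teller-01 10.0.5.53 53 280
2016-11-03 teller-01 10.0.5.20 443 13500
2016-11-03 teller-01 10.0.5.53 53 310
2016-11-04 teller-01 10.0.5.20 443 12500
2016-11-04 teller-01 10.0.5.53 53 290
2016-11-01 loan-02 10.0.5.20 443 20000
2016-11-02 loan-02 10.0.5.20 443 22000
2016-11-03 loan-02 10.0.5.20 443 21000
2016-11-04 loan-02 10.0.5.20 443 19000
"""

# Constructed log for the day being reviewed.
TODAY_LOG = """
2016-11-07 teller-01 10.0.5.20 443 12100
2016-11-07 teller-01 203.0.113.45 8443 900
2016-11-07 loan-02 10.0.5.20 443 95000
2016-11-07 kiosk-09 10.0.5.20 443 500
"""

def parse(log_text):
    """Yield (day, host, dest, port, bytes_out) from whitespace-separated lines."""
    for line in log_text.strip().splitlines():
        day, host, dest, port, nbytes = line.split()
        yield day, host, dest, int(port), int(nbytes)

def build_baseline(log_text):
    """Per host: the (dest, port) pairs seen and the total bytes sent on each day."""
    pairs = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, dest, port, nbytes in parse(log_text):
        pairs[host].add((dest, port))
        daily[host][day] += nbytes
    return {h: {"pairs": pairs[h], "daily_bytes": sorted(daily[h].values())}
            for h in pairs}

def volume_limit(daily_bytes, k=5.0):
    """Median plus k times the median absolute deviation, so one odd day
    in the baseline period does not stretch the limit."""
    med = median(daily_bytes)
    mad = median(abs(v - med) for v in daily_bytes)
    # Floor the spread at 10% of the median so a flat baseline keeps some headroom.
    return med + k * max(mad, med / 10)

def alerts_for_day(baseline, log_text):
    """Return (host, reason, detail) tuples for activity outside the baseline."""
    alerts, totals, reported = [], defaultdict(int), set()
    for _day, host, dest, port, nbytes in parse(log_text):
        totals[host] += nbytes
        profile = baseline.get(host)
        key = (host, dest, port)
        if profile and (dest, port) not in profile["pairs"] and key not in reported:
            reported.add(key)
            alerts.append((host, "new-destination", f"{dest}:{port}"))
    for host, total in sorted(totals.items()):
        profile = baseline.get(host)
        if profile is None:
            # A host never seen during the baseline period needs analysis too.
            alerts.append((host, "no-baseline", ""))
        elif total > volume_limit(profile["daily_bytes"]):
            alerts.append((host, "volume", str(total)))
    return alerts

if __name__ == "__main__":
    for alert in alerts_for_day(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(alert)
```

Each alert still needs the applicability and analysis steps the program documents; the multiplier k is the tuning knob that trades missed deviations against alert volume.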

Conclusion
By implementing a Threat Intelligence Program and actively monitoring evolving threats, institutions can prevent or limit a threat’s impact on the institution and its customers.

Young & Associates, Inc., has developed Threat Intelligence Program templates to assist with the implementation of a Threat Intelligence Program. For more information, click here.

Capital Market Commentary – November 2016

By: Stephen Clinton, President, Capital Market Securities, Inc.

Market Update
The current expansion began in June 2009 and has now continued for 88 months, making it the fourth longest period of growth since the data has been recorded. The third quarter growth in the U.S. economy was 2.9%. A tight job market, increasing wages, and low oil prices are aiding the economic growth. Additionally, stronger export growth added to the GNP. Corporate profits are expected to grow and businesses are showing interest in business expansion after sitting on the sidelines for some time.

The following summarize certain issues we think are worth watching:

  • Retail sales in September were up 2.7% from the prior year. Consumer spending, the primary driver for the U.S. economy, accounts for two-thirds of GDP.
  • The number of Americans applying for first-time unemployment benefits was reported at a four-decade low in early October. Initial jobless claims have now remained below 300,000 for seven years, the longest streak since 1970. Job growth has been spurred by a hiring streak that surpassed its previous record in March and is now at 70 straight months. Unemployment is now at 5%.
  • Median household incomes have risen, increasing 5% in the last year. This has led to the consumer confidence reading hitting its highest point in nine years.
  • The Fed continues to remain cautious. Despite fueling expectations for rising interest rates, the Fed has boosted rates only once since the last recession.
  • Home-price growth accelerated in August, as a lack of inventory and low interest rates helped push prices to near record levels. The S&P CoreLogic Case-Shiller Indices covering the entire nation rose 5.3% in the 12 months ending in August.
  • Inflation has remained below the Fed’s 2% annual target for more than four years, but has shown signs of firming recently. Now expectations are building that inflation may move above the Fed’s target.
  • Mr. Trump’s November election will usher in a new President who will have party majorities in both the House and Senate. This should help the new Administration enact programs and policies more readily.

Short-term interest rates remain historically low with the 3-month T-Bill ending September at 0.26%. The 10-year T-Note ended September at 1.56%, down 71 basis points from year-end 2015. This has led to a significant reduction in the slope of the yield curve.

The stock market performance in 2016 has been positive. The Dow Jones Industrial Index closed September up 5.07% for the year. The Nasdaq Index closed up 6.08%. The Nasdaq Bank index ended September up 5.15%. Larger U.S. bank pricing struggled, ending the first three quarters of 2016 down 3.05%.

The dichotomy between big bank pricing and smaller bank pricing can be seen by comparing pricing multiples for each. Since 1995, banks in the S&P Bank Index averaged a price-to-earnings multiple of 14.1. Currently they average 12.0. Conversely, smaller banks had a historical average of 15.9 and are now trading at a multiple of 17.8.

Interesting Tid Bits

  • New Competition. Goldman Sachs, the Wall Street giant, recently began offering consumer loans. An online consumer lending platform was rolled out offering personal loans up to $30,000.
  • CFPB. Thanks to a lawsuit brought by nonbank mortgage lender PHH Mortgage, a three-judge panel recently ruled that the single director structure of the CFPB was unconstitutional and limited the CFPB’s ability to ignore statute of limitations governing administrative enforcement actions.
  • The Big Get Bigger. It was recently reported that since Dodd-Frank was passed in 2010, large banks have grown by 30%. The six largest U.S. banks now hold assets of approximately $10 trillion. There are now at least 1,500 fewer banks with assets under $1 billion than prior to the financial crisis.
  • Boom in Global Trade. The S&P 500 is up nearly nine-fold since October 1986. Among factors cited to explain this dramatic growth is the acceleration of global trade spurred by various trade agreements.
  • Merger and Acquisition Activity. In the first nine months of the year, there were 185 bank and thrift announced merger transactions. This compares to 195 deals in the first three quarters of 2015. The median price to tangible book for transactions involving bank sellers was 129% which is down from the 141% median recorded in 2015.

Ag Lending in 2017

By: Bob Viering, Senior Consultant

In our loan review practice, we have an opportunity to work with ag banks throughout the Midwest. In general, our findings are similar to what you may have read from many ag economists. Working capital is dwindling quickly, and the debt to asset ratio is increasing as is short-term debt. Many banks have been refinancing intermediate- and long-term assets to fix working capital declines and carryover debt. Some borrowers have sold land to reduce debt. We have seen many instances where borrowers have been able to reduce input costs and, most importantly, cash rents to bring them back to the point where they are either producing positive debt service coverage or are coming much closer to positive debt service coverage than they were in 2014. But overall, balance sheets are weakening and repayment is a continuing challenge. Credits that were barely a pass credit in better times have, in many cases, dropped to Special Mention or Substandard. Solid pass credits from a couple of years ago are now one weak year from a criticized level.

For many bankers, having struggling ag borrowers is a relatively new experience. I have more recently been through the experience in working with struggling ag borrowers while working at a western bank that had many cattle ranches that were severely impacted by low cattle prices and drought conditions. Many of the lessons learned there are just as applicable to the situation many of us face here in the Midwest.

As you head into renewal season, here are a few items to consider:

1. Complete information is critical. There is an old Russian proverb, “Trust but verify.” This is good to keep in mind when analyzing your borrower. As things get tougher, there is a temptation by some borrowers to not include every liability or to see some liabilities as something not worth mentioning. When short-term borrowing gets tougher, some borrowers will turn to using the local co-op for some inputs, borrowing from family and friends, or using online lenders (FinTech has hit agriculture too) or credit cards. At renewal time at our bank, we would send out a renewal package that had not only financial statement requests but a complete debt schedule form and inquiry about other loans or bills from any source, including family. We ran a new credit bureau report and compared it to prior ones to see if any new credit card or other type of debt was taken out since the last renewal and looked for any significant increases in balances, especially on credit cards. We completed a new UCC search for the same reason. In the end, we wanted to be sure that all debts were accounted for and had a source of repayment.

2. Restructure only if it helps. Often we see banks terming out any carryover debt or being quick to term out short-term debt to improve working capital. Before you restructure debt, make sure the underlying problem is fixed. Carryover debt usually occurs because the farmer didn’t make enough from crop/livestock sales to pay all term debt, operating lines, and living expenses. Given that revenue isn’t likely to grow in the next few years, improving cash flow is about expense control. Has the operation cut input costs, cash rents (this is the big one), and living costs to a level they can produce enough profits to cover their debt payments and family living? If so, then they are a perfect candidate for a restructure. If those tough choices have not been made and the operation won’t operate profitably, then you are likely to find yourself with even more carryover, more debt, and far fewer options not far down the road.

3. Income taxes may become an issue. Section 179 deductions were very helpful to reduce/eliminate income taxes in the past. But with far fewer pieces of equipment being purchased, those deductions have decreased significantly. Prepaying expenses and holding over grain sales can put off taxes for a while but, at some point, the timing can get tougher and some operations will now show taxable income when their accrual earnings may be negative. Those tax payments are often not planned for and can create a significant cash outflow at exactly the wrong time. It’s important that you encourage your borrowers to work with their tax professionals to plan as far ahead as possible to minimize any tax consequences.

4. Be empathetic and be realistic. Many of your borrowers were on top of the world a few short years ago. Everything they did went well and equipment dealers (and friendly bankers) made expansion with few tax consequences a reality. With today’s reality of weak (if any) earnings and less ability to add debt, it has become a very stressful time for many farmers and their families. It’s a lot tougher to be a banker too. Good bankers help their customers succeed. It’s not always easy and it’s often stressful, but letting customers operate unprofitably and not trying to help them make tough decisions usually only makes the problem get worse. It’s so important to be empathetic with your borrowers and to have a thick skin when they get mad. They may seem like they’re mad at you when they are really frustrated about their current situation. However difficult the conversation may seem today, it’s a far easier conversation than to have to tell someone that they have to quit farming and start over.

Ag lending is a key part of many banks’ loan portfolios and is important to their local market. Even in these tough times, it’s critical to work with your customers and do all you can to help them succeed. At Young & Associates, Inc., we work with many banks with ag portfolios. If we can help you with your loan review, policy reviews, process/underwriting reviews, and improvement plans, give us a call at 1.800.525.9775 or send an email to bviering@younginc.com.

Regulatory Initiative Provides Good Reminder of Importance of Credit Policies

By: Tommy Troyer, Executive Vice President
A look back over recent issues of the 90-Day Note, or a more general scan of industry news and regulatory comments, would reveal the industry’s focus on underwriting standards and possible industry-wide changes in underwriting standards over the last several years. As we have noted previously, for any individual community bank, the important consideration is not simply how conservative or liberal underwriting standards are or whether underwriting standards are loosening or tightening. Instead, the question that is critical for the ultimate health and profitability of the bank focuses much more on whether underwriting standards, and any changes in underwriting standards, are accurately understood and monitored, consistent with an institution’s risk management capabilities, and regularly assessed to ensure that the risk/return calculus and the institution’s level of capital are appropriate for the loan portfolio’s characteristics.

The above considerations, as well as overall industry trends in risk appetite and underwriting standards, are quite naturally of interest to regulators as well. In addition to other regulatory tools (such as loan officer surveys) for measuring underwriting standards, the OCC has launched within the last year an initiative to try to standardize and collect assessments of underwriting practices during safety and soundness examinations. We have heard OCC leadership discuss this initiative at banking conventions and have heard from clients who have had OCC safety and soundness exams over the last year. While the OCC’s overall approach to assessing underwriting can be informative or, at the minimum, a great reminder of critical factors for controlling credit risk, our intention here is to highlight an aspect of controlling underwriting standards and credit risk that should not be, but sometimes is, overlooked: the role of credit policies.

The Important Role of Credit Policies
Credit policies represent perhaps the most important tool for the board of directors and bank management to define underwriting standards and credit risk appetite. While it can be appropriate for some details of underwriting criteria to be maintained outside of formal loan policy, it is not appropriate or effective to employ an overly generic credit policy that provides little specific detail about the characteristics of credits the institution desires to originate. The OCC’s assessment of an institution’s underwriting considers the range of important factors one might expect (for example, loan structure, presence of appropriate covenants, etc.). Importantly, this assessment also extends to whether loan policy provides enough detail and information to control these important characteristics of credit underwriting. Without a policy that defines the bank’s limits on factors such as amortization periods, collateral advance rates, etc., underwriting standards can loosen and credit risk can grow without the intention or even the knowledge of the board. An appropriately detailed policy sets limits on the extent of any loosening that might occur and, assuming exception tracking and reporting is effective, allows for the board to receive better information about any changes in underwriting quality.

Some institutions try to avoid having too much specificity in policy because they do not want to create too many policy exceptions or provide examiners or auditors with more opportunities to “catch” them in violation of their own policy. There certainly is such a thing as a policy that is too specific or detailed to be effective, as at a certain level of detail it is not possible for lenders and analysts to actually know or easily find all of the policy requirements. However, it is also important to recognize the risks that come with overly generic policies, primarily, the inability to effectively control the terms of credit extended and the possibility of regulatory concern about the bank’s effectiveness in defining risk appetite and controlling risk.

The amount of detail is certainly not the only factor that determines the effectiveness of a credit policy. The content of the actual details certainly matters (a well-defined minimum debt service coverage ratio of 0.75 and maximum collateral advance rate against work-in-process inventory of 150%, for two extreme examples, are specific but do not effectively control credit risk). The organization and consistency of policy also matter, as a credit policy can only be effective if it is a usable tool for lenders and credit personnel.

Many credit policies at community banks have been in place for a long time, with small or ad hoc updates put in place as needed. Young & Associates, Inc. offers a policy review service that takes advantage of our exposure to the credit policies of many community banks around the country to evaluate the adequacy of a bank’s policy and to make recommendations for enhancements. We will not tell you what your risk appetite should be, but we can and will assess the content of your policy against regulatory expectations, compare your specific risk limits to what is common across the industry so that you can have better information about where your risk appetite stands relative to peers, and evaluate the effectiveness of your policy’s layout, language, and internal consistency.

If you would like to discuss the importance of credit policies or believe your institution may benefit from a policy review, please contact Tommy Troyer at ttroyer@younginc.com or 1.800.525.9775.

New Prepaid Rule

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

On October 5, 2016, the CFPB issued a final rule amending Regulations E and Z to create comprehensive consumer protections for prepaid financial products. The result of this rule is that many of you may not continue to offer these accounts, and those of you who do not currently offer the accounts may not want to start. The purpose of this article is not to talk you into or out of these products, but to give you the basic facts so that you can make the best decision for your institution.

The Prepaid Rule runs 1,501 pages, so we can only do an overview in this article. You may also want to look at the following: http://www.consumerfinance.gov/policy-compliance/guidance/implementation-guidance/prepaid

Another site worth your time might be: http://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/prepaid-accounts-under-electronic-fund-transfer-act-regulation-e-and-truth-lending-act-regulation-z/

Prepaid Accounts
The Prepaid Rule adds the term “prepaid account” to the definition of “account” in Regulation E. Payroll card accounts and government benefit accounts are prepaid accounts under the Prepaid Rule’s definition. Additionally, a prepaid account includes a product that is either of the following, unless a specific exclusion in the Prepaid Rule applies:

  1. An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  2. An account that meets all of the following:
    1. Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance
    2. Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers
    3. Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account

There are exceptions to the rule. Under the existing definition of account in Regulation E, an account is subject to Regulation E if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not a prepaid account.

Pre-Acquisition Disclosures
The Prepaid Rule contains pre-acquisition disclosure requirements for prepaid accounts. The requirements are detailed. However, there often will be a reseller of these products, meaning that the seller must prepare this disclosure for you. This “short form” disclosure includes general information about the account.

Outside but in close proximity to the short form disclosure, a financial institution must disclose its name, the name of the prepaid account program, any purchase price for the prepaid account, and any fee for activating the prepaid account.

There is also a long form disclosure which sets forth comprehensive fee information as well as certain other key information about the prepaid account.

The Prepaid Rule includes a sample form for the long form disclosure. The long form disclosure must include a long laundry list of items that details every nook and cranny of the account’s use. The Prepaid Rule also requires financial institutions to make disclosures on the access device for the prepaid account, such as a card. If the financial institution does not provide a physical access device for the prepaid account, it must include these disclosures on the website, mobile application, or other entry point the consumer uses to electronically access the prepaid account.

All these disclosures are in addition to your standard Regulation E initial disclosure. The initial disclosures must include all of the information required to be disclosed in the pre-acquisition long form disclosure.

Error Resolution and Limitations on Liability
Prepaid accounts must comply with Regulation E’s limited liability and error resolution requirements, with some modifications. This may or may not be your problem, depending on who owns the account. But if your third-party vendor must give the customer these rights, the cost will likely go up, possibly making selling these cards a problem.

Periodic Statements and the Periodic Statement Alternative
The Prepaid Rule requires financial institutions to provide periodic statements for prepaid accounts, such as payroll accounts. However, a financial institution is not required to provide periodic statements for a prepaid account if it makes certain information available to a consumer, such as:

  • Account balance information by telephone
  • Electronic account transaction histories for the last 12 months
  • Written account transaction histories for the last 24 months

Overdraft Credit Features
The Prepaid Rule amends Regulations E and Z to regulate overdraft credit features that are offered in connection with prepaid accounts. It adds the term “hybrid prepaid-credit card” to Regulation Z and sets forth specific requirements that apply to hybrid prepaid-credit cards. Doing something like this will materially increase your costs. Of course, there are many more rules on the subject that we cannot include in this article.

Effective Dates
The Prepaid Rule is generally effective on October 1, 2017.

What Should You Do?
Over the next few months, you need to talk with any existing companies that you do business with for this kind of product. They may still be struggling with how they are going to approach this, so you may not get all your answers immediately. But you need to know what your role is going to be after October 1, 2017 so that you can make the best decision for your institution. And all new product offerings, whether internal or external, need to be examined carefully to make sure that you can comply with the rules.

For more information about this article, contact Bill Elliott at 1.800.525.9775 or compliance@younginc.com.

 

 
