
5 Ways to Create Compliance Depth

By: Adam Witmer, CRCM, Compliance Consultant

As football season is now in full swing, many die-hard fans find themselves viewing the player roster of their favorite teams. They do this because they are curious, not about the obvious starters, but about those who are there to back up the starters. Football fans are often interested in the depth of skill their team has retained.

Just like an NFL team has a depth chart of skilled back-up players, it is important to have compliance “depth” within our financial institutions. This is especially true today as examiners have been shifting their expectations of compliance from a one-person dictatorship approach to a fully functioning “compliance management system” (CMS).

With so many new rule changes being issued by the Consumer Financial Protection Bureau, financial institutions can no longer depend on a single individual to be the sole person knowledgeable of compliance regulations. Having a depth of compliance knowledge, both in quantity (number of employees) and quality (individual knowledge), is more important today than ever before. Therefore, financial institution leaders should consider building greater depth of compliance within their teams.

The following are five ways that every financial institution can build depth into the compliance function of their organizations.

A Formal Compliance Management System (CMS) Model
One of the best ways to infuse compliance depth into a financial institution is to develop a formal compliance management system (CMS) model which ultimately steers the institution’s compliance activities. While most financial institutions have some sort of compliance management system in place – a risk assessment, training, audit and/or monitoring, designating a compliance officer, and managing complaints – we have found that many of these programs are often informal in nature and don’t always establish depth in the overall program.

A formal CMS model is an intentionally designed program that goes above and beyond the core elements of a compliance management system – the model acts as the infrastructure for a compliance program. Generally, a CMS model will produce certain results:

  • Continuity of compliance, regardless of change
  • Pro-active compliance management
  • Clear communication of the CMS to examiners, directors, and additional parties
  • Integration of compliance into applicable job functions of the organization
  • Early detection of compliance issues
  • Strong regulatory change management

The idea is that a formal CMS model helps to ensure that systems, controls, and procedures are effectively implemented and maintained, which helps to naturally build depth into the compliance structure of an organization.

Integration
Another way any financial institution can create compliance depth is to proactively integrate compliance into applicable job functions of the organization. Years ago, compliance could often be approached as an add-on or afterthought to the main task at hand. For example, prior to the late 1960s and 1970s, creditors didn’t really have to worry about lending fairly among minorities, protected classes, or even different income levels. Over the years, however, fair lending has evolved so much that organizations that don’t have effective systems, procedures, and controls to ensure fair lending compliance can easily place themselves in a high-risk position for fair lending violations.

Integration can occur in a number of ways. First, policies and procedures can be enhanced to include compliance components. Secondly, controls and testing can include applicable compliance elements. Finally, compliance can become an essential part of employee expectations, such as the requirement of training and even consideration in performance evaluations.

When a financial institution integrates compliance into each applicable job function, a depth of compliance is naturally infused into the organization. This is exactly why many financial institutions are adopting a formal CMS model under which they operate.

Compliance Council
For well over a decade now, we at Young and Associates, Inc. have been advocating for the creation of a Compliance Council in many of our client financial institutions. A compliance council is a group of employees, often middle to senior management, who come together on a regular basis to provide oversight of the compliance function of the organization. While only a few financial institutions operate with just a compliance council (rather than having a designated compliance officer), many of those that do have a designated compliance officer also operate with a compliance council.

There are several reasons why a financial institution will operate with a compliance council in addition to having a designated compliance officer. First, the compliance council helps to provide support for the compliance officer. In today’s regulatory environment, it is often unreasonable for any financial institution to place all responsibility for regulatory compliance on the shoulders of one compliance officer. Therefore, a compliance council can help to distribute the compliance burden and support the compliance officer.

In addition to providing support, a compliance council also helps to enhance communication in relation to compliance activities. While different departments within a financial institution often operate somewhat independently, a compliance council can help to bring various department managers together while focusing on a uniform goal of compliance.

A compliance council can be an integral component for building compliance depth and this is why many CMS models have a compliance council at the center of their model.

Succession Planning
Just as every NFL team has a depth chart that outlines who is ready to play a certain position, financial institutions can create compliance depth by establishing and maintaining a formal succession plan for each applicable compliance function. While a compliance succession plan doesn’t need to be complex or even robust, having a clearly designated back-up person for each major compliance function helps to establish greater depth.

To establish depth, a succession plan should designate a back-up person for each significant area of compliance and outline who would assume responsibility in the event that the primary employee responsible for that area is unable to perform their duties. When a back-up person is formally designated and appropriately cross-trained, a CMS model will effectively continue without any major breaches in continuity, meaning that a greater depth of compliance is established.

Training
The final and probably most obvious way to create compliance depth is to conduct enhanced compliance training. Compliance depth can be added through training in two main ways: organizational training and individual training.

First, organizational training can be expanded to integrate compliance into the training rather than treating compliance as an afterthought. Therefore, compliance components should be included in new employee orientations, annual training initiatives, and even sales and other employee-specific training sessions.

Secondly, training can increase compliance depth when employees other than just the compliance team receive in-depth training on the compliance regulations that affect their job functions. For example, a loan processing manager may greatly benefit from in-depth training on Regulation Z, while a lender may benefit from training specific to Regulation O.

Regardless of the type, training is a tool that helps to build compliance depth within an organization.

Summary
Creating compliance depth is going to become an even more important strategy for financial institutions as regulatory expectations continue to expand and evolve. In creating compliance depth, organizations enhance their overall compliance posture by ensuring compliance continuity when employee positions change, infusing the necessary components of compliance into each job function, and communicating the organization’s compliance program more clearly to examiners, directors, and other affected parties.

Just as every sports team works to ensure that it has a depth of skilled players, financial institutions that establish compliance depth – through steps like establishing a formal CMS model – are going to fare much better in the long run than those that do not.

The Community Bank Capital Problem – Too Much

By: Gary J. Young, President & CEO

The Mantra
As community bankers, we have all heard the mantra to increase capital. This is heard by the banker who has an 8% leverage ratio and needs to increase capital to 9%, by the banker who has a 9% leverage ratio and needs to increase capital to 10%, and by the banker who has a 10% leverage ratio and needs to increase capital to 11%. Based on this view regarding capital, more is always better. I disagree.

Capital Adequacy
I agree with the OCC. Capital adequacy at each bank is uniquely based on the current and planned risk within the bank. And, it is the responsibility of the bank board to determine capital adequacy with input from executive management. Capital adequacy is the threshold below which the bank’s capital contingency plan is triggered. In other words, let’s assume capital adequacy has been defined as a 7.5% leverage ratio, or an 11.25% total risk-based ratio. If actual capital falls below either measure, the bank should implement the methodology for improving capital as described in the capital contingency plan.

Capital Target
A bank’s target or goal for capital is higher than capital adequacy. It is an estimate of the amount the board of directors has decided is desired to take advantage of opportunities such as additional organic growth, branch expansion, purchase of a bank or branch, stock repurchase, etc.; or to use as additional insurance or protection against negative events that could hurt profitability and capital. As an example, a 7.5% leverage ratio could be defined as capital adequacy, but the target level of capital is 9.0%.

Cost
Excess capital has a cost. Let’s assume you had to eliminate $1 million of excess capital. To balance that transaction, you would also eliminate $1 million in assets which would be investments. Let’s assume that the investments had an average yield of 1.5%. After taxes, that would be approximately 1.0%. Based on this example, the return on equity of the $1 million of excess capital is 1.0%. We must agree that 1.0% is unacceptable. Well, it is unacceptable unless that is your return for opportunity capital or insurance capital as described above.

Another example of the cost of excess capital is a comparison of four banks that each earn a 1% ROA but hold different amounts of equity, with leverage ratios ranging from 8.0% to 12.0%. Dividing the ROA by the leverage ratio gives the ROE: 12.5% for the bank at 8.0% leverage, but only about 8.3% for the bank at 12.0%. Multiplying the ROE by an assumed PE gives the multiple of book. On that basis, the bank with an 8.0% leverage ratio has a value of $30 million while the otherwise identical bank with a 12.0% leverage ratio has a value of $20 million. This is a simplified example, but it illustrates the cost of excess capital.

The Right Amount
There is no right amount. The average bank with less than $1 billion in assets has a 10.8% leverage ratio and a 16.6% total risk-based capital ratio. Most everyone would agree that banks do not need that level of capital. But every bank is unique, with different levels of risk and different levels of risk appetite. The important thing is that executive management and the board of directors understand that there is a shareholder cost to holding excess capital.

That doesn’t make it wrong. The board of directors has multiple responsibilities, and at times they can be conflicting. From the shareholder perspective, you want to maximize the return on equity and shareholder value, which assumes leveraging capital, but you must also oversee the operation of a safe and sound bank. And, at the heart of safety is capital adequacy. It takes balance and awareness of both to determine the right level of capital for the bank. My concern is that through the Great Recession and after, the capital mantra has been “more is better.” Frankly, more is not necessarily better. I am suggesting that it is time to balance the capital need for risk management with the capital need for improving shareholder value.

Best Practices
The question for executive management is what should I do? It is my opinion that best practices would indicate that every bank develop a definition of capital adequacy based on inherent risk. Furthermore, a capital contingency plan should be part of that plan that indicates the steps the bank might take if capital falls below or is projected to fall below your definition of capital adequacy. You should then have a frank discussion at the board level on the amount of capital that is your goal or comfort level. If you then find that your capital is above that, consider the following:

  • Focus on additional organic growth, if possible.
  • Expansion opportunities. I would suggest looking for opportunities that begin turning a profit in two years or less.
  • A stock repurchase plan. This is a win for the shareholders that want to sell and the shareholders that want to hold. Everyone wins and shareholder value should increase.
  • A slow, steady increase in dividends to shareholders.

Consider how all of these items might impact your capital adequacy, return on equity, and shareholder value over a 3-5 year period. Remember, the goal of executive management is to maximize profitability and shareholder value within capital guidelines approved by your board of directors.

For More Information
If you would like to discuss this article with me, you can contact me at 1.800.525.9775 or by email.

Employee Retirement Income Security Act (ERISA) Compliance — Recent Changes

By: Sharon Jeffries, Human Resources Manager

Did you know?

Recent changes to the health and welfare side of the federal Employee Retirement Income Security Act (ERISA) mandate that all employers/plan administrators provide a Summary Plan Description (SPD) to each plan participant and that ERISA-covered plans be maintained in accordance with a written Wrap Plan Document.

The SPD is an important document that tells participants what the plan provides and how it operates. If a plan is changed, participants must be informed, either through a revised summary plan description, or in a separate document, called a summary of material modification, which also must be given to participants free of charge.

A Wrap Plan Document is designed to meet plan documentation requirements under ERISA and other federal laws and to incorporate all other welfare plans, insurance contracts and other relevant documents into a single plan. These materials can be kept together for administrative ease. The Wrap Plan Document provides additional legal protection for the employer and plan fiduciaries and can simplify plan administration.

What does that mean?

In the past, much of the regulatory focus was on the retirement side of the ERISA legislation. However, with the implementation of the Patient Protection and Affordable Care Act (PPACA) that has changed. Much of the current government monitoring, oversight, and auditing relates to the health and welfare side of the ERISA regulation.

ERISA now requires employers who are plan administrators of their group health plans to comply with two (2) critical requirements or they will risk potential penalties and possible government audits.

Those requirements are:

  • Maintain and distribute SPDs to plan participants which accurately reflect the contents of the plan and which include specific information as required under federal law.
  • Group health plans must be administered in accordance with a written Plan Document which must be made available to plan participants and beneficiaries upon request.

Are you at risk?

Yes, and the reason is this: Many banks will mistakenly assume that insurance contracts, certificates of insurance and benefit summaries fulfill the ERISA requirements for an SPD and Plan Document, but they do not. And, the primary reason is they do not include the required or recommended provisions that protect the plan and the employer.

What should you do?

Recognize that:

  • Failure to provide an SPD or Plan Document within 30 days of receiving a request from a plan participant or beneficiary will result in a penalty of up to $110/day for each violation
  • Lack of an SPD could trigger a plan audit by the United States Department of Labor (DOL)
  • The United States DOL has increased its audit staff and national enforcement initiatives to investigate employers’ compliance with Health Care Reform, resulting in companies of all sizes being audited and being required to provide an SPD and Plan Document

The Solution

Do not try to create these in house. Allow experts in the areas of benefits and benefits regulations to assist you with this monumental effort. Young & Associates, Inc. has partnered with The Alpha Group Agency, Inc. to offer our clients this unique service. The Alpha Group Agency, Inc. is a highly skilled, reputable organization involved in the management of health insurance services as well as other related subjects.

The Alpha Group Agency, Inc. has been an advisor to Young & Associates, Inc. for almost fifteen (15) years in the management of its group health insurance plans. For additional information on how you can become compliant with these critical ERISA regulations and also lower the risk of a DOL audit, contact Sean Nehlsen, The Alpha Group Agency at 800-886-3315 or snehlsen@thealphaga.com.

HELOC End-of-Draw Risk Remains Worthy of Attention

By: Tommy Troyer, Consultant and Loan Review Manager

In “Agencies Issue New HELOC Guidance,” published in the August 2014 issue of the 90 Day Note, we presented an overview of what was at that time brand new safety and soundness guidance for HELOC portfolios (Interagency Guidance on Home Equity Lines of Credit Nearing Their End-of-Draw Periods). We also presented a few practical steps for community banks to consider in order to address the issues raised in the guidance. As a brief reminder, the guidance was issued by the regulatory agencies to encourage financial institutions to properly manage the risk associated with HELOCs that were reaching the end of their contractual draw period. The draw period is the time during which the borrower has access to the line of credit feature of the HELOC. Minimum monthly payments during this time can be quite low, in many cases interest-only. When the draw period ends, HELOC structures either require a transition to payments that amortize the outstanding debt over a defined number of years or require a balloon payment to repay the outstanding balance in full. The risk associated with this transition is that the borrower will experience a “payment shock” because the terms after the draw period ends can require significantly higher minimum monthly payments than were required during the draw period. Higher monthly debt service, all else equal, increases the risk of delinquency and default.

It was the potential for payment shock risk associated with end-of-draw HELOCs, coupled with the fact that across the industry the peak of HELOCs reaching end-of-draw was expected to occur from 2014-2017, that prompted the interagency guidance. We are now about a year down the road from the issuance of the guidance, and the idea of elevated risk embedded in some HELOC portfolios continues to receive regulatory, media, and analyst attention. We wanted to briefly revisit the issue to point out two important facts for community banks with HELOC portfolios. First, the available evidence is suggesting that regulators and bankers were right to worry about payment shock risk, as borrowers who have reached the end-of-draw period thus far have demonstrated, in the aggregate, the intuitively expected decline in timely payments. Secondly, it is important to note that it is not too late to take important steps to help mitigate end-of-draw risk.

End-of-Draw Performance Thus Far
Aggregate data on HELOC and mortgage delinquencies does not demonstrate any notable increases that we can attribute to end-of-draw risk. However, one needs to dig deeper to measure the issue with any accuracy, primarily because end-of-draw HELOCs still represent a relatively small share of the overall mortgage market (and even the HELOC market), and any increases in delinquency due to end-of-draw payment shocks can easily be masked by the overall improvements in mortgage delinquency rates associated with continued economic improvement and continued progress in most states in working through foreclosure backlogs (which reduces the number of long-term, seriously delinquent loans and improves overall delinquency rates).

Several more specific pieces of data on end-of-draw risk are worth noting:

  • The OCC’s Semiannual Risk Perspective for Spring 2015, published June 30, 2015, shows that 30+-day delinquency rates for loans that have reached end-of-draw at the nine largest OCC-regulated banks have essentially doubled in the three months following the end of the draw period, and have remained persistently high. The OCC also notes that, “many lenders have found the early stages more challenging than expected,” which should provide a wake-up call for any banks that still believe this issue will take care of itself without proactive management on the part of the bank.
  • Data provided by Equifax, which was cited in a front-page Wall Street Journal article in June, indicated that just four months after reaching the end-of-draw period, HELOC borrowers from the 2004 vintage saw 30+-day delinquency rates increase by over 50% from the month prior to when they reached end-of-draw (2.7% to 4.3%). Similar increases are shown for vintages from 2000-2003 as well.
  • A study by Experian, reported on its website, showed that 90-day delinquency rates increased three-fold during the 12 months of 2014 for those borrowers that reached their end-of-draw period between December 2013 and March 2014.
  • Research published in the May 2015 RMA Journal by the other primary credit reporting agency, TransUnion, does not provide as directly comparable data as the previously mentioned studies, but does indicate that its data set of HELOCs showed overall 30+-day delinquencies of 2.2% while HELOCs 12 months after their payment shock showed a 60+-day delinquency rate of 3.1%.

The overall takeaway from all of this data is that the intuitive and expected impact of HELOC payment shock—increases in delinquency and eventually default and loss rates—does in fact appear to be occurring.

Impact on Community Banks and Risk Management Steps
The experience of any individual community bank will by no means mirror the overall industry experience. For one thing, the minimum payment required during the draw period does vary across banks, and banks that require significant principal reduction each month during the draw period may be less vulnerable to payment shock than those that required just interest-only payments. (Requiring principal reduction during the draw period certainly does not make a bank immune from payment shock, as it is important to keep in mind that the borrower also loses access to the line of credit as a source of funds when the draw period ends.) Further, community banks may have some advantages over larger lenders in terms of customer familiarity that may assist in working through end-of-draw issues with borrowers.
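The size of the payment shock described above, and why a draw period that already requires some principal reduction is less exposed to it, can be made concrete with a little arithmetic. The Python below is an added worked example; it is not from the article or from the interagency guidance, and the loan terms ($50,000 drawn, 4.5% rate, 15-year repayment, 0.5% of balance as a monthly principal requirement) are constructed for illustration. It uses the standard level-payment annuity formula for the repayment phase and compares an interest-only draw period with one that collected principal.

```python
"""Payment-shock arithmetic for a HELOC leaving its draw period.

Added worked example; not from the article or from any regulator's guidance.
All loan terms below are constructed for illustration.
"""


def interest_only_payment(balance: float, annual_rate: float) -> float:
    """Minimum monthly payment during an interest-only draw period."""
    return balance * annual_rate / 12


def draw_payment_with_principal(balance: float, annual_rate: float,
                                principal_pct: float) -> float:
    """Draw-period payment for a bank that requires interest plus a fixed
    percentage of the outstanding balance each month (0.005 = 0.5% of balance).
    Computed on the same end-of-draw balance as the interest-only case, which
    is conservative: a borrower who kept re-drawing could still be at the limit."""
    return interest_only_payment(balance, annual_rate) + balance * principal_pct


def amortizing_payment(balance: float, annual_rate: float, years: int) -> float:
    """Level monthly payment that fully repays `balance` over `years`
    (standard annuity formula; a 0% rate is handled without dividing by zero).
    A balloon structure is the extreme case: the final payment is the whole balance."""
    n = years * 12
    r = annual_rate / 12
    if r == 0:
        return balance / n
    return balance * r / (1 - (1 + r) ** -n)


def payment_shock(draw_payment: float, repayment_payment: float):
    """Dollar and percentage change in the minimum payment at end of draw."""
    increase = repayment_payment - draw_payment
    return round(increase, 2), round(increase / draw_payment * 100, 1)


def compare_draw_structures(balance: float = 50_000.0, annual_rate: float = 0.045,
                            repay_years: int = 15, principal_pct: float = 0.005):
    """Contrast an interest-only draw period with one that already required
    principal reduction, holding the repayment terms fixed."""
    repay = amortizing_payment(balance, annual_rate, repay_years)
    io = interest_only_payment(balance, annual_rate)
    with_principal = draw_payment_with_principal(balance, annual_rate, principal_pct)
    return {
        "repayment_payment": round(repay, 2),
        # (draw-period payment, (dollar shock, percent shock))
        "interest_only": (round(io, 2), payment_shock(io, repay)),
        "with_principal": (round(with_principal, 2), payment_shock(with_principal, repay)),
    }


if __name__ == "__main__":
    for label, value in compare_draw_structures().items():
        print(label, value)
```

On these constructed terms the interest-only borrower's minimum payment roughly doubles (about $187 to about $382 per month), while the borrower whose draw-period payment already included 0.5% of balance sees no increase at all, which is the point made above about banks that required principal reduction being less vulnerable, though not immune, since that borrower still loses access to the line.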

With that said, it is important to recognize that both the theory and the data are in line on this issue so far: all else equal, payment shock results in increased risk for the lender. In fact, the credit reporting agency research cited above also provides data indicating that the negative effects of payment shocks carry over to other credit facilities of borrowers, which presents an additional source of risk to relationship-minded community banks who may have multiple loans with a HELOC borrower. For these reasons, it is important that all community banks with HELOC exposures evaluate the interagency guidance’s recommendations and take the actions appropriate for their portfolio. We discussed these issues in more detail last year, but important steps include: 1) defining consistent and prudent options for borrowers approaching the end of their draw period that take into account the borrowers’ current financial and home value positions; 2) proactively initiating contact with borrowers who are approaching the end of their draw periods; 3) ensuring that all relevant parties within the bank have a voice in the bank’s approach to mitigating risk and are well-versed in the steps to follow with end-of-draw borrowers; and 4) gathering and analyzing enough data specific to your bank to fully understand the nature of the risk your bank faces.

End-of-draw risk does not need to lead to a massive amount of charge-offs to materially impact a community bank’s performance, especially given the low level of charge-offs many banks have been experiencing in that portfolio. Though there are very few, if any, banks for which end-of-draw concerns may represent an existential risk, a failure to properly manage end-of-draw risk could easily have a notable impact on earnings over the next several years, and could also result in weak regulatory assessments of a bank’s risk management. The OCC has publicly noted that it is pursuing a review of HELOC practices, and while this targeted horizontal review is unlikely to directly affect community banks, it would be a good bet that HELOC end-of-draw practices will be a point of emphasis in many community banks’ next safety and soundness exam, regardless of the examining agency.

Conclusion
The evidence continues to suggest that proper risk management of end-of-draw HELOCs is important. One consideration not directly mentioned above is that some banks may also find it beneficial to use their end-of-draw experience to consider whether any changes to their existing HELOC product’s structure would be appropriate. If you have questions or would like to discuss your end-of-draw risk management, please contact me at ttroyer@younginc.com or 1.800.525.9775.

Moving Closer to a Guaranteed Statement of Costs – Integrated Disclosures

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

The new Integrated Disclosures will be upon us in a few short months and will create some unique difficulties for financial institutions. In the distant past, creditors gave applicants a Good Faith Estimate. However, the United States Department of Housing and Urban Development (HUD) decided that the information was too scattered and, in 2009, announced a new, more consolidated format. The goal that HUD had was laudable, but its form really did not improve the situation much, if at all.

Upon the passage of the Dodd-Frank Act, a new federal agency, the Consumer Financial Protection Bureau, was told to remedy this situation once again, and specifically to combine the Good Faith Estimate and early Truth in Lending Disclosure (into the Loan Estimate), as well as combine the HUD-1 and final Truth in Lending Disclosure (into the Closing Disclosure). The new forms are an improvement over the current forms, but are also quite complex. The teaching manual that Young & Associates is using for live training runs several hundred pages to explain how to complete the 8 pages of new forms.

Creditors currently have three categories of charges that exist on the Good Faith Estimate – those that have to be correct, those that (as a group) have to increase no more than 10%, and those that represent the creditor’s best guess (typically escrow, insurance, and odd days interest).

The new forms and instructions maintain the “best guess” category as it exists in the current format, so we will not discuss this category further. The issue is with the first two categories – settlement service charges that must be correct and those that must as a group be within 10%.

Settlement Service Charges

Under the current rule, some settlement service charges must be correct. These items include charges that are fully within the creditor’s control – typically their own charges or the mortgage broker’s charges. Beginning August 1, the new rule will still include the creditor’s own charges, but also expand this area as follows:

  • Amounts payable to the creditor’s affiliates and the mortgage broker’s affiliates
  • Settlement services for which the creditor will not allow the consumer to shop. These would include:
    • Appraiser
    • Credit bureau
    • Tax service companies
    • PMI companies
    • Governmental fees for government programs
    • Flood determination fees
    • And perhaps others.

These fees will have to be correct. This is not likely to create much difficulty, as these charges are rarely an issue. For instance, if the creditor only uses two appraisers, every Good Faith Estimate generated now will list the fee for the appraiser that charges the highest amount.

The problem is that all of these items now are removed from the 10% calculation, meaning that the “cushion” that creditors have had for 10% tolerance items will decrease, as the calculation relies on items subject to the 10% tolerance, and those items are shrinking.

You will note that the second bullet point above included settlement services for which the consumer is not permitted to shop. This creates another level of risk for creditors. For instance, if the creditor does not allow the consumer to shop for a title company, then the title company fees also must be accurate, as this fee moves from the “10%” category to the “must be correct” category. This would apply to any other service for which the consumer is not permitted to shop. So the reality is that if you decide to not allow your consumer to shop for any settlement service, every fee will have to be correct, and the only settlement service charge that will appear in your “10%” category will be filing fees.

The only protection here is to allow the consumer to shop. The phrase “allowing the consumer to shop” does not mean giving them a list and making them pick settlement service providers off the list. If creditors do that, then the creditor has not allowed the consumer to shop. Allowing them to shop means giving them a list of settlement service providers (which you should already have at least partially developed), and telling the consumer that they can shop for these services. Often, the response from the consumer will be to say, “I don’t care, use whoever you want.” If this happens, then the creditor may use their “regular” provider, and the settlement service remains in the 10% category. There is a difference between forcing them to choose off a list and the consumer abdicating their shopping rights.

Of course, the best position for the creditor is when the consumer does shop and hires another competent provider for a settlement service. As soon as they decide to do so, the consumer agrees to assume the entire liability for paying that provider. The creditor discloses what the creditor’s provider would charge, and whatever the final fee is, the consumer must pay it with no risk to the creditor.
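The shrinking 10% cushion, and the difference between a consumer who shops and one who waives shopping, is easiest to see in a small tolerance calculation. The Python below is an added worked example, not from the article or from the CFPB’s materials. The fee amounts, provider names and the `Fee`/`Bucket` classification are constructed for illustration, and the bucketing encodes only the rules the article describes: creditor, affiliate and broker charges and non-shoppable services must be correct; recording fees and shoppable services where the consumer let the creditor pick the provider share a 10% aggregate cushion; prepaid items and services the consumer shopped for independently have no limit. It runs the same fee list twice, once with title services shoppable (consumer defers to the creditor’s usual provider) and once with shopping not permitted.

```python
"""Integrated Disclosure tolerance check across the three fee buckets.

Added worked example; not from the article or any regulator's materials.
Fee amounts, provider names and the classification below are constructed to
illustrate the rules as the article describes them.
"""
from dataclasses import dataclass
from enum import Enum


class Bucket(Enum):
    ZERO = "must be correct"
    TEN_PERCENT = "10% aggregate"
    UNLIMITED = "best guess / no limit"


@dataclass
class Fee:
    name: str
    # "creditor", "affiliate", "broker", "third_party", "recording", "prepaid"
    paid_to: str
    estimate: float                    # amount on the Loan Estimate
    actual: float                      # amount on the Closing Disclosure
    shoppable: bool = False            # creditor let the consumer shop for it
    consumer_chose_own: bool = False   # consumer used a provider not on the list


def classify(fee: Fee) -> Bucket:
    """Assign a fee to its tolerance bucket (rules as described in the article)."""
    if fee.paid_to == "prepaid":                      # interest, insurance, escrow
        return Bucket.UNLIMITED
    if fee.paid_to in ("creditor", "affiliate", "broker"):
        return Bucket.ZERO
    if fee.paid_to == "recording":                    # filing fees stay at 10%
        return Bucket.TEN_PERCENT
    # remaining: third-party settlement services
    if not fee.shoppable:                             # consumer not allowed to shop
        return Bucket.ZERO
    if fee.consumer_chose_own:                        # consumer shopped independently
        return Bucket.UNLIMITED
    return Bucket.TEN_PERCENT                         # shoppable, used creditor's provider


def tolerance_check(fees):
    """Compare Loan Estimate to Closing Disclosure and report what the creditor owes."""
    zero_over = {f.name: round(f.actual - f.estimate, 2)
                 for f in fees if classify(f) is Bucket.ZERO and f.actual > f.estimate}
    ten = [f for f in fees if classify(f) is Bucket.TEN_PERCENT]
    est = sum(f.estimate for f in ten)
    act = sum(f.actual for f in ten)
    ten_excess = round(max(0.0, act - 1.10 * est), 2)
    return {
        "zero_tolerance_overages": zero_over,
        "ten_pct_estimate": est,
        "ten_pct_actual": act,
        "ten_pct_cushion": round(0.10 * est, 2),
        "ten_pct_excess": ten_excess,
        "cure_owed": round(sum(zero_over.values()) + ten_excess, 2),
    }


def sample_fees(title_shoppable: bool):
    """Constructed fee schedule; only the shopping policy for title changes."""
    return [
        Fee("Origination fee", "creditor", 995.0, 995.0),
        Fee("Appraisal", "third_party", 450.0, 450.0),
        Fee("Credit report", "third_party", 35.0, 35.0),
        Fee("Title - lender's policy", "third_party", 600.0, 650.0, shoppable=title_shoppable),
        Fee("Title - settlement agent", "third_party", 300.0, 300.0, shoppable=title_shoppable),
        Fee("Recording fee", "recording", 85.0, 110.0),
        Fee("Prepaid interest", "prepaid", 200.0, 240.0),
    ]


def compare_shopping_policies():
    """Same fees, two policies: consumer allowed to shop for title vs. not."""
    return tolerance_check(sample_fees(True)), tolerance_check(sample_fees(False))


if __name__ == "__main__":
    allowed, forced = compare_shopping_policies()
    print("consumer allowed to shop for title:", allowed)
    print("consumer not allowed to shop:      ", forced)
```

With title shoppable, the $50 title increase and the $25 recording increase both sit inside a $98.50 cushion (10% of $985) and nothing is owed. Forbid shopping and the same title fee becomes a $50 zero-tolerance overage, the 10% bucket shrinks to the $85 recording fee with an $8.50 cushion, and the creditor owes $66.50 in total. The unchanged `estimate`/`actual` fields for the appraisal and credit report show why the article expects the zero-tolerance items themselves to be rarely at issue; the damage comes from what they remove from the 10% bucket.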

The regulation is quite clear that in order to explain to the consumer that they have a right to shop for a specific settlement service, the service and one provider must appear on the settlement service provider list. This list, and what needs to appear on it, will now be dictated by a new form, which will become part of the application disclosures.

Preparing for the New System

To prepare for this new system, creditors need to assure that they do the following:

  • Determine settlement service providers for each service that the creditor might EVER require, even if it only is required once a year.
  • Determine what the charge will be, or determine a method to calculate the charge so that the creditor can get it “right” on the Loan Estimate. Creditors will have to understand that for settlement services that are only required every few months, they may have to telephone the provider prior to completing the Loan Estimate if they have not used that provider recently.
  • Work with settlement service providers who add on multiple fees from closing to closing. This area is mostly limited to title companies who have all sorts of small and miscellaneous fees. The discussion should probably be about how to remove these fees, because sooner or later the creditor may well have to pay them, given the smaller “10%” window.

This new structure need not create a massive increase in risk, provided you prepare for it now. Think about the providers, how they calculate their charges, and how you will assure that your staff will know what these charges will be. Just like the current Good Faith Estimate, if the first Loan Estimate has fatal flaws, there will be no legal way to repair the damage.

Integrated Disclosure Review

Young & Associates, Inc. offers an Integrated Disclosure Review service for sample documents and sample loans as you prepare for this transition and set up your loan types. You will need to provide an appropriate narrative to us that explains the loan and its terms, then provide the Loan Estimate and the Closing Disclosure. The purpose of this review is to determine that the loan type is properly set up and ready to go before the mandatory August 1 deadline. Young & Associates, Inc. will not validate APRs and other similar items. For more information, click here.

Reg Z Policy

We will also be releasing our new Regulation Z mortgage loan policy on or about June 15, allowing time for customization of the policy and board approval prior to the mandatory August 1, 2015 date. For more information, contact Bryan Fetty at bfetty@younginc.com or 1.800.525.9775.

The Importance of User Access Reviews

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Through its recent statement about compromised credentials, the FFIEC has emphasized the importance of reviewing the user access granted within all of the IT systems in use at a financial institution, including but not limited to: the network operating system (Active Directory®), core processing system, new account and lending platforms, document imaging system, internet banking system, and wire transfer system. The frequency of these reviews will depend on the size and complexity of the financial institution; however, it is a good practice to perform an annual review at a minimum. User access reviews will help to identify accounts that have been assigned excessive privileges, accounts with access that has not been updated to reflect job position changes, accounts that do not require password changes in accordance with the institution’s policies, and dormant accounts. Failing to perform user access reviews on a regular basis will place the institution at a higher risk for:

  • A terminated employee gaining remote access to the network or email system
  • Segregation of duties issues if an employee moves to a new department, but retains system privileges from the previous department
  • Misuse of dormant administrative accounts that are still active
  • System compromise through the use of vendor passwords that never expire

The user access review process should include an employee that is independent of the system administration role for each IT system to verify that an administrator is not assigning excessive privileges to users or creating hidden accounts to use for illicit activities.

For some systems, the process to obtain all of the security details in an easy-to-understand report can be difficult. This is the case with Active Directory unless additional tools are used to compile the information into a simple report. To simplify the process of reviewing Active Directory accounts, Young & Associates, Inc. has developed the Account Auditor for Active Directory. This tool makes it easy for financial institutions to generate the following security reports:

  • A listing of all of the user accounts within Active Directory
  • Group memberships for each account
  • Dormant accounts
  • Disabled accounts
  • Accounts with passwords that do not expire
  • Accounts with passwords that have not been changed within the past year

The Account Auditor for Active Directory will simplify your network operating system user account review process, reduce IT Audit findings, and is designed to work with your Windows® server operating system to generate your information quickly and easily. There’s no new software to install! It is available for just $100. Click here for more details.

The Overlooked Risks of VOIP

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

We are seeing financial institutions continue to expand their use of VOIP (Voice Over Internet Protocol) to reduce expenses and increase efficiencies for voice communications. VOIP is a technology that refers to transmitting voice communications over the internet, LAN (Local Area Network), or WAN (Wide Area Network), rather than through the PSTN (Public Switched Telephone Network). We have found that the risks associated with a VOIP system are not always properly evaluated prior to implementation.

Some of the risks associated with the use of VOIP include:

  • Denial of service attacks
  • Inability of emergency services to use automatic location services (depending on configuration)
  • Customer service issues during power or network outages
  • Interception of telephone conversations
  • Unauthorized or fraudulent use of the telephone system

We have seen situations where public safety personnel were not able to respond to an emergency in a timely manner due to the misconfiguration of E911 physical address information. In addition, we have seen multiple VOIP system outages due to problems at vendor data-centers or the lack of backup plans for data line failures.

During the process of evaluating and implementing a VOIP system, financial institutions should consider the following steps:

  • Perform a risk assessment to identify the risks associated with the VOIP system and the mitigating controls that will be used.
  • Perform due diligence steps for any vendors involved with the VOIP system and include these vendors in the ongoing vendor review process.
  • Develop contingency plans for communications during power or network outages.
  • Develop processes to test the contingency plans and to test E911 physical address assignments.
  • Verify that VOIP communications that pass over public networks or the internet are encrypted.
  • Develop system hardening processes for the VOIP system equipment.
  • Develop patch management processes for the VOIP system equipment.
  • Develop security procedures for the VOIP system to prevent denial of service attacks and unauthorized use of the system.
  • Include the VOIP system in ongoing vulnerability assessments.

With the appropriate planning and ongoing risk management procedures, a financial institution can develop and maintain a secure VOIP system that will reduce expenses and improve customer service.

For more information on this topic or on how Young & Associates, Inc. can assist your bank with its IT needs, contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Executive Search and Interim Management Services

By: Sharon Jeffries, Human Resources Manager

All banks face changes in management and other key positions from time to time. These changes can be due to retirements, relocations, unsatisfactory work performance, as well as other factors. All of these situations can put your bank in difficult and unique situations that generally cannot be quickly resolved.

Don’t rush to fill the vacancy by placing a candidate or current employee in a position where they may provide temporary support but prove a poor fit for the long term, lacking the skills and experience needed to meet the ever-changing regulatory banking climate.

What should you do?
If you find yourself in this situation, Young & Associates, Inc. can help by becoming an extension of your Human Resources Department. We will work with management and discuss options for your bank to meet both its short-term and long-term staffing needs.

If we find that the skill set/experience level desired is such that it will take additional time to source the “right” candidate for the position, we will present “interim” solutions, while beginning to search for a candidate that will be a more long-term solution for your organization.

One “interim” solution may be contracting with Young & Associates to put one of our accomplished consultants on-site at your bank to assist in covering those critical areas while continuing the search for a more permanent option. Another option would be for Young & Associates to provide you with a seasoned individual who may be looking for project and/or short-term work. Through years of experience in the financial services industry, we have developed an extensive network of contacts and resumes of individuals with a broad knowledge base in critical areas that are needed in banking today.

We can customize the services we offer to meet the ever-changing workforce needs of your bank. Although some of what we offer is similar to traditional search firms, several differences set us apart from other firms. Our knowledge of the skills necessary to be successful in banking today, along with the ability to utilize our in-house experts throughout the process, are key differences. Also, our professional fee structure is generally lower than that of traditional placement firms. Most importantly, our reputation is proven: Young & Associates has more than 35 years of successfully serving banking clients.

To learn more about these unique staffing services, contact Sharon Jeffries, Young & Associates, Inc.’s Manager of Human Resources. Sharon has over 25 years of experience in Human Resources Management and can be contacted at 800.525.9775 or you can click here to send her an email.

Young & Associates Employees Donate for Thanksgiving Food Drive

During the months of October and November, Young & Associates employees have generously donated to a canned food drive to benefit Kent Social Services for the Thanksgiving holiday. These donations will be used to provide food bags for Thanksgiving and throughout the coming year. Thank you to all who participated in this important corporate initiative to give back to our community!

Young & Associates Launches New Brand and Website

By: Jerry Sutherin, President & CEO

In a year marked by change, Young & Associates continues to adapt and find new and improved ways to serve our clients. Our firm has several announcements that I’m excited to share with you.

In July, we unveiled a refreshed brand identity, including a new logo and tagline, “Financial industry expertise. Proven results.” This rebrand marks the start of a new era for our firm. Rest assured that while our logo has changed, our values, corporate mission, and exceptional service remain the same. We’re here to serve our clients and provide the strong expertise to drive results.

Coinciding with this rebrand, we have launched a new website at the same address (www.younginc.com), which features easy-to-navigate information, improved functionality, and a sleek, modern design. Our goal is to make it easier for you to access the information you need about our services and the industry. We’ve also updated our online store, where you can shop customizable policies and toolkits for your financial institution.

I encourage you to visit our website at younginc.com to see the improvements for yourself. We always welcome your feedback, so please send our team a note to let us know your thoughts. We appreciate your continued support, and we look forward to hearing from you.

Compliance Reviews in These Uncertain Times

By: Bill Elliott, CRCM, Director of Compliance Education

The world of regulatory compliance is in turmoil. Rules are announced, approved, “kind of” enforced, and then the regulators back away and say, “just kidding.” Perhaps the most recent example of this is the OCC’s decision to back away from their interpretation of the Community Reinvestment Act. They have suspended their version of CRA (issued in mid-2020) and decided to join with the Federal Reserve and the FDIC in a rulemaking to update the regulation. Clearly, this is what should have happened initially, but it did not. While this situation only impacted national banks, federal savings associations, and federal branches of foreign banks, it is an example of the ongoing turmoil that takes place in Washington D.C.

This makes the process of compliance much more difficult, as financial institutions do not know necessarily which set of rules will apply and for how long. The result is great difficulty in navigating the world of compliance and deciding what areas should be addressed in any compliance audit/review. When the regulations are in flux as they are now, uncertainty increases the risks of noncompliance.

Focus on Risk

When deciding on compliance audit/review topics, whether they are accomplished internally or externally, financial institutions must assure they focus on their largest risk items. Back in the early 2000s, the Federal Reserve posted a list of regulations by the most important to the least important. If you look at that list today, it would be clear that the world of compliance has changed dramatically, and financial institutions need to prepare and adjust. It sometimes seems as if this happens continuously.

For loans, Regulations Z and flood are probably at the top of the review list. On the deposit side, Regulation E seems to be the most important regulation, due to the tremendous volume of electronic transactions in financial institutions. We should note that Regulation E is far removed from our current electronic reality, making the process even more difficult.

Whether management is working with an internal auditor, external auditors or consultants, it is important to assure that attention is focused on those areas that are most critical and determine what resources should be expended on other compliance subjects.

The regulator that walks in your door to do an exam is in the same turmoil you are, and it is not their fault. Nonetheless, they must do the best they can to examine your institution based on the current regulatory environment. The more complete your internal or external compliance reviews/audits are, the easier their job will be. And regulators always appreciate an assist, as they are experiencing limited resource issues as well.

So, when preparing for reviews in 2022 and beyond, you need to assure that any compliance reviews that are completed focus on the subjects discussed earlier, as well as the following:

  1. New products
  2. New services
  3. Regulatory issues that you have had in the past, to assure that they are properly addressed prior to the exam

Only after these items are addressed should financial institutions include other regulations. That does not mean that financial institutions should ignore any regulation. For instance, Regulation DD (Truth in Savings) has not materially changed in over 20 years. However, it has been number two based on number of violations (behind Regulation Z) on the FDIC violation list for the past two years. So, management should never equate “no change” with “no risk.”

Not focusing appropriately results in potential difficulties. First, financial institutions can experience a colossal waste of time and money by continually reviewing insignificant items that are low risk. Secondly, the decision to cover a wide variety of compliance topics may mean less time and effort on those areas that need the most attention – and of course these are the most critical for your institution.

Our Approach

At Young & Associates, we always try to work with financial institutions to assure coverage that gives the institution the maximum protection for the dollar amount spent. This approach should be used whether you are using an external firm or internal auditors. Doing something merely because “we have always done it” is often not the best approach.

If we can be of any assistance in planning and executing your compliance reviews, please contact Dave Reno, Director – Lending and Business Development. He can be reached at 330.422.3455 and dreno@younginc.com.

Managing Fannie Mae’s Appraisal Guidance

By: Ollie Sutherin, Consultant and Manager of Secondary Market QC Services

On May 5, 2021, Fannie Mae announced a break from its traditional guidance regarding field review appraisals in favor of a more technological approach to the reverification of appraisals. These changes were effective immediately.

Historically, Fannie Mae required one field review appraisal to be ordered for every 10 loans reviewed. The revised guidance states that, “the lender must complete a collateral risk assessment for all mortgage loans with an appraisal as a part of its random QC sample. It is acceptable for the collateral risk assessment to be completed by an individual who is not a licensed or certified appraiser.” Further, the collateral risk assessor must be competent in appraisal theory and must be able to specifically:

  • Determine that a property meets eligibility requirements including the LTV, CLTV, and HCLTV ratios
  • Assess appropriateness of comparable sales
  • Assess appropriateness of the data presented in the appraisal report
  • Conclude that the rationale for the reconciliation of value is supported
  • Prescribe corrective actions for defects identified in the appraisal process
  • Reconcile flags and messages that were identified in Collateral Underwriter (CU) if the property was able to be scored in CU. If the property was not able to be scored in CU, then reconcile any known quality messages (messages, alerts, flags) that are reflected in other third-party tools if utilized.

If the lender is unable to complete the above assessment or appropriately determine the quality of the original appraisal, it may order either a desk review or field review from a licensed appraiser for each sampled loan. The desk review or field review must address all the points in the above requirements.

This is seen as a significant change in the industry as the costs for traditional field reviews were becoming comparable in most cases to traditional appraisals. Additionally, it has become increasingly challenging to contract a licensed appraiser to complete the field reviews, especially in rural areas.

As the industry transitions into effectuating these new changes, the key takeaway for financial institutions is to contemplate either 1) hiring competent staff or training existing personnel to complete the assessments in accordance with the guidelines, or 2) engaging knowledgeable third-party vendors to coordinate the completion of the work.

If your institution needs assistance pertaining to these or other quality control requirements, please contact Dave Reno, Director of Business Development, at dreno@younginc.com or 330.422.3445.
