
Author: admin

The Importance of User Access Reviews

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Through its recent statement on compromised credentials, the FFIEC has emphasized the importance of reviewing the user access granted within all of the IT systems in use at a financial institution, including but not limited to the network operating system (Active Directory®), the core processing system, new account and lending platforms, the document imaging system, the internet banking system, and the wire transfer system. The frequency of these reviews will depend on the size and complexity of the institution; however, an annual review is a good minimum. User access reviews help to identify accounts that have been assigned excessive privileges, accounts whose access has not been updated to reflect job position changes, accounts that do not require password changes in accordance with the institution’s policies, and dormant accounts. Failing to perform user access reviews on a regular basis places the institution at higher risk of:

  • A terminated employee gaining remote access to the network or email system
  • Segregation of duties issues if an employee moves to a new department, but retains system privileges from the previous department
  • Misuse of dormant administrative accounts that are still active
  • System compromise through the use of vendor passwords that never expire

For each IT system, the user access review process should include an employee who is independent of the system administration role, so that the reviewer can verify that an administrator is not assigning excessive privileges to users or creating hidden accounts for illicit activities.

For some systems, obtaining all of the security details in an easy-to-understand report can be difficult. This is the case with Active Directory unless additional tools are used to compile the information into a simple report. To simplify the process of reviewing Active Directory accounts, Young & Associates, Inc. has developed the Account Auditor for Active Directory. This tool makes it easy for financial institutions to generate the following security reports:

  • A listing of all of the user accounts within Active Directory
  • Group memberships for each account
  • Dormant accounts
  • Disabled accounts
  • Accounts with passwords that do not expire
  • Accounts with passwords that have not been changed within the past year

The Account Auditor for Active Directory will simplify your network operating system user account review process, reduce IT Audit findings, and is designed to work with your Windows® server operating system to generate your information quickly and easily. There’s no new software to install! It is available for just $100. Click here for more details.
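For institutions that want to produce the same six reports themselves, the script below is an added example written for this page; it is not the Account Auditor product or any code from Young & Associates. It uses the ActiveDirectory PowerShell module that ships with RSAT, and it assumes an output folder of C:\AccessReview, a 90-day dormancy threshold, and the list of privileged groups shown; all three are assumptions you should adjust to your own policy. Run it under a domain account with read access and hand the CSV files to the independent reviewer.

```powershell
# Added example (not the Account Auditor product): generate the user access review
# reports with the ActiveDirectory module. Assumptions: output folder, thresholds
# and privileged-group list below are placeholders, adjust to institution policy.
Import-Module ActiveDirectory

$OutDir       = 'C:\AccessReview'   # assumed output folder
$DormantDays  = 90                  # assumed "dormant" threshold (no logon in N days)
$StalePwdDays = 365                 # the page's criterion: no password change in a year
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$now = Get-Date

# One query for every account. LastLogonDate comes from the replicated
# lastLogonTimestamp, which can lag the true last logon by up to 14 days,
# so treat it as approximate, not exact.
$props = 'Enabled','LastLogonDate','PasswordLastSet','PasswordNeverExpires',
         'PasswordNotRequired','MemberOf','Description','whenCreated'
$users = Get-ADUser -Filter * -Properties $props

# 1. Listing of all user accounts
$users | Select-Object SamAccountName, Name, Enabled, whenCreated, LastLogonDate, PasswordLastSet |
    Export-Csv (Join-Path $OutDir 'all-users.csv') -NoTypeInformation

# 2. Group memberships, one row per (user, group) so the reviewer can sort by group.
#    MemberOf lists direct memberships only; the primary group (usually Domain Users)
#    and memberships inherited through nesting are not included here.
$users | ForEach-Object {
    $u = $_
    foreach ($dn in $u.MemberOf) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Group          = (($dn -split ',')[0] -replace '^CN=')
        }
    }
} | Export-Csv (Join-Path $OutDir 'group-memberships.csv') -NoTypeInformation

# 3. Dormant accounts: still enabled but no logon within $DormantDays (or never logged on)
$users | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-$DormantDays))
} | Select-Object SamAccountName, LastLogonDate, whenCreated, Description |
    Export-Csv (Join-Path $OutDir 'dormant.csv') -NoTypeInformation

# 4. Disabled accounts (confirm each belongs to a separated user and has a removal date)
$users | Where-Object { -not $_.Enabled } |
    Select-Object SamAccountName, Description, LastLogonDate |
    Export-Csv (Join-Path $OutDir 'disabled.csv') -NoTypeInformation

# 5. Passwords that never expire (typical of vendor and service accounts); accounts
#    flagged "password not required" are included because they bypass policy entirely.
$users | Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Export-Csv (Join-Path $OutDir 'password-never-expires.csv') -NoTypeInformation

# 6. Passwords not changed within the past year (PasswordLastSet of $null means never set)
$users | Where-Object {
    $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $now.AddDays(-$StalePwdDays)
} | Select-Object SamAccountName, Enabled, PasswordLastSet |
    Export-Csv (Join-Path $OutDir 'stale-passwords.csv') -NoTypeInformation

# Extra report for the independent reviewer: every principal holding domain-level
# administrative rights, resolved recursively through nested groups. Enterprise Admins
# exists only in the forest root domain, hence -ErrorAction SilentlyContinue.
$adminGroups = 'Domain Admins','Enterprise Admins','Administrators','Account Operators'   # assumed list
$adminGroups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
    }
} | Export-Csv (Join-Path $OutDir 'privileged-accounts.csv') -NoTypeInformation
```

The privileged-accounts report is the one to read first: an account that appears there but not on the list of current administrators is exactly the hidden or excess-privilege case the independent reviewer exists to catch. Compare the dormant and never-expires reports against the vendor access list before deciding which accounts to disable.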

The Overlooked Risks of VOIP

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

We are seeing financial institutions continue to expand their use of VOIP (Voice Over Internet Protocol) to reduce expenses and increase efficiencies for voice communications. VOIP carries voice calls over the internet, a LAN (Local Area Network), or a WAN (Wide Area Network) rather than over the PSTN (Public Switched Telephone Network). We have found that the risks associated with a VOIP system are not always properly evaluated prior to implementation.

Some of the risks associated with the use of VOIP include:

  • Denial of service attacks
  • Inability of emergency services to locate the caller automatically (E911), depending on configuration
  • Customer service issues during power or network outages
  • Interception of telephone conversations
  • Unauthorized or fraudulent use of the telephone system

We have seen situations where public safety personnel were not able to respond to an emergency in a timely manner due to the misconfiguration of E911 physical address information. In addition, we have seen multiple VOIP system outages due to problems at vendor data-centers or the lack of backup plans for data line failures.

During the process of evaluating and implementing a VOIP system, financial institutions should consider the following steps:

  • Perform a risk assessment to identify the risks associated with the VOIP system and the mitigating controls that will be used.
  • Perform due diligence steps for any vendors involved with the VOIP system and include these vendors in the ongoing vendor review process.
  • Develop contingency plans for communications during power or network outages.
  • Develop processes to test the contingency plans and to test E911 physical address assignments.
  • Verify that VOIP communications that pass over public networks or the internet are encrypted.
  • Develop system hardening processes for the VOIP system equipment.
  • Develop patch management processes for the VOIP system equipment.
  • Develop security procedures for the VOIP system to prevent denial of service attacks and unauthorized use of the system.
  • Include the VOIP system in ongoing vulnerability assessments.
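The encryption step above is the one that can be checked directly from a packet capture. The function below is an added example written for this page, not code from the article or from any VOIP vendor: given the text of a SIP INVITE (for example, exported from Wireshark), it reports whether the signalling travelled over TLS (Via: SIP/2.0/TLS, normally port 5061) and whether the SDP offered SRTP (an RTP/SAVP or RTP/SAVPF media profile together with an a=crypto or a=fingerprint keying line). The two sample messages are constructed for the example, and the a=crypto key is a placeholder.

```powershell
# Added example: classify a captured SIP INVITE as encrypted or cleartext.
# Signalling is protected only over TLS (or WSS for WebRTC clients); media is
# protected only when the SDP offers SRTP with keying material. Both must hold,
# because an SDES a=crypto key carried in cleartext SIP is readable on the wire.
function Test-SipEncryption {
    param([Parameter(Mandatory)][string]$Message)

    # SIP uses CRLF line endings; tolerate LF-only text from copy/paste.
    $norm        = $Message -replace "`r`n", "`n"
    $parts       = $norm -split "`n`n", 2          # headers, then optional SDP body
    $headerLines = $parts[0] -split "`n"
    $sdpLines    = if ($parts.Count -gt 1) { $parts[1] -split "`n" } else { @() }

    $transports = @()
    foreach ($h in $headerLines) {
        if ($h -match '^Via:\s*SIP/2\.0/([A-Za-z]+)') { $transports += $Matches[1].ToUpper() }
    }
    $profiles  = @()
    $hasKeying = $false
    foreach ($l in $sdpLines) {
        if ($l -match '^m=\S+\s+\S+\s+(\S+)')      { $profiles += $Matches[1] }
        if ($l -match '^a=(crypto|fingerprint):')  { $hasKeying = $true }
    }

    $secureTransports = 'TLS','WSS'
    $sigOk   = $transports.Count -gt 0 -and
               @($transports | Where-Object { $secureTransports -notcontains $_ }).Count -eq 0
    $mediaOk = $profiles.Count -gt 0 -and $hasKeying -and
               @($profiles | Where-Object { $_ -notmatch '^RTP/SAVPF?$' }).Count -eq 0
    $verdict = if ($sigOk -and $mediaOk) { 'encrypted' } else { 'CLEARTEXT exposure' }

    [pscustomobject]@{
        SignalingTransports = ($transports -join ',')
        SignalingEncrypted  = $sigOk
        MediaProfiles       = ($profiles -join ',')
        MediaKeyingPresent  = $hasKeying
        MediaEncrypted      = $mediaOk
        Verdict             = $verdict
    }
}

# Constructed sample 1: a typical unencrypted INVITE over UDP offering plain RTP.
$plain = @'
INVITE sip:2005@pbx.example SIP/2.0
Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776
From: <sip:1001@pbx.example>;tag=1928
To: <sip:2005@pbx.example>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.1.2.3
s=-
c=IN IP4 10.1.2.3
t=0 0
m=audio 16384 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
'@

# Constructed sample 2: the same call over TLS offering SDES-SRTP (placeholder key).
$secure = @'
INVITE sip:2005@pbx.example SIP/2.0
Via: SIP/2.0/TLS 10.1.2.3:5061;branch=z9hG4bK777
From: <sip:1001@pbx.example>;tag=1929
To: <sip:2005@pbx.example>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.1.2.3
s=-
c=IN IP4 10.1.2.3
t=0 0
m=audio 16384 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERKEY
a=rtpmap:0 PCMU/8000
'@

Test-SipEncryption $plain    # Verdict: CLEARTEXT exposure (UDP signalling, RTP/AVP media)
Test-SipEncryption $secure   # Verdict: encrypted
```

Run it against INVITEs captured on the WAN or internet-facing side of the PBX, not only inside the LAN, since that is the segment the page is concerned with. A message that passes this check still only proves the offer; confirm in the capture that the answering side accepted SRTP and that the media streams are not also sent in the clear as a fallback.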

With the appropriate planning and ongoing risk management procedures, a financial institution can develop and maintain a secure VOIP system that will reduce expenses and improve customer service.

For more information on this topic or on how Young & Associates, Inc. can assist your bank with its IT needs, contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Executive Search and Interim Management Services

By: Sharon Jeffries, Human Resources Manager

All banks face changes in management and other key positions from time to time, whether due to retirements, relocations, unsatisfactory work performance, or other factors. Each of these can put your bank in a difficult and unique position that generally cannot be quickly resolved.

Don’t rush to fill the vacancy by placing a candidate/current employee in a position that may provide temporary support, but results in a poor fit for the long-term, lacking the skills and experience needed to meet the ever changing regulatory banking climate.

What should you do?
If you find yourself in this situation, Young & Associates, Inc. can help by becoming an extension of your Human Resources Department. We will work with management and discuss options for your bank to meet both its short-term and long-term staffing needs.

If we find that the skill set/experience level desired is such that it will take additional time to source the “right” candidate for the position, we will present “interim” solutions, while beginning to search for a candidate that will be a more long-term solution for your organization.

One “interim” solution may be contracting with Young & Associates to put one of our accomplished consultants on-site at your bank to assist in covering those critical areas while continuing the search for a more permanent option. Another option would be for Young & Associates to provide you with a seasoned individual who may be looking for project and/or short-term work. Through years of experience in the financial services industry, we have developed an extensive network of contacts and resumes of individuals with a broad knowledge base in critical areas that are needed in banking today.

We can customize the services we offer to meet the ever-changing workforce needs of your bank. Although some of what we offer is similar to traditional search firms, several differences set us apart from other firms. Our knowledge of the skills necessary to be successful in banking today, along with the ability to utilize our in-house experts throughout the process, are key differences. Also, our professional fee structure is generally lower than traditional placement firms. Most importantly, our reputation is proven: Young & Associates has reliably served banking clients for more than 35 years.

To learn more about these unique staffing services, contact Sharon Jeffries, Young & Associates, Inc.’s Manager of Human Resources. Sharon has over 25 years of experience in Human Resources Management and can be contacted at 800.525.9775 or you can click here to send her an email.

Young & Associates Employees Donate for Thanksgiving Food Drive

During the months of October and November, Young & Associates employees have generously donated to a canned food drive to benefit Kent Social Services for the Thanksgiving holiday. These donations will be used to provide food bags for Thanksgiving and throughout the coming year. Thank you to all who participated in this important corporate initiative to give back to our community!

Young & Associates Launches New Brand and Website

By: Jerry Sutherin, President & CEO

In a year marked by change, Young & Associates continues to adapt and find new and improved ways to serve our clients. Our firm has several announcements that I’m excited to share with you.

In July, we unveiled a refreshed brand identity, including a new logo and tagline, “Financial industry expertise. Proven results.” This rebrand marks the start of a new era for our firm. Rest assured that while our logo has changed, our values, corporate mission, and exceptional service remain the same. We’re here to serve our clients and provide the strong expertise to drive results.

Coinciding with this rebrand, we have launched a new website at the same address (www.younginc.com), which features easy-to-navigate information, improved functionality, and a sleek, modern design. Our goal is to make it easier for you to access the information you need about our services and the industry. We’ve also updated our online store, where you can shop customizable policies and toolkits for your financial institution.

I encourage you to visit our website at younginc.com to see the improvements for yourself. We always welcome your feedback, so please send our team a note to let us know your thoughts. We appreciate your continued support, and we look forward to hearing from you.

Compliance Reviews in These Uncertain Times

By: Bill Elliott, CRCM, Director of Compliance Education

The world of regulatory compliance is in turmoil. Rules are announced, approved, “kind of” enforced, and then the regulators back away and say, “just kidding.” Perhaps the most recent example of this is the OCC’s decision to back away from their interpretation of the Community Reinvestment Act. They have suspended their version of CRA (issued in mid-2020) and decided to join with the Federal Reserve and the FDIC in a rulemaking to update the regulation. Clearly, this is what should have happened initially, but it did not. While this situation only impacted national banks, federal savings associations, and federal branches of foreign banks, it is an example of the ongoing turmoil that takes place in Washington D.C.

This makes the process of compliance much more difficult, as financial institutions do not know necessarily which set of rules will apply and for how long. The result is great difficulty in navigating the world of compliance and deciding what areas should be addressed in any compliance audit/review. When the regulations are in flux as they are now, uncertainty increases the risks of noncompliance.

Focus on Risk

When deciding on compliance audit/review topics, whether they are accomplished internally or externally, financial institutions must assure they focus on their largest risk items. Back in the early 2000s, the Federal Reserve posted a list of regulations ranked from most important to least important. If you look at that list today, it would be clear that the world of compliance has changed dramatically, and financial institutions need to prepare and adjust. It sometimes seems as if this happens continuously.

For loans, Regulations Z and flood are probably at the top of the review list. On the deposit side, Regulation E seems to be the most important regulation, due to the tremendous volume of electronic transactions in financial institutions. We should note that Regulation E is far removed from our current electronic reality, making the process even more difficult.

Whether management is working with an internal auditor, external auditors or consultants, it is important to assure that attention is focused on those areas that are most critical and determine what resources should be expended on other compliance subjects.

The regulator that walks in your door to do an exam is in the same turmoil you are, and it is not their fault. Nonetheless, they must do the best they can to examine your institution based on the current regulatory environment. The more complete your internal or external compliance reviews/audits are, the easier their job will be. And regulators always appreciate an assist, as they are experiencing limited resource issues as well.

So, when preparing for reviews in 2022 and beyond, you need to assure that any compliance reviews that are completed focus on the subjects discussed earlier, as well as the following:

  1. New products
  2. New services
  3. Regulatory issues that you have had in the past, to assure that they are properly addressed prior to the exam

Only after these items are addressed should financial institutions include other regulations. That does not mean that financial institutions should ignore any regulation. For instance, Regulation DD (Truth in Savings) has not materially changed in over 20 years. However, it has been number two based on number of violations (behind Regulation Z) on the FDIC violation list for the past two years. So, management should never equate “no change” with “no risk.”

Not focusing appropriately results in potential difficulties. First, financial institutions can experience a colossal waste of time and money by continually reviewing insignificant items that are low risk. Secondly, the decision to cover a wide variety of compliance topics may mean less time and effort on those areas that need the most attention – and of course these are the most critical for your institution.

Our Approach

At Young & Associates, we always try to work with financial institutions to assure coverage that gives the institution the maximum protection for the dollar amount spent. This approach should be used whether you are using an external firm or internal auditors. Doing something merely because “we have always done it” is often not the best approach.

If we can be of any assistance in planning and executing your compliance reviews, please contact Dave Reno, Director – Lending and Business Development. He can be reached at 330.422.3455 and dreno@younginc.com.

Managing Fannie Mae’s Appraisal Guidance

By: Ollie Sutherin, Consultant and Manager of Secondary Market QC Services

On May 5, 2021, Fannie Mae announced a break from its traditional guidance regarding field review appraisals in favor of a more technological approach to the reverification of appraisals. These changes were effective immediately.

Historically, Fannie Mae required one field review appraisal to be ordered for every 10 loans reviewed. The revised guidance states that, “the lender must complete a collateral risk assessment for all mortgage loans with an appraisal as a part of its random QC sample. It is acceptable for the collateral risk assessment to be completed by an individual who is not a licensed or certified appraiser.” Further, the collateral risk assessor must be competent in appraisal theory and must be able to specifically:

  • Determine that a property meets eligibility requirements including the LTV, CLTV, and HCLTV ratios
  • Assess appropriateness of comparable sales
  • Assess appropriateness of the data presented in the appraisal report
  • Conclude that the rationale for the reconciliation of value is supported
  • Prescribe corrective actions for defects identified in the appraisal process
  • Reconcile flags and messages that were identified in Collateral Underwriter (CU) if the property was able to be scored in CU. If the property was not able to be scored in CU, then reconcile any known quality messages (messages, alerts, flags) that are reflected in other third-party tools if utilized.

If the lender is unable to complete the above assessment or appropriately determine the quality of the original appraisal, it may order either a desk review or field review from a licensed appraiser for each sampled loan. The desk review or field review must address all the points in the above requirements.

This is seen as a significant change in the industry as the costs for traditional field reviews were becoming comparable in most cases to traditional appraisals. Additionally, it has become increasingly challenging to contract a licensed appraiser to complete the field reviews, especially in rural areas.

As the industry transitions to these new changes, the key takeaway for financial institutions is to either 1) hire competent staff or train existing personnel to complete the assessments in accordance with the guidelines, or 2) engage knowledgeable third-party vendors to coordinate completion of the work.

If your institution needs assistance pertaining to these or other quality control requirements, please contact Dave Reno, Director of Business Development, at dreno@younginc.com or 330.422.3445.
