Skip to main content

Author: admin

CDs Maturing in Q2: Impact on Interest Rate Risk Management

Written by admin on . Posted in Advice, Blog, Consultation, Contingency Planning, CRE & AG Stress Testing, Interest Rate Review, Interest Rate Risk, Lending & Loan Review, Liquidity Management, Liquidity Review, Management & Planning, Regulatory Enforcement, Risk Management.

By: Michael Gerbick, President at Young & Associates

Interest rate risk (IRR) is the exposure of a bank or credit union’s current or future earnings and capital to adverse changes in market rates. Management of that risk is critical to community financial institutions and since the pandemic and rates went to zero, due to the rapid pace of change, effective management of that risk has been difficult due to the rapid increase in interest rates.

Navigating Market Volatility: The Role of ALM Models 

Most banks and credit unions utilize asset liability management (ALM) models to assist in the modeling of interest rate increases and decreases, typically +/- 400 bp shock scenarios. Similar to the parallel rate shock scenarios of the ALM models designed to identify risk exposure in a rapidly changing rate environment, the Fed raised rates between March 2022 and July 2023 from 0% to 5.25–5.50%.  

The yield curve shape changed significantly, putting additional stress on the Asset Liability Committees (ALCO) responsible for managing the ALM function of financial institutions, and has not let up. Yes, the inverted yield curve has flattened from 12 months ago, however in March this year, the Treasury yield curve for the two-year and ten-year yields hit a consecutive day record for being inverted 625 days, besting the previous record set in 1978.  

The chart shown below1 illustrates the difference between the higher yield 2-year and the lower yield 10-year. 

Strategies Amidst Rising Rates: Insights for Community Banks and Credit Unions 

Amongst many of the strategies employed during the rising rate environment of 2022 and 2023 was offering certificates of deposit (CDs) to maintain and grow deposits on the balance sheet. However, the funding mix began to shift as consumers migrated towards the higher interest-bearing accounts or the Bank increased Federal Home Loan borrowing which caused the cost of funds to increase.  

Industry research for the last two years shows interest-bearing deposits up 5.1% and non-interest-bearing deposits down 28%2. Rates have not risen since July 2023, however many of the CDs offered in 2023 are due to mature in 2024 in a different rate environment than when they were issued. Financial institutions are monitoring this closely.  

Strategic Considerations for ALCOs: Addressing Interest Rate Risk 

ALCOs are tasked with predicting the interest rate exposure in the elevated rate environment. Currently, we are in a unique environment and banks and credit unions should be cautious about using historical data only to predict future activity. In addition to non-bank competitors competing for deposits, community financial institutions need to continue improving their approach to cost of funds, net interest margin compression, and how the institution will effectively manage their exposure to interest rate risk. A few strategies and actions financial institutions can employ related to deposits are: 

Optimizing Interest Rate Exposure

Increase the frequency in which ALCO meets to review the interest rate environment. This may currently be semi-annual or quarterly at your institution. The financial institution may consider meeting monthly to stay abreast of any changes in the environment or new products the Bank is releasing. 

Policy Revision

Review your policy limits approved by the Board. Your policy may only have -100 bp or -200 bp scenarios listed given the previous low-rate environment. Not only review the existing policy limits with the Board but increase the stress range to account for -300 bp and -400 bp. 

Trigger Points

In addition to the policy limits, consider thresholds for the rate of change of the risk measures that consider risks associated with liquidity, interest rate risk, and capital. These rate of change thresholds are designed to commence action or additional investigation into the source of the significant movement ahead of falling outside of policy limits. 

Stress Your Assumptions

ALM models have built-in assumptions and are likely based on historical industry averages supplemented by data supplied by your institution. Common key assumptions outlined by the FDIC3: 

  • Asset Prepayment – represents the change in cash flows from an asset’s contractual repayment schedule. The severity of prepayments fluctuates with various interest rate scenarios. Mortgage loans are a prime example of assets subject to prepayment fluctuations.
  • Non-Maturity Deposits
    • Sensitivity or Beta Factor – describes the magnitude of change in deposit rates compared to a driver rate.
    • Decay Rate – estimates the amount of existing non-maturity deposits that will run off over time.
    • Weighted Average Life – estimates the average effective maturity of the deposits.
  • Driver Rate – represents the rate, or rates, which drive the re-pricing characteristics of assets and liabilities. Examples include Fed funds rate, LIBOR, U.S. Treasury yields, and the WSJ Prime rate.

Have discussions with your team and understand what is going on broadly in the economic environment as well as items specific to your bank or credit union. Address changes or concerns in your modeling assumptions or at the very least, be aware of their potential impact. Spend time to learn the assumptions. Do not accept the defaults as correct, make sure your team understands them.

In addition to your base case, stress the assumptions – double or triple the decay rates, assume a high sensitivity to driver rates in the change in deposit rates, and cut the prepayment speeds in half. The alternate scenarios with severe assumptions will assist ALCO in understanding potential value creation and risks.  

Interest Rate Risk Review

Regulatory guidance indicates that every bank should have an annual third-party assessment of the interest rate risk system. Similar to other audits, this review should be delivered to the Board of Directors or the Board’s audit committee and is a critical component of the Board’s responsibility for bank oversight. 

Educate the Board on Interest Rate Risk

There are educational videos available through the FDIC website. In addition, there are IRR modeling vendors that will attend meetings to provide perspective to your institution on the current economic environment and your modeling results. Leverage them. 

Managing Interest Rate Risk in 2024 and Beyond 

There is always an opportunity for significant value creation in any environment. The rapidly increasing rate environment experienced in 2022-2023 brought forth significant risks and opportunities. The 2024 environment possesses new challenges, and I am excited to see our community banks and credit unions adjust their balance sheets, act on the highest value opportunities, and limit their interest rate exposure.  

Assess Your Interest Rate Risk 

Ready to proactively manage your institution’s interest rate risk? Young & Associates offers comprehensive interest rate risk reviews tailored to your needs. Ensure your bank or credit union is prepared to navigate market volatility with confidence. Reach out to us now to schedule your consultation!

 

 

1Federal Reserve Economic Data (FRED) 10-Year Treasury Constant Maturity Minus 2-Year Treasury Constant Maturity
2S&P Global US Bank Market Report 2024
3FDIC Developing Key Assumptions for Analysis of Interest Rate Risk

Implementing Compliance: Key Principles & Practices

Written by admin on . Posted in Advice, Blog, Compliance & Regulations, Consultation.

By: Bill Elliott, CRCM, Director of Compliance Education at Young & Associates

There is no question that laws and regulations materially change the way banks do business. The recent new laws and regulations have, more than ever before, crossed over the consumer protection regulatory line and into bank management. This complicates your life, and the starts and stops do not make it easier. 

Consider the “1071 Rule,” which amounted to HMDA for commercial loans, with even more invasive questions. The underlying law was passed in 2010 (the Dodd-Frank Act), and the CFPB took almost 13 years to implement it, only to be stopped by the courts for stepping way beyond the requirements of the law. The updated CRA regulation is also now being challenged in the courts. 

Compliance does not happen in a vacuum. Many of the regulations cover multiple disciplines within the bank, and many departments have to be involved in implementing the solution. This article discusses some of the basics of implementing compliance within your organization, as well as an approach that we believe is critical to the success of any bank. 

The Key Ingredients

To establish a successful compliance program, the following ingredients must exist:  

  • Board of Directors support 
  • Management support 
  • Staff development 
  • A viable and structured compliance network (compliance council) 
  • Compliance monitoring  

Board of Directors Support

The board is ultimately responsible for the success or failure of the compliance program, just as they are for any other aspect of the bank’s risk management. The board needs a flow of information to assist them in understanding the compliance function and the current status of the program. The board must also understand the stresses for compliance and ensure that there are adequate resources to facilitate success. 

Management Support

Management must be actively involved in the development of the compliance program. Although management may not design and develop the program, they should provide direction and ensure that there are resources to support its establishment and maintenance. Management must stay involved by monitoring the progress of the program through requiring periodic reports. 

Staff Development

Staff development involves providing staff with the necessary background to understand the purpose of compliance, the structure to support the program, and the technical skills to it out effectively. Management must direct the designated person or council and allow them the resources, including the resource of time, to fully implement the compliance program. 

A Practical Solution: The Compliance Council

In order to address the compliance burden, we believe banks should use a compliance council. This is NOT a committee. It is a reporting mechanism, where each area of the bank is responsible for the compliance duties that impact their jobs. At the council, they report progress or lack thereof in meeting those requirements.  

The results of the compliance council meeting are reduced to writing. Those minutes then go to management and the board so that they understand the current compliance situation in which the bank finds itself. A compliance council aids the institution in the following ways: 

  • The compliance council is comprised of representatives from each major area of the institution, thereby building continuity into the program. 
  • The compliance council builds compliance into the daily operational procedures of each area so that the institution can function from a practical and preventive focus. 
  • The compliance council incorporates comprehensive compliance coverage through its composition, i.e., lending, customer service, and operations. 
  • The compliance council establishes a compliance link to planning for new products and services. Each area of the institution can establish the compliance details during the planning and implementation stages. 
  • The compliance council allows the institution to include monitoring procedures in the daily workflow that integrates compliance without creating unnecessary work burdens i.e., the use of checklists and most common concern policies. 
  • The compliance council enables the institution to create an effective training and communications channel for all compliance issues. The council members will be able to take information back to their respective areas. 

Choosing the Compliance Council

The compliance council’s objective is to spread the duties among a small group of individuals to reduce the burden on anyone and increase coverage of the compliance function. Compliance has expanded far beyond just “letting the compliance officer deal with it.” 

The persons who are chosen might be representatives from: 

  • real estate lending, 
  • consumer lending, 
  • customer service, 
  • deposit operations, and 
  • compliance administration. 

Of course, banks are free to add others, such as BSA, branch administration, etc. 

The use of management in an advisory capacity can help to ensure accountability. It is difficult to say “I did not have time” or something similar in front of a senior manager. But hopefully, this is not necessary in most banks. The “minutes” of the meeting become a useful tool for management and the board to understand the current compliance position of the bank. 

If there is a regulatory change that involves multiple disciplines, then and only then does the “council” become a “committee” to address the common issue. 

Authority and Credibility

It is important for the compliance officer and the compliance council to develop sufficient authority to operate within the bank. Without this authority, the officer and the council will be ineffective.  

Assuming that the board of directors and executive management have clearly granted the compliance officer and the compliance council sufficient authority with which to operate, the compliance officer and the compliance council must ensure their own credibility to retain any authority that the board of directors and management have granted them. 

The compliance council’s biggest barrier involves establishing credibility with the bank’s employees. For example, if in the eyes of the employees, the compliance council is an informational source to help them do their job, the council will succeed. If communication channels are established but never work, the council will fail. The key to the success of the compliance council is to establish, implement, monitor, and enforce the compliance function throughout the bank. 

Effective Compliance Implementation

Navigating the dynamic landscape of banking regulations requires proactive strategies and a collaborative approach across all levels of an institution. As the regulatory environment continues to evolve, compliance becomes increasingly complex, necessitating a robust framework, dedicated oversight, and effective implementation to ensure adherence. 

Empowering Banks for Regulatory Compliance Success

At Young & Associates, we understand the challenges banks face in implementing and maintaining effective compliance programs. Our team of experts is committed to providing tailored solutions that empower banks to navigate regulatory requirements with confidence and efficiency. 

Ready to streamline your compliance efforts and fortify your institution against compliance risk? Partner with Y&A for comprehensive regulatory compliance consulting services. Contact us today to learn more about how we can support your bank in alleviating regulatory burdens. 

Qualities of a Good Managed Services Provider (MSP)

Written by admin on . Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation.

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.  

But how do you know that you currently have, or you are choosing the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems. 

Understanding Financial Institution Needs 

First, it is important to understand that financial institutions are unique from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection. 

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations. 

The Drawbacks of National MSPs 

A national MSP may not be appropriate for a small community financial institution either as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging. 

The Value of Local and Regional MSPs 

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.  

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.  

5 Key Qualities of Good MSPs 

Some of the good qualities that we see from these MSPs include: 

  • Proactively identifying and presenting new tools to enhance the institution’s information security posture 
  • Working as a partner by learning about the institution and customizing solutions to its unique needs 
  • Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Being responsive to initial and follow up exam/audit documentation requests 
  • Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner 

MSP Red Flags to Watch Out For  

Some of the red flags that we see from other MSPs include: 

  • Providing security status reports that contain errors or are hard to understand 
  • Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Failing to notify the institution prior to making changes that may compromise security or impact system availability 
  • Slow response to documentation requests for exams/audits or charging additional fees to provide this information 
  • Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration” 

Ensuring the Right Partnership 

In closing, it is important to remember that as a financial institution, you are ultimately responsible for any problems that occur from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.  

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels for your institution and consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison. 

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

ACH Risk Management: Understanding NACHA’s Rule Changes

Written by admin on . Posted in ACH, Advice, Blog, Compliance & Regulations, Consultation, News.

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s Rule Changes 

These new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving financial institutions or RDFIs will have a defined role in monitoring the ACH payments they receive.  

Rule Changes Effective June 2024 

The following rule changes take effect June 21, 2024: 

  • General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make is clearer that the WEB SEC Code must be used for all consumer-to-consumer credits regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
  • Definition of Originator: Clarifies changes and alignments to the definitions of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account and that the Rules do not always require a receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
  • Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
  • Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
  • Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
  • Clarification of Terminology: Subsequent Entries: Replace references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule Changes Effective October 2024  

The following rule changes take effect October 1, 2024: 

  • Additional Funds Availability Exceptions: Provide RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are fraudulent. 
  • Codifying Use of Return Reason Code R17: Allow RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
  • Expand Use of ODFI Request for Return/R06: Expand the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RFI for any reason. 
  • RDFI Must Promptly Return Unauthorized Debit: Require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
  • Timing of Written Statement of Unauthorized Debit (WSUD): Allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule Changes Effective 2026 

The following rule changes take effect March 20, 2026: 

  • Company Entry Description – Payroll: Establish a new standard description of Payroll for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
  • Company Entry Description – Purchase: Establish a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases.  

  • Phase 1 is effective March 20, 2026, for all ODFIs and non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. 
  • Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs   
    • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, TPSP, and TPS to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
    • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

Ensuring A Secure ACH Landscape Through Proactive Risk Mitigation 

The recent ACH rule changes approved by NACHA signify a significant step towards enhancing ACH risk management and fraud prevention within the financial industry. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures, and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance Your ACH Risk Management Framework with Young & Associates’ Proven Expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services, including comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today to explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.

Modernized FDIC Signage & Advertisement Requirements: What Banks Need to Know

Written by admin on . Posted in Advertising, Blog, Compliance & Regulations, Consultation, News.

In today’s dynamic regulatory landscape, keeping pace with regulatory updates is critical for community banks to maintain compliance and uphold depositor trust. To adapt to shifts in the banking industry and consumer behavior, the Federal Deposit Insurance Corporation (FDIC) has finalized a rule to modernize the requirements for official signs and advertising statements for insured depository institutions (IDIs). This modernization signifies a crucial change in regulatory expectations, demanding a thorough understanding and proactive approach from financial institutions.

Background: Understanding the Updated Part 328 Rules

The banking industry has experienced significant transformations, including the evolution of bank branches, heightened reliance on internet and mobile banking, and increased partnerships between IDIs and financial technology (fintech) companies. These shifts have heightened the potential for consumer confusion regarding FDIC deposit insurance coverage.

In response, the FDIC has introduced substantial updates to Part 328 of its regulations, specifically addressing the use of official FDIC signs and advertising statements by IDIs. Additionally, it clarifies regulations concerning false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo. This revision underscores the FDIC’s dedication to aligning regulatory standards with the evolving banking landscape, especially in digital and mobile channels.

Key Changes to Note: New FDIC Official Signage Requirements

The modernized FDIC signage and advertisement requirements bring about significant changes aimed at enhancing consumer understanding and confidence in deposit insurance coverage. Beginning in 2025, FDIC-insured institutions are mandated to prominently display the official FDIC digital sign across digital platforms, including bank websites, mobile applications, and ATMs. This expansion to digital channels ensures consistent depositor confidence and clarity regarding deposit insurance coverage.

Moreover, the updated rule emphasizes the differentiation between insured deposits and non-deposit products across all banking channels. Financial institutions are now required to provide conspicuous disclosure indicating that certain financial products are not insured by the FDIC, are not deposits, and may incur value loss. These changes aim to extend the certainty and confidence associated with FDIC protection to digital channels while ensuring that consumers are properly informed about the status of their deposits and the scope of FDIC insurance coverage.

Quick Reference: FDIC Modernized Signage Rule Requirements and Compliance Deadlines

Purpose of the Updated FDIC Signage Requirements

The rule updates regulations governing the use of official FDIC signs and advertising statements to reflect contemporary banking practices. It also clarifies regulations regarding false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo.

Changes to Official Signs

The traditional black and gold FDIC sign displayed at bank branches will now be complemented by a new black and navy blue FDIC digital sign. Banks will be required to display this digital sign on their websites, mobile applications, and certain ATMs starting in 2025.

Differentiation of Products

Banks must use signs to differentiate insured deposits from non-deposit products across banking channels. They also need to indicate that certain financial products are not insured by the FDIC, are not deposits, and may lose value.

Clarification on Misrepresentations

The rule addresses scenarios where misleading information about deposit insurance coverage could confuse consumers. It prohibits the use of FDIC-associated terms or images in marketing materials to inaccurately imply that uninsured financial products or non-bank entities are insured or guaranteed by the FDIC.

Objectives for IDIs

For IDIs, the rule modernizes rules for displaying the FDIC official sign in branches and extends requirements to other physical premises. It establishes and mandates the display of the FDIC official digital sign on bank websites, mobile applications, and certain IDI ATMs. IDIs are also required to differentiate insured deposits from non-deposit products across banking channels and provide a one-time per web session notification when a logged-in bank customer leaves the IDI’s digital deposit-taking channel for non-deposit products on a non-bank third party’s website. Additionally, IDIs must establish and maintain written policies and procedures for compliance with part 328.

Compliance & Effective Dates

The amendments made by the final rule are effective on April 1, 2024, with an extended mandatory compliance date of January 1, 2025.

Navigating Compliance with Young & Associates

At Young & Associates, we recognize the complexities and challenges community banks face in navigating regulatory changes effectively. As your trusted partner in regulatory compliance, we offer a customizable FDIC Signage and Advertising Requirements Policy crafted to assist community banks in complying with the modernized rule. Additionally, our comprehensive suite of regulatory compliance services includes compliance outsourcing, advertising review, and various other solutions designed to address the unique requirements of community banks. With decades of experience in the financial services industry, our team of compliance experts is committed to guiding institutions towards regulatory compliance excellence while minimizing operational disruptions.

In an era defined by regulatory scrutiny and evolving consumer expectations, ensuring compliance with FDIC signage and advertisement requirements is paramount for community banks. Embrace proactive compliance practices and partner with Young & Associates to navigate the complexities of regulatory change effectively. Contact us today to embark on your journey towards compliance excellence and safeguard the integrity of your institution in the ever-evolving financial landscape.

Stay compliant. Stay confident. Choose Young & Associates.

Understanding ACH Risk Management for Community Financial Institutions

Written by admin on . Posted in ACH, Blog, Compliance & Regulations, Consultation.

Automated Clearing House (ACH) risk management is a topic of paramount importance for community financial institutions. In the realm of modern banking, ACH payments have emerged as a cornerstone of electronic fund transfers, offering unparalleled efficiency and convenience for businesses and consumers alike. However, with the benefits of ACH come inherent risks that financial institutions must proactively address to safeguard their operations and protect their stakeholders.

Spectrum of ACH Risk Categories

From compliance and credit risk to fraud, operational challenges, and systemic vulnerabilities, each facet of ACH risk poses unique challenges and demands strategic foresight and diligent risk mitigation efforts. By understanding the intricacies of ACH risk management, financial institutions can fortify their resilience and ensure compliance with regulatory standards while fostering trust and reliability in the digital banking ecosystem.

The Five Basic Types of ACH Risk

1. ACH Requirements Compliance Risk

Compliance risk encompasses the threat of legal or regulatory sanctions, financial loss, or damage to reputation resulting from failure to comply with laws, regulations, and internal policies. For community financial institutions processing ACH transactions, compliance risk looms large due to the intricate web of regulations governing ACH transfers, including Regulation E and Article 4A of the Uniform Commercial Code, as well as Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements, and the NACHA Rules and Guidelines. Institutions must conduct comprehensive ACH reviews to ensure adherence to regulatory standards and promptly rectify any violations or errors detected.

2. Credit Risk From ACH Transactions

Credit risk arises from the potential for financial loss due to the failure of parties involved in ACH transactions to fulfill their payment obligations. Community financial institutions face credit risk when originating or receiving ACH transactions, especially with the proliferation of high-risk activities such as nonrecurring payments. Establishing rigorous underwriting standards, evaluating originator creditworthiness, and setting appropriate exposure limits are crucial risk mitigation strategies for managing credit risk effectively.

3. Fraud Risk

Fraud risk encompasses the threat of unauthorized or deceptive activities resulting in financial loss or reputational damage. With the increasing sophistication of fraudulent schemes targeting ACH transactions, community financial institutions must remain vigilant against fraudulent activities such as account takeover, unauthorized returns, and unauthorized transactions. Implementing robust authentication measures, monitoring transaction patterns for anomalies, and conducting regular audits of third-party service providers are essential components of an effective fraud risk management framework.

4. ACH Processing Operational Risk 

Operational risk stems from the potential for disruptions or failures in internal processes, systems, or human factors leading to financial loss or operational inefficiencies. Community financial institutions face operational risk in ACH processing operations due to factors such as technological failures, human error, and inadequate controls. Implementing comprehensive policies and procedures, ensuring adequate training for staff, and conducting regular audits of ACH operations are critical steps in mitigating operational risk.

5. Systemic Risk

Systemic risk refers to the threat of widespread disruptions or failures within the financial system resulting from interconnectedness and interdependencies among institutions and market participants. While individual community financial institutions may have limited exposure to systemic risk in ACH processing, they remain vulnerable to broader systemic events impacting the financial industry as a whole. Vigilance, collaboration with industry stakeholders, and contingency planning are essential strategies for managing systemic risk effectively.

Effective ACH Risk Management for Community Financial Institutions

In conclusion, effective ACH risk management is paramount for community financial institutions to navigate the evolving landscape of electronic payments and uphold their commitments to regulatory compliance, financial integrity, and customer or member trust. By understanding and addressing the five basic types of ACH risk—compliance, credit, fraud, operational, and systemic—financial institutions can fortify their resilience and sustain long-term success in the dynamic world of electronic banking.

Young & Associates offers ACH self-assessment reviews, where our compliance experts evaluate your policies, procedures, and test components to ensure compliance with the NACHA Operating Guidelines. For tailored guidance to your unique circumstances, reach out to our team of experts. You can rely on us to navigate the regulatory compliance landscape and keep your financial institution on the path to success. Contact us today.

NCUA Cybersecurity Priority: What Credit Unions Need to Know

Written by admin on . Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Network Penetration Testing, Social Engineering, Vulnerability Assessment.

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats

Understanding the NCUA Supervisory Priority of Information Security

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six Key Considerations for Credit Union Cyber Security Compliance

1. Holistic Risk Assessment and Management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor Risk Management 

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident Monitoring and Documentation Protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust Incident Response Plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA Regulatory Standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous Monitoring and Improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering Credit Unions: Tailored Cybersecurity Solutions From Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Helpful Links:

Young & Associates Announces Strategic Internal Promotions

Written by admin on . Posted in Announcements, Blog, News.

Young & Associates, a leading consultancy firm specializing in banks and credit unions, proudly announces the promotions of two key team members, Michael Gerbick and Ollie Sutherin, marking a significant milestone in the company’s leadership evolution.

Michael Gerbick Promoted to President of Young & Associates, Inc.

Michael Gerbick, a pivotal member of Young & Associates for five years, has been promoted from Chief Operating Officer to President of the organization. Gerbick’s tenure has been marked by significant contributions in accounting functions, internal process enhancements, and the implementation of productivity-driven systems, reflecting his commitment to the company’s success.

Ollie Sutherin Promoted to CFO of Young & Associates, Inc.

Ollie Sutherin, formerly Principal of Y&A Credit Services, assumes the role of Chief Financial Officer. Sutherin’s journey with Young & Associates began with a focus on the company’s loan review process, subsequently expanding his expertise in lending, credit, and systems implementations. His progressive roles, from credit analyst to Principal of Y&A Credit Services, have led to pivotal changes resulting in notable revenue growth and heightened productivity.

Jerry Sutherin Continues Leadership as CEO

Jerry Sutherin, formerly President and CEO of Young & Associates, will maintain the role of CEO, affirming his enduring commitment to the company’s growth and strategic direction. He remains actively involved in the company’s leadership and operations, leveraging his banking expertise and industry relationships to guide its trajectory.

As stated by Jerry Sutherin, “We are excited to announce the well-deserved promotions of Michael and Ollie. Their dedication, expertise, and innovative leadership have been instrumental in the growth and success of Young & Associates. We remain well positioned to continue our strategic growth initiatives and look forward to their continued contributions to these goals.”

A Commitment to Excellence and Innovation

These promotions underscore Young & Associates’ dedication to recognizing and fostering exceptional talent within the organization. Elevating Michael Gerbick to President and Ollie Sutherin to CFO signifies their invaluable contributions and leadership, reinforcing the company’s commitment to innovation and excellence in the financial institution industry.

Young & Associates is confident that these strategic internal promotions will contribute to the ongoing success of the organization and its commitment to providing top-tier consultancy services to banks and credit unions. The company looks forward to the continued growth and achievements under the leadership of its dynamic team.

Ready to elevate your financial institution’s success? Reach out to us today to learn more about our top-notch consultancy services.

2024 Housing Market Outlook: Implications for Mortgage Lenders

Written by admin on . Posted in Advice, Consultation, Mortgage Quality Control.

By: Donald Stimpert, Manager of Secondary Market QC Services

Fannie Mae’s recent revised forecast for 2024 and beyond unveils a nuanced projection that holds significance for community banks and credit unions navigating the intricate landscape of the housing market. The insights presented by Fannie Mae’s Economic and Strategic Research (ESR) Group encapsulate essential indicators and predictions that will influence the housing and mortgage sectors in the forthcoming year.

Economic Deceleration and Housing Recovery

The December report anticipates a potential economic slowdown in 2024, aligned with a gradual recuperation in both home sales and mortgage originations. Although initially forecasting a modest recession for 2023, the economic resilience has surprised many market analysts. Fannie Mae now perceives the possibility of a softer landing due to disinflation and low unemployment rates. However, the housing sector faced challenges in 2023, witnessing record-low affordability, lock-in effects, and a severe deficit in available for-sale housing, leading to the lowest existing home sales since the Great Financial Crisis.

Factors Impacting Home Sales in 2024

Fannie Mae’s analysis points to a challenging landscape ahead. 2023 set a record low for existing home sales since 2010, setting the stage for a gradual recovery in 2024. Yet, obstacles like unaffordability, lock-in effects, and constrained inventory persist, likely causing a marginal impact on 2024’s total home sales compared to the previous year.

Despite glimpses of potential relief, these hurdles are expected to persist. Although the decline in the 10-year Treasury rate offers a glimmer of hope for better sales and mortgage originations, persistently high mortgage rates forecast subdued home sales at around 4.8 million in 2024, with a modest increase to 5.4 million by 2025.

October’s rock-bottom existing sales at 3.79 million could signal a turning point. Recent shifts in purchase mortgage applications, fueled by notable drops in mortgage rates, hint at a possible sales uptick. This trajectory depends on further rate moderation, potentially leading to increased sales.

Moreover, Fannie Mae’s projection of a slight dip in new home sales contrasts with unexpected buyer resilience amidst rising rates. This unexpected stability, boosted by concessions from builders, hints at sustained sales consistency.

This sales resilience, coupled with an unforeseen home price rebound, shapes Fannie Mae’s view on mortgage originations. Despite fluctuations, the forecast indicates a subtle upward trend, aligning with current origination levels.

Upgraded Projections for Single-Family Mortgage Originations

Amidst these challenges, Fannie Mae projects a positive trajectory in total single-family mortgage originations:

  • $1.5 trillion in 2023
  • $1.9 trillion in 2024
  • $2.3 trillion in 2025

This upgrade stems from a positive outlook on purchase mortgage origination volumes. Forecasts indicate a substantial increase to $1.4 trillion in 2024, a noteworthy leap from the anticipated $1.3 trillion in 2023. Looking ahead, the trajectory continues its upward trend, projecting $1.6 trillion in purchase origination volumes by 2025. Simultaneously, refinance origination volumes are on an upward trajectory, poised to surge to $451 billion in 2024 and further escalate to $686 billion in 2025.

Dynamics of Mortgage Rates and Home Sales

The report reflects on the impact of declining interest rates, projecting a shift to an average FRM30 rate of 6.7% in 2024 and 6.2% in 2025, down from the current 7.4% in Q4 2023. However, the transition in monetary policy might introduce volatility in mortgage rates, presenting a potential risk factor for these projections.

New vs. Existing Home Sales, Housing Starts, and Price Growth

The resilience of new home sales, unexpected amidst economic uncertainties, and the lower-than-expected impact of high mortgage rates on sales showcase a trend where buyers seem less affected by increased rates compared to previous years. Homebuilders’ concessions, including mortgage rate buydowns, aim to stimulate sales amidst these challenges.

Implications for Community Banks and Credit Unions

Understanding Fannie Mae’s 2024 outlook is crucial for community banks and credit unions to tailor their strategies. The projected increase in mortgage originations presents both opportunities and challenges, urging these institutions to adapt swiftly to evolving market dynamics and consumer behaviors.

In conclusion, Fannie Mae’s revised outlook for 2024 emphasizes the need for adaptive strategies by community banks and credit unions to harness opportunities amid the projected housing market landscape. Staying informed about these forecasts will empower these financial institutions to navigate potential challenges while capitalizing on growth prospects effectively.

Secondary Market Quality Control

Young & Associates stands as a trusted ally for financial institutions amid Fannie Mae’s housing market projections. Specializing in secondary mortgage quality control, our QC services serve as a shield against risks, meeting federal and private investor requirements, including those of Fannie Mae. As Fannie Mae anticipates a gradual housing market recovery and increased mortgage activities, partnering with Y&A can fortify your institutions’ risk management strategies. Our meticulous evaluations ensure compliance readiness and accuracy, aligning financial entities with market shifts highlighted by Fannie Mae, securing robust mortgage operations for the future. Visit our website for more information or contact us here.

Notable Changes in the New Ransomware Self-Assessment Tool

Written by admin on . Posted in Advice, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit.

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020 as a tool for banks to use to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security. 

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks1.   

Key Findings from the Ransomware Lessons Report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

In response to the findings identified in this report, a new version of the R-SAT was released in October 2023 that identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable Additions to R-SAT

The notable additions to the new version of the R-SAT are identified below: 

  • Specific questions were added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several new additional preventative controls that should be considered 
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security Control Enhancements Recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs for community banks and credit unions, we also see value in the following security control enhancements: 

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool 

Strengthening Bank Security Against Ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats. Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website. 

Construction Loan Monitoring: Questions & Answers

Written by admin on . Posted in Advice, Consultation, Lending & Loan Review.

By: Linda Fisher, Senior Consultant

There is always a certain level of risk in lending, but construction loans are of even greater risk. The ultimate value of the collateral is realized only after the project is completed, and the finished project is either leased to a stabilized level or sold at a profit. Therefore, it is imperative that a construction loan be closely monitored to ensure that the project is successfully executed. 

Why is construction monitoring so important?

Construction monitoring serves both the bank AND the customer. By conducting regular inspections, both parties can verify that the work being done is properly completed, on budget and results in the expected final value of the project.  

Also, if for any reason there is a dispute or litigation arises, there is a record of independent monitoring of the project by a qualified third party that can aid in any conflict resolution. 

When should a construction inspector be engaged?

While both the bank’s and the borrower’s responsibilities are outlined in the loan documents, a detailed discussion between the bank and the borrower should take place prior to closing that outlines how the draw process will be handled, and identify who will be conducting inspections and the costs associated with this service.   

Subsequent to this discussion, the inspector should be engaged prior to closing. This individual should perform an initial review of the construction agreement, budget, timeline, and plans and specifications associated with the project. This helps to ensure that the proposed project is feasible given the work to be performed and can be completed within the designated costs and timeframe, as well as that all appropriate documentation related to the project is in order prior to closing the loan. 

Throughout construction, having the construction inspector perform physical site visits provides independent verification of the line item percentage completion of the construction performed during the draw request period and due to the inspector’s expertise, allows the inspector to directly address pertinent construction matters with the contractors, architects and borrowers on the bank’s behalf. 

Who is qualified to perform inspections?

Ideally, construction monitoring services are performed by engineers or other licensed individuals with experience in general construction methods and materials, as well as practices, techniques, and equipment used in building construction. A list of individuals/firms should be maintained by the bank – similar to lists of appraisers, attorneys, title companies, and other approved third-party vendors – that provide construction monitoring/inspection services. 

As with any third-party vendor, these individuals should be thoroughly vetted, with documentation of his/her appropriate experience, references, and insurance.   

A bank may sometimes engage the appraiser who performed the property evaluation prior to closing to serve as the construction inspector. While this individual may meet the intent of having an independent third party visit the site, an appraiser does not have the appropriate experience and training to review and interpret the plans and specifications prior to closing or effectively evaluate and monitor the construction as it progresses. 

Who is responsible for payment of a construction inspector’s services?

The cost associated with utilizing a construction inspector is typically borne by the borrower and is included in the project budget as a soft cost and as a closing statement line item.   

What do these services cost?

The best answer is…it depends. Costs for a construction inspector’s services will vary in conjunction with the location and scope of the project. The initial cost for a review of the plans and specs is typically a higher expense, with monthly periodic reviews as disbursement requests are received by the bank from the borrower being a lesser cost. The cost pales in comparison to the potential risk of having a project be inappropriately completed, stall mid-construction or potentially turn litigious costing time and expense for the borrower, contractors and the bank.   

What are best practices in monitoring a construction loan?

Every step of the process should be well documented within the loan files. In addition to maintaining copies of the construction agreement(s), as well as original budget and timelines, details of change orders, a copy of the agreement with the construction inspector and any related information should be maintained as well. A copy of each loan disbursement request should be kept in the file and accompanied by the following: 

  • Inspection report – to include the name and title of the person that performed the inspection, the time & date of the inspection, captioned photos of the project, estimated percentage of project completion with supporting descriptions of work completed since the last inspection and materials stored onsite, details of any delays, disputes or inspector concerns, an estimated date of completion and the inspector’s approval of the requested disbursement  
  • Lien waivers/title bringdown/endorsement – to ensure that there are no intervening liens filed against the project 
  • All paid or owing invoices, receipts and other verifications of project expenses or applicable borrower reimbursements  
  • Updated budget – demonstrating percentage of completion of budgeted expense categories, and sources and uses of equity and debt funds to date. 

Maintaining this information in the file demonstrates that the bank is effectively monitoring the loan and provides clear documentation of progress of construction. If a question or concern develops, it can be quickly and efficiently addressed, since the information is secured in one location.  

What is a certificate of final value?

Upon completion of the construction/issuance of the certificate of occupancy, the bank should inform the original appraiser of such completion and a final inspection performed by the appraiser to validate that the project was completed within the parameters defined in the original appraisal. The appraiser then issues a certificate of final value correlating the completed project to the circumstances of the appraisal report and its concluded “as complete” value. 

Building Confidence With a Construction Monitoring Plan

An effective, consistent construction monitoring program avoids surprises for all parties, as it documents the evolution of the project, from the initial approved scope and costs, throughout construction and to final completion. Prior to closing, all parties can be confident knowing that they are starting off on the right foot, with a solid and achievable plan. As the project progresses, any issues that may arise can be identified and dealt with appropriately. Given the potential risks associated with any construction project, having a solid plan and maintaining proper documentation provides a higher probability of a successful outcome that benefits both the borrower and the bank. 

Optimize Your Construction Loan Management Strategies with Y&A

Young & Associates offers specialized lending and loan review services to assist community banks and credit unions in constructing robust construction loan management and administration processes. For tailored solutions and expert support, contact us here. Strengthen your construction loan approach with Young & Associates’ dedicated expertise.

HMDA and CRA Adjustments Are Here

Written by admin on . Posted in Advice, Compliance & Regulations, Consultation, HMDA.

By: William J. Showalter, CRCM, CRP

There are changes that arrived with the new year of 2024 to Home Mortgage Disclosure Act (HMDA) compliance for banks and thrifts in many areas. No, the Consumer Financial Protection Bureau (CFPB) is not repealing Regulation C or adding more detail to the required data we collect and report. The existing rule is still in place. 

The changes we will look at here are driven by the decennial (every 10 years) adjustments by the Office of Management and Budget (OMB) to geographic units used by the federal government, including the Census Bureau, for statistical purposes. The particular geographic units that impact bank and thrift HMDA compliance are Metropolitan Statistical Areas (MSAs) since they are a qualifying location factor for lenders in determining HMDA coverage. 

The OMB’s changes will also have possible effects on bank and thrift compliance with the Community Reinvestment Act (CRA) in the drawing of institutional CRA “assessment areas.” 

These latest changes were effective when issued by OMB – July 21, 2023 – so they can impact 2024 HMDA coverage. 

OMB Action 

The OMB completed a process of delineating Core Based Statistical Areas (CBSAs) based on 2020 Census data and the American Community Survey and Census Population Estimates Program for 2020 and 2021. A CBSA is a geographic entity associated with at least one core of 10,000 or more population, plus adjacent territory that has a high degree of social and economic integration with the core as measured by commuting ties. The standards designate and delineate two categories of CBSAs: Metropolitan Statistical Areas and Micropolitan Statistical Areas.  

The general concept of a metropolitan statistical area is that of an area containing a large population nucleus and adjacent communities that have a high degree of integration with that nucleus. The concept of a micropolitan statistical area closely parallels that of the metropolitan statistical area, but a micropolitan statistical area features a smaller nucleus. The purpose of these statistical areas is unchanged from when metropolitan areas were first delineated: The classification provides a nationally consistent set of delineations for collecting, tabulating, and publishing federal statistics for geographic areas. 

The new delineations are found in OMB Bulletin 23-01 at https://www.whitehouse.gov/wp-content/uploads/2023/07/OMB-Bulletin-23-01.pdf 

HMDA Coverage 

Regulation C covers any “financial institution,” as defined by the regulation and its underlying HMDA statute. “Financial institution” means, in part, a bank, savings association, or credit union that: 

  • On the preceding December 31, had assets in excess of the asset threshold established and published annually by the CFPB for coverage by HMDA, based on the year-to-year change in the average of the Consumer Price Index for Urban Wage Earners and Clerical Workers, not seasonally adjusted, for each 12-month period ending in November, rounded to the nearest million – $56 million for 2024 HMDA coverage 
  • On the preceding December 31, had a home or branch office in a Metropolitan Statistical Area (MSA) [Micropolitan Statistical Areas have no HMDA impact.] 
  • In the preceding calendar year, originated at least one home purchase loan (excluding temporary financing such as a construction loan) or refinancing of a home purchase loan, secured by a first lien on a one-to four-family dwelling, and 
  • Meets one or more of the following two criteria: is federally insured or regulated; or the mortgage loan referred to in the previous bullet was insured, guaranteed, or supplemented by a federal agency or was intended for sale to Fannie Mae or Freddie Mac
  • Meets at least one of the following criteria in each of the two preceding calendar years: originated at least 25 closed-end mortgage loans that are not excluded by §1003.3(c)(1) through (10) or (c)(13), or originated at least 200 open-end lines of credit that are not excluded by the cited section of Regulation C 

There are also similar qualification criteria for for-profit mortgage lenders that are not banks, thrifts, or credit unions, which we will not detail here. 

The qualification criterion impacted by OMB’s action is the geographic one, the second bullet above. If a financial institution that otherwise meets HMDA coverage criteria has an office in an MSA on December 31, then it is covered by HMDA for the following year. For many lenders, determining HMDA coverage is a one-time exercise (other than those who are right around the asset-size threshold). 

Ohio MSA Changes 

I will use my native Ohio as an example of what the MSA changes mean to banks and thrifts and their compliance with HMDA requirements. 

Three counties in Ohio were shuffled into Metropolitan Statistical Areas in this latest OMB action – one being added to an existing MSA and two comprising a new MSA. No Ohio counties were removed this time from MSAs in which they were formerly included. 

Ashtabula County has been added to the Cleveland MSA. Erie and Ottawa counties have been included in the new Sandusky MSA. 

There were also some changes in non-Ohio parts of MSAs that include other Ohio counties. Lenders in the Cincinnati, Huntington-Ashland, and Youngstown-Warren MSAs should look for these additions and deletions of neighboring states’ counties. 

All the details of the new Ohio geographic delineations can be found in the OMB Bulletin mentioned above. The list of MSAs and micropolitan statistical areas by state is in List 6 (with Ohio on pages 168-169) of the OMB Bulletin, while five additional lists in the bulletin give other breakdowns of the geographic delineations, including the counties included in each. 

HMDA Impact 

In 2023, there was no impact for HMDA reporting because the new MSA delineations were not in effect on December 31, 2022. 

However, they were in effect December 31, 2023, which has the following impacts: 

  • Banks and thrifts with offices in Ashtabula, Erie, and Ottawa counties, and in no other MSA counties, now have to begin collecting HMDA data January 1, 2024, and make their first reports of that data by March 1, 2025.
  • Unlike 10 years ago, there are no banks and thrifts whose offices in Ohio counties have made them subject to HMDA reporting (i.e., no offices in other MSA counties) that will no longer have to collect HMDA data beginning in 2024. (Note that such banks would still be obligated to report their 2023 HMDA data by March 1, 2024.) 

If your institution has an office in any of the counties affected by the MSA changes, be sure to review how this action affects your HMDA compliance beginning in 2024. 

CRA Impact 

MSAs affect the CRA compliance efforts of banks and thrifts, too. They come into play in drawing up an institution’s CRA assessment area (AA), as well as in the small business and small farm lending disclosure statements prepared by regulators annually for institutions reporting their data (all except for “small” retail banks and thrifts).  

The CRA rules require that an institution’s CRA AA consist generally of one or more MSAs or metropolitan divisions – using the MSA or metropolitan divisions boundaries that were in effect as of January 1 of the calendar year in which the delineation is made – or one or more contiguous political subdivisions e.g., counties, cities, or towns). 

A CRA AA may not extend substantially beyond an MSA boundary or beyond a state boundary unless the assessment area is located in a multistate MSA. If a bank or thrift serves a geographic area that extends substantially beyond a state boundary, the bank must delineate separate AAs for the areas in each state. If a bank or thrift serves a geographic area that extends substantially beyond an MSA boundary, it must delineate separate AAs for the areas inside and outside the MSA. 

The regulators prepare annually, for each MSA and the nonmetropolitan portion of each state, an aggregate disclosure statement of small business and small farm lending by all institutions subject to reporting of that data (all except “small” retail banks and thrifts). 

Therefore, the redrawn MSA boundaries might have an impact on your institution’s CRA compliance. Each bank and thrift with the affected counties in its CRA AA should review its delineation to make sure that the changes do not require an adjustment to those delineations. If any adjustments are needed, they should be made by April 1 – when any updating of CRA public files must be accomplished (including the map of your CRA AA).  

Links 

This OMB Bulletin provide the six lists of statistical areas that are available electronically at the link stated above or from the OMB website at https://www.whitehouse.gov/omb/information-for-agencies/bulletins/.  This update, historical delineations, and other information about population statistics are available on the Census Bureau’s website at https://www.census.gov/programs-surveys/metro-micro.html.

Young & Associates: Your Trusted Partner in Regulatory Compliance

In navigating the intricacies of HMDA and CRA compliance, Young & Associates stands ready to support community banks and credit unions. Our regulatory compliance consulting services ensure a seamless adherence to evolving regulations. Stay ahead with Young & Associates – your trusted partner in compliance excellence. Contact us today for tailored solutions that empower your financial institution.

Connect with a Consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution

Ask a Question