
Author: admin

Young & Associates graduates from prestigious Scalerator® program

July 24, 2024 – Cleveland, Ohio – Young & Associates (Y&A) is proud to announce the successful completion of the renowned Scalerator® program. Jerry Sutherin, CEO; Joanne Sutherin; Michael Gerbick, President; Ollie Sutherin, CFO; Nicole Conrad, Director of Marketing; and Clarissa Sinchak, Director of Human Resources, have graduated from the intensive program. The program aims to help accelerate Y&A’s revenue growth, profitably and sustainably.

Implementing Scalerator® Principles

Since January 2024, the Y&A leadership team has been diligently working under the guidance of the Scalerator® program. The company focused on the three critical elements of scaling up – Customers, Capacity and Cash. On July 24th, they presented their ScalePlan at MAGNET in Cleveland, Ohio, detailing their strategies for achieving and sustaining growth in the coming years.

“The Scalerator® program has provided us with invaluable insights and tools to drive our growth objectives,” said Jerry Sutherin, CEO of Young & Associates. “Our primary focus has always been to help community financial institutions ensure sustainability while achieving their strategic goals. We are excited to implement these new concepts to enhance our support for our clients.”

About the Scalerator® Program

The Scalerator® program is a proven, results-driven initiative designed to help entrepreneurial leaders rapidly and sustainably grow their businesses. The program consists of a unique blend of proprietary tools, frameworks, team exercises, and faculty-led discussions that have propelled nearly 400 companies into new growth trajectories. Participants from Scalerator® NEO have reported transformative impacts on their businesses, newfound growth opportunities, and enhanced resilience.

A world-class team of practitioner-academics leads the program. These individuals have experience growing companies and have taught scaling strategies at prestigious institutions such as Harvard, Columbia and Babson. The Scalerator® NEO program was brought to Northeast Ohio in 2017 by the Burton D. Morgan Foundation and the Richard J. Fasenmyer Foundation and continues to be supported because of its success. Scalerator® NEO is a highly competitive and sought-after program that is offered at no cost to selected companies.

Young & Associates looks forward to implementing Scalerator® principles across the organization to drive sustained growth in the years ahead. By passing on these principles to its clients, Y&A aims to further assist community financial institutions in ensuring sustainability while achieving their strategic goals.

For more information about Young & Associates and their participation in the Scalerator® program, please contact:

Nicole Conrad
Director of Marketing
Young & Associates
Email: nconrad@younginc.com

About Young & Associates: Young & Associates, Inc. is a leading provider of consulting, education, and outsourcing services to community financial institutions nationwide. Founded in 1978, the firm offers expertise in a wide range of services including risk management, strategic planning, regulatory compliance, and more.

About Scalerator®: Scalerator® is a rigorous, cohort-based program designed to help entrepreneurial leaders quickly, profitably, and sustainably grow their businesses. Since its inception, Scalerator has facilitated the growth of nearly 400 companies worldwide through its unique approach combining academic insights and practical business strategies.

CRE stress testing for banks: A crucial tool in a post-COVID world

By Jerry Sutherin, CEO at Young & Associates

Despite having limited requirements as defined by interagency guidance, the case can be made for requiring community financial institutions to have regular stress tests performed on their commercial real estate loan portfolios.

Emerging challenges in commercial real estate lending

Recent post-COVID events have heightened regulators’ concern about commercial real estate. Most notably, interest rates increased 525 bps from March 2022 through July 2023. This correlates with the level of commercial loan delinquencies over that same period, as noted in the chart below. The situation is further exacerbated by the “work from home” culture and by office vacancies increasing over the same period.

The ultimate impact on the commercial real estate sector is weaker NOIs, coverage ratios that are insufficient to meet loan covenants, higher Cap Rates and lower valuations. For those loans locked into a lower rate, the issue now becomes: what happens when loans mature or reset? That is occurring now.

CRE Composition and Delinquency at US Banks Chart - S&P Global

Regulatory expectations for bank stress testing

Regulatory expectations for community bank stress testing initiatives have been set in both formal regulatory guidance and through more informal publications and statements. An interagency statement was released in May 2012 to provide clarification of supervisory expectations for stress testing by community banks.[1]

The issuance specifically stated that community banks are not required or expected to conduct the types of enterprise stress tests specifically articulated for larger institutions in rules implementing Dodd-Frank stress testing requirements, the agencies’ capital plan for larger institutions, or as described in interagency stress testing guidance for organizations with more than $10 billion in total consolidated assets.

OCC guidance on stress testing practices

However, in October 2012, the OCC provided additional guidance to banks on using stress testing to identify and quantify risk in the loan portfolio and to help establish effective strategic and capital planning processes.[2] The guidance reiterated that complex, enterprise-wide stress testing is not required of community banks. It also states that some stress testing of loan portfolios by community banks is considered to be an important part of sound risk management.

In the guidance, the OCC does not endorse a particular stress testing method for community banks; however, the guidance also discusses common elements that a community bank should consider, including asking plausible “what if” questions about key vulnerabilities; making a reasonable determination of how much impact the stress event or factor might have on earnings and capital; and incorporating the resulting analysis into the bank’s overall risk management process, asset/liability strategies, and strategic and capital planning processes.

The OCC bulletin also provides a simple example of a stress testing framework for community banks. In the summer of 2012, the FDIC also provided further guidance related to community bank stress testing in the Supervisory Insights Summer Edition.[3]

Interagency guidance on commercial real estate risk

Perhaps the most significant piece of guidance related to loan portfolio stress testing for community banks is the 2006 interagency Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices.[4] The continuing importance of and regulatory emphasis on this guidance was made clear in December 2015 when the interagency Statement on Prudent Risk Management for Commercial Real Estate Lending[5] was released, which reiterated the importance of the principles described in the 2006 CRE Guidance.

The 2006 CRE Guidance describes several important practices for effectively managing the risks associated with CRE lending, especially concentration risk. Portfolio stress testing of the CRE portfolio is described as a critical risk management tool for institutions with CRE concentrations.

Examiner expectations for portfolio-level stress testing

While community banks have not been pushed to perform the enterprise-wide stress testing that the above guidance specifically states is not expected of them, examiner expectations for portfolio-level loan stress tests have continued to increase over time and are becoming more prevalent during a bank’s recurring exams. These expectations are centered on portfolios that represent significant concentrations and, given the perceived level of risk and the existence of the 2006 CRE Guidance, are therefore most focused on CRE portfolios.

A reasonable and well-documented approach to CRE portfolio stress testing, undertaken at appropriately frequent intervals such as on an annual basis, is the most effective way for community banks to meet examiner expectations and to contribute toward effective risk management of CRE concentrations.

Regulatory criteria for CRE concentration risk

The guidance also states that strong risk management practices (with stress testing being one of the most important) and appropriate levels of capital are important elements of a sound CRE lending program, particularly when an institution has a concentration in CRE loans. It then lays out the criteria regulatory agencies utilize as a preliminary means of identifying institutions that are potentially exposed to significant CRE concentration risk:

  1. Total reported loans for construction, land development, and other land represent 100% or more of total capital, or
  2. Total commercial real estate loans (as described above) represent 300% or more of the institution’s total capital, and the outstanding balance of the CRE portfolio has increased by 50% or more during the prior 36 months.

Concentration Levels Chart

The guidance is clear that these thresholds do not constitute limits on an institution’s lending activity and are instead intended to function as a high-level indicator of institutions potentially exposed to CRE concentration risk. Conversely, being below these thresholds also does not constitute a “safe harbor” for institutions if other risk indicators are present such as poor underwriting or poor performance metrics such as deteriorating risk rating migration and delinquency.

Case study: Loan portfolio concentration levels

As noted in the example above, the figures indicate that the bank does not have a high level of construction and land development loans, as the balances do not exceed the 100% threshold level as a percentage of total capital. However, the Bank has exceeded the 300% threshold of non-owner-occupied real estate loans as calculated under the 2006 CRE Guidance. Additionally, the Bank’s three-year growth rate in this category was 72.7%, which is greater than the 50% reference level that constitutes the second part of the two-part regulatory test for a heightened concentration in this category.
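The two-part concentration screen described above, as an added worked example (this is not the article’s own calculation, and the balances are constructed to reproduce a 72.7% three-year growth figure like the case study, not taken from the chart):

```python
"""CRE concentration screen from the 2006 interagency guidance.

Added example: applies the two preliminary criteria the guidance uses to
identify institutions potentially exposed to CRE concentration risk.
  1. construction, land development and other land loans >= 100% of total capital, or
  2. total CRE loans >= 300% of total capital AND >= 50% growth over the prior 36 months.
All dollar figures below are constructed sample values (in millions).
"""
from dataclasses import dataclass

CLD_THRESHOLD = 1.00     # 100% of total capital
CRE_THRESHOLD = 3.00     # 300% of total capital
GROWTH_THRESHOLD = 0.50  # 50% growth over the prior 36 months


@dataclass
class Snapshot:
    total_capital: float
    cld_loans: float           # construction, land development and other land
    total_cre_loans: float     # total CRE as calculated under the guidance
    total_cre_36m_ago: float   # same category three years earlier
    # Note: the guidance draws no distinction between organic and acquired
    # growth, so acquired CRE loans are simply included in the balances above.


def cld_ratio(s: Snapshot) -> float:
    if s.total_capital <= 0:
        raise ValueError("total capital must be positive")
    return s.cld_loans / s.total_capital


def cre_ratio(s: Snapshot) -> float:
    if s.total_capital <= 0:
        raise ValueError("total capital must be positive")
    return s.total_cre_loans / s.total_capital


def cre_growth_36m(s: Snapshot) -> float:
    """Growth in the CRE balance over the prior 36 months, as a fraction."""
    if s.total_cre_36m_ago <= 0:
        # No prior balance: treat as infinite growth so the ratio test decides.
        return float("inf")
    return s.total_cre_loans / s.total_cre_36m_ago - 1.0


def concentration_screen(s: Snapshot) -> dict:
    """Return the ratios and which, if any, of the two criteria is met.

    The thresholds are indicators, not lending limits, and staying below
    them is not a safe harbor; the raw ratios are returned so they can be
    weighed alongside underwriting and performance metrics.
    """
    cld = cld_ratio(s)
    cre = cre_ratio(s)
    growth = cre_growth_36m(s)
    cld_flag = cld >= CLD_THRESHOLD
    cre_flag = cre >= CRE_THRESHOLD and growth >= GROWTH_THRESHOLD
    return {
        "cld_ratio": cld,
        "cre_ratio": cre,
        "cre_growth_36m": growth,
        "cld_criterion_met": cld_flag,
        "cre_criterion_met": cre_flag,
        "potential_concentration": cld_flag or cre_flag,
    }


# Constructed sample bank: CLD well under 100%, CRE at 345% with 72.7% growth.
SAMPLE_BANK = Snapshot(total_capital=50.0, cld_loans=35.0,
                       total_cre_loans=172.7, total_cre_36m_ago=100.0)

if __name__ == "__main__":
    for key, value in concentration_screen(SAMPLE_BANK).items():
        print(f"{key:>24}: {value}")
```

Run as a script to print the screen for the sample bank; the second criterion is met only when both the 300% ratio and the 50% growth test hold, which is why the function returns both numbers rather than a single flag.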

Impact of loan acquisitions

It should also be noted that regulatory guidance does not differentiate between organic growth and commercial real estate growth via acquisition. Therefore, all such acquired loans affect the ratios noted in the concentration chart above.

Loss estimation in bank stress testing

The basic premise of any stress test modeling is to identify moderate and high loss estimates and then look at the impact on capital, both on a loan-level basis and portfolio-wide. While some community banks perform some stress testing on a transactional basis at origination, the output is typically limited to scenarios that focus primarily on future interest rate fluctuations.

CRE stress test modeling, on the other hand, allows for an organization to gauge potential losses of the CRE portfolio using internal core loan-level data as well as call report data while factoring in other variables that could influence the ultimate collectability of commercial real estate loans.

Loan-level or bottom-up stress testing

The bottom-up or loan-level portion of the stress test estimates losses under the stress scenarios on a loan-by-loan basis. The loan selection is typically a function of the desired penetration identified by the organization. It is composed mostly of larger transactions with a sampling of newer originations and adversely risk-rated transactions.

In this portion of the analysis, various stress factors are applied to the NOI, collateral value, and interest rate for each loan identified by the Bank. This information, coupled with the transaction’s debt service coverage, liquidation costs and Cap Rates, helps form a possible loan-level loss for each loan in the moderate and high-risk scenarios.

Top-down stress testing

To ensure that the entire CRE portfolio is stressed, a useful model would use a top-down loss estimation method to “fill in” losses on the remaining portfolio for which loan-level information was not provided. This is accomplished by comparing the total balances for which loan-level data was provided in each of the various categories (construction and land development, multifamily, and all other non-owner occupied CRE) to the Bank’s call report. Losses are estimated on the amount of exposure for which loan-level information was not provided by applying a top-down loss rate.

The Moderate and High Stress Scenarios below are determined by applying the loss rates included in the stress test example in the 2012 OCC guidance on community bank stress testing. These loss rates represent two-year loss rates, consistent with the OCC’s stress testing guidance.

Top-Down Loss Rates Chart
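The combined loan-level (bottom-up) and top-down loss estimate described in the preceding sections, as an added worked example. This is not the article’s or Young & Associates’ model, and the loan data, stress factors and loss rates are constructed for illustration; in particular the top-down rates are placeholders, not the loss rates from the 2012 OCC example. The default rule (a loan whose stressed DSCR falls below 1.0 is resolved through collateral liquidation) is an assumption of this example.

```python
"""Bottom-up plus top-down CRE portfolio stress loss estimate (added example).

Structure follows the article: stress NOI, interest rate and collateral value
on each sampled loan, then "fill in" the exposure without loan-level data in
each call-report category with a top-down loss rate. All figures are
constructed; the loss rates are placeholders, not the OCC's published rates.
"""
from dataclasses import dataclass


@dataclass
class Loan:
    loan_id: str
    category: str          # "cld", "multifamily" or "other_nooc"
    balance: float
    noi: float             # annual net operating income
    rate: float            # current note rate
    years_remaining: int   # remaining amortization term
    cap_rate: float        # cap rate from the last appraisal


@dataclass
class Scenario:
    name: str
    noi_haircut: float       # fraction of NOI lost
    rate_shock: float        # added to the note rate at maturity/reset
    cap_rate_shock: float    # added to the cap rate (lowers value)
    liquidation_cost: float  # fraction of stressed value lost on disposition
    top_down_rates: dict     # two-year loss rate per category for unsampled exposure


def annual_debt_service(balance: float, rate: float, years: int) -> float:
    """Level annual payment on a fully amortizing loan."""
    if rate == 0:
        return balance / years
    return balance * rate / (1 - (1 + rate) ** -years)


def stress_loan(loan: Loan, sc: Scenario) -> tuple:
    """Return (stressed DSCR, estimated loss) for one loan.

    Assumption: if stressed DSCR < 1.0 the loan cannot be serviced and is
    resolved by selling the collateral at its stressed (income-approach) value
    net of liquidation costs.
    """
    noi = loan.noi * (1 - sc.noi_haircut)
    debt_service = annual_debt_service(loan.balance, loan.rate + sc.rate_shock,
                                       loan.years_remaining)
    dscr = noi / debt_service
    if dscr >= 1.0:
        return dscr, 0.0
    stressed_value = noi / (loan.cap_rate + sc.cap_rate_shock)
    recovery = stressed_value * (1 - sc.liquidation_cost)
    return dscr, max(0.0, loan.balance - recovery)


def top_down_losses(loans: list, call_report: dict, sc: Scenario) -> dict:
    """Loss on the balance in each category NOT covered by loan-level data."""
    sampled = {}
    for ln in loans:
        sampled[ln.category] = sampled.get(ln.category, 0.0) + ln.balance
    losses = {}
    for cat, total in call_report.items():
        uncovered = max(0.0, total - sampled.get(cat, 0.0))
        losses[cat] = uncovered * sc.top_down_rates[cat]
    return losses


def run_stress(loans: list, call_report: dict, capital: float, sc: Scenario) -> dict:
    """Combine both layers and express the total as an impact on capital."""
    bottom_up = sum(stress_loan(ln, sc)[1] for ln in loans)
    top_down = sum(top_down_losses(loans, call_report, sc).values())
    total = bottom_up + top_down
    return {"scenario": sc.name, "bottom_up": bottom_up, "top_down": top_down,
            "total": total, "capital_after": capital - total,
            "capital_impact": total / capital}


# Constructed sample data: two sampled loans, no loan-level data for CLD.
LOANS = [
    Loan("A", "other_nooc", 4_000_000, 440_000, 0.050, 20, 0.07),
    Loan("B", "multifamily", 3_000_000, 240_000, 0.045, 25, 0.06),
]
CALL_REPORT = {"cld": 10_000_000, "multifamily": 20_000_000, "other_nooc": 40_000_000}
CAPITAL = 30_000_000
MODERATE = Scenario("moderate", 0.10, 0.02, 0.01, 0.10,
                    {"cld": 0.08, "multifamily": 0.03, "other_nooc": 0.05})
HIGH = Scenario("high", 0.25, 0.03, 0.02, 0.15,
                {"cld": 0.15, "multifamily": 0.06, "other_nooc": 0.10})

if __name__ == "__main__":
    for sc in (MODERATE, HIGH):
        r = run_stress(LOANS, CALL_REPORT, CAPITAL, sc)
        print(f"{r['scenario']:>8}: bottom-up {r['bottom_up']:>12,.0f}  "
              f"top-down {r['top_down']:>12,.0f}  impact {r['capital_impact']:.1%}")
```

In the sample, loan A survives the moderate scenario but defaults in the high one, loan B defaults in both, and the CLD category is covered entirely by the top-down rate because no loan-level data was supplied for it; the `capital_impact` figure is what would be reported to management and the board as the estimated hit to capital.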

Enhancing portfolio oversight and credit risk management

Collectively, the “bottom-up (loan level)” and “top-down” moderate and high stress scenarios provide a global overview of a bank’s CRE portfolio and its potential impact on capital. This is not a replacement for an enterprise-wide stress test. However, it allows a bank to provide its management, board of directors and regulators with some context for the estimated losses in this segment of its loan portfolio. It also serves as an effective supplement to its internal or third-party loan review.

Historically speaking, any situation in which significant weakness is experienced in critical market and economic factors will result in credit losses elevated above those a bank experiences in “normal” times, particularly if the bank is unprepared. There is no replacement for appropriate credit administration; however, all banks should always utilize tools such as stress testing to enhance their oversight of the metrics behind their CRE portfolio.

A financial institution’s performance, and ultimately its ongoing safety and soundness, depends on the performance of its CRE portfolio. It is critical that management and the board of directors ensure that the bank emphasizes effective implementation of the risk management elements discussed in the 2006 CRE Guidance. These elements include:

  • Continued effective board and management oversight,
  • Effective portfolio management,
  • Ensuring that management information systems are able to provide the information necessary for effective risk management,
  • Performing periodic market analysis and stress testing,
  • Regularly evaluating the appropriateness of credit underwriting standards, and
  • Maintaining an effective credit risk review function.

If a financial institution is successful in these endeavors, their CRE loan portfolio should continue to contribute positively to their performance. Accordingly, I am a proponent of all community financial institutions having a stress test performed regularly. This helps to ensure the performance of that segment of their loan portfolio as well as the entire organization.

Partner with Young & Associates for expert CRE stress testing

Navigating the complexities of commercial real estate stress testing can be challenging, especially with evolving regulatory expectations and economic uncertainties. At Young & Associates, we offer specialized CRE and Ag portfolio stress testing services designed to address these very challenges. With over 45 years of experience, our team understands the intricacies of regulatory guidance. We can provide your community bank with the insights needed to enhance strategic and capital planning.

Our proven stress testing model assesses the potential impacts of adverse economic conditions. This helps you manage risk effectively and comply with regulatory expectations. We provide actionable insights to guide your loan product design and underwriting standards. This eases the burden of stress testing and supports your institution’s resilience.

Choose Young & Associates for a partnership that combines deep industry knowledge with a commitment to excellence. Let us help you stay ahead of regulatory demands and strengthen your CRE portfolio management. Reach out to us now to schedule a consultation.

[1] FDIC, PR 54-2012, Statement to Clarify Supervisory Expectations for Stress Testing by Community Banks. May 14, 2012.

[2] OCC Bulletin 2012-33, Community Bank Stress Testing: Supervisory Guidance. October 18, 2012.

[3] FDIC Supervisory Insights, 9(1). Summer 2012.

[4] FDIC FIL-104-2006, OCC Bulletin 2006-46, FRB SR 07-1, Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices. December 12, 2006.

[5] FDIC FIL-62-2015, OCC Bulletin 2015-51, FRB SR 15-17, Statement on Prudent Risk Management for Commercial Real Estate Lending. December 18, 2015.


The rising need for virtual chief information security officers

By Mike Detrow, CISSP, Director of IT & IT Audit, and Noah Lennon, CISA, Consultant, Young & Associates

Emerging trends in technologies, such as cloud computing and artificial intelligence, have significantly increased the complexity of the IT environments at community financial institutions. This has led to heightened regulatory requirements and demands for increased compliance efforts from an already stressed internal staff. Even the most skilled internal staff may find it challenging to manage the increased workload of running the information security program, IT audits, and regulatory risk, which can lead to repercussions from regulators or to security incidents.

For many, the need for dedicated information security management is abundantly clear, but affording and finding dedicated professionals in their communities is not an easy task. While you may already be using the services of a managed services provider (MSP) that may provide some support in this area, most MSPs are focused on IT infrastructure rather than information security programs. Virtual Chief Information Security Officers (vCISOs) are growing in popularity as a solution to this problem, as they offer numerous benefits over a dedicated ISO that go beyond cost savings.

Key benefits of virtual chief information security officer services for financial institutions

Some of the benefits that a vCISO can provide include:

Document templates

vCISOs maintain templates for documents such as policies, incident response plans, business continuity and disaster recovery plans, or can simply provide recommendations for enhancements of existing documents. Additionally, vCISOs have exposure to a breadth of policies across the many clients using their services, which allows constant improvements to the financial institution’s own policies and documentation.

Audit/exam preparation

vCISOs can help financial institutions prepare for an audit or exam by making sure that documentation is kept up to date and can help with the documentation gathering process to make sure it is well organized when it is provided to the regulator or auditor. vCISOs are also aware of recent audit/exam findings received by other clients and can help prevent your financial institution from receiving these same findings by addressing the identified issues prior to your next audit/exam.

Routine tasks

vCISOs know the activities that need to be completed each year and can skillfully lead them. These activities include vendor reviews, user access reviews, employee and board training, policy revisions and approvals, strategic planning, end of life monitoring, IT steering committee meetings, and more.

Security monitoring

vCISOs can help to verify that appropriate security controls are implemented for the financial institution’s information systems, ensure that appropriate logging is configured, and help to monitor logs and alerts to detect and investigate security events.

Vendor contacts

vCISOs work with a variety of vendors in the financial industry and can attest to their quality of work, which can assist the financial institution in choosing quality service providers. Leveraging existing rapport between the vCISO and service providers enables smoother transitions between vendors and clarity in the expectations for the relationship.

Plan testing exercises

vCISOs routinely help their clients perform business continuity and incident response tests, so they already have testing scripts that make the testing process more efficient and productive. vCISOs can also help to ensure that teams appropriately document these tests for regulatory compliance and board reporting.

Incident response

vCISOs may have experience in responding to incidents that their other clients have experienced. You can use this knowledge to implement controls that help prevent an incident at your financial institution or allow you to respond more efficiently if you experience one.

Selecting the right virtual chief information security officer

So now that you are considering the idea of hiring a vCISO, how do you know what to look for? To help with this process, we have identified some of the criteria that you should consider when selecting a vCISO.

Industry expertise and regulatory understanding

One of the first characteristics to look for is a partner that focuses exclusively on financial institutions, or at a minimum has a division with this focus and understands the specific regulatory requirements from the FFIEC and your specific regulatory agency. While some firms may claim to cover all industries, there are differences in the regulatory requirements for various industries and you need a partner that truly understands the requirements that you must meet. In addition, while many financial institutions may share similarities, they also differ in available local providers, customer demands, regulators, technology, and complexity, so you need to make sure your partner customizes their processes and deliverables with flexibility to meet your specific needs.

Proactive approach and value addition

A vCISO should also provide value by regularly introducing new ideas to enhance the information security program, strengthen the security culture, and improve efficiency in routine processes. You should not need to continuously ask your partner for recommendations for improvements.

Integrated documentation systems

Another consideration is how the vCISO maintains documentation. While some smaller and less complex institutions may do okay with multiple standalone documents and spreadsheets, you can save time and ultimately money, and limit the potential for errors as you update data, by using an integrated system to share data for various purposes such as the information security risk assessment, vendor risk assessment and business continuity plan.

Maintaining service quality

One potential concern with using a vCISO is that, unlike a CISO employed by the financial institution, vCISOs have multiple clients and may be less loyal to your financial institution than a full-time employee. To avoid potential issues associated with this type of relationship, just as with any other vendor, you must perform appropriate due diligence and continuously monitor your vCISO to ensure that they are providing an acceptable level of service for your institution.

The strategic value of virtual chief information security officer services

In closing, not only can vCISOs help financial institutions meet regulatory and technological goals without the costs associated with a full-time employee, they also bring a broad range of prior experience from working with multiple financial institutions. If you are struggling to stay on top of increasing technologies and related regulations, a vCISO can be an invaluable resource in ensuring your financial institution is successful.

Your trusted IT consulting partner

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services tailor solutions to help you navigate the complexities of technology while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs.

Internal audit: Your third line of defense in third-party risk management

By Jeanette McKeever, CCBIA, director of internal audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements and maintain competitive edges. However, these relationships introduce various types of risk, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor and control risks while achieving strategic goals.

Understanding third-party risk in banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The role of internal audit in third-party risk management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.

Leveraging internal audit to improve third-party risk controls

Internal audit can contribute significantly to managing third-party risks through various areas:

  • Pinpointing critical contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
  • Assessing risk management programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
  • Reviewing compliance with governance standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
  • Evaluating and improving risk controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
  • Facilitating informed decision-making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
  • Assessing performance and identifying opportunities: They review global third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating internal audit into third-party risk management strategies

1. Independent vendor risk assessment and identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor due diligence and selection oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not yet a prevalent practice in community banks and credit unions, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract management and compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

  1. Auditing the overall contract management process.
  2. Reviewing active contracts with critical vendors.

Auditing the contract management process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing active contracts with critical vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing monitoring and reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence. This enables informed decision-making and ensures that effective internal controls are in place.

5. Internal audit collaboration with risk management functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information. This allows both to leverage each other’s abilities and tools. By working closely with risk, compliance and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used. It offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a robust third-party risk management framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable. It requires them to adjust the principles based on the size, scope and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

  • Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
  • Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
  • Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
  • Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
  • Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-based internal audit for financial institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network. This helps to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes. We offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.

For more information on how Young & Associates can support your internal audit needs, click here.

Upcoming Nacha Rule changes in 2026: What you need to know

By Mindy Shadoin, Consultant, Young & Associates

On March 15, 2024, Nacha announced significant updates to ACH (Automated Clearing House) Rules, aimed at enhancing fraud management and improving the recovery of funds. These updates are set to roll out in phases, with some changes effective as early as June 2024 and others beginning March 20, 2026. This article summarizes the key changes that will take effect in 2026, providing a concise overview of what community financial institutions need to know.

Key Nacha changes effective March 2026

The changes effective March 20, 2026, are designed to address fraud more effectively and enhance the recovery of funds when fraud occurs. Therefore, institutions must adapt to these new rules to comply with regulatory requirements and improve their fraud detection and management practices.

Fraud monitoring (Phase 1)

Who’s Affected: Originating Depository Financial Institutions (ODFIs) and each Non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume of six million or greater in 2023.

Requirements: Institutions must implement risk-based processes for ACH entry fraud detection and review these processes annually. The final rule emphasizes specific process requirements over the previous “commercially reasonable” standard.

Reason: The amendment is designed to cut down on fraud. By regularly monitoring for fraud, institutions can create a baseline of normal activity, which makes it easier to spot unusual or suspicious behavior.

RDFI ACH credit monitoring

Who’s Affected: Receiving Depository Financial Institutions (RDFIs) with annual ACH receipt volumes of 10 million or more in 2023.

Requirements: RDFIs must develop fraud detection systems for incoming credit entries, using a risk-based approach to monitor transaction patterns and account anomalies.

Reason: The rule aims to decrease successful fraud and improve the recovery of funds in case of fraud. Also, it supports an institution’s regulatory duty to monitor suspicious transactions. Additionally, it promotes better communication between compliance, operations, product management, and relationship staff.

New definitions and descriptions

False pretenses

The updated rules introduce the term “False Pretenses,” which refers to fraud involving misrepresentations of identity, authority, or account ownership. This definition aims to cover common fraud scenarios like Business Email Compromise (BEC) and vendor impersonation, enhancing clarity in handling such cases.

Standard company entry description: payroll

Effective March 20, 2026, regardless of ACH volume, all Prearranged Payment and Deposit Entry (PPD) Credits for wages and similar compensation must include the description “PAYROLL” in the Company Entry Description field. This standardization will help RDFIs better identify payroll-related transactions and prevent fraud associated with payroll redirections.

Standard company entry description: purchase

Effective March 20, 2026, regardless of ACH volume, this amendment requires that e-commerce purchases use the description “PURCHASE” in the Company Entry Description field. This change will help differentiate e-commerce transactions and prevent misclassification of transactions.
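As an added illustration of the two description standards above (example code, not from Nacha or Young & Associates), the following Python checks batch header records for the “PAYROLL” and “PURCHASE” values from both sides: the ODFI check runs before a file is transmitted, and the RDFI check identifies inbound payroll batches by the standard description. It relies on the standard Nacha batch header field positions; the company names, company IDs, routing prefix and the purpose tag attached to each batch are constructed for this example (an originator would take the purpose from its own records, since the ACH file itself does not state what a batch is for).

```python
from __future__ import annotations

from dataclasses import dataclass

# Field positions on the 94-character Nacha batch header record (record type
# code "5"), as Python slices of the 1-based positions in the file format:
# service class code 2-4, company name 5-20, company identification 41-50,
# SEC code 51-53, company entry description 54-63, batch number 88-94.
SERVICE_CLASS_CODE = slice(1, 4)
COMPANY_NAME = slice(4, 20)
COMPANY_ID = slice(40, 50)
SEC_CODE = slice(50, 53)
COMPANY_ENTRY_DESCRIPTION = slice(53, 63)
BATCH_NUMBER = slice(87, 94)

CREDITS_ONLY = "220"   # service class code: credit entries only
MIXED = "200"          # service class code: mixed debits and credits

# Standard descriptions required from March 20, 2026, keyed by the batch
# purpose tag kept in the originator's own system (assumed for this example).
STANDARD_DESCRIPTIONS = {"payroll": "PAYROLL", "ecommerce": "PURCHASE"}


@dataclass
class BatchHeader:
    service_class_code: str
    company_name: str
    company_id: str
    sec_code: str
    entry_description: str
    batch_number: str


def parse_batch_header(line: str) -> BatchHeader:
    """Split one fixed-width batch header record into its fields."""
    if len(line) != 94 or line[0] != "5":
        raise ValueError("expected a 94-character record with type code 5")
    return BatchHeader(
        service_class_code=line[SERVICE_CLASS_CODE],
        company_name=line[COMPANY_NAME].strip(),
        company_id=line[COMPANY_ID].strip(),
        sec_code=line[SEC_CODE],
        entry_description=line[COMPANY_ENTRY_DESCRIPTION].strip(),
        batch_number=line[BATCH_NUMBER],
    )


def check_standard_description(header: BatchHeader, purpose: str) -> list[str]:
    """ODFI-side check before transmission: a batch the originator tagged as
    payroll or e-commerce must carry the standard Company Entry Description.
    Returns a list of findings; an empty list means the batch conforms."""
    findings: list[str] = []
    expected = STANDARD_DESCRIPTIONS.get(purpose)
    if expected is None:  # no standard description applies to this purpose
        return findings
    if header.entry_description != expected:
        findings.append(f"batch {header.batch_number} ({header.company_name}): {purpose} "
                        f"batch carries '{header.entry_description}', expected '{expected}'")
    if purpose == "payroll" and header.sec_code != "PPD":
        findings.append(f"batch {header.batch_number}: payroll batch uses SEC code "
                        f"{header.sec_code}; the PAYROLL standard applies to PPD credits")
    return findings


def is_payroll_batch(header: BatchHeader) -> bool:
    """RDFI-side identification: an inbound PPD credit batch described as
    PAYROLL can be routed to payroll-redirection monitoring."""
    return (header.sec_code == "PPD" and header.entry_description == "PAYROLL"
            and header.service_class_code in (CREDITS_ONLY, MIXED))


def build_batch_header(service_class: str, company_name: str, company_id: str,
                       sec_code: str, description: str, batch_number: int) -> str:
    """Assemble a constructed 94-character batch header for the sample data:
    discretionary data, descriptive date and settlement date left blank,
    effective entry date 260320, originator status code 1, made-up ODFI id."""
    line = ("5" + service_class + company_name.ljust(16)[:16] + " " * 20
            + company_id.ljust(10)[:10] + sec_code + description.ljust(10)[:10]
            + " " * 6 + "260320" + " " * 3 + "1" + "09100001" + f"{batch_number:07d}")
    assert len(line) == 94
    return line


# Constructed sample batches: (purpose from the originator's records, header record).
SAMPLE_BATCHES = [
    ("payroll", build_batch_header("220", "ACME WIDGETS", "1234567890", "PPD", "PAYROLL", 1)),
    ("payroll", build_batch_header("220", "ACME WIDGETS", "1234567890", "PPD", "DIRECT DEP", 2)),
    ("ecommerce", build_batch_header("225", "WEBSHOP LLC", "9876543210", "WEB", "PURCHASE", 3)),
    ("ecommerce", build_batch_header("225", "WEBSHOP LLC", "9876543210", "WEB", "ONLINE ORD", 4)),
    ("rent", build_batch_header("225", "PROP MGMT", "5555555555", "PPD", "RENT", 5)),
]


def audit_batches(batches: list[tuple[str, str]]) -> list[str]:
    """Run the ODFI check over every (purpose, header record) pair."""
    findings: list[str] = []
    for purpose, line in batches:
        findings.extend(check_standard_description(parse_batch_header(line), purpose))
    return findings


if __name__ == "__main__":
    for finding in audit_batches(SAMPLE_BATCHES):
        print(finding)
    headers = [parse_batch_header(line) for _, line in SAMPLE_BATCHES]
    print("payroll batches an RDFI would recognize:",
          [h.batch_number for h in headers if is_payroll_batch(h)])
```

Run as a script, the audit reports the two non-conforming sample batches (“DIRECT DEP” and “ONLINE ORD”) and leaves the rent batch alone, since no standard description applies to it; only batch 1 is recognized as payroll on the receiving side, which is exactly the identification gain the standard is meant to deliver.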

Nacha changes effective June 2026

Fraud monitoring (Phase 2)

Starting June 22, 2026, the rules from Phase 1 will apply to all RDFIs not previously covered. These Phase 2 changes will further enhance fraud detection and fund recovery processes, ensuring comprehensive coverage across the industry.

Preparing for the Nacha Rule changes

The upcoming changes to the Nacha Operating Rules represent a significant step forward in managing ACH fraud and improving fund recovery. Financial institutions will need to prepare by refining their fraud monitoring processes and adapting to the new definitions and descriptions outlined in these rules. For detailed information, you can find the Nacha Operating Rules and Guidelines on Nacha’s website.

Staying informed and compliant with these rules will be crucial for maintaining effective fraud management and regulatory adherence. This article provides a simplified overview of these updates, focusing on key changes and their implications. For a more comprehensive understanding, inquire about the in-depth article featured in the August edition of our Compliance Update newsletter, including details on the final rule changes, adjustments from the original proposal issued in May 2023, and specific actions required.

Each month, our Compliance Update newsletter offers in-depth analysis and insights on regulatory updates and amendments impacting the banking industry. Our compliance experts review new developments. We provide valuable guidance to help you maintain regulatory compliance and navigate the evolving landscape. To receive timely and detailed compliance information, we encourage you to subscribe. Click here to learn more about our Compliance Update newsletter and purchase a subscription.

Young & Associates provides a full suite of regulatory compliance consulting services tailored to meet the unique needs of your institution. Our offerings include ACH self-assessment reviews, compliance outsourcing, our Virtual Compliance Consultant Program, and more. These services are designed to simplify complex regulatory requirements and allow you to focus on strategic goals. For more information on how we can support your institution, please contact us.

Spotlight on compliance training: Showalter featured in In Touch Magazine

William Showalter, CRCM, CRP, a senior consultant with Young & Associates, was recently featured in an issue of In Touch Magazine, the publication of the Community Bankers Association of Kansas. The article, “Training: The Foundation of Effective Compliance,” underscores the critical role that comprehensive compliance training plays in building and maintaining a robust compliance program within financial institutions.

Training: The bedrock of compliance

In his article, Showalter highlights a timeless truth: employees can’t be expected to comply with laws and regulations if they haven’t been properly instructed on them. Training is the bedrock upon which a thriving compliance program is built, enabling institutions to manage compliance risks effectively. Drawing on more than 20 years of experience with the transition to a new compliance management model, Showalter emphasizes pushing responsibility and involvement down to the front lines, which makes well-versed employees essential for success.

Why train? Reducing risk and ensuring compliance

Training employees in compliance is not just about meeting regulatory requirements; it’s about reducing the risk of noncompliance. Showalter points out that educating the bank’s board of directors, management, and staff is essential for maintaining an effective compliance program. Compliance training helps mitigate various risks identified by federal banking supervisors, including compliance risk, transaction or operational risk, and reputation risk.

Customizing training programs for success

Effective compliance training varies from one institution to another. Showalter offers practical guidance on setting up a successful compliance training program, stressing the importance of a thorough needs assessment. Identifying the types of products and services offered, the regulations impacting these processes, and the current knowledge level of staff are crucial steps in this process. The article also provides insights into choosing the right format and media for training, from online programs to classroom-style sessions, ensuring that the training is relevant and engaging for all employees.

Keeping compliance on track: Testing and record-keeping

An essential component of any training process is testing to measure success and maintain records. Showalter emphasizes the need for continuous assessment and refresher training to keep up with evolving regulations and ensure that all employees remain knowledgeable and compliant.

William Showalter’s expertise and practical advice in this article underscore the importance of a proactive approach to compliance training, helping financial institutions navigate the complex regulatory landscape with confidence. For more insights and to read the full article, click here. Stay informed with the Community Bankers Association of Kansas and discover more industry insights in In Touch Magazine — the leading publication dedicated exclusively to serving the interests of Kansas community banks.

Regulatory compliance training for financial institutions

Investing in the training and development of your staff is the most important investment your financial institution can make. Competent, well-trained employees not only ensure compliance but also contribute to the overall success and profitability of your institution.

Young & Associates is a national leader in continuing education and training for financial professionals. Our consultants bring unmatched real-world expertise in topics such as lending, underwriting, regulatory compliance, and director development. We offer a wide range of education and training services for financial professionals. Our training is flexible, with options for off-site, in-house, and virtual sessions. These are all customized to meet the specific needs and objectives of your institution.

Take a proactive approach to regulatory compliance with our comprehensive training for your personnel. Our training provides the latest information and techniques for maintaining an effective internal program, whether you need to establish a compliance program or update your knowledge of changing regulations. Topics include the Bank Secrecy Act, Privacy, Fair Lending, and more, all customized to the specific needs of your institution. Investing in our training services helps ensure compliance and boosts your institution’s overall success.

We also offer the Community Bankers for Compliance Program (CBC), the longest-running compliance program in the country. This program equips banks with comprehensive tools for managing in-house compliance. This includes live seminars, webinars, a compliance hotline, a members-only portal and a monthly newsletter.

Discover our full range of compliance training services and explore our comprehensive regulatory compliance consulting offerings.

Contact us today to see how we can support your bank or credit union in achieving your strategic goals.

CDs maturing in Q2: Impact on interest rate risk management

By: Michael Gerbick, President at Young & Associates

Interest rate risk (IRR) is the exposure of a bank or credit union’s current or future earnings and capital to adverse changes in market rates. Managing that risk is critical to community financial institutions, and since the pandemic, when rates went to zero, the rapid pace of change and the rapid increase in interest rates that followed have made effective management of that risk difficult.

Navigating market volatility: The role of ALM models 

Most banks and credit unions utilize asset liability management (ALM) models to assist in the modeling of interest rate increases and decreases, typically +/- 400 bp shock scenarios. Similar to the parallel rate shock scenarios of the ALM models designed to identify risk exposure in a rapidly changing rate environment, the Fed raised rates between March 2022 and July 2023 from 0 percent to 5.25–5.50 percent.  

The yield curve shape changed significantly, putting additional stress on the Asset Liability Committees (ALCOs) responsible for managing the ALM function of financial institutions, and that stress has not let up. Yes, the inversion has flattened compared with 12 months ago; however, in March of this year the spread between the two-year and ten-year Treasury yields set a record of 625 consecutive days inverted, besting the previous record set in 1978.

The chart shown below[1] illustrates the difference between the higher-yielding 2-year and the lower-yielding 10-year.

Strategies amidst rising rates: Insights for community banks and credit unions

Among the many strategies employed during the rising rate environment of 2022 and 2023 was offering certificates of deposit (CDs) to maintain and grow deposits on the balance sheet. However, the funding mix began to shift as consumers migrated towards higher interest-bearing accounts, or the bank increased its Federal Home Loan Bank borrowings, which caused the cost of funds to increase.

Industry research for the last two years shows interest-bearing deposits up 5.1 percent and non-interest-bearing deposits down 28 percent[2]. Rates have not risen since July 2023; however, many of the CDs offered in 2023 are due to mature in 2024 in a different rate environment than when they were issued. Financial institutions are monitoring this closely.

Strategic considerations for ALCOs: Addressing interest rate risk 

ALCOs are tasked with predicting the interest rate exposure in the elevated rate environment. Currently, we are in a unique environment and banks and credit unions should be cautious about using historical data only to predict future activity. In addition to non-bank competitors competing for deposits, community financial institutions need to continue improving their approach to cost of funds, net interest margin compression and how the institution will effectively manage their exposure to interest rate risk. A few strategies and actions financial institutions can employ related to deposits are: 

Optimizing interest rate exposure

Increase the frequency in which ALCO meets to review the interest rate environment. This may currently be semi-annual or quarterly at your institution. Additionally, the financial institution may consider meeting monthly to stay abreast of any changes in the environment or new products the Bank is releasing. 

Policy revision

Review your policy limits approved by the Board. Your policy may only list -100 bp or -200 bp scenarios, given the previous low-rate environment. Not only review the existing policy limits with the Board, but also increase the stress range to account for -300 bp and -400 bp.

Trigger points

In addition to the policy limits, consider thresholds on the rate of change of the risk measures covering liquidity, interest rate risk and capital. These rate-of-change thresholds are designed to trigger action or further investigation into the source of a significant movement before the measure falls outside of policy limits.

Stress your assumptions

ALM models have built-in assumptions and are likely based on historical industry averages supplemented by data supplied by your institution. Common key assumptions outlined by the FDIC[3]:

  • Asset prepayment – represents the change in cash flows from an asset’s contractual repayment schedule. The severity of prepayments fluctuates with various interest rate scenarios. Mortgage loans are a prime example of assets subject to prepayment fluctuations.
  • Non-maturity deposits
    • Sensitivity or Beta Factor – describes the magnitude of change in deposit rates compared to a driver rate.
    • Decay Rate – estimates the amount of existing non-maturity deposits that will run off over time.
    • Weighted Average Life – estimates the average effective maturity of the deposits.
  • Driver rate – represents the rate, or rates, which drive the re-pricing characteristics of assets and liabilities. Examples include Fed funds rate, LIBOR, U.S. Treasury yields, and the WSJ Prime rate.

Have discussions with your team and understand what is going on broadly in the economic environment as well as items specific to your bank or credit union. Address changes or concerns in your modeling assumptions or, at the very least, be aware of their potential impact. Spend time learning the assumptions. Do not accept the defaults as correct; make sure your team understands them.

In addition to your base case, stress the assumptions – double or triple the decay rates, assume a high sensitivity to driver rates in the change in deposit rates and cut the prepayment speeds in half. The alternate scenarios with severe assumptions will assist ALCO in understanding potential value creation and risks.  

Interest rate risk review

Regulatory guidance indicates that every bank should have an annual third-party assessment of the interest rate risk system. Similar to other audits, this review should be delivered to the Board of Directors or the Board’s audit committee. It is a critical component of the Board’s responsibility for bank oversight. 

Educate the board on interest rate risk

There are educational videos available through the FDIC website. In addition, there are IRR modeling vendors that will attend meetings to provide perspective to your institution on the current economic environment and your modeling results. Leverage them. 

Managing interest rate risk in 2024 and beyond 

There is always an opportunity for significant value creation in any environment. The rapidly increasing rate environment experienced in 2022-2023 brought forth significant risks and opportunities. The 2024 environment possesses new challenges. I am excited to see our community banks and credit unions adjust their balance sheets, act on the highest value opportunities and limit their interest rate exposure.  

Assess your interest rate risk 

Ready to proactively manage your institution’s interest rate risk? Young & Associates offers comprehensive interest rate risk reviews tailored to your needs. Ensure your bank or credit union is prepared to navigate market volatility with confidence. Reach out to us now to schedule your consultation!


[1] Federal Reserve Economic Data (FRED), 10-Year Treasury Constant Maturity Minus 2-Year Treasury Constant Maturity
[2] S&P Global, US Bank Market Report 2024
[3] FDIC, Developing Key Assumptions for Analysis of Interest Rate Risk

Implementing compliance: Key principles and practices

By: Bill Elliott, CRCM, director of compliance education at Young & Associates

There is no question that laws and regulations materially change the way banks do business. The recent new laws and regulations have, more than ever before, crossed over the consumer protection regulatory line and into bank management. This complicates your life, and the starts and stops do not make it easier. 

Consider the “1071 Rule,” which amounted to HMDA for commercial loans, with even more invasive questions. The underlying law was passed in 2010 (the Dodd-Frank Act), and the CFPB took almost 13 years to implement it, only to be stopped by the courts for stepping way beyond the requirements of the law. The updated CRA regulation is also now being challenged in the courts. 

Compliance does not happen in a vacuum. Many of the regulations cover multiple disciplines within the bank, and many departments have to be involved in implementing the solution. This article discusses some of the basics of implementing compliance within your organization, as well as an approach that we believe is critical to the success of any bank. 

The key ingredients for successful compliance

To establish a successful program, the following ingredients must exist:  

  • Board of Directors support 
  • Management support 
  • Staff development 
  • A viable and structured compliance network (compliance council) 
  • Compliance monitoring  

Board of directors support

The board is ultimately responsible for the success or failure of the program, just as they are for any other aspect of the bank’s risk management. The board needs a flow of information to assist them in understanding the compliance function and the current status of the program. It must also understand the stresses for compliance and ensure that there are adequate resources to facilitate success. 

Management support

Management must be actively involved in the development of the program. Although management may not design and develop the program, they should provide direction and ensure that there are resources to support its establishment and maintenance. Management must stay involved by monitoring the progress of the program through requiring periodic reports. 

Staff development

Staff development involves providing staff with the necessary background to understand the purpose of compliance, the structure to support the program and the technical skills to carry it out effectively. Management must direct the designated person or council and allow them the resources, including the resource of time, to fully implement the compliance program.

A practical solution: The compliance council

In order to address the compliance burden, we believe banks should use a compliance council. This is NOT a committee. It is a reporting mechanism, where each area of the bank is responsible for the compliance duties that impact their jobs. At the council, they report progress or lack thereof in meeting those requirements.  

The results of the compliance council meeting are reduced to writing. Those minutes then go to management and the board so that they understand the current compliance situation in which the bank finds itself. A compliance council aids the institution in the following ways: 

  • The compliance council is comprised of representatives from each major area of the institution, thereby building continuity into the program. 
  • The compliance council builds compliance into the daily operational procedures of each area so that the institution can function from a practical and preventive focus. 
  • The compliance council incorporates comprehensive compliance coverage through its composition, i.e., lending, customer service, and operations. 
  • The compliance council establishes a compliance link to planning for new products and services. Each area of the institution can establish the compliance details during the planning and implementation stages. 
  • The compliance council allows the institution to include monitoring procedures in the daily workflow that integrate compliance without creating unnecessary work burdens, e.g., through the use of checklists and most-common-concern policies.
  • The compliance council enables the institution to create an effective training and communications channel for all compliance issues. The council members will be able to take information back to their respective areas. 

Choosing the compliance council

The compliance council’s objective is to spread the duties among a small group of individuals to reduce the burden on any one person and increase coverage of the compliance function. Compliance has expanded far beyond just “letting the compliance officer deal with it.”

The persons who are chosen might be representatives from: 

  • real estate lending, 
  • consumer lending, 
  • customer service, 
  • deposit operations, and 
  • compliance administration. 

Of course, banks are free to add others, such as BSA, branch administration, etc. 

The use of management in an advisory capacity can help to ensure accountability. It is difficult to say “I did not have time” or something similar in front of a senior manager. But hopefully, this is not necessary in most banks. The “minutes” of the meeting become a useful tool for management and the board to understand the current compliance position of the bank. 

If there is a regulatory change that involves multiple disciplines, then and only then does the “council” become a “committee” to address the common issue. 

Authority and credibility

It is important for the compliance officer and the compliance council to develop sufficient authority to operate within the bank. Without this authority, the officer and the council will be ineffective.  

Assuming that the board of directors and executive management have clearly granted the compliance officer and the compliance council sufficient authority with which to operate, the officer and the council must maintain their own credibility to retain the authority they have been granted.

The compliance council’s biggest barrier involves establishing credibility with the bank’s employees. For example, if in the eyes of the employees, the compliance council is an informational source to help them do their job, the council will succeed. If communication channels are established but never work, the council will fail. The key to the success of the compliance council is to establish, implement, monitor, and enforce the compliance function throughout the bank. 

Effective compliance implementation

Navigating the dynamic landscape of banking regulations requires proactive strategies and a collaborative approach across all levels of an institution. As the regulatory environment continues to evolve, compliance becomes increasingly complex, necessitating a robust framework, dedicated oversight, and effective implementation to ensure adherence. 

Empowering banks for regulatory compliance success

At Young & Associates, we understand the challenges banks face in implementing and maintaining effective compliance programs. Our team of experts is committed to providing tailored solutions that empower banks to navigate regulatory requirements with confidence and efficiency. 

Ready to streamline your compliance efforts and fortify your institution against compliance risk? Partner with Y&A for comprehensive regulatory compliance consulting services. Contact us today to learn more about how we can support your bank in alleviating regulatory burdens. 

Qualities of a good managed services provider (MSP)

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.  

But how do you know that you currently have, or are choosing, the right partner? In this article, we will discuss the qualities you should look for in an MSP, to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems. 

Understanding financial institution needs 

First, it is important to understand that financial institutions differ from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection. 

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations. 

The drawbacks of national managed services providers 

A national MSP may not be appropriate for a small community financial institution either, as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors, where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging. 

The value of local and regional managed services providers 

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.  

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.  

5 key qualities of good managed services providers 

Some of the good qualities that we see from these MSPs include: 

  • Proactively identifying and presenting new tools to enhance the institution’s information security posture.
  • Working as a partner by learning about the institution and customizing solutions to its unique needs.
  • Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring.
  • Being responsive to initial and follow-up exam/audit documentation requests.
  • Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner.

Managed services provider red flags to watch out for  

Some of the red flags that we see from other MSPs include: 

  • Providing security status reports that contain errors or are hard to understand. 
  • Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring. 
  • Failing to notify the institution prior to making changes that may compromise security or impact system availability. 
  • Slow response to documentation requests for exams/audits or charging additional fees to provide this information. 
  • Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration.” 

Ensuring the right partnership 

It is important to remember that you are ultimately responsible for any problems that result from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.  

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels. You should consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison. 

Your trusted IT consulting partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

ACH risk management: Understanding NACHA’s rule changes

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s rule changes 

These new rules establish a base level of ACH payment monitoring for all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving depository financial institutions (RDFIs) will have a defined role in monitoring the ACH payments they receive.  

Rule changes effective June 2024 

The following rule changes take effect June 21, 2024: 

  • General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make it clearer that the WEB SEC Code must be used for all consumer-to-consumer credits, regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
  • Definition of Originator: Clarifies and aligns the definition of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account, and notes that the Rules do not always require a Receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
  • Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
  • Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
  • Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
  • Clarification of Terminology: Subsequent Entries: Replaces references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule changes effective October 2024  

The following rule changes take effect October 1, 2024: 

  • Additional Funds Availability Exceptions: Provides RDFIs with an additional exemption from the funds availability requirements, covering credit ACH entries that the RDFI suspects are fraudulent. 
  • Codifying Use of Return Reason Code R17: Allows RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
  • Expand Use of ODFI Request for Return/R06: Expands the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RDFI for any reason. 
  • RDFI Must Promptly Return Unauthorized Debit: Requires that, when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
  • Timing of Written Statement of Unauthorized Debit (WSUD): Allows a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule changes effective 2026 

The following rule changes take effect March 20, 2026: 

  • Company Entry Description – Payroll: Establishes a new standard description of PAYROLL for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
  • Company Entry Description – Purchase: Establishes a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases: 

  • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, Third-Party Service Provider (TPSP), and Third-Party Sender (TPS) to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
  • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

The two phases are: 

  • Phase 1 is effective March 20, 2026, for all ODFIs and for non-Consumer Originators, TPSPs, and TPSs with an annual ACH origination volume of 6 million or greater in 2023. 
  • Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs. 

Ensuring a secure ACH landscape through proactive risk mitigation 

The recent ACH rule changes approved by NACHA mark a significant step towards enhancing ACH risk management and fraud prevention. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance your ACH risk management framework with Young & Associates’ proven expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services. These include comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today. Explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.

Modernized FDIC signage & advertisement requirements: What banks need to know

In today’s dynamic regulatory landscape, keeping pace with regulatory updates is critical for community banks to maintain compliance and uphold depositor trust. To adapt to shifts in the banking industry and consumer behavior, the Federal Deposit Insurance Corporation (FDIC) has finalized a rule to modernize the requirements for official signs and advertising statements for insured depository institutions (IDIs). This modernization signifies a crucial change in regulatory expectations, demanding a thorough understanding and proactive approach from financial institutions.

Background: Understanding the updated part 328 rules

The banking industry has experienced significant transformations. These include the evolution of bank branches, heightened reliance on internet and mobile banking, and increased partnerships between IDIs and financial technology (fintech) companies. These shifts have heightened the potential for consumer confusion regarding FDIC deposit insurance coverage.

In response, the FDIC has introduced substantial updates to Part 328 of its regulations, specifically addressing the use of official FDIC signs and advertising statements by IDIs. Additionally, it clarifies regulations concerning false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo. This revision underscores the FDIC’s dedication to aligning regulatory standards with the evolving banking landscape, especially in digital and mobile channels.

Key changes to note: New FDIC official signage requirements

The modernized FDIC signage and advertisement requirements bring about significant changes, which aim to enhance consumer understanding and confidence in deposit insurance coverage. Beginning in 2025, FDIC-insured institutions are mandated to prominently display the official FDIC digital sign across digital platforms, including bank websites, mobile applications, and ATMs. This expansion to digital channels ensures consistent depositor confidence and clarity regarding deposit insurance coverage.

Moreover, the updated rule emphasizes the differentiation between insured deposits and non-deposit products across all banking channels. Regulations now require financial institutions to provide conspicuous disclosure indicating that certain financial products are not insured by the FDIC, are not deposits, and may lose value. These changes aim to extend the certainty and confidence associated with FDIC protection to digital channels, while ensuring that consumers are properly informed about the status of their deposits and the scope of FDIC insurance coverage.

Quick reference: FDIC modernized signage rule requirements and compliance deadlines

Purpose of the updated FDIC signage requirements

The rule updates regulations governing the use of official FDIC signs and advertising statements to reflect contemporary banking practices. It also clarifies regulations regarding false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo.

Changes to official signs

The traditional black and gold FDIC sign displayed at bank branches will now be complemented by a new black and navy blue FDIC digital sign. Banks will be required to display this digital sign on their websites, mobile applications, and certain ATMs starting in 2025.

Differentiation of products

Banks must use signs to differentiate insured deposits from non-deposit products across banking channels. They also need to indicate that certain financial products are not insured by the FDIC, are not deposits and may lose value.

Clarification on misrepresentations

The rule addresses scenarios where misleading information about deposit insurance coverage could confuse consumers. It prohibits the use of FDIC-associated terms or images in marketing materials to inaccurately imply that uninsured financial products or non-bank entities are insured or guaranteed by the FDIC.

Objectives for IDIs

For IDIs, the rule modernizes the requirements for displaying the FDIC official sign in branches and extends them to other physical premises. It establishes and mandates the display of the FDIC official digital sign on bank websites, mobile applications and certain IDI ATMs. Regulations also require IDIs to differentiate insured deposits from non-deposit products across banking channels. IDIs must also provide a one-time, per-web-session notification when a logged-in bank customer leaves the IDI’s digital deposit-taking channel for non-deposit products on a non-bank third party’s website. Additionally, IDIs must establish and maintain written policies and procedures for compliance with part 328.

Compliance and effective dates

The amendments made by the final rule are effective on April 1, 2024. There is an extended mandatory compliance date of January 1, 2025.

Navigating compliance with Young & Associates

At Young & Associates, we recognize the complexities and challenges community banks face in navigating regulatory changes effectively. We offer a customizable FDIC Signage and Advertising Requirements Policy to assist community banks in complying with the modernized rule. Additionally, our comprehensive suite of regulatory compliance services includes compliance outsourcing, advertising review and more. Our team of compliance experts is committed to guiding institutions toward regulatory compliance excellence while minimizing operational disruptions.

Ensuring compliance with FDIC signage and advertisement requirements is paramount for community banks. Embrace proactive compliance practices and partner with Young & Associates to navigate the complexities of regulatory change effectively. Contact us today to embark on your journey towards compliance excellence and safeguard the integrity of your institution in the ever-evolving financial landscape.

Stay compliant. Stay confident. Choose Young & Associates.

Understanding ACH risk management for community financial institutions

Automated Clearing House (ACH) risk management is a topic of paramount importance for community financial institutions. In the realm of modern banking, ACH payments have emerged as a cornerstone of electronic fund transfers, offering unparalleled efficiency and convenience for businesses and consumers alike. However, with the benefits of ACH come inherent risks that financial institutions must proactively address to safeguard their operations and protect their stakeholders.

Spectrum of ACH risk categories

From compliance and credit risk to fraud, operational challenges, and systemic vulnerabilities, each facet of ACH risk poses unique challenges and demands strategic foresight and diligent risk mitigation efforts. By understanding the intricacies of ACH risk management, financial institutions can fortify their resilience and ensure compliance with regulatory standards while fostering trust and reliability in the digital banking ecosystem.

The five basic types of ACH risk

1. ACH requirements compliance risk

Compliance risk encompasses the threat of legal or regulatory sanctions, financial loss, or damage to reputation resulting from failure to comply with laws, regulations, and internal policies. For community financial institutions processing ACH transactions, compliance risk looms large due to the intricate web of regulations governing ACH transfers, including Regulation E and Article 4A of the Uniform Commercial Code, as well as Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements, and the NACHA Rules and Guidelines. Institutions must conduct comprehensive ACH reviews to ensure adherence to regulatory standards and promptly rectify any violations or errors detected.

2. Credit risk from ACH transactions

Credit risk arises from the potential for financial loss due to the failure of parties involved in ACH transactions to fulfill their payment obligations. Community financial institutions face credit risk when originating or receiving ACH transactions, especially with the proliferation of high-risk activities such as nonrecurring payments. Establishing rigorous underwriting standards, evaluating originator creditworthiness, and setting appropriate exposure limits are crucial risk mitigation strategies for managing credit risk effectively.

3. Fraud risk

Fraud risk encompasses the threat of unauthorized or deceptive activities resulting in financial loss or reputational damage. With the increasing sophistication of fraudulent schemes targeting ACH transactions, community financial institutions must remain vigilant against fraudulent activities such as account takeover, unauthorized returns and unauthorized transactions. Implementing robust authentication measures, monitoring transaction patterns for anomalies and conducting regular audits of third-party service providers are essential components of an effective fraud risk management framework.

4. ACH processing operational risk 

Operational risk stems from the potential for disruptions or failures in internal processes, systems or human factors leading to financial loss or operational inefficiencies. Community financial institutions face operational risk in ACH processing due to factors such as technological failures, human error and inadequate controls. Implementing comprehensive policies and procedures, ensuring adequate training for staff and conducting regular audits of ACH operations are critical steps in mitigating operational risk.

5. Systemic risk

Systemic risk refers to the threat of widespread disruptions or failures within the financial system resulting from interconnectedness and interdependencies among institutions and market participants. Individual community financial institutions may have limited exposure to systemic risk in ACH processing, but they remain vulnerable to broader systemic events impacting the financial industry as a whole. Vigilance, collaboration with industry stakeholders, and contingency planning are essential strategies for managing systemic risk effectively.

Effective ACH risk management for community financial institutions

In conclusion, effective ACH risk management is paramount for community financial institutions to navigate the evolving landscape of electronic payments. It’s a must to uphold their commitments to regulatory compliance, financial integrity and customer or member trust. By understanding and addressing the five basic types of ACH risk—compliance, credit, fraud, operational and systemic—financial institutions can fortify their resilience and sustain long-term success in the dynamic world of electronic banking.

Young & Associates offers ACH self-assessment reviews. Our compliance experts evaluate your policies, procedures, and test components to ensure compliance with the NACHA Operating Guidelines. For tailored guidance to your unique circumstances, reach out to our team of experts. We help you navigate the regulatory compliance landscape and keep your financial institution on the path to success. Contact us today.
