Author: admin

NCUA cybersecurity priority: What credit unions need to know

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats.

Understanding the NCUA supervisory priority of information security

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six key considerations for credit union cyber security compliance

1. Holistic risk assessment and management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor risk management 

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident monitoring and documentation protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust incident response plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA regulatory standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous monitoring and improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering credit unions: Tailored cybersecurity solutions from Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Young & Associates announces strategic internal promotions

Young & Associates, a leading consultancy firm specializing in banks and credit unions, proudly announces the promotions of two key team members, Michael Gerbick and Ollie Sutherin, marking a significant milestone in the company’s leadership evolution.

Michael Gerbick promoted to President of Young & Associates

Michael Gerbick, a pivotal member of Young & Associates for five years, has been promoted from Chief Operating Officer to President of the organization. Gerbick’s tenure has been marked by significant contributions in accounting functions, internal process enhancements, and the implementation of productivity-driven systems, reflecting his commitment to the company’s success.

Ollie Sutherin promoted to CFO of Young & Associates

Ollie Sutherin, formerly Principal of Y&A Credit Services, assumes the role of Chief Financial Officer. Sutherin’s journey with Young & Associates began with a focus on the company’s loan review process, subsequently expanding his expertise in lending, credit, and systems implementations. His progressive roles, from credit analyst to Principal of Y&A Credit Services, have led to pivotal changes. This has resulted in notable revenue growth and heightened productivity.

Jerry Sutherin continues leadership as CEO

Jerry Sutherin, formerly President and CEO of Young & Associates, will maintain the role of CEO. He remains actively involved in the company’s leadership and operations, leveraging his banking expertise and industry relationships to guide its trajectory.

As stated by Jerry Sutherin, “We are excited to announce the well-deserved promotions of Michael and Ollie. Their dedication, expertise, and innovative leadership have been instrumental in the growth and success of Young & Associates. We remain well positioned to continue our strategic growth initiatives and look forward to their continued contributions to these goals.”

A commitment to excellence and innovation

These promotions underscore Young & Associates’ dedication to recognizing and fostering exceptional talent within the organization. Elevating Michael Gerbick to President and Ollie Sutherin to CFO signifies their invaluable contributions and leadership. This reinforces the company’s commitment to innovation and excellence in the financial institution industry.

Young & Associates is confident that these strategic internal promotions will contribute to the ongoing success of the organization. It highlights the company’s commitment to providing top-tier consultancy services to banks and credit unions. The company looks forward to the continued growth and achievements under the leadership of its dynamic team.

2024 housing market outlook: Implications for mortgage lenders

By: Donald Stimpert, manager of secondary market QC Services

Fannie Mae’s recent revised forecast for 2024 and beyond unveils a nuanced projection that holds significance for community banks and credit unions navigating the intricate landscape of the housing market. The insights presented by Fannie Mae’s Economic and Strategic Research (ESR) Group encapsulate essential indicators and predictions that will influence the housing and mortgage sectors in the forthcoming year.

Economic deceleration and housing recovery

The December report anticipates a potential economic slowdown in 2024, aligned with a gradual recuperation in both home sales and mortgage originations. Although initially forecasting a modest recession for 2023, the economic resilience has surprised many market analysts. Fannie Mae now perceives the possibility of a softer landing due to disinflation and low unemployment rates. However, the housing sector faced challenges in 2023, witnessing record-low affordability, lock-in effects, and a severe deficit in available for-sale housing, leading to the lowest existing home sales since the Great Financial Crisis.

Factors impacting home sales in 2024

Fannie Mae’s analysis points to a challenging landscape ahead. 2023 set a record low for existing home sales since 2010, setting the stage for a gradual recovery in 2024. Yet, obstacles like unaffordability, lock-in effects, and constrained inventory persist, likely causing a marginal impact on 2024’s total home sales compared to the previous year.

Despite glimpses of potential relief, these hurdles are expected to persist. Although the decline in the 10-year Treasury rate offers a glimmer of hope for better sales and mortgage originations, persistently high mortgage rates forecast subdued home sales at around 4.8 million in 2024, with a modest increase to 5.4 million by 2025.

October’s rock-bottom existing sales at 3.79 million could signal a turning point. Recent shifts in purchase mortgage applications, fueled by notable drops in mortgage rates, hint at a possible sales uptick. This trajectory depends on further rate moderation, potentially leading to increased sales.

Moreover, Fannie Mae’s projection of a slight dip in new home sales contrasts with unexpected buyer resilience amidst rising rates. This unexpected stability, boosted by concessions from builders, hints at sustained sales consistency.

This sales resilience, coupled with an unforeseen home price rebound, shapes Fannie Mae’s view on mortgage originations. Despite fluctuations, the forecast indicates a subtle upward trend, aligning with current origination levels.

Upgraded projections for single-family mortgage originations

Amidst these challenges, Fannie Mae projects a positive trajectory in total single-family mortgage originations:

  • $1.5 trillion in 2023
  • $1.9 trillion in 2024
  • $2.3 trillion in 2025

This upgrade stems from a positive outlook on purchase mortgage origination volumes. Forecasts indicate a substantial increase to $1.4 trillion in 2024, a noteworthy leap from the anticipated $1.3 trillion in 2023. Looking ahead, the trajectory continues its upward trend, projecting $1.6 trillion in purchase origination volumes by 2025. Simultaneously, refinance origination volumes are on an upward trajectory, poised to surge to $451 billion in 2024 and further escalate to $686 billion in 2025.

Dynamics of mortgage rates and home sales

The report reflects on the impact of declining interest rates, projecting a shift to an average FRM30 rate of 6.7% in 2024 and 6.2% in 2025, down from the current 7.4% in Q4 2023. However, the transition in monetary policy might introduce volatility in mortgage rates, presenting a potential risk factor for these projections.

New vs. existing home sales, housing starts and price growth

The resilience of new home sales, unexpected amidst economic uncertainties, and the lower-than-expected impact of high mortgage rates on sales showcase a trend where buyers seem less affected by increased rates compared to previous years. Homebuilders’ concessions, including mortgage rate buydowns, aim to stimulate sales amidst these challenges.

Implications for community banks and credit unions

Understanding Fannie Mae’s 2024 outlook is crucial for community banks and credit unions to tailor their strategies. The projected increase in mortgage originations presents both opportunities and challenges, urging these institutions to adapt swiftly to evolving market dynamics and consumer behaviors.

In conclusion, Fannie Mae’s revised outlook for 2024 emphasizes the need for adaptive strategies by community banks and credit unions to harness opportunities amid the projected housing market landscape. Staying informed about these forecasts will empower these financial institutions to navigate potential challenges while capitalizing on growth prospects effectively.

Secondary market quality control

Young & Associates stands as a trusted ally for financial institutions amid Fannie Mae’s housing market projections. Specializing in secondary mortgage quality control, our QC services serve as a shield against risks, meeting federal and private investor requirements, including those of Fannie Mae. As Fannie Mae anticipates a gradual housing market recovery and increased mortgage activities, partnering with Y&A can fortify your institutions’ risk management strategies. Our meticulous evaluations ensure compliance readiness and accuracy, aligning financial entities with market shifts highlighted by Fannie Mae, securing robust mortgage operations for the future. Visit our website for more information or contact us here.

Notable changes in the new ransomware self-assessment tool

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020. Banks use the tool to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security.

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks [1].

Key findings from the ransomware lessons report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

A new version of the R-SAT, released in October 2023, identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable additions to R-SAT

Notable additions to the new version of the R-SAT include: 

  • Specific questions added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several additional preventative controls that should be considered
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security control enhancements recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs, we also see value in: 

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT. Both resources are available at the following link: https://www.csbs.org/ransomware-self-assessment-tool

Strengthening bank security against ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats.

Construction loan monitoring: Questions & answers

By: Linda Fisher, Senior Consultant

There is always a certain level of risk in lending, but construction loans are of even greater risk. The ultimate value of the collateral is realized only after the project is completed, and the finished project is either leased to a stabilized level or sold at a profit. Therefore, it is imperative that a construction loan be closely monitored to ensure that the project is successfully executed. 

Why is construction monitoring so important?

Construction monitoring serves both the bank AND the customer. By conducting regular inspections, both parties can verify that the work being done is properly completed, on budget and results in the expected final value of the project.  

Also, if a dispute or litigation arises, there is a record of independent monitoring of the project. The qualified third party can then aid in any conflict resolution.

When should a construction inspector be engaged?

While both the bank’s and the borrower’s responsibilities are outlined in the loan documents, a detailed discussion between the bank and the borrower should take place prior to closing that outlines how the draw process will be handled and identifies who will be conducting inspections and the costs associated with this service.

Subsequent to this discussion, the inspector should be engaged prior to closing. They should perform an initial review of the construction agreement, budget, timeline, and plans and specifications associated with the project. This helps ensure that the proposed project is feasible to be performed and completed within the designated costs and timeframe. They also review that all appropriate documentation related to the project is in order prior to closing the loan. 

Throughout construction, having the construction inspector perform physical site visits provides independent verification of the line item percentage completion of the construction performed during the draw request period. Due to the inspector’s expertise, it also allows the inspector to directly address pertinent construction matters with the contractors, architects and borrowers on the bank’s behalf.

Who is qualified to perform inspections?

Ideally, construction monitoring services are performed by engineers or other licensed individuals with experience in general construction methods and materials. They also have knowledge of practices, techniques, and equipment used in building construction. The bank should maintain a list of individuals/firms that provide construction monitoring/inspection services.

As with any third-party vendor, these individuals should be thoroughly vetted, with documentation of their appropriate experience, references, and insurance.

A bank may sometimes engage the appraiser who performed the property evaluation prior to closing to serve as the construction inspector. While this individual may meet the intent of having an independent third party visit the site, an appraiser does not have the appropriate experience and training to review and interpret the plans and specifications prior to closing or effectively evaluate and monitor the construction as it progresses. 

Who is responsible for payment of a construction inspector’s services?

The cost associated with utilizing a construction inspector is typically borne by the borrower. It is included in the project budget as a soft cost and as a closing statement line item.   

What do these services cost?

The best answer is…it depends. Costs for a construction inspector’s services will vary in conjunction with the location and scope of the project. The initial cost for a review of the plans and specs is typically a higher expense, with monthly periodic reviews as disbursement requests are received by the bank from the borrower being a lesser cost. The cost pales in comparison to the potential risk of having a project be inappropriately completed, stall mid-construction or potentially turn litigious costing time and expense for the borrower, contractors and the bank.   

What are best practices in monitoring a construction loan?

Every step of the process should be well documented within the loan files. In addition to copies of the construction agreement(s) and the original budget and timelines, the file should contain details of change orders, a copy of the agreement with the construction inspector, and any related information. A copy of each loan disbursement request should be kept in the file and accompanied by the following:

  • Inspection report – to include the name and title of the person that performed the inspection, the time & date of the inspection, captioned photos of the project, estimated percentage of project completion with supporting descriptions of work completed since the last inspection and materials stored onsite, details of any delays, disputes or inspector concerns, an estimated date of completion and the inspector’s approval of the requested disbursement  
  • Lien waivers/title bringdown/endorsement – to ensure that there are no intervening liens filed against the project 
  • All paid or owing invoices, receipts and other verifications of project expenses or applicable borrower reimbursements  
  • Updated budget – demonstrating percentage of completion of budgeted expense categories, and sources and uses of equity and debt funds to date. 

Maintaining this information in the file demonstrates that the bank is effectively monitoring the loan. It also provides clear documentation of progress of construction. If a question or concern develops, it can be quickly and efficiently addressed, with secured information in one location.  

What is a certificate of final value?

Upon completion of the construction/issuance of the certificate of occupancy, the bank should inform the original appraiser of such completion, and the appraiser should perform a final inspection to validate that the project was completed within the parameters defined in the original appraisal. The appraiser then issues a certificate of final value correlating the completed project to the circumstances of the appraisal report and its concluded “as complete” value.

Building confidence with a construction monitoring plan

An effective, consistent construction monitoring program avoids surprises for all parties, as it documents the evolution of the project from the initial approved scope and costs, throughout construction, and to final completion. Prior to closing, all parties can be confident knowing that they are starting off on the right foot. As the project progresses, any issues that may arise can be identified and dealt with appropriately. Given the potential risks associated with any construction project, having a solid plan and maintaining proper documentation provides a higher probability of a successful outcome that benefits both the borrower and the bank.

Optimize your construction loan management strategies with Y&A

Young & Associates offers specialized lending and loan review services. We assist community banks and credit unions in constructing robust construction loan management and administration processes. For tailored solutions and expert support, contact us here. Strengthen your construction loan approach with Young & Associates’ dedicated expertise.

HMDA and CRA adjustments are here

By: William J. Showalter, CRCM, CRP

There are changes that arrived with the new year of 2024 to Home Mortgage Disclosure Act (HMDA) compliance for banks and thrifts in many areas. No, the Consumer Financial Protection Bureau (CFPB) is not repealing Regulation C or adding more detail to the required data we collect and report. The existing rule is still in place. 

The changes we will look at here are driven by the decennial (every 10 years) adjustments by the Office of Management and Budget (OMB) to geographic units used by the federal government, including the Census Bureau, for statistical purposes. The particular geographic units that impact bank and thrift HMDA compliance are Metropolitan Statistical Areas (MSAs) since they are a qualifying location factor for lenders in determining HMDA coverage. 

The OMB’s changes will also have possible effects on bank and thrift compliance with the Community Reinvestment Act (CRA) in the drawing of institutional CRA “assessment areas.” 

These latest changes were effective when issued by OMB – July 21, 2023 – so they can impact 2024 HMDA coverage. 

OMB action 

The OMB completed a process of delineating Core Based Statistical Areas (CBSAs) based on 2020 Census data and the American Community Survey and Census Population Estimates Program for 2020 and 2021. A CBSA describes a geographic entity with at least one core of 10,000 or more population, plus adjacent territory that shows a high degree of social and economic integration with the core as measured by commuting ties. The standards designate and delineate two categories of CBSAs: Metropolitan Statistical Areas and Micropolitan Statistical Areas.  

The general concept of a metropolitan statistical area is that of an area containing a large population nucleus and adjacent communities that have a high degree of integration with that nucleus. The concept of a micropolitan statistical area closely parallels that of the metropolitan statistical area, but a micropolitan statistical area features a smaller nucleus. The purpose of these statistical areas remains the same as when officials first delineated metropolitan areas: The classification offers a nationally consistent set of delineations for collecting, tabulating, and publishing federal statistics for geographic areas.

The new delineations are found in OMB Bulletin 23-01 at https://www.whitehouse.gov/wp-content/uploads/2023/07/OMB-Bulletin-23-01.pdf 

HMDA coverage 

Regulation C covers any “financial institution,” as defined by the regulation and its underlying HMDA statute. “Financial institution” means, in part, a bank, savings association, or credit union that: 

  • On the preceding December 31, had assets in excess of the asset threshold established and published annually by the CFPB for coverage by HMDA, based on the year-to-year change in the average of the Consumer Price Index for Urban Wage Earners and Clerical Workers, not seasonally adjusted, for each 12-month period ending in November, rounded to the nearest million – $56 million for 2024 HMDA coverage 
  • On the preceding December 31, had a home or branch office in a Metropolitan Statistical Area (MSA) [Micropolitan Statistical Areas have no HMDA impact.] 
  • In the preceding calendar year, originated at least one home purchase loan (excluding temporary financing such as a construction loan) or refinancing of a home purchase loan, secured by a first lien on a one- to four-family dwelling, and
  • Meets one or more of the following two criteria: is federally insured or regulated; or the mortgage loan referred to in the previous bullet was insured, guaranteed, or supplemented by a federal agency or was intended for sale to Fannie Mae or Freddie Mac
  • Meets at least one of the following criteria in each of the two preceding calendar years: originated at least 25 closed-end mortgage loans that are not excluded by §1003.3(c)(1) through (10) or (c)(13), or originated at least 200 open-end lines of credit that are not excluded by the cited section of Regulation C 

There are also similar qualification criteria for for-profit mortgage lenders that are not banks, thrifts, or credit unions, which we will not detail here. 

The qualification criterion impacted by OMB’s action is the geographic one, the second bullet above. If a financial institution that otherwise meets HMDA coverage criteria has an office in an MSA on December 31, then it is covered by HMDA for the following year. For many lenders, determining HMDA coverage is a one-time exercise (other than those who are right around the asset-size threshold). 

Ohio MSA changes 

I will use my native Ohio as an example of what the MSA changes mean to banks and thrifts and their compliance with HMDA requirements. 

Three counties in Ohio were shuffled into Metropolitan Statistical Areas in this latest OMB action – one being added to an existing MSA and two comprising a new MSA. This time, the MSAs kept all Ohio counties that they formerly included.

The Cleveland MSA now includes Ashtabula County. The new Sandusky MSA now includes Erie and Ottawa counties.

There were also some changes in non-Ohio parts of MSAs that include other Ohio counties. Lenders in the Cincinnati, Huntington-Ashland, and Youngstown-Warren MSAs should look for these additions and deletions of neighboring states’ counties. 

The OMB Bulletin mentioned above contains all the details of the new Ohio geographic delineations. The list of MSAs and micropolitan statistical areas by state is in List 6 (with Ohio on pages 168-169) of the OMB Bulletin, while five additional lists in the bulletin give other breakdowns of the geographic delineations, including the counties included in each. 

HMDA impact 

In 2023, there was no impact for HMDA reporting because the new MSA delineations were not in effect on December 31, 2022. 

However, they were in effect December 31, 2023, which has the following impacts: 

  • Banks and thrifts with offices in Ashtabula, Erie, and Ottawa counties, and in no other MSA counties, now have to begin collecting HMDA data January 1, 2024, and make their first reports of that data by March 1, 2025.
  • Unlike 10 years ago, no banks or thrifts that are subject to HMDA reporting because of their offices in Ohio counties (i.e., with no offices in other MSA counties) will be relieved of collecting HMDA data beginning in 2024. (Note: Banks must still report their 2023 HMDA data by March 1, 2024.)

If your institution has an office in any of the counties affected by the MSA changes, be sure to review how this action affects your HMDA compliance beginning in 2024. 

CRA impact 

MSAs affect the CRA compliance efforts of banks and thrifts, too. They come into play in drawing up an institution’s CRA assessment area (AA), as well as in the small business and small farm lending disclosure statements prepared by regulators annually for institutions reporting their data (all except for “small” retail banks and thrifts).  

The CRA rules require that an institution’s CRA AA consist generally of one or more MSAs or metropolitan divisions – using the MSA or metropolitan division boundaries that were in effect as of January 1 of the calendar year in which the delineation is made – or one or more contiguous political subdivisions (e.g., counties, cities, or towns).

A CRA AA may not extend substantially beyond an MSA boundary or beyond a state boundary unless the assessment area is located in a multistate MSA. If a bank or thrift serves a geographic area that extends substantially beyond a state boundary, the bank must delineate separate AAs for the areas in each state. If a bank or thrift serves a geographic area that extends substantially beyond an MSA boundary, it must delineate separate AAs for the areas inside and outside the MSA. 

The regulators prepare annually, for each MSA and the nonmetropolitan portion of each state, an aggregate disclosure statement of small business and small farm lending by all institutions subject to reporting of that data (all except “small” retail banks and thrifts). 

Therefore, the redrawn MSA boundaries might have an impact on your institution’s CRA compliance. Each bank and thrift with the affected counties in its CRA AA should review its delineation to make sure that the changes do not require an adjustment to those delineations. Make any adjustments by April 1, when you must complete any updating of CRA public files (including the map of your CRA AA).

Links 

This OMB Bulletin provides the six lists of statistical areas, which are available electronically at the link stated above or from the OMB website at https://www.whitehouse.gov/omb/information-for-agencies/bulletins/. This update, historical delineations, and other information about population statistics are available on the Census Bureau’s website at https://www.census.gov/programs-surveys/metro-micro.html.

Young & Associates: Your trusted partner in regulatory compliance

In navigating the intricacies of HMDA and CRA compliance, Young & Associates stands ready to support community banks and credit unions. Our regulatory compliance consulting services ensure a seamless adherence to evolving regulations. Stay ahead with Young & Associates – your trusted partner in compliance excellence. Contact us today for tailored solutions that empower your financial institution.

Third-party relationships: Risk management

By: Edward Pugh, CAMS, CAMs-Audit, AAP, CFE

Financial institutions are increasingly relying on third parties for a broad range of products and services. Utilizing third parties can offer organizations significant benefits, including access to new technologies, delivery channels, products and services, and increased operational efficiencies. However, engaging third parties, especially those using new technologies, can expose financial institutions and their customers to increased risks. Operational, compliance, and strategic risks are often impacted by the utilization of third parties. Given the increase in the number and type of third parties engaging with financial institutions, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC) released Interagency Guidance on Third-Party Relationships: Risk Management in June of 2023.

Interagency guidance on third-party risk

The aforementioned guidance addresses all business arrangements between a financial institution and another entity, whether a formal contract exists or not. Third-party relationships can include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. While there are many benefits to using third-party services, their use can reduce an institution’s direct control over activities and may introduce new or increasing risks. Thus, it is important for an institution to identify, assess, monitor, and control risks related to third-party relationships.

A critical element of third-party risk management is to develop and maintain a complete inventory of third-party relationships. This also includes periodically conducting risk assessments for each relationship. This process will allow an institution to determine its risk and whether these risks have changed over time. The overall goal is to be able to update risk management practices as circumstances and risks change. Third parties performing more critical activities, such as those that may impact customers, the institution’s financial conditions or operations, warrant more robust oversight. 

Third-party risk management life cycle  

The Interagency Guidance identifies planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination of the relationship as the stages of the risk management life cycle.  

Key elements of the planning stage include assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries. You should also pay attention to the information security implications. This includes access to the institution’s systems and to its confidential information. The planning phase should also determine how the institution will select, assess, and oversee the third-party. This includes monitoring compliance with applicable laws, regulations, and contractual provisions. Requiring remediation of compliance issues is an important element to consider.  

Due diligence includes assessing the third party’s ability to perform the activity as expected, adhere to the institution’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. The Guidance notes that, “Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific activity performed by the third party.” It is critical to identify and document any limitations of its due diligence, understand the risks from such limitations, and consider alternatives in risk mitigation.

Factors to consider in performing due diligence include:

  • Strategies and goals.
  • Legal and regulatory compliance.
  • Financial condition, business experience.
  • Qualifications and backgrounds of key personnel.
  • Risk management.
  • Information security.
  • Management of information systems.
  • Operational resilience.
  • Incident reporting and management processes.
  • Physical security, reliance on subcontractors.
  • Insurance coverage.
  • Contractual arrangements with other parties.

Contract negotiations are also an important element of third-party risk management. Factors to consider include the nature and scope of the arrangement, performance measures or benchmarks (i.e., a service level agreement), responsibilities for providing, receiving, and retaining information, the right to audit and require remediation, responsibility for compliance with applicable laws and regulations, costs and compensation, ownership and licensing, confidentiality and integrity, operational resilience and business continuity, indemnification and limits on liability, insurance, dispute resolution, customer complaints, subcontracting, foreign-based third parties involved, and default and termination arrangements. It is important to also stipulate that the performance of the activities is subject to regulatory supervision and examination.

Ongoing monitoring allows a financial institution to confirm the quality and sustainability of the third-party’s controls and the ability to meet contractual obligations, escalate significant issues or concerns, and respond to such issues or concerns when identified. Depending on the complexity of the activities being performed, ongoing monitoring can include a review of reports regarding the third party’s performance and the effectiveness of its controls, periodic visits and/or meetings to discuss performance and operational issues, and regular testing of the financial institution’s controls that manage risks from its third-party relations, especially for more complex relationships.

Some additional factors to consider when performing ongoing monitoring include determining the overall effectiveness of the relationship, changes to the third-party’s business strategy and agreements with other entities, changes in financial conditions, insurance coverage, relevant audits and/or testing results, and the third-party’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations.  Depending on the complexity of the relationship, additional factors may also be considered.   

The final stage, termination, is also an important element of the risk management life cycle.  There are many reasons an institution may wish to terminate a relationship with a third-party.  Some factors to facilitate termination include options for an effective transition of services, costs and fees associated with termination, managing risks associated with data retention and destruction, handling of joint intellectual property, and managing risks to the financial institution, including any impact on customers, if the termination happens as a result of the third-party’s inability to meet expectations.  

Governance in third-party risk management

There are many ways an institution can structure its third-party risk management processes. Accountability may rest with business lines or with a central unit. Regardless of the structure, you should consider certain practices throughout the risk management life cycle. These include oversight and accountability, independent reviews, and documentation and reporting.

Upholding responsibilities in third-party relationships

This summary is not intended to be a comprehensive review of the Agencies’ Interagency Guidance on Third-Party Relationships: Risk Management released on June 6, 2023. As a reminder, the use of third parties does not diminish or remove financial institutions’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations. The full text of the Guidance may be found here: Interagency Guidance on Third-Party Relationships: Risk Management (occ.gov)

Optimize your risk strategy with Y&A’s expertise

Discover our customizable Vendor Risk Management Policy, which provides guidance on managing risks from outsourced relationships. This comprehensive policy covers responsibilities, risk assessment, due diligence, contracts, security, confidentiality, controls, business resumption, and monitoring. Learn more here.

Y&A offers insights into vendor due diligence or program refinement. Please reach out to Michael Gerbick at mgerbick@younginc.com or contact us on our website for more information. Strengthen your risk approach with our expertise – connect with us today.

2024 Rescission Reference Chart

View and download the Young & Associates 2024 Rescission Reference Chart to assist your lenders in preparing the Notice of Right to Cancel. Please forward this document to someone in your organization who will use this helpful tool.

For over 45 years, Young & Associates has provided consulting, training, and practical tools for the banking industry. Thank you for the opportunity to serve your needs.

 

Navigating compliance challenges: Reg Z, Reg E, and Flood Rules

Expert Regulatory Compliance Services for Financial Institutions

Are you finding the ever-evolving web of financial regulations a challenge to navigate? In the intricate landscape of compliance, regulations like Z, E, and Flood can be complex and overwhelming for financial institutions. Young & Associates offers a comprehensive suite of solutions specifically tailored to alleviate the burden of regulatory compliance challenges for community banks and credit unions.

Regulatory challenges made simple

Regulation Z compliance: Comprehensive TILA support

A cornerstone of financial institution compliance, Regulation Z delineates the implementation and execution of the Truth in Lending Act (TILA). Our experts understand the nuances of Reg Z and can guide your institution through its complex requirements. Our Reg Z compliance solutions are meticulously crafted to not only ensure your institution’s compliance but also to ensure transparency and fairness for your valued customers or members.

  • Loan Disclosures.  We review your financial institution’s disclosures – both open-end and closed-end (including TRID) disclosures – to help ensure compliance with these measures to inform customers, and to help your institution avoid potential required reimbursements, regulatory penalties, and civil liability.
  • Right of Rescission.  We help your lending personnel navigate the intricacies of the right of rescission, making sure that the proper consumers are recognized for this right and given required notices and disclosures, and that disbursements and other lender actions are delayed until it is confirmed that the customers have not exercised their cancellation right.  Proper observance of rescission requirements will help your institution avoid significant penalties – extended rescission rights, regulatory penalties, and civil liability.
  • Other Consumer Protections.  We facilitate your financial institution’s efforts to comply with, or avoid, significant requirements related to high-cost mortgages, home equity lines of credit, higher priced mortgage loans, private education loans, and others.

Regulation E compliance: EFTs and error resolution

The Electronic Fund Transfer Act (EFTA) brings its own set of challenges. The EFTA, implemented by Regulation E, governs electronic transactions. As the volume of EFT transactions continues to rise, so does the complexity of associated error claims. Resolving these claims can pose a significant challenge for banks and credit unions. Our team specializes in providing tailored guidance and support for Reg E compliance, including:

  • Error Resolution Procedures: We review your financial institution’s error resolution procedures, ensuring strict adherence to meet regulatory standards.
  • Electronic Payment Systems: We facilitate adherence to Reg E requirements by ensuring your financial institution’s electronic payment systems and procedures are diligently followed.
  • Consumer Protection: We review your Reg E compliance program to confirm that your institution’s procedures and adherence align with regulations aimed at safeguarding your customers’ rights, privacy, and security.

You can rely on our Reg E compliance guidance to navigate the complexities of regulatory requirements, effectively mitigating the risks of violations and penalties in the dynamic landscape of electronic transactions.

Flood insurance compliance: Ensuring flood disaster protection

Navigating the intricacies of federal flood regulations is crucial for financial institutions, given the increased scrutiny by regulators and the potential risks and penalties associated with noncompliance. Monetary penalties for such violations underscore the importance of a robust compliance program. Young & Associates is committed to providing comprehensive compliance solutions to guide your institution through the complex requirements of the Flood Disaster Protection Act encapsulated in the flood insurance rules.

At Y&A, our seasoned experts specialize in helping your institution navigate the nuances of federal flood-related requirements, offering tailored solutions to minimize exposure to potential risks. We can review your financial institution’s Flood Act compliance program to ensure compliance with variables such as flood zone determinations, borrower notifications, lender placement, and more.

Key components of our flood compliance reviews dial in on common areas of violations, including:

  • Compliance with Flood Regulations for Lenders: Our experts understand the intricacies of flood regulations, addressing common areas of violations such as proper loan file documentation, justified waivers, insurance coverage requirements, notice to borrower requirements, forced placement of flood insurance requirements, and more. We ensure your institution adheres to the most stringent regulatory standards, mitigating risks associated with non-compliant loans.
  • Flood Insurance Notice to Borrower Requirements: Timely and accurate notices to borrowers are critical. Our comprehensive reviews focus on your institution’s process for delivering and receiving acknowledgement of flood insurance-related notices, ensuring compliance with regulatory timelines and requirements.
  • SFHA Flood Insurance Requirements: Staying abreast of FEMA’s special flood hazard areas and implementing appropriate flood insurance requirements is essential. Our compliance reviews are designed to assist your institution in adhering to evolving SFHA standards.

As your trusted partner, we streamline the compliance process. This allows your institution to focus on core functions while remaining resilient in the face of regulatory challenges. Let us guide you through the intricate web of flood-related regulations, ensuring your institution stays protected from compliance violations in the ever-evolving financial landscape.

Expert guidance on Regulation Z, Regulation E, and Flood Compliance

Regulations such as Z, E, and Flood are just the tip of the iceberg. Our consultants are well-versed in all aspects of federal banking consumer regulations. We ensure you’re not just compliant but also in the best possible position to thrive in a highly regulated environment. We can assist you in understanding the intricacies of Truth in Lending, Electronic Fund Transfers, or Flood Compliance Requirements.

Why partner with Young & Associates?

At Y&A, we’ve been a trusted partner in regulatory compliance for over four decades, and here’s why:

  • Stay Ahead of Regulatory Changes: We keep you informed and prepared in a constantly evolving regulatory landscape. We help you navigate the intricate landscape of financial regulations, so you can focus on your core mission.
  • Comprehensive Solutions Tailored to Your Institution: We understand that a one-size-fits-all approach doesn’t work in regulatory compliance. We customize our solutions to address your institution’s unique needs.
  • Real Solutions for Real Challenges: We provide practical, real-world recommendations, enabling your bank or credit union to not only meet regulatory requirements but also implement best practices for a robust compliance framework.
  • Experienced Team: Our seasoned consultants bring decades of experience in banking and financial regulation to the table, ensuring you receive expert guidance.
  • Unmatched Quality: With over 45 years exclusively dedicated to financial institutions, excellence is our trademark. We maintain meticulous standards, offering precision, thoroughness, and a steadfast commitment to delivering actionable results.
  • Comprehensive Support: We offer end-to-end support, and our full-service approach covers all aspects of financial institution consulting. When you partner with Y&A, you gain access to a comprehensive team of industry experts.

Let’s navigate compliance challenges together

Don’t let regulatory compliance challenges hinder your institution’s growth. Contact Young & Associates to ensure your institution meets compliance standards and prepares for success. We’re here to help you navigate the intricate world of Regulations Z, E, H, and beyond. With our expertise, your institution can thrive in a highly regulated environment.

In addition to our full suite of compliance consulting services, we offer:

  • Virtual Compliance Consultant (VCC) Program: Receive access to all the invaluable compliance tools and services that we have to offer including compliance coaching, compliance products and policies, regulatory manuals, access to an online forum with experts from Y&A, and more.
  • Compliance Policies, Tools, and Workbooks: We offer customizable resources designed to simplify complex compliance tasks. From policies to interactive workbooks, our tools facilitate smoother compliance operations.
  • Compliance Update Newsletter: This monthly newsletter provides a thorough compliance review and covers developments that affect the banking industry. Each month our compliance experts scour the regulatory issuances, final rules, and amendments. They then provide you with the compliance information you need. The newsletter includes hot topics, action items, a compliance calendar, and more relevant information and resources.
  • Education Services: In addition to timely, easily accessible webinars, we offer customizable training solutions.

Contact us to explore how our tailored solutions can address your regulatory challenges.

Young & Associates celebrates 45th anniversary milestone

Celebrating 45 years of dedication: Young & Associates’ journey

In a world where companies come and go, few can boast of standing the test of time and evolving with the changing landscape. Young & Associates, Inc. is proud to mark its 45th anniversary on November 13th, a significant milestone in its journey of serving financial institutions with expertise and dedication since 1978. This achievement allows us to take a pragmatic look at our growth, transformation, and unwavering commitment to our clients and partners over the years.

Young & Associates’ humble beginnings

Young & Associates, Inc. began its journey under the name “Young Marketing Services.” We didn’t just focus on marketing, advertising, branch feasibilities, and product development; we thrived on them. But as time passed, the financial industry evolved, and it became evident that the needs of financial institutions were changing, demanding a more comprehensive suite of services. In response to this, Y&A expanded its offerings to encompass management and lending services, regulatory compliance, and more, effectively transforming into a one-stop consultancy for community financial institutions across the United States.

A change in leadership

In 2018, Jerry Sutherin, a seasoned financial expert and long-time consultant with the company, assumed ownership of Young & Associates. Under Sutherin’s leadership, the company has continued to flourish, positioning itself for further growth and success.

As President and CEO, Sutherin remarked, “Our 45th anniversary is a testament to our commitment to helping community financial institutions thrive. We are grateful for the trust our clients have placed in us, and we look forward to continuing to provide innovative solutions that enhance their success.”

Young & Associates’ Leadership Team (Pictured: Michael Gerbick, COO; Joanne Sutherin, Co-Owner; Ollie Sutherin, Principal of Y&A Credit Services; Jerry Sutherin, Co-Owner and President & CEO)

Diverse expertise, nationwide reach

Today, Young & Associates boasts a dedicated team of nearly 50 highly skilled consultants. These experts offer a wide range of services, including regulatory compliance, risk management, strategic planning, mergers and acquisitions, branching and expansion, lending, loan review, information technology, quality control, appraisal reviews, human resources, and internal audit. With consultants located across the nation, Young & Associates is renowned for delivering top-notch services.

A people-centric approach

Despite its impressive growth, Young & Associates maintains its commitment to its clients, partners, and associates. Y&A still holds consulting relationships with some original clients from 1978, embodying a people-centric approach and a familial culture. The dedication to its staff, many of whom have over 30 years of service, remains a cornerstone of its success.

Sutherin explains, “A major factor in the decision to purchase Young & Associates was the depth of knowledge and experience of its employee base within each functional discipline. This has enabled us not only to maintain long-standing relationships with legacy clients but also to forge new client relationships throughout the United States.”

With sincere gratitude

Young & Associates extends heartfelt gratitude to its valued customers, clients, and friends for their support over the past 45 years. The company eagerly anticipates the future, continuing to build upon its legacy of excellence by empowering community financial institutions to make informed decisions that enhance their success.

Young & Associates has come a long way since our inception in 1978. With a rich history of serving community financial institutions, we remain dedicated to simplifying the management of banks and credit unions, reducing regulatory burdens, improving financial performance, and increasing shareholder value. As we celebrate our 45th anniversary, we look forward to the journey ahead. We know that our commitment to our clients will continue to drive us towards greater success. Thank you for being a part of our journey.

Credit union cybersecurity: Actionable cyber threat defense

In an era dominated by technology, the financial sector faces a growing menace in the form of cyberattacks. Credit unions, along with their members’ sensitive data, have become prime targets for cybercriminals. To safeguard against these evolving threats, credit unions must proactively fortify their cybersecurity defenses.

As the financial industry changes, cybercriminals adapt, so credit unions must prioritize cybersecurity planning. This article discusses steps and measures credit unions can take to protect their operations and member data from cyber threats.

Understanding the cyber threat landscape

The increase in cyberattacks on credit unions, as well as their affiliated CUSOs and vendors, has brought cybersecurity vulnerabilities into sharp focus. It’s essential to recognize that cyber threats are no longer a distant possibility, but a tangible reality that demands immediate attention. Cybercriminals employ a range of tactics, including ransomware, phishing, and Distributed Denial-of-Service (DDoS) attacks, all with the potential to disrupt operations, compromise data, and tarnish the reputation of credit unions.

Taking action: Security controls for credit unions

In a realm where financial innovation and digital transformation reign, protecting sensitive data and ensuring uninterrupted services takes precedence. However, this progress is accompanied by the challenge of cyber threats, demanding a proactive approach to security.

To counter the evolving threat landscape, credit unions must adopt specific actions and security controls that reinforce their defenses. These measures not only safeguard their operations but also uphold the confidence and trust of their members. Let’s explore the steps credit unions can take to strengthen their cybersecurity and defend against cyber threats.

1. Implement strong access controls

Effective access controls form the first line of defense against unauthorized access. Credit unions should enforce stringent access policies, ensuring that only authorized personnel have access to critical systems and sensitive data. Implement role-based access controls (RBAC) to limit privileges based on job roles, and regularly review and update permissions to maintain a least-privilege approach.

2. Fortify with multi-factor authentication (MFA)

Incorporate MFA for all critical systems, applications, and accounts in your credit union. This extra layer of security forms a significant hurdle for unauthorized access attempts and provides protection against phishing attacks. MFA requires users to provide additional verification beyond a password, thereby boosting security.

3. Prioritize patching and updating systems

Addressing vulnerabilities promptly is critical to preventing potential breaches. Outdated software and unpatched systems are prime targets for cyber attackers. Regularly update and patch operating systems, software applications, and security solutions to address known vulnerabilities and reduce the risk of exploitation. Stay informed about security advisories and updates from the software provider and relevant cybersecurity agencies.

4. Enhance member and employee cybersecurity awareness

Cyber threats evolve continuously, and so should employee knowledge. Educating your employees about cyber threats is one of the most effective ways to mitigate risks. Provide ongoing training that helps employees recognize and respond to social engineering, the latest cyber threats, and other common attack techniques, and that covers best practices to keep them vigilant and informed. Awareness empowers your team to become a crucial line of defense. Equally important is educating members about safe online practices to prevent them from falling victim to scams or attacks.

5. Reinforce email security and anti-phishing measures

Email remains a primary vector for cyberattacks. Implement email security systems with built-in phishing detection and prevention features. Use SPF, DKIM, and DMARC to stop email spoofing and authenticate your legitimate mail, lowering the chance of successful phishing.
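As an added illustration (not part of the original article), the Python sketch below audits SPF and DMARC TXT records for settings that leave a domain spoofable even though the records exist. The sample records, domain names, and finding codes are constructed for this example; the rules follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Offline audit of SPF and DMARC TXT records for weak anti-spoofing settings."""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record):
    """Return (code, detail) findings for one SPF TXT record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("SPF_INVALID", "record does not start with v=spf1")]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":                 # drop domain, CIDR length, modifier value
            name = name.split(sep)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("SPF_PTR", "ptr is slow and discouraged by RFC 7208"))
        if name == "redirect":
            has_redirect = True
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier
    if all_qualifier == "+":
        findings.append(("SPF_PASS_ALL", "+all authorizes every host on the internet"))
    elif all_qualifier == "?":
        findings.append(("SPF_NEUTRAL_ALL", "?all gives no verdict on unlisted hosts"))
    elif all_qualifier == "~":
        findings.append(("SPF_SOFTFAIL", "~all only marks unlisted hosts; rejection depends on DMARC"))
    elif all_qualifier is None and not has_redirect:
        findings.append(("SPF_NO_ALL", "no 'all' term: unlisted hosts evaluate to neutral"))
    if lookups > 10:
        findings.append(("SPF_TOO_MANY_LOOKUPS", f"{lookups} DNS-lookup terms exceed the limit of 10"))
    return findings


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return (code, detail) findings for one DMARC TXT record."""
    if not record.strip().startswith("v=DMARC1"):
        return [("DMARC_INVALID", "record does not start with v=DMARC1")]
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [("DMARC_INVALID", "missing or unknown p= policy")]
    findings = []
    if policy == "none":
        findings.append(("DMARC_MONITOR_ONLY", "p=none reports on spoofed mail but does not block it"))
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append(("DMARC_SUBDOMAIN_OPEN", "sp=none leaves subdomains unenforced"))
    pct_raw = tags.get("pct", "100")      # pct defaults to 100 when absent
    if not pct_raw.isdigit() or int(pct_raw) > 100:
        findings.append(("DMARC_BAD_PCT", f"pct={pct_raw} is not an integer from 0 to 100"))
    elif int(pct_raw) < 100 and policy != "none":
        findings.append(("DMARC_PARTIAL", f"policy applies to only {pct_raw}% of failing mail"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_RUA", "no rua= address, so no aggregate reports arrive"))
    return findings


def codes(findings):
    """Reduce findings to their codes for quick comparison."""
    return [code for code, _ in findings]


# Constructed sample records (not real DNS data) for a fictional credit union.
SAMPLES = {
    "weak": {"spf": "v=spf1 include:_spf.mailhost.example +all",
             "dmarc": "v=DMARC1; p=none"},
    "partial": {"spf": "v=spf1 mx ptr ~all",
                "dmarc": "v=DMARC1; p=quarantine; sp=none; pct=25; "
                         "rua=mailto:dmarc-reports@cu.example"},
    "strong": {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
               "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@cu.example"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        for kind, audit in (("spf", audit_spf), ("dmarc", audit_dmarc)):
            for code, detail in audit(rec[kind]) or [("OK", "no findings")]:
                print(f"{label:8} {kind:6} {code:22} {detail}")
```

DKIM is not covered here because verifying it requires a signed message and the signer's public key rather than a policy record alone.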

6. Conduct regular penetration testing and vulnerability assessments

Proactively identify vulnerabilities by conducting regular penetration testing and vulnerability assessments. This allows credit unions to uncover weaknesses in their systems, applications, and infrastructure before cybercriminals can exploit them.

7. Craft a robust incident response plan

Prepare for the worst by developing a comprehensive incident response plan. Regularly test this plan to ensure your credit union is ready to respond swiftly and efficiently to a cyberattack. This plan should outline steps to take in case of a cyber incident and clearly define roles, responsibilities, communication protocols, and procedures. Rehearse different attack scenarios to minimize downtime and mitigate damages.

8. Manage vendor risk strategically

Your credit union’s security isn’t solely dependent on your internal measures—it extends to third-party vendors as well. Review and assess the cybersecurity practices of vendors providing services to your credit union. Ensure they adhere to robust security standards and regularly evaluate their security posture to safeguard your ecosystem. Learn more about effective vendor due diligence evaluations in this blog.

9. Network segmentation and DDoS protection

Network segmentation involves dividing the network into smaller segments to limit lateral movement in the event of a breach. This approach restricts attackers’ ability to move freely within the network, containing the impact and reducing the potential damage. Protect against DDoS attacks by filtering and limiting traffic to prevent disruptions to your services.

10. Safeguard through regular data backups, testing and recovery planning

Ransomware attacks can paralyze credit unions by encrypting critical data. Regularly back up your data and test the recovery process to ensure quick and effective restoration in case of an attack. Backups reduce the likelihood of data loss and minimize the temptation to pay ransoms.

11. Encourage sharing of threat intelligence

Join communities that share threat intelligence to stay current on new cyber threats and trends. Collaborating with industry peers enhances your understanding of evolving attack tactics, enabling you to adapt and protect your credit union effectively.

12. Sustain vigilance with continuous monitoring and updates

Cyber threats are ever-evolving, making continuous monitoring and prompt patch application essential. Monitor network traffic, logs, and systems for any unusual activities that could indicate a breach. Timely identification of suspicious activities enables credit unions to respond promptly and mitigate potential damage. Stay up to date with the latest security updates and promptly implement patches to close potential vulnerabilities.

13. Engage with cybersecurity experts

Consider seeking guidance from cybersecurity experts or firms specializing in the financial sector, like Young & Associates. Our industry-specific insights can provide credit unions with tailored solutions to address the unique challenges posed by cyber and information security threats.

Credit unions can strengthen their security and protect their operations, member data, and reputation by taking proactive cybersecurity measures. To protect against cyberattacks, credit unions must stay alert and take necessary actions as threats change and become more advanced. Remember, protecting against cyber threats is not just a responsibility—it’s a necessity for the digital age.

Partnering with Young & Associates: Expert cybersecurity solutions

In the face of escalating cyber threats, credit unions are seeking expert guidance and support to bolster their security measures. At Young & Associates, we understand the dynamic challenges that credit unions face in the realm of cybersecurity. We offer IT consulting, audit, and technical testing services to help strengthen your credit union’s defenses.

Our experienced experts provide valuable knowledge to help protect your institution from cyber threats with effective strategies and solutions. Y&A offers cybersecurity solutions ranging from comprehensive security audits to technical testing that uncovers vulnerabilities. We tailor our services to suit the unique needs of credit unions in this digital age. We will help your credit union understand and navigate cybersecurity. Contact us to learn more. 

Managing commercial real estate credit risk amid market shifts

By: Jerry Sutherin, President & CEO of Young & Associates

The landscape of commercial real estate (CRE) lending is shifting due to current economic events, presenting both challenges and opportunities for community financial institutions deeply entrenched in this sector. The challenges range from the profound impact of remote work trends and the uncertain future of office spaces to growing concerns about inflation and higher interest rates bringing CRE risk into the spotlight. This volatility has garnered increased attention from internal and external stakeholders, as well as regulatory authorities. Consequently, identifying the most pressing threats among these challenges and proactively mitigating risk has become a top priority for financial institutions with CRE exposure.

In the face of rising interest rates and delinquencies, many financial institutions are preparing to confront these economic stressors. In fact, some were already scaling back lending before the recent collapses of Silicon Valley Bank and Signature Bank. We have all witnessed the tightening of lending standards resulting from that event, and many analysts anticipate further tightening among all community financial institutions. This constriction is also impacted by limited deposits and liquidity forcing financial institutions to be selective in how they deploy their capital. These facts leave many analysts predicting when credit problems will emerge in the CRE sector.

Current CRE landscape at a glance

The evidence speaks for itself. According to S&P Global Market Intelligence, the delinquency rate for all CRE loans held in U.S. banks has increased by five basis points year over year. Moreover, within a single quarter earlier this year, the delinquency rate for nonowner-occupied nonresidential property loans spiked by a significant 24 basis points. This has led to tighter lending standards at origination, reflecting the concerns of institutions. Further, financial institutions are taking proactive measures to mitigate CRE risk after origination. Some have set aside high-single-digit percentage allowances for office loans. Others have reduced exposure through portfolio sales. Overall, loan originations have fallen, CRE sales have slumped, and forecasts indicate a drop in CRE prices.

The tightening of lending standards, the slowdown in the growth of CRE loans, and the impact on loan originations have emerged as central concerns in the financial sector. What unifies these factors is their inherent risk and whether they act as warning signals or responses. Managing CRE credit risk is undeniably intricate, but leveraging available strategies and tools empowers community banks, credit unions, and financial institutions to effectively navigate the ever-changing CRE lending sector. This enables them to proactively assess and plan for risk mitigation, rather than merely react to these changes.

Understanding commercial real estate risk

As CRE loans represent a substantial part of many banks’ loan portfolios and higher yielding assets, especially within community financial institutions, understanding the significance of CRE credit risk is paramount. Community banks and credit unions often operate in areas experiencing job and population growth, leading to a high demand for CRE lending and, in turn, a high concentration of CRE loans. This growth and its corresponding effects on loan portfolio concentration pose new challenges for banks in terms of risk monitoring and control.

While larger financial institutions commonly maintain experienced staff and even entire departments to manage these risks, it is generally not cost effective for smaller financial institutions to hire and maintain qualified resources to help mitigate the inherent risks. In the absence of an internal CRE risk management team, it is imperative for financial institutions to rely on independent third-party resources to assist in this crucial process.

Historical context and lessons from past experiences

A retrospective examination underscores the importance of proactive risk management. Many significant historical banking failures were largely attributed to overinvestment in CRE loans and the lack of an effective risk management process. Weak underwriting standards and poor portfolio management led to an oversupply of CRE properties and borrower defaults. Over time, regulatory improvements, such as stricter underwriting and risk management requirements, have been implemented. Nevertheless, predicting the future remains uncertain. We can only analyze past patterns and shortcomings to properly assess future risks.

In 2023, community and regional financial institutions comprise approximately 72% of the CRE loan market, taking on an above-average amount of CRE credit exposure. Recognizing such circumstances is vital, as you should be alert to potential red flags. Identifying and managing CRE credit risk is critical.

Identifying emerging commercial real estate risk

A comprehensive understanding of CRE credit risk highlights the increasing complexity of its landscape. CRE credit risk is multifaceted, with numerous risk categories affecting CRE lending, including market risk, asset risk, liquidity risk, and credit risk, among others. To construct a robust risk management strategy, all these variables must be explored and considered.

To assess your financial institution’s CRE loan segment’s health, a systematic approach is needed. When determining if your CRE portfolio exceeds your institution’s risk appetite and how to quantify that risk and respond effectively, the answers lie in developing a comprehensive, tailored framework for assessing and analyzing your CRE loan market. The most recent regulatory interagency Statement on Prudent Risk Management for Commercial Real Estate Lending notes that institutions that successfully monitored risk have:

  • Established appropriate loan policies, underwriting standards, and concentration limits.
  • Conducted cash flow analyses based on realistic rates and expenses to ensure repayment ability and assessed borrowers’ ability to repay during interest rate fluctuations and loan structure changes.
  • Analyzed the impact of economic changes on the loan portfolio’s quality, earnings, and capital.
  • Provided boards and management with information to adapt lending strategies in changing market conditions.
  • Maintained information systems to manage concentration risk effectively.
  • Implemented appropriate appraisal review and collateral valuation processes.

With the many challenges faced by community financial institutions, the need to effectively identify, measure, and manage these risks has become paramount. While established best practices exist to address these risks, financial institutions must transition from assessing each risk in isolation to recognizing the interconnectedness and synergy between them. A more holistic approach to risk management is required, allowing institutions to confidently inform their capital planning, risk tolerance, and overarching strategy.

Strengthening commercial real estate risk management in community financial institutions

A comprehensive risk management strategy empowers financial institutions to adapt to market dynamics, instilling confidence among stakeholders and regulators. Alongside the factors discussed in the previous section, regulatory guidelines highlight two critical facets of CRE risk management: stress testing and portfolio reviews. While community financial institutions can execute these internally, outsourcing can offer efficiency and effectiveness.

Commercial real estate portfolio stress testing

Stress testing and sensitivity analyses are indispensable tools for evaluating CRE risk and gauging the impact of economic fluctuations on asset quality, earnings, and capital. These assessments should align with the portfolio’s size and risk profile. CRE stress tests inform strategic and capital planning, credit concentration limits, policy, and underwriting. Integrating stress testing into risk management and strategic planning is essential to anticipate and mitigate risks, especially given current market uncertainties.

Although loan-level stress testing serves a purpose on a transactional level at origination, financial institutions should also regularly perform portfolio-level stress testing that encompasses both a bottom-up and a top-down approach. The bottom-up approach allows financial institutions to gauge the risks of individual, seasoned loans by stressing each transaction through interest rate changes, collateral values, and other market factors. Applying moderate and high stress scenarios to each transaction allows for early identification of potential losses and their impact on the capital of your organization. The top-down approach takes the remaining portfolio not identified in the loan-level analysis and uses the same stressors to further identify any possible impact to capital.

Independent loan reviews for commercial real estate risk mitigation

Thorough loan reviews are pivotal for identifying and mitigating potential CRE portfolio risks. They enable banks to assess loan quality, maintain compliance with regulations, and make necessary adjustments on a loan and portfolio level. An effective loan review function is crucial for assessing asset quality, evaluating underwriting and ongoing monitoring, and identifying exceptions to policies. Proactive issue resolution ensures risk mitigation before regulatory scrutiny or asset quality deterioration.

To further safeguard against future losses, it is critical that a loan review be independent. If maintained internally at the organization, it should report directly to the audit committee of the board of directors or the full board of directors. If a third-party firm is contracted to perform this work, it too should report all findings to the board of directors or a committee thereof.

Tactical approaches to limit commercial real estate risk in an unpredictable market

To minimize exposure to CRE credit risk, institutions should enhance communication with borrowers, allocate additional resources for portfolio management, understand collateral, and manage interest rate risk. Effective market area monitoring, adaptable to the institution’s unique risk exposure and appetite, is essential. Clear communication of risk tolerance from the board down to lending staff fosters alignment and clarity.

Community financial institutions must not become complacent in their approach to risk management. It is critical to remain agile and continually adapt to changing environments and emerging risks, especially in the currently volatile realm of CRE lending. By staying proactive and employing a comprehensive risk assessment and management approach, banks and credit unions can successfully address CRE credit risk, safeguard their portfolios, and maintain their success.

Optimize your risk management strategies with Young & Associates

With over four decades of experience, Y&A specializes in helping community financial institutions manage risk. Our enduring presence in the industry reflects our ability to adapt to evolving financial landscapes. Our seasoned consultants, who have backgrounds in banking, bring firsthand experience of market fluctuations.

Outsourcing commercial real estate risk stress testing

Young & Associates offers a CRE portfolio stress testing service that efficiently and insightfully assesses your portfolio. Using data specific to your bank, we stress your CRE portfolio across various factors. Our report quantifies potential impacts on earnings and capital resulting from collateral value decreases, changes in property net operating incomes, or increases in interest rates. What sets us apart is our ability to handle the stress testing process efficiently, allowing your institution’s management to focus on other important initiatives.

Outsourcing loan review

For most community financial institutions, outsourced loan review is the best choice due to size and the need for an independent party. Our loan review service, applied to your CRE portfolio, uncovers individual credit assessments. It also evaluates the alignment of your credit standards, analysis, and continuous credit monitoring with the specific characteristics of your CRE portfolio. Our findings not only inform you about existing portfolio risks but also provide recommendations for effective risk management.

Contact us to explore how we can support your journey in addressing CRE credit risk effectively.
