Skip to main content

Implementing Compliance: Key Principles & Practices

Written by admin on . Posted in Advice, Blog, Compliance & Regulations, Consultation.

By: Bill Elliott, CRCM, Director of Compliance Education at Young & Associates

There is no question that laws and regulations materially change the way banks do business. The recent new laws and regulations have, more than ever before, crossed over the consumer protection regulatory line and into bank management. This complicates your life, and the starts and stops do not make it easier. 

Consider the “1071 Rule,” which amounted to HMDA for commercial loans, with even more invasive questions. The underlying law was passed in 2010 (the Dodd-Frank Act), and the CFPB took almost 13 years to implement it, only to be stopped by the courts for stepping way beyond the requirements of the law. The updated CRA regulation is also now being challenged in the courts. 

Compliance does not happen in a vacuum. Many of the regulations cover multiple disciplines within the bank, and many departments have to be involved in implementing the solution. This article discusses some of the basics of implementing compliance within your organization, as well as an approach that we believe is critical to the success of any bank. 

The Key Ingredients

To establish a successful compliance program, the following ingredients must exist:  

  • Board of Directors support 
  • Management support 
  • Staff development 
  • A viable and structured compliance network (compliance council) 
  • Compliance monitoring  

Board of Directors Support

The board is ultimately responsible for the success or failure of the compliance program, just as they are for any other aspect of the bank’s risk management. The board needs a flow of information to assist them in understanding the compliance function and the current status of the program. The board must also understand the stresses for compliance and ensure that there are adequate resources to facilitate success. 

Management Support

Management must be actively involved in the development of the compliance program. Although management may not design and develop the program, they should provide direction and ensure that there are resources to support its establishment and maintenance. Management must stay involved by monitoring the progress of the program through requiring periodic reports. 

Staff Development

Staff development involves providing staff with the necessary background to understand the purpose of compliance, the structure to support the program, and the technical skills to it out effectively. Management must direct the designated person or council and allow them the resources, including the resource of time, to fully implement the compliance program. 

A Practical Solution: The Compliance Council

In order to address the compliance burden, we believe banks should use a compliance council. This is NOT a committee. It is a reporting mechanism, where each area of the bank is responsible for the compliance duties that impact their jobs. At the council, they report progress or lack thereof in meeting those requirements.  

The results of the compliance council meeting are reduced to writing. Those minutes then go to management and the board so that they understand the current compliance situation in which the bank finds itself. A compliance council aids the institution in the following ways: 

  • The compliance council is comprised of representatives from each major area of the institution, thereby building continuity into the program. 
  • The compliance council builds compliance into the daily operational procedures of each area so that the institution can function from a practical and preventive focus. 
  • The compliance council incorporates comprehensive compliance coverage through its composition, i.e., lending, customer service, and operations. 
  • The compliance council establishes a compliance link to planning for new products and services. Each area of the institution can establish the compliance details during the planning and implementation stages. 
  • The compliance council allows the institution to include monitoring procedures in the daily workflow that integrates compliance without creating unnecessary work burdens i.e., the use of checklists and most common concern policies. 
  • The compliance council enables the institution to create an effective training and communications channel for all compliance issues. The council members will be able to take information back to their respective areas. 

Choosing the Compliance Council

The compliance council’s objective is to spread the duties among a small group of individuals to reduce the burden on anyone and increase coverage of the compliance function. Compliance has expanded far beyond just “letting the compliance officer deal with it.” 

The persons who are chosen might be representatives from: 

  • real estate lending, 
  • consumer lending, 
  • customer service, 
  • deposit operations, and 
  • compliance administration. 

Of course, banks are free to add others, such as BSA, branch administration, etc. 

The use of management in an advisory capacity can help to ensure accountability. It is difficult to say “I did not have time” or something similar in front of a senior manager. But hopefully, this is not necessary in most banks. The “minutes” of the meeting become a useful tool for management and the board to understand the current compliance position of the bank. 

If there is a regulatory change that involves multiple disciplines, then and only then does the “council” become a “committee” to address the common issue. 

Authority and Credibility

It is important for the compliance officer and the compliance council to develop sufficient authority to operate within the bank. Without this authority, the officer and the council will be ineffective.  

Assuming that the board of directors and executive management have clearly granted the compliance officer and the compliance council sufficient authority with which to operate, the compliance officer and the compliance council must ensure their own credibility to retain any authority that the board of directors and management have granted them. 

The compliance council’s biggest barrier involves establishing credibility with the bank’s employees. For example, if in the eyes of the employees, the compliance council is an informational source to help them do their job, the council will succeed. If communication channels are established but never work, the council will fail. The key to the success of the compliance council is to establish, implement, monitor, and enforce the compliance function throughout the bank. 

Effective Compliance Implementation

Navigating the dynamic landscape of banking regulations requires proactive strategies and a collaborative approach across all levels of an institution. As the regulatory environment continues to evolve, compliance becomes increasingly complex, necessitating a robust framework, dedicated oversight, and effective implementation to ensure adherence. 

Empowering Banks for Regulatory Compliance Success

At Young & Associates, we understand the challenges banks face in implementing and maintaining effective compliance programs. Our team of experts is committed to providing tailored solutions that empower banks to navigate regulatory requirements with confidence and efficiency. 

Ready to streamline your compliance efforts and fortify your institution against compliance risk? Partner with Y&A for comprehensive regulatory compliance consulting services. Contact us today to learn more about how we can support your bank in alleviating regulatory burdens. 

Qualities of a Good Managed Services Provider (MSP)

Written by admin on . Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation.

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.  

But how do you know that you currently have, or you are choosing the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems. 

Understanding Financial Institution Needs 

First, it is important to understand that financial institutions are unique from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection. 

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations. 

The Drawbacks of National MSPs 

A national MSP may not be appropriate for a small community financial institution either as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging. 

The Value of Local and Regional MSPs 

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.  

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.  

5 Key Qualities of Good MSPs 

Some of the good qualities that we see from these MSPs include: 

  • Proactively identifying and presenting new tools to enhance the institution’s information security posture 
  • Working as a partner by learning about the institution and customizing solutions to its unique needs 
  • Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Being responsive to initial and follow up exam/audit documentation requests 
  • Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner 

MSP Red Flags to Watch Out For  

Some of the red flags that we see from other MSPs include: 

  • Providing security status reports that contain errors or are hard to understand 
  • Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Failing to notify the institution prior to making changes that may compromise security or impact system availability 
  • Slow response to documentation requests for exams/audits or charging additional fees to provide this information 
  • Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration” 

Ensuring the Right Partnership 

In closing, it is important to remember that as a financial institution, you are ultimately responsible for any problems that occur from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.  

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels for your institution and consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison. 

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

ACH Risk Management: Understanding NACHA’s Rule Changes

Written by admin on . Posted in ACH, Advice, Blog, Compliance & Regulations, Consultation, News.

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s Rule Changes 

These new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving financial institutions or RDFIs will have a defined role in monitoring the ACH payments they receive.  

Rule Changes Effective June 2024 

The following rule changes take effect June 21, 2024: 

  • General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make is clearer that the WEB SEC Code must be used for all consumer-to-consumer credits regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
  • Definition of Originator: Clarifies changes and alignments to the definitions of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account and that the Rules do not always require a receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
  • Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
  • Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
  • Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
  • Clarification of Terminology: Subsequent Entries: Replace references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule Changes Effective October 2024  

The following rule changes take effect October 1, 2024: 

  • Additional Funds Availability Exceptions: Provide RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are fraudulent. 
  • Codifying Use of Return Reason Code R17: Allow RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
  • Expand Use of ODFI Request for Return/R06: Expand the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RFI for any reason. 
  • RDFI Must Promptly Return Unauthorized Debit: Require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
  • Timing of Written Statement of Unauthorized Debit (WSUD): Allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule Changes Effective 2026 

The following rule changes take effect March 20, 2026: 

  • Company Entry Description – Payroll: Establish a new standard description of Payroll for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
  • Company Entry Description – Purchase: Establish a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases.  

  • Phase 1 is effective March 20, 2026, for all ODFIs and non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. 
  • Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs   
    • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, TPSP, and TPS to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
    • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

Ensuring A Secure ACH Landscape Through Proactive Risk Mitigation 

The recent ACH rule changes approved by NACHA signify a significant step towards enhancing ACH risk management and fraud prevention within the financial industry. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures, and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance Your ACH Risk Management Framework with Young & Associates’ Proven Expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services, including comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today to explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.

NCUA Cybersecurity Priority: What Credit Unions Need to Know

Written by admin on . Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Network Penetration Testing, Social Engineering, Vulnerability Assessment.

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats

Understanding the NCUA Supervisory Priority of Information Security

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six Key Considerations for Credit Union Cyber Security Compliance

1. Holistic Risk Assessment and Management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor Risk Management 

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident Monitoring and Documentation Protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust Incident Response Plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA Regulatory Standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous Monitoring and Improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering Credit Unions: Tailored Cybersecurity Solutions From Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Helpful Links:

2024 Housing Market Outlook: Implications for Mortgage Lenders

Written by admin on . Posted in Advice, Consultation, Mortgage Quality Control.

By: Donald Stimpert, Manager of Secondary Market QC Services

Fannie Mae’s recent revised forecast for 2024 and beyond unveils a nuanced projection that holds significance for community banks and credit unions navigating the intricate landscape of the housing market. The insights presented by Fannie Mae’s Economic and Strategic Research (ESR) Group encapsulate essential indicators and predictions that will influence the housing and mortgage sectors in the forthcoming year.

Economic Deceleration and Housing Recovery

The December report anticipates a potential economic slowdown in 2024, aligned with a gradual recuperation in both home sales and mortgage originations. Although initially forecasting a modest recession for 2023, the economic resilience has surprised many market analysts. Fannie Mae now perceives the possibility of a softer landing due to disinflation and low unemployment rates. However, the housing sector faced challenges in 2023, witnessing record-low affordability, lock-in effects, and a severe deficit in available for-sale housing, leading to the lowest existing home sales since the Great Financial Crisis.

Factors Impacting Home Sales in 2024

Fannie Mae’s analysis points to a challenging landscape ahead. 2023 set a record low for existing home sales since 2010, setting the stage for a gradual recovery in 2024. Yet, obstacles like unaffordability, lock-in effects, and constrained inventory persist, likely causing a marginal impact on 2024’s total home sales compared to the previous year.

Despite glimpses of potential relief, these hurdles are expected to persist. Although the decline in the 10-year Treasury rate offers a glimmer of hope for better sales and mortgage originations, persistently high mortgage rates forecast subdued home sales at around 4.8 million in 2024, with a modest increase to 5.4 million by 2025.

October’s rock-bottom existing sales at 3.79 million could signal a turning point. Recent shifts in purchase mortgage applications, fueled by notable drops in mortgage rates, hint at a possible sales uptick. This trajectory depends on further rate moderation, potentially leading to increased sales.

Moreover, Fannie Mae’s projection of a slight dip in new home sales contrasts with unexpected buyer resilience amidst rising rates. This unexpected stability, boosted by concessions from builders, hints at sustained sales consistency.

This sales resilience, coupled with an unforeseen home price rebound, shapes Fannie Mae’s view on mortgage originations. Despite fluctuations, the forecast indicates a subtle upward trend, aligning with current origination levels.

Upgraded Projections for Single-Family Mortgage Originations

Amidst these challenges, Fannie Mae projects a positive trajectory in total single-family mortgage originations:

  • $1.5 trillion in 2023
  • $1.9 trillion in 2024
  • $2.3 trillion in 2025

This upgrade stems from a positive outlook on purchase mortgage origination volumes. Forecasts indicate a substantial increase to $1.4 trillion in 2024, a noteworthy leap from the anticipated $1.3 trillion in 2023. Looking ahead, the trajectory continues its upward trend, projecting $1.6 trillion in purchase origination volumes by 2025. Simultaneously, refinance origination volumes are on an upward trajectory, poised to surge to $451 billion in 2024 and further escalate to $686 billion in 2025.

Dynamics of Mortgage Rates and Home Sales

The report reflects on the impact of declining interest rates, projecting a shift to an average FRM30 rate of 6.7% in 2024 and 6.2% in 2025, down from the current 7.4% in Q4 2023. However, the transition in monetary policy might introduce volatility in mortgage rates, presenting a potential risk factor for these projections.

New vs. Existing Home Sales, Housing Starts, and Price Growth

The resilience of new home sales, unexpected amidst economic uncertainties, and the lower-than-expected impact of high mortgage rates on sales showcase a trend where buyers seem less affected by increased rates compared to previous years. Homebuilders’ concessions, including mortgage rate buydowns, aim to stimulate sales amidst these challenges.

Implications for Community Banks and Credit Unions

Understanding Fannie Mae’s 2024 outlook is crucial for community banks and credit unions to tailor their strategies. The projected increase in mortgage originations presents both opportunities and challenges, urging these institutions to adapt swiftly to evolving market dynamics and consumer behaviors.

In conclusion, Fannie Mae’s revised outlook for 2024 emphasizes the need for adaptive strategies by community banks and credit unions to harness opportunities amid the projected housing market landscape. Staying informed about these forecasts will empower these financial institutions to navigate potential challenges while capitalizing on growth prospects effectively.

Secondary Market Quality Control

Young & Associates stands as a trusted ally for financial institutions amid Fannie Mae’s housing market projections. Specializing in secondary mortgage quality control, our QC services serve as a shield against risks, meeting federal and private investor requirements, including those of Fannie Mae. As Fannie Mae anticipates a gradual housing market recovery and increased mortgage activities, partnering with Y&A can fortify your institutions’ risk management strategies. Our meticulous evaluations ensure compliance readiness and accuracy, aligning financial entities with market shifts highlighted by Fannie Mae, securing robust mortgage operations for the future. Visit our website for more information or contact us here.

Notable Changes in the New Ransomware Self-Assessment Tool

Written by admin on . Posted in Advice, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit.

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020 as a tool for banks to use to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security. 

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks1.   

Key Findings from the Ransomware Lessons Report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

In response to the findings identified in this report, a new version of the R-SAT was released in October 2023 that identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable Additions to R-SAT

The notable additions to the new version of the R-SAT are identified below: 

  • Specific questions were added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several new additional preventative controls that should be considered 
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security Control Enhancements Recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs for community banks and credit unions, we also see value in the following security control enhancements: 

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool 

Strengthening Bank Security Against Ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats. Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website. 

Construction Loan Monitoring: Questions & Answers

Written by admin on . Posted in Advice, Consultation, Lending & Loan Review.

By: Linda Fisher, Senior Consultant

There is always a certain level of risk in lending, but construction loans are of even greater risk. The ultimate value of the collateral is realized only after the project is completed, and the finished project is either leased to a stabilized level or sold at a profit. Therefore, it is imperative that a construction loan be closely monitored to ensure that the project is successfully executed. 

Why is construction monitoring so important?

Construction monitoring serves both the bank AND the customer. By conducting regular inspections, both parties can verify that the work being done is properly completed, on budget and results in the expected final value of the project.  

Also, if for any reason there is a dispute or litigation arises, there is a record of independent monitoring of the project by a qualified third party that can aid in any conflict resolution. 

When should a construction inspector be engaged?

While both the bank’s and the borrower’s responsibilities are outlined in the loan documents, a detailed discussion between the bank and the borrower should take place prior to closing that outlines how the draw process will be handled, and identify who will be conducting inspections and the costs associated with this service.   

Subsequent to this discussion, the inspector should be engaged prior to closing. This individual should perform an initial review of the construction agreement, budget, timeline, and plans and specifications associated with the project. This helps to ensure that the proposed project is feasible given the work to be performed and can be completed within the designated costs and timeframe, as well as that all appropriate documentation related to the project is in order prior to closing the loan. 

Throughout construction, having the construction inspector perform physical site visits provides independent verification of the line item percentage completion of the construction performed during the draw request period and due to the inspector’s expertise, allows the inspector to directly address pertinent construction matters with the contractors, architects and borrowers on the bank’s behalf. 

Who is qualified to perform inspections?

Ideally, construction monitoring services are performed by engineers or other licensed individuals with experience in general construction methods and materials, as well as practices, techniques, and equipment used in building construction. A list of individuals/firms should be maintained by the bank – similar to lists of appraisers, attorneys, title companies, and other approved third-party vendors – that provide construction monitoring/inspection services. 

As with any third-party vendor, these individuals should be thoroughly vetted, with documentation of his/her appropriate experience, references, and insurance.   

A bank may sometimes engage the appraiser who performed the property evaluation prior to closing to serve as the construction inspector. While this individual may meet the intent of having an independent third party visit the site, an appraiser does not have the appropriate experience and training to review and interpret the plans and specifications prior to closing or effectively evaluate and monitor the construction as it progresses. 

Who is responsible for payment of a construction inspector’s services?

The cost associated with utilizing a construction inspector is typically borne by the borrower and is included in the project budget as a soft cost and as a closing statement line item.   

What do these services cost?

The best answer is…it depends. Costs for a construction inspector’s services will vary in conjunction with the location and scope of the project. The initial cost for a review of the plans and specs is typically a higher expense, with monthly periodic reviews as disbursement requests are received by the bank from the borrower being a lesser cost. The cost pales in comparison to the potential risk of having a project be inappropriately completed, stall mid-construction or potentially turn litigious costing time and expense for the borrower, contractors and the bank.   

What are best practices in monitoring a construction loan?

Every step of the process should be well documented within the loan files. In addition to maintaining copies of the construction agreement(s), as well as original budget and timelines, details of change orders, a copy of the agreement with the construction inspector and any related information should be maintained as well. A copy of each loan disbursement request should be kept in the file and accompanied by the following: 

  • Inspection report – to include the name and title of the person that performed the inspection, the time & date of the inspection, captioned photos of the project, estimated percentage of project completion with supporting descriptions of work completed since the last inspection and materials stored onsite, details of any delays, disputes or inspector concerns, an estimated date of completion and the inspector’s approval of the requested disbursement  
  • Lien waivers/title bringdown/endorsement – to ensure that there are no intervening liens filed against the project 
  • All paid or owing invoices, receipts and other verifications of project expenses or applicable borrower reimbursements  
  • Updated budget – demonstrating percentage of completion of budgeted expense categories, and sources and uses of equity and debt funds to date. 

Maintaining this information in the file demonstrates that the bank is effectively monitoring the loan and provides clear documentation of progress of construction. If a question or concern develops, it can be quickly and efficiently addressed, since the information is secured in one location.  

What is a certificate of final value?

Upon completion of the construction/issuance of the certificate of occupancy, the bank should inform the original appraiser of such completion and a final inspection performed by the appraiser to validate that the project was completed within the parameters defined in the original appraisal. The appraiser then issues a certificate of final value correlating the completed project to the circumstances of the appraisal report and its concluded “as complete” value. 

Building Confidence With a Construction Monitoring Plan

An effective, consistent construction monitoring program avoids surprises for all parties, as it documents the evolution of the project, from the initial approved scope and costs, throughout construction and to final completion. Prior to closing, all parties can be confident knowing that they are starting off on the right foot, with a solid and achievable plan. As the project progresses, any issues that may arise can be identified and dealt with appropriately. Given the potential risks associated with any construction project, having a solid plan and maintaining proper documentation provides a higher probability of a successful outcome that benefits both the borrower and the bank. 

Optimize Your Construction Loan Management Strategies with Y&A

Young & Associates offers specialized lending and loan review services to assist community banks and credit unions in constructing robust construction loan management and administration processes. For tailored solutions and expert support, contact us here. Strengthen your construction loan approach with Young & Associates’ dedicated expertise.

HMDA and CRA Adjustments Are Here

Written by admin on . Posted in Advice, Compliance & Regulations, Consultation, HMDA.

By: William J. Showalter, CRCM, CRP

There are changes that arrived with the new year of 2024 to Home Mortgage Disclosure Act (HMDA) compliance for banks and thrifts in many areas. No, the Consumer Financial Protection Bureau (CFPB) is not repealing Regulation C or adding more detail to the required data we collect and report. The existing rule is still in place. 

The changes we will look at here are driven by the decennial (every 10 years) adjustments by the Office of Management and Budget (OMB) to geographic units used by the federal government, including the Census Bureau, for statistical purposes. The particular geographic units that impact bank and thrift HMDA compliance are Metropolitan Statistical Areas (MSAs) since they are a qualifying location factor for lenders in determining HMDA coverage. 

The OMB’s changes will also have possible effects on bank and thrift compliance with the Community Reinvestment Act (CRA) in the drawing of institutional CRA “assessment areas.” 

These latest changes were effective when issued by OMB – July 21, 2023 – so they can impact 2024 HMDA coverage. 

OMB Action 

The OMB completed a process of delineating Core Based Statistical Areas (CBSAs) based on 2020 Census data and the American Community Survey and Census Population Estimates Program for 2020 and 2021. A CBSA is a geographic entity associated with at least one core of 10,000 or more population, plus adjacent territory that has a high degree of social and economic integration with the core as measured by commuting ties. The standards designate and delineate two categories of CBSAs: Metropolitan Statistical Areas and Micropolitan Statistical Areas.  

The general concept of a metropolitan statistical area is that of an area containing a large population nucleus and adjacent communities that have a high degree of integration with that nucleus. The concept of a micropolitan statistical area closely parallels that of the metropolitan statistical area, but a micropolitan statistical area features a smaller nucleus. The purpose of these statistical areas is unchanged from when metropolitan areas were first delineated: The classification provides a nationally consistent set of delineations for collecting, tabulating, and publishing federal statistics for geographic areas. 

The new delineations are found in OMB Bulletin 23-01 at https://www.whitehouse.gov/wp-content/uploads/2023/07/OMB-Bulletin-23-01.pdf 

HMDA Coverage 

Regulation C covers any “financial institution,” as defined by the regulation and its underlying HMDA statute. “Financial institution” means, in part, a bank, savings association, or credit union that: 

  • On the preceding December 31, had assets in excess of the asset threshold established and published annually by the CFPB for coverage by HMDA, based on the year-to-year change in the average of the Consumer Price Index for Urban Wage Earners and Clerical Workers, not seasonally adjusted, for each 12-month period ending in November, rounded to the nearest million – $56 million for 2024 HMDA coverage 
  • On the preceding December 31, had a home or branch office in a Metropolitan Statistical Area (MSA) [Micropolitan Statistical Areas have no HMDA impact.] 
  • In the preceding calendar year, originated at least one home purchase loan (excluding temporary financing such as a construction loan) or refinancing of a home purchase loan, secured by a first lien on a one-to four-family dwelling, and 
  • Meets one or more of the following two criteria: is federally insured or regulated; or the mortgage loan referred to in the previous bullet was insured, guaranteed, or supplemented by a federal agency or was intended for sale to Fannie Mae or Freddie Mac
  • Meets at least one of the following criteria in each of the two preceding calendar years: originated at least 25 closed-end mortgage loans that are not excluded by §1003.3(c)(1) through (10) or (c)(13), or originated at least 200 open-end lines of credit that are not excluded by the cited section of Regulation C 

There are also similar qualification criteria for for-profit mortgage lenders that are not banks, thrifts, or credit unions, which we will not detail here. 

The qualification criterion impacted by OMB’s action is the geographic one, the second bullet above. If a financial institution that otherwise meets HMDA coverage criteria has an office in an MSA on December 31, then it is covered by HMDA for the following year. For many lenders, determining HMDA coverage is a one-time exercise (other than those who are right around the asset-size threshold). 

Ohio MSA Changes 

I will use my native Ohio as an example of what the MSA changes mean to banks and thrifts and their compliance with HMDA requirements. 

Three counties in Ohio were shuffled into Metropolitan Statistical Areas in this latest OMB action – one being added to an existing MSA and two comprising a new MSA. No Ohio counties were removed this time from MSAs in which they were formerly included. 

Ashtabula County has been added to the Cleveland MSA. Erie and Ottawa counties have been included in the new Sandusky MSA. 

There were also some changes in non-Ohio parts of MSAs that include other Ohio counties. Lenders in the Cincinnati, Huntington-Ashland, and Youngstown-Warren MSAs should look for these additions and deletions of neighboring states’ counties. 

All the details of the new Ohio geographic delineations can be found in the OMB Bulletin mentioned above. The list of MSAs and micropolitan statistical areas by state is in List 6 (with Ohio on pages 168-169) of the OMB Bulletin, while five additional lists in the bulletin give other breakdowns of the geographic delineations, including the counties included in each. 

HMDA Impact 

In 2023, there was no impact for HMDA reporting because the new MSA delineations were not in effect on December 31, 2022. 

However, they were in effect December 31, 2023, which has the following impacts: 

  • Banks and thrifts with offices in Ashtabula, Erie, and Ottawa counties, and in no other MSA counties, now have to begin collecting HMDA data January 1, 2024, and make their first reports of that data by March 1, 2025.
  • Unlike 10 years ago, there are no banks and thrifts whose offices in Ohio counties have made them subject to HMDA reporting (i.e., no offices in other MSA counties) that will no longer have to collect HMDA data beginning in 2024. (Note that such banks would still be obligated to report their 2023 HMDA data by March 1, 2024.) 

If your institution has an office in any of the counties affected by the MSA changes, be sure to review how this action affects your HMDA compliance beginning in 2024. 

CRA Impact 

MSAs affect the CRA compliance efforts of banks and thrifts, too. They come into play in drawing up an institution’s CRA assessment area (AA), as well as in the small business and small farm lending disclosure statements prepared by regulators annually for institutions reporting their data (all except for “small” retail banks and thrifts).  

The CRA rules require that an institution’s CRA AA consist generally of one or more MSAs or metropolitan divisions – using the MSA or metropolitan divisions boundaries that were in effect as of January 1 of the calendar year in which the delineation is made – or one or more contiguous political subdivisions e.g., counties, cities, or towns). 

A CRA AA may not extend substantially beyond an MSA boundary or beyond a state boundary unless the assessment area is located in a multistate MSA. If a bank or thrift serves a geographic area that extends substantially beyond a state boundary, the bank must delineate separate AAs for the areas in each state. If a bank or thrift serves a geographic area that extends substantially beyond an MSA boundary, it must delineate separate AAs for the areas inside and outside the MSA. 

The regulators prepare annually, for each MSA and the nonmetropolitan portion of each state, an aggregate disclosure statement of small business and small farm lending by all institutions subject to reporting of that data (all except “small” retail banks and thrifts). 

Therefore, the redrawn MSA boundaries might have an impact on your institution’s CRA compliance. Each bank and thrift with the affected counties in its CRA AA should review its delineation to make sure that the changes do not require an adjustment to those delineations. If any adjustments are needed, they should be made by April 1 – when any updating of CRA public files must be accomplished (including the map of your CRA AA).  

Links 

This OMB Bulletin provide the six lists of statistical areas that are available electronically at the link stated above or from the OMB website at https://www.whitehouse.gov/omb/information-for-agencies/bulletins/.  This update, historical delineations, and other information about population statistics are available on the Census Bureau’s website at https://www.census.gov/programs-surveys/metro-micro.html.

Young & Associates: Your Trusted Partner in Regulatory Compliance

In navigating the intricacies of HMDA and CRA compliance, Young & Associates stands ready to support community banks and credit unions. Our regulatory compliance consulting services ensure a seamless adherence to evolving regulations. Stay ahead with Young & Associates – your trusted partner in compliance excellence. Contact us today for tailored solutions that empower your financial institution.

Third-Party Relationships: Risk Management

Written by admin on . Posted in Advice, Consultation, Risk Management.

By: Edward Pugh, CAMS, CAMs-Audit, AAP, CFE

Financial Institutions are increasingly relying on third parties for a broad range of products and services. Utilizing third parties can offer organizations significant benefits, including access to new technologies, delivery channels, products and services, and increased operational efficiencies. However, engaging third parties, especially those using new technologies, can expose financial institutions and their customers to increased risks. Operational, compliance, and strategic risks are often impacted by the utilization of third parties. Given the increase in the number and type of third parties engaging with financial institutions, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) released Interagency Guidance on Third-Party Relationships: Risk Management in June of 2023.  

Interagency Guidance on Third-Party Risk

The aforementioned guidance addresses all business arrangements between a financial institution and another entity, whether a formal contract exists or not. Third-party relations can include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. While there are many benefits to using third-party services, their use can reduce an institutions’ direct control over activities and may introduce new or increasing risks. Thus, it is important for an institution to identify, assess, monitor, and control risks related to third-party relationships.  

A critical element of third-party risk management is to develop and maintain a complete inventory of third-party relationships. This also includes periodically conducting risk assessments for each relationship. This process will allow an institution to determine its risk and whether these risks have changed over time. The overall goal is to be able to update risk management practices as circumstances and risks change. Third parties performing more critical activities, such as those that may impact customers, the institution’s financial conditions or operations, warrant more robust oversight. 

Third-Party Risk Management Life Cycle  

The Interagency Guidance identifies planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination of the relationship as the stages of the risk management life cycle.  

Key elements of the planning stage include assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries. Attention should also be paid to the information security implications, including access to the institution’s systems and to its confidential information. The planning phase should also determine how the institution will select, assess, and oversee the third-party, including monitoring compliance with applicable laws, regulations, and contractual provisions. Requiring remediation of compliance issues is an important element to consider.  

Due diligence includes assessing the third party’s ability to perform the activity as expected, adhere to the institution’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. The Guidance notes that, “Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific activity performed by the third party.” It is critical to identify and document any limitations of its due diligence, understand the risks from such limitations, and consider alternatives in risk mitigation. Factors to consider in performing due diligence include:

  • strategies and goals
  • legal and regulatory compliance
  • financial condition, business experience
  • qualifications and backgrounds of key personnel
  • risk management
  • information security
  • management of information systems
  • operational resilience
  • incident reporting and management processes
  • physical security, reliance on subcontractors
  • insurance coverage, and
  • contractual arrangements with other parties

Contract negotiations are also an important element of third-party risk management.  Factors to consider include the nature and scope of the arrangement, performance measures or benchmarks (i.e., a service level agreement), responsibilities for providing, receiving, and retaining information, the right to audit and require remediation, responsibility for compliance with applicable laws and regulations, costs and compensation, ownership and licensing, confidentiality and integrity, operational resilience and business continuity, indemnification and limits on liability, insurance, dispute resolution, customer complaints, subcontracting, foreign-based third parties involved, and default and termination arrangements.  It is important to also stipulate that the performance of the activities are subject to regulatory supervision and examination.  

Ongoing monitoring allows a financial institution to confirm the quality and sustainability of the third-party’s controls and the ability to meet contractual obligations, escalate significant issues or concerns, and respond to such issues or concerns when identified.  Depending on the complexity of the activities being performed, ongoing monitoring can include a review of reports regarding the third party’s performance and the effectiveness of its controls, periodic visits and/or meetings to discuss performance and operational issues, regular testing of the financial institution’s controls that manage risks from its third-party relations, especially for more complex relationships.  Some additional factors to consider when performing ongoing monitoring include determining the overall effectiveness of the relationship, changes to the third-party’s business strategy and agreements with other entities, changes in financial conditions, insurance coverage, relevant audits and/or testing results, and the third-party’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations.  Depending on the complexity of the relationship, additional factors may also be considered.   

The final stage, termination, is also an important element of the risk management life cycle.  There are many reasons an institution may wish to terminate a relationship with a third-party.  Some factors to facilitate termination include options for an effective transition of services, costs and fees associated with termination, managing risks associated with data retention and destruction, handling of joint intellectual property, and managing risks to the financial institution, including any impact on customers, if the termination happens as a result of the third-party’s inability to meet expectations.  

Governance in Third-Party Risk Management

There are many ways an institution can structure their third-party risk management processes. The accountability structure may be dispersed across business lines or may be centralized.  Regardless of the structure, the following practices should be considered through the risk management lifecycle: oversight and accountability, independent reviews, and documentation and reporting.  

Upholding Responsibilities in Third-Party Relationships

This summary is not intended to be a comprehensive review of the Agencies’ Interagency Guidance on Third-Party Relationships: Risk Management released on June 6, 2023.  As a reminder, the use of third parties does not diminish or remove financial institutions’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.  The full text of the Guidance may be found here: Interagency Guidance on Third-Party Relationships: Risk Management (occ.gov) 

Optimize Your Risk Strategy with Y&A’s Expertise

Discover our customizable Vendor Risk Management Policy, which provides guidance on managing risks from outsourced relationships. This comprehensive policy covers responsibilities, risk assessment, due diligence, contracts, security, confidentiality, controls, business resumption, and monitoring. Learn more here.

For insights into vendor due diligence or program refinement, please reach out to Michael Gerbick at mgerbick@younginc.com or contact us on our website. Strengthen your risk approach with our expertise – connect with us today.

Credit Union Cybersecurity: Actionable Cyber Threat Defense

Written by admin on . Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Network Penetration Testing, Social Engineering, Vulnerability Assessment.

In an era dominated by technology, the financial sector faces a growing menace in the form of cyberattacks. Credit unions, along with their members’ sensitive data, have become prime targets for cybercriminals. To safeguard against these evolving threats, credit unions must proactively fortify their cybersecurity defenses.

As the financial industry changes, cybercriminals adapt, so credit unions must prioritize cybersecurity planning. This article discusses steps and measures credit unions can take to protect their operations and member data from cyber threats.

Understanding the Cyber Threat Landscape

The increase in cyberattacks on credit unions, as well as their affiliated CUSOs and vendors, has brought cybersecurity vulnerabilities into sharp focus. It’s essential to recognize that cyber threats are no longer a distant possibility, but a tangible reality that demands immediate attention. Cybercriminals employ a range of tactics, including ransomware, phishing, and Distributed Denial-of-Service (DDoS) attacks, all with the potential to disrupt operations, compromise data, and tarnish the reputation of credit unions.

Taking Action: Security Controls for Credit Unions

In a realm where financial innovation and digital transformation reign, protecting sensitive data and ensuring uninterrupted services takes precedence. However, this progress is accompanied by the challenge of cyber threats, demanding a proactive approach to security.

To counter the evolving threat landscape, credit unions must adopt specific actions and security controls that reinforce their defenses. These measures not only safeguard their operations but also uphold the confidence and trust of their members. Let’s explore the steps credit unions can take to strengthen their cybersecurity and defend against cyber threats.

1. Implement Strong Access Controls

Effective access controls form the first line of defense against unauthorized access. Credit unions should enforce stringent access policies, ensuring that only authorized personnel have access to critical systems and sensitive data. Implement role-based access controls (RBAC) to limit privileges based on job roles, and regularly review and update permissions to maintain a least-privilege approach.

2. Fortify with Multi-Factor Authentication (MFA)

Incorporate MFA for all critical systems, applications, and accounts in your credit union. This extra layer of security forms a significant hurdle for unauthorized access attempts and provides protection against phishing attacks. MFA necessitates users to offer additional confirmation apart from a password, thereby boosting security.

3. Prioritize Patching and Updating Systems

Addressing vulnerabilities promptly is critical to preventing potential breaches. Outdated software and unpatched systems are prime targets for cyber attackers. Regularly update and patch operating systems, software applications, and security solutions to address known vulnerabilities and reduce the risk of exploitation. Stay informed about security advisories and updates from the software provider and relevant cybersecurity agencies.

4. Enhance Member and Employee Cybersecurity Awareness

Cyber threats evolve continuously, and so should employee knowledge. Educating your employees about cyber threats is one of the most effective ways to mitigate risks. Provide ongoing training to employees to help them recognize and respond to social engineering, the latest cyber threats, other common attack techniques, and best practices to keep them vigilant and informed. Awareness empowers your team to become a crucial line of defense. Equally important is educating members about safe online practices to prevent them from falling victim to scams or attacks.

5. Reinforce Email Security and Anti-Phishing Measures

Email remains a primary vector for cyberattacks. Implement sophisticated email security systems that inherently possess phishing identification and prevention features. Use SPF, DKIM, and DMARC to stop email spoofing and make emails more authentic, lowering the chance of successful phishing.

6. Conduct Regular Penetration Testing and Vulnerability Assessments

Proactively identify vulnerabilities by conducting regular penetration testing and vulnerability assessments. This allows credit unions to uncover weaknesses in their systems, applications, and infrastructure before cybercriminals can exploit them.

7. Craft a Robust Incident Response Plan

Prepare for the worst by developing a comprehensive incident response plan. Regularly test this plan to ensure your credit union is ready to respond swiftly and efficiently to a cyberattack. This plan should outline steps to take in case of a cyber incident, clearly define roles, responsibilities, communication protocols, and procedures, and rehearse different attack scenarios to minimize downtime and mitigate damages.

8. Manage Vendor Risk Strategically

Your credit union’s security isn’t solely dependent on your internal measures—it extends to third-party vendors as well. Review and assess the cybersecurity practices of vendors providing services to your credit union. Ensure they adhere to robust security standards and regularly evaluate their security posture to safeguard your ecosystem. Learn more about effective vendor due diligence evaluations in this blog.

9. Network Segmentation and DDoS Protection

Network segmentation involves dividing the network into smaller segments to limit lateral movement in the event of a breach. Execute network partitioning to confine possible security breaches and reduce their effects. This approach restricts attackers’ ability to move freely within the network, containing the impact and reducing the potential damage. Protect against DDoS attacks by filtering and limiting traffic to prevent disruptions to your services.

10. Safeguard through Regular Data Backups, Testing, and Recovery Planning

Ransomware attacks can paralyze credit unions by encrypting critical data. Regularly back up your data and test the recovery process to ensure quick and effective restoration in case of an attack. Backups reduce the likelihood of data loss and minimize the temptation to pay ransoms.

11. Encourage Sharing of Threat Intelligence

Get involved in communities that share threat intelligence in order to keep updated on new cyber threats and trends. Collaborating with industry peers enhances your understanding of evolving attack tactics, enabling you to adapt and protect your credit union effectively.

12. Sustain Vigilance with Continuous Monitoring and Updates

Cyber threats are ever-evolving, making continuous monitoring and prompt patch application essential. Monitor network traffic, logs, and systems for any unusual activities that could indicate a breach. Timely identification of suspicious activities enables credit unions to respond promptly and mitigate potential damage. Stay up to date with the latest security updates and promptly implement patches to close potential vulnerabilities.

13. Engage with Cybersecurity Experts

Consider seeking guidance from cybersecurity experts or firms specializing in the financial sector, like Young & Associates. Our industry-specific insights can provide credit unions with tailored solutions to address the unique challenges posed by cyber and information security threats.

Credit unions can strengthen their security and protect their operations, member data, and reputation by taking proactive cybersecurity measures. To protect against cyberattacks, credit unions must stay alert and take necessary actions as threats change and become more advanced. Remember, protecting against cyber threats is not just a responsibility—it’s a necessity for the digital age.

Partnering with Young & Associates: Expert Cybersecurity Solutions

In the face of escalating cyber threats, credit unions are seeking expert guidance and support to bolster their security measures. At Young & Associates, we understand the dynamic challenges that credit unions face in the realm of cybersecurity. We offer IT consulting, audit, and technical testing services to help strengthen your credit union’s defenses.

Our experienced experts provide valuable knowledge to help protect your institution from cyber threats with effective strategies and solutions. Y&A offers cybersecurity solutions ranging from comprehensive security audits to technical testing that uncovers vulnerabilities. We tailor our services to suit the unique needs of credit unions in this digital age. We will help your credit union understand and navigate cybersecurity. Contact us to learn more. 

Managing CRE Credit Risk Amid Market Shifts

Written by admin on . Posted in Advice, Consultation, CRE & AG Stress Testing, Lending & Loan Review, Liquidity Review, Management & Planning, Regulatory Enforcement.

By: Jerry Sutherin, President & CEO of Young & Associates

The landscape of commercial real estate (CRE) lending is shifting due to current economic events, presenting both challenges and opportunities for community financial institutions deeply entrenched in this sector. The challenges range from the profound impact of remote work trends and the uncertain future of office spaces to growing concerns about inflation and higher interest rates bringing CRE risk into the spotlight. This volatility has garnered increased attention from internal and external stakeholders, as well as regulatory authorities. Consequently, identifying the most pressing threats among these challenges and proactively mitigating risk has become a top priority for financial institutions with CRE exposure.

In the face of rising interest rates and delinquencies, many financial institutions are preparing to confront these economic stressors. In fact, some were already scaling back lending before the recent collapses of Silicon Valley Bank and Signature Bank. We have all witnessed the tightening of lending standards resulting from that event, and many analysts anticipate further tightening among all community financial institutions. This constriction is also impacted by limited deposits and liquidity forcing financial institutions to be selective in how they deploy their capital. These facts leave many analysts predicting when credit problems will emerge in the CRE sector.

The evidence speaks for itself. According to S&P Global Market Intelligence, the delinquency rate for all CRE loans held in U.S. banks has increased by five basis points year over year. Moreover, within a single quarter earlier this year, the delinquency rate for nonowner-occupied nonresidential property loans spiked by a significant 24 basis points. This has led to tighter lending standards at origination, reflecting the concerns of institutions. Further, financial institutions are taking proactive measures to mitigate CRE risk after origination. Some have set aside high-single-digit percentage allowances for office loans. Others have reduced exposure through portfolio sales. Overall, loan originations have fallen, CRE sales have slumped, and forecasts indicate a drop in CRE prices.

The tightening of lending standards, the slowdown in the growth of CRE loans, and the impact on loan originations have emerged as central concerns in the financial sector. What unifies these factors is their inherent risk and whether they act as warning signals or responses. Managing CRE credit risk is undeniably intricate, but leveraging available strategies and tools empowers community banks, credit unions, and financial institutions to effectively navigate the ever-changing CRE lending sector. This enables them to proactively assess and plan for risk mitigation, rather than merely react to these changes.

Understanding Commercial Real Estate Risk

As CRE loans represent a substantial part of many banks’ loan portfolios and higher yielding assets, especially within community financial institutions, understanding the significance of CRE credit risk is paramount. Community banks and credit unions often operate in areas experiencing job and population growth, leading to a high demand for CRE lending and, in turn, a high concentration of CRE loans. This growth and its corresponding effects on loan portfolio concentration pose new challenges for banks in terms of risk monitoring and control.

While larger financial institutions commonly maintain experienced staff and even entire departments to manage these risks, it is generally not cost effective for smaller financial institutions to hire and maintain qualified resources to help mitigate the inherent risks. In the absence of an internal CRE risk management team, it is imperative for financial institutions to rely on independent third-party resources to assist in this crucial process.

Historical Context and Lessons from Past Experiences

A retrospective examination underscores the importance of proactive risk management. Many significant historical banking failures were largely attributed to overinvestment in CRE loans and the lack of an effective risk management process. Weak underwriting standards and poor portfolio management led to an oversupply of CRE properties and borrower defaults. Over time, regulatory improvements, such as stricter underwriting and risk management requirements, have been implemented. Nevertheless, predicting the future remains uncertain. We can only analyze past patterns and the shortcomings to properly assess future risks.

In 2023, community and regional financial institutions comprise approximately 72% of the CRE loan market, taking on an above-average amount of CRE credit exposure. Recognizing such circumstances is vital, as you should be alert to potential red flags. Identifying and managing CRE credit risk is critical.

Identifying Emerging CRE Risk

A comprehensive understanding of CRE credit risk highlights the increasing complexity of its landscape. CRE credit risk is multifaceted, with numerous risk categories affecting CRE lending, including market risk, asset risk, liquidity risk, and credit risk, among others. To construct a robust risk management strategy, all these variables must be explored and considered.

To assess your financial institution’s CRE loan segment’s health, a systematic approach is needed. When determining if your CRE portfolio exceeds your institution’s risk appetite and how to quantify that risk and respond effectively, the answers lie in developing a comprehensive, tailored framework for assessing and analyzing your CRE loan market. The most recent regulatory interagency Statement on Prudent Risk Management for Commercial Real Estate Lending notes that institutions that successfully monitored risk have:

  • Established appropriate loan policies, underwriting standards, and concentration limits.
  • Conducted cash flow analyses based on realistic rates and expenses to ensure repayment ability and assessed borrowers’ ability to repay during interest rate fluctuations and loan structure changes.
  • Analyzed the impact of economic changes on the loan portfolio’s quality, earnings, and capital.
  • Provided boards and management with information to adapt lending strategies in changing market conditions.
  • Maintained information systems to manage concentration risk effectively.
  • Implemented appropriate appraisal review and collateral valuation processes.

With the many challenges faced by community financial institutions, the need to effectively identify, measure, and manage these risks has become paramount. While established best practices exist to address these risks, financial institutions must transition from assessing each risk in isolation to recognizing the interconnectedness and synergy between them. A more holistic approach to risk management is required, allowing institutions to confidently inform their capital planning, risk tolerance, and overarching strategy.

Strengthening CRE Risk Management in Community Financial Institutions

A comprehensive risk management strategy empowers financial institutions to adapt to market dynamics, instilling confidence among stakeholders and regulators. Alongside the factors discussed in the previous section, regulatory guidelines highlight two critical facets of CRE risk management: stress testing and portfolio reviews. While community financial institutions can execute these internally, outsourcing can offer efficiency and effectiveness.

CRE Portfolio Stress Testing

Stress testing and sensitivity analyses are indispensable tools for evaluating CRE risk and gauging the impact of economic fluctuations on asset quality, earnings, and capital. These assessments should align with the portfolio’s size and risk profile. CRE stress tests inform strategic and capital planning, credit concentration limits, policy, and underwriting. Integrating stress testing into risk management and strategic planning is essential to anticipate and mitigate risks, especially given current market uncertainties.

Although loan-level stress testing serves a purpose on a transactional level at origination, financial institutions should also regularly perform portfolio-level stress testing that encompasses a bottoms-up and a top-down approach. The bottom-up approach allows financial institutions to gauge the risks of individual, seasoned loans by stressing each transaction through interest rate changes, collateral values, and other market factors. Implying moderate and high stress scenarios to each transaction allows for early identification of potential losses and their impact on the capital of your organization. The top-down approach takes the remaining portfolio not identified on a loan-level analysis and uses the same stressors to further identify any possible impact to capital.

Independent Loan Reviews for CRE Risk Mitigation

Thorough loan reviews are pivotal for identifying and mitigating potential CRE portfolio risks. They enable banks to assess loan quality, maintain compliance with regulations, and make necessary adjustments on a loan and portfolio level. An effective loan review function is crucial for assessing asset quality, evaluating underwriting and ongoing monitoring, and identifying exceptions to policies. Proactive issue resolution ensures risk mitigation before regulatory scrutiny or asset quality deterioration.

To further safeguard against future losses, it is critical that a loan review be independent. If maintained internally at the organization, it should report directly to the audit committee of the board of directors or the full board of directors. If a third-party firm is contracted to perform this work, it too should report all findings to the board of directors or a committee thereof.

Tactical Approaches to Limit CRE Risk in an Unpredictable Market

To minimize exposure to CRE credit risk, institutions should enhance communication with borrowers, allocate additional resources for portfolio management, understand collateral, and manage interest rate risk. Effective market area monitoring, adaptable to the institution’s unique risk exposure and appetite, is essential. Clear communication of risk tolerance from the board down to lending staff fosters alignment and clarity.

Community financial institutions must not become complacent in their approach to risk management. It is critical to remain agile and continually adapt to changing environments and emerging risks, especially in the currently volatile realm of CRE lending. By staying proactive and employing a comprehensive risk assessment and management approach, banks and credit unions can successfully address CRE credit risk, safeguard their portfolios, and maintain their success.

Optimize Your Risk Management Strategies with Young & Associates

With over four decades of experience, Y&A specializes in helping community financial institutions manage risk. Our enduring presence in the industry reflects our ability to adapt to evolving financial landscapes. Our seasoned consultants, who have backgrounds in banking, bring firsthand experience of market fluctuations.

Outsourcing CRE Stress Testing

Young & Associates offers a CRE portfolio stress testing service that efficiently and insightfully assesses your portfolio. Using data specific to your bank, we stress your CRE portfolio across various factors. Our report quantifies potential impacts on earnings and capital resulting from collateral value decreases, changes in property net operating incomes, or increases in interest rates. What sets us apart is our ability to handle the stress testing process efficiently, allowing your institution’s management to focus on other important initiatives.

Outsourcing Loan Review

For most community financial institutions, outsourced loan review is the best choice due to size and the need for an independent party. Our loan review service, applied to your CRE portfolio, not only uncovers individual credit assessments but also evaluates the alignment of your credit standards, analysis, and continuous credit monitoring with the specific characteristics of your CRE portfolio. Our findings not only inform you about existing portfolio risks but also provide recommendations for effective risk management.

Contact us to explore how we can support your journey in addressing CRE credit risk effectively.

The Art of Safe Lending: How to Mitigate Commercial Loan Underwriting Risks

Written by admin on . Posted in Advice, Commercial Underwriting, Consultation, Lending & Loan Review.

By: Ollie Sutherin, Principal of Y&A Credit Services

Community financial institutions have long been known for their agility and personalized service, excelling at creating unique lending solutions and facilitating distinct transactions. However, the very attributes that have set them apart may now present fresh challenges as they seek to expand. Community banks and credit unions find themselves navigating a delicate equilibrium: effectively managing underwriting risk, diversifying their loan portfolios, and growing to better serve their communities. 

Additionally, the world of commercial loan underwriting presents its own distinctive challenges that further complicate finding this equilibrium. Commercial loan underwriting standards, in particular, are designed to foster relationship banking rather than transactional interactions. Loans are underwritten based on the borrower’s anticipated ability to operate their business profitably and service the debt being requested. However, the actual cash flows of borrowers can often deviate from expectations, and the value of collateral securing these loans may fluctuate. Most commercial loans are secured by the assets they finance, along with other business assets such as accounts receivable or inventory, and sometimes entail personal guarantees. Loans secured by accounts receivable heavily rely on the borrower’s ability to collect due amounts from customers. These complexities create a web of considerations for underwriters. 

Effective management of a community financial institution’s loan portfolio necessitates a strategic approach guided by skilled underwriters who play a pivotal role in mitigating underwriting risks in commercial lending. 

The After Effects of the SVB Collapse 

A little over six months have passed since the financial world experienced a seismic shift when a prominent regional bank collapsed. This event sent shockwaves throughout the banking sector, triggering a chain reaction that affected numerous other financial institutions, both regional and local. These far-reaching consequences have also left their mark on various aspects of community bank and credit union operations. 

Risk management has always held a pivotal role in credit underwriting, and its significance has become more pronounced in today’s ever-volatile environment. As we navigate an era of monetary tightening, global inflationary pressures, and increasing interest rates, underwriters find themselves under increased scrutiny. In the past, cheap funding was abundant, but now, risk-appropriate pricing is paramount for funding new deals. Underwriters must balance a new interest rate environment with the heightened lending and refinancing risks, necessitating increased diligence in risk assessments when extending credit and negotiating terms. 

To shed light on this matter, we will explore effective strategies for community financial institutions to limit underwriting risk in commercial lending, ensuring they can thrive while maintaining a prudent approach to lending.  

Comprehensive Credit Analysis 

The cornerstone of any sound underwriting process is conducting a comprehensive credit analysis. This involves digging deep into the current financial health of the borrower, their business, and the industry they operate in. By meticulously assessing factors like cash flow, collateral, and credit history, you can gain a clearer picture of the borrower’s ability to repay the loan. 

Moreover, consider working with an experienced outsourced credit underwriting service like Y&A Credit Services to ensure you have access to the latest data, analytical tools, and expertise in evaluating commercial loans. Our team of experts can assist from reviewing your analysis to completely underwriting the transaction, ensuring you have all the information to help you make informed lending decisions. 

Diversification of Loan Portfolios 

Diversification is a risk management principle that rings true in commercial lending as well. By diversifying your loan portfolios across various industries and business types, you can reduce your exposure to sector-specific risks. A balanced mix of loans in manufacturing, real estate, healthcare, and other sectors can help buffer your institution against economic downturns that may affect a particular industry. 

Loan Covenants and Monitoring 

Establishing clear and enforceable loan covenants is another key step in limiting underwriting risk. These covenants set out the terms and conditions under which the borrower must operate and repay the loan. Regularly monitoring the borrower’s compliance with these covenants and requesting the most current information from your borrower is equally important. It allows you to detect early warning signs of financial distress and take corrective action sooner when you have more options for a successful outcome for both your borrower and your institution. 

Loan Portfolio Stress Testing 

In an ever-changing economic landscape, stress testing is an invaluable tool for gauging how your loan portfolio would perform under adverse conditions. By modeling various scenarios against your portfolio, you can assess your institution’s vulnerability to economic shocks and make proactive adjustments to your lending practices. 

Ongoing Training and Education 

Staying up to date with the latest industry trends, regulations, and best practices is essential. Encourage your staff to engage in ongoing training and education programs related to commercial lending and underwriting. This ensures that your institution’s underwriting processes remain current and effective. 

Regular Commercial Loan Underwriting Reviews 

To maintain the health of your loan portfolio, it’s crucial to conduct regular reviews of your commercial loan underwriting practices. This ensures that your institution’s standards and processes align with the evolving landscape of commercial lending. It also allows you to make necessary adjustments and refinements to minimize underwriting risks continuously. 

Outsourcing Commercial Credit Underwriting 

Third party assistance for commercial credit underwriting can be a strategic move to ensure the accuracy and effectiveness of your underwriting processes and relieve your institution of the need to maintain an up-to-date full-time staff.   Professional outsourced services, like Y&A Credit Services, offer expertise, access to advanced analytical tools, and an impartial perspective, helping your institution make sound lending decisions and maintain high underwriting standards.  These services can be implemented from fully outsourced to fractional, helping assist during peaks in volume.  

Y&A Credit Services’ Guidance in Commercial Underwriting 

Mitigating underwriting risk in commercial lending stands as a pivotal cornerstone for upholding the financial health and stability of community banks and credit unions, especially in the wake of the industry upheaval earlier this year. By implementing comprehensive credit analysis, diversifying loan portfolios, enforcing loan covenants, conducting stress tests, and investing in ongoing training, regular reviews, and outsourcing, you can confidently navigate the complexities of commercial lending while minimizing risks and enhance your institution’s lending capabilities. 

At Y&A Credit Services, we understand the importance of risk management in commercial lending, and we’re here to guide you through the process. Our outsourced credit underwriting services are designed to provide community banks and credit unions with the expertise and resources needed to make sound lending decisions. Together, we can build a more secure lending future for your institution, helping our communities one loan at a time. 

Contact us today to learn how we can help. 

Connect with a Consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution

Ask a Question