Key Insights from the OCC Semiannual Risk Perspective (Fall 2024)

Top Trends in Banking Risks

The OCC’s report emphasizes maintaining sound risk management practices to address growing challenges:

  • Fraud Activity: External fraud schemes targeting consumers and banks are rising. Sophisticated tactics, including AI-driven fraud, demand enhanced detection and prevention measures.
  • Credit Risks: Commercial real estate (CRE) remains a focal point, with stress in office and luxury multifamily segments. Retail credit risks are stable but show signs of increased delinquencies in auto loans and credit cards.
  • Operational Risks: Cybersecurity and third-party risks are elevated, reflecting the increasing complexity of the banking environment.
  • Compliance Pressures: Adapting to dynamic regulatory changes and addressing data governance gaps are critical to ensuring compliance.

Fraud and Cybersecurity: A Call for Action

Fraudulent activities targeting the banking system have surged, driven by innovative schemes such as:

  • Wire Transfer Fraud: Fraudsters impersonate trusted entities to steal funds.
  • Check Fraud: Criminals manipulate stolen checks or sell them on dark web platforms.
  • AI-Driven Attacks: Deepfakes and AI-enhanced social engineering pose new threats.

What Banks Can Do:

  • Implement advanced fraud detection systems.
  • Educate customers about fraud prevention.
  • Strengthen authentication and transaction monitoring systems.

Credit Risk: Stabilizing but Uneven

The report identifies pockets of credit risk:

  • Commercial Real Estate (CRE): Stress is evident in the office sector, with rising costs and valuation declines. Multifamily CRE faces challenges from oversupply and increased regulatory expenses.
  • Retail Credit: Stable overall but experiencing increased delinquencies in credit cards and auto loans.

What Banks Can Do:

  • Conduct regular stress testing for CRE portfolios.
  • Enhance monitoring and adjust allowances for credit losses based on emerging risks.

Operational Resilience and Technology Adoption

The banking sector is rapidly digitizing, adopting new technologies to meet evolving customer needs. However, these advancements come with heightened risks:

  • Third-Party Risks: Increased reliance on fintech partnerships expands the cyberattack surface.
  • Legacy System Challenges: Aging infrastructure complicates modernization efforts.
  • AI Adoption: Compliance risks are significant as banks explore advanced AI applications.

What Banks Can Do:

  • Strengthen third-party risk management frameworks.
  • Invest in post-quantum encryption and legacy system upgrades.
  • Implement comprehensive governance for AI-based tools.

Market and Climate-Related Financial Risks

Banks face dual pressures from market dynamics and climate-related risks:

  • Net Interest Margins (NIM): Higher funding costs are compressing margins, requiring strategic adjustments.
  • Climate Impact: Increased natural disasters highlight the importance of climate risk management frameworks.

What Banks Can Do:

  • Focus on liquidity stress testing and modeling depositor behavior.
  • Engage with clients to manage climate-related transition risks effectively.

Economic Outlook: Challenges Ahead

The U.S. economy remains resilient but shows signs of slowing:

  • Housing Market: Affordability issues and “rate lock-in” effects are dampening demand.
  • Consumer Spending: Despite strong spending in 2024, rising costs and a cooling labor market could create headwinds.

Preparation Tips:

  • Monitor consumer credit health closely.
  • Adapt lending standards to evolving economic conditions.

Staying Ahead in a Dynamic Environment

The OCC’s Fall 2024 Semiannual Risk Perspective outlines a roadmap for navigating complex risks in the federal banking system. Financial institutions should prioritize robust fraud prevention, proactive credit risk management, and strategic technology adoption. By addressing these challenges, banks can safeguard their operations and thrive in an ever-changing economic landscape.

Explore More:
Discover how Young & Associates can help your institution mitigate risks, strengthen compliance, and enhance operational resilience. Contact us today for tailored solutions to navigate these challenges effectively. Sign up for our newsletter to stay informed about industry insights and updates.

2025 Rescission Calendar – Free Download Now Available

The right of rescission, governed by Regulation Z under the Truth in Lending Act (TILA), remains a cornerstone of consumer protection in the lending industry. For financial institutions, ensuring compliance with rescission rules is not only a regulatory requirement but also a reflection of their commitment to protecting borrowers’ rights. However, the intricacies of rescission—covering timing, disclosure requirements, and exceptions—can make this area of compliance challenging for many lenders.

To support your institution in navigating these complexities, Young & Associates is proud to offer a free downloadable Rescission Reference Chart, designed to simplify compliance with rescission rules.

What Is the 3 Day Right of Rescission?

The right of rescission provides consumers with the ability to cancel certain credit transactions that involve a lien on their principal dwelling. This cooling-off period, typically three business days, is intended to allow borrowers time to evaluate the terms of their transaction without pressure. While the concept is straightforward, compliance involves navigating strict rules related to timing, notification, and disclosure.

Does Presidential Inauguration Day Affect Rescission Periods?

No. While federal employees in the Washington, DC area are granted a holiday on Presidential Inauguration Day (January 20th), this holiday applies only to those “employed in” the designated Inauguration Day Area and does not affect rescission periods.

According to § 1026.2(a)(6) of Regulation Z, a “business day” for rescission purposes is defined as all calendar days except Sundays and the legal public holidays listed in 5 U.S.C. 6103(a), such as New Year’s Day, Martin Luther King Jr. Day, Washington’s Birthday, and others. Inauguration Day is not among these specified legal public holidays and therefore does not impact rescission timelines.

Common Challenges in Rescission Compliance

Despite its importance, rescission often presents challenges for financial institutions. Here are some common issues:

  1. Identifying Covered Transactions
    Not all transactions are subject to rescission. Determining whether a loan qualifies—such as refinances or home equity lines of credit—requires careful evaluation of loan terms and lien positions.
  2. Proper Timing of the Rescission Period
    The rescission period must be calculated accurately, taking into account business days and excluding holidays. Miscalculations can result in compliance violations.
  3. Providing Accurate and Timely Disclosures
    Borrowers must receive clear and complete rescission notices and required disclosures at the time of closing. Any inaccuracies can extend the rescission period or expose the lender to liability.
  4. Handling Rescission Notices
    If a borrower exercises their right to rescind, lenders must act swiftly to return funds and terminate the lien within 20 calendar days. Delays or errors in this process can lead to penalties.

How Do You Calculate a 3 Day Rescission Period?

The rescission period typically begins the business day following the signing of loan documents and ends at midnight on the third business day.

How the Rescission Calendar Can Help

Young & Associates’ Rescission Reference Chart is a comprehensive tool that simplifies the complexities of rescission compliance. This chart provides:

  • A clear breakdown of covered and exempt transactions.
  • Guidelines for accurately calculating the rescission period.
  • Tips for ensuring proper disclosure and handling rescission notices.

Whether you’re training new staff or refreshing your understanding of rescission rules, this chart offers a practical and easy-to-use resource to enhance your compliance program.

Why Rescission Matters

Non-compliance with rescission rules can result in extended rescission periods, regulatory scrutiny, or even legal action. By ensuring your institution has a solid grasp of rescission requirements, you not only avoid potential risks but also reinforce your reputation as a trusted and reliable lender.

Download Your Free Rescission Reference Chart Today

Young & Associates is dedicated to helping financial institutions like yours maintain compliance while streamlining operations. Our Rescission Reference Chart is just one of the many tools we offer to support your success. Equip your team with the knowledge and tools they need to navigate rescission with confidence. With Y&A by your side, you can focus on serving your customers while staying compliant with ease.

Market Shifts & Margin Pressures

By Michael Gerbick, President, Young & Associates

On Thursday, November 7, 2024, Jerome Powell and the FOMC (Federal Open Market Committee) announced a 25 basis point (bp) reduction of the federal funds rate, just after they announced a 50 bp cut in September. September’s rate reduction was the first time the Fed had cut rates since March 2020. Consider the last several years regarding interest rates: rates dropped to zero in the face of a pandemic, rates skyrocketed 550 bps resulting in an inverted yield curve spanning years, and now another shift in monetary policy.

To provide a visual display of this environment, please view the yield curve over the last few years and then just after the announcement of the latest rate cut on November 7, 2024. Between July 2022 and August 2024, the 10-year bond yield was less than the 2-year yield, indicating an inverted yield curve. In the November 8, 2024 curve, you can see the yield on the 2-year bond below that of the 10-year. The shift in the yield curve has been incredible. Consider the decisions made around each of these points in time at your institution.

US Treasury Yield Curve

This rate environment and the decisions made within it are impacting banks everywhere, especially community financial institutions. Decisions on how best to retain and grow deposits have impacted balance sheets and income statements during this time. It is well known that consumers were placing their money in certificates of deposit (CDs) as rates rose and continued to move their funds to these higher yielding deposit accounts, even after the Fed’s last hike in 2023. The charts below utilize call report information from S&P Global for commercial banks and reveal the deposit mix shift between non-maturity deposits and CDs over the last year. Segmenting CD deposit data from commercial banks by asset size, one can see the shift in the deposit mix has been the most significant for community banks with less than $1B in assets.

CDs as % of Total Deposit Shift September 2023 to September 2024

These CDs will mature; the following chart shows the majority of these maturities will take place in the next year (+84%), with nearly 30% maturing by year end 2024.

% of CDs Maturing in 3 Months and 3-12 Months from September 2024

The deposit shift to CDs is not only more costly to community financial institutions, raising their cost of deposits and ultimately adding pressure to their Net Interest Margin; CDs can also be more volatile than traditional non-maturity deposits, with savvy depositors more willing to move their deposit relationship to the institution with the highest yielding return. In addition, the data in the charts show this deposit shift is more significant for the smaller community banks, which have less of an opportunity to reprice in the shorter term than the other community commercial banks.

Many of our community bank colleagues are very much aware of these rising costs and are actively pursuing all resources (including each other) on how best to manage this aspect of the balance sheet. In May 2024, the FDIC released its Annual Risk Review and in June 2024 the OCC released its Semiannual Risk Perspective, both outlining significant trends and risks in the banking industry. Among the critical sections in each, the analysis of market risks stands out, particularly for community financial institutions. Both articles have common themes; I’ll break down some important insights from the reports and how they may impact your institution and its strategy in the coming months and years.

Liquidity, Deposits, & Funding: A Shifting Landscape

Reinforcing the analysis earlier in this article, the OCC and FDIC both indicate 2023 saw an increase in the cost of funds for banks as community banks reacted to the rising rate environment and to more savvy consumers. For community banks, which typically have smaller balance sheets and lean heavily on customer relationships, the stability of insured deposits has been a positive. However, the growing trend of depositors seeking higher yields has led to a shift from traditional savings accounts to CDs and other high-yielding options.

This shift puts upward pressure on interest expenses, a trend community financial institutions are already feeling. In fact, CDs accounted for 26% of median of all FDIC bank deposits at the end of 2023, compared to 19% the previous year. To remain competitive and retain deposits, community banks are raising deposit rates, which in turn increases their cost of funds.

For community banks that have traditionally benefited from lower-cost deposits, this shift represents a double-edged sword—depositors are seeking better returns, but retaining those deposits requires higher costs. The challenge will be finding a balance between offering attractive rates to depositors and managing interest expenses.

Addressing Deposit Competition

To combat this competition, community financial institutions need to focus on differentiating the value they provide beyond rates. Here are some approaches you may find value in pursuing:

  • Tiered Deposit Products: Offering tiered-rate accounts for different deposit levels or durations can help incentivize customers to commit their funds for longer periods while minimizing the impact on your cost of funds.
  • Relationship Banking: Unlike larger institutions, community banks can leverage personal relationships with customers. Offering value-added services such as financial planning or personalized advisory services can deepen customer loyalty, encouraging them to keep their deposits with your institution even if competitors offer slightly higher rates. This applies to new lending relationships too: prioritize getting the customer’s deposit relationship as the new loan is established.
  • Community Initiatives: Reinforce your brand of being an active member of the community. Consider leveraging the relationship banking discussed above; partner with these businesses to sponsor local fundraisers together. Consider avenues to reinforce your commitment to the community with other members of the community. This can not only build loyalty but also emphasize the bank’s role in the community, creating a compelling reason for customers to stay and others to start a relationship with you.

Increased Reliance on Wholesale Funding

Liquidity pressures in 2023 forced banks, especially community institutions, to turn more heavily to wholesale funding to meet liquidity needs. This is especially concerning for community banks that have historically relied on stable local deposits. The FDIC report noted that liquid assets at community banks declined alongside loan growth, driving a reliance on wholesale sources to fund assets. By the end of 2023, 19% of total assets at community banks were funded by wholesale sources, the highest level since 2017.

Wholesale funding often comes with higher costs and introduces funding risk, particularly in periods of market stress. Community banks need to carefully manage this balance, ensuring they have access to cost-effective liquidity while avoiding over-reliance on wholesale sources that could pose risks if market conditions deteriorate.

Net Interest Margins & Interest Rate Risk

Margin Compression & Variability Among Banks

Both the OCC’s and FDIC’s reports make it clear that NIM compression is a concern. Although the median NIM increased slightly to 3.45% in 2023, this masks the deeper issue: funding costs—particularly deposit rates—are rising faster than loan yields, minimizing the yield gains on the assets. Many community banks saw margin compression as the cost of funds outpaced asset yields.

The FDIC report highlights that smaller community banks with less than $100 million in assets generally fared better than others, with 70% of these institutions reporting higher NIMs comparing 2022 to 2023. This is likely due to their ability to maintain stronger liquidity positions and avoid the sharp increases in funding costs that larger institutions faced. However, even smaller banks are not immune to the challenges posed by rising interest rates, and they may find their NIMs under pressure in the coming quarters as deposit costs continue to rise.

Strategies for Managing the Squeeze

  • Balancing Deposit & Loan Pricing: The traditional method of managing NIM by lowering deposit rates or raising loan rates may no longer provide the same value it did in the past. Community banks can explore variable-rate loan products with rate floors, which allow for automatic adjustments as interest rates rise and have some protection as rates decline. This provides a hedge against rising funding costs.
  • Dynamic Pricing Models: Incorporating dynamic pricing strategies for both deposits and loans can help strike the right balance between growth and profitability. For instance, a Midwest community bank adopted a step-up CD product, which started with a competitive rate that increased over time, providing both flexibility for depositors and predictability for the bank’s funding costs.
  • Strategic Use of Securities Portfolios: To manage asset-liability mismatches, community banks can strategically deploy their securities portfolios. If the bank has excess liquidity, consider investing in current higher rate securities. Many banks invested in securities prior to the most recent rising rate environment and have unrealized losses. Although realizing a significant loss on the sale of your securities is not ideal, banks should have discussions internally concerning their portfolio, the payback period if a loss is realized, and the most prudent path forward for their institution.

Interest Rate Risk Environment Remains High

For community banks, interest rate risk (IRR) has become an increasingly critical issue. The FDIC’s report points to the elevated share of long-term assets held by these institutions, which could constrain future NIM growth. As interest rates rose rapidly in 2022 and 2023, some community banks began selling off lower-yielding securities to reinvest in higher-rate assets. The OCC report calls out that unrealized losses in held-to-maturity portfolios declined in the fourth quarter of 2023, but remained elevated at 11.5 percent. This security management strategy was mentioned earlier in this article and, if implemented, should be tightly monitored so as to minimize the impact and risk of any realized losses on those securities.

The OCC’s report discusses the uncertainty of the rate environment and depositor behavior prior to the Fed acting and reducing rates. It states:

Uncertainty regarding the rate environment and depositor behavior over the next 12 to 24 months increases the importance of stress testing and sensitivity analysis of deposit assumptions. Given uncharted depositor behavior and rate sensitivity observed during the recent increasing rate environment, prudent risk management would include interest rate risk and liquidity stress-testing scenarios that assume higher than expected deposit competition, resulting in higher-than-expected deposit pricing regardless of rate movement direction.

Well-developed assumptions are key to IRR management and modeling. With a declining rate environment, community banks may want to assume more conservative betas in their repricing assumptions.

Strategic Takeaways for Community Banks

So, what can community financial institutions do based on the data in the OCC and FDIC’s Reviews?

  • Diversify Funding Sources: The increasing reliance on wholesale funding is costly for community banks. Exploring alternative funding sources or solidifying relationships with local depositors may help mitigate future liquidity pressures.
  • Focus on Asset-Liability Management (ALM): With interest rate risk remaining high, it is critical for community banks to develop more dynamic asset-liability management strategies. Refining the ALM modeling deposit beta assumptions and monitoring the shift of the deposit mix can help to improve forecasts and reduce the risk of negative financial impact. In addition, reinvesting proceeds from lower-yielding securities at higher rates can help but must be carefully managed to avoid significant losses.
  • Manage Interest Expenses: Even with the Fed reducing rates a total of 75 bps in the last few months, the competition for deposits remains fierce, and many community banks will need to continue offering higher rates to retain customer funds. While this will delay the full impact of cost relief from the Fed’s rate reduction, thoughtful pricing strategies and maintaining a strong loan portfolio could help offset these expenses.

From Stress to Success: Stay Agile, Stay Informed

As community financial institutions adjust to the Fed’s 50 bps and 25 bps rate reductions and face the challenges outlined in both the FDIC’s 2024 Risk Review and the OCC’s Semiannual Risk Perspective, it is clear that agility and innovation will be key to success. The market risks—ranging from deposit competition and NIM compression to liquidity pressures—are significant, but with strategic thinking and proactive management, community banks can navigate these challenges and continue to thrive. With proactive strategies focused on liquidity management, asset-liability alignment, and cost control, community financial institutions can navigate these turbulent waters and position themselves for success in 2024 and beyond.

For community banks, the key takeaway is clear: stay agile, monitor funding costs closely, and adopt risk mitigation strategies that balance growth with stability. By doing so, these institutions can continue serving their communities and remaining resilient in the face of economic uncertainty.

For over 45 years, Young & Associates has guided community financial institutions through shifting market risks. Whether it’s capital planning, liquidity management risk reviews, or interest rate risk management reviews, our team is here to ensure your institution stays agile and ready to adapt to evolving market conditions. Contact us to learn more about how we can support your success.

Bridging the Small Business Lending Gap

How Technology Shapes the Future for Community Financial Institutions

By Ollie Sutherin, Chief Financial Officer, Young & Associates

The challenges posed by the COVID-19 pandemic are no surprise to anyone in the financial services industry, least of all to the small business owners across the country. However, concerns around small business lending were growing well before the pandemic and continue to rise, particularly for community financial institutions (CFIs). The evolution of technology has introduced a unique set of challenges and opportunities for CFIs, often seen as a double-edged sword: it both undermines the traditional values CFIs are known for and opens up a vital path to remaining competitive.

Historically, community financial institutions have built their foundation on personal relationships and tailored, customer-first service. It’s this “high-touch” approach that has endeared CFIs to their communities. However, as a new generation of small business owners emerges, so too does the demand for efficiency, automation, and immediate access to capital. In today’s fast-paced business environment, entrepreneurs are less interested in handshake deals and more focused on solutions that save them time and hassle. This shift in expectations is being effectively capitalized upon by fintech companies and larger financial institutions.

The Rise of Technology in Small Business Lending

For many entrepreneurs, the path to success hinges on one critical element: access to capital. Yet, what was once a deeply relational process—built around trust, face-to-face meetings, and careful consideration—has been revolutionized by technology. Today’s small business owners want quick answers. They want the loan process to be as streamlined and efficient as possible. Fintechs and large banks have answered that call by offering tech-driven solutions that not only provide rapid loan decisions but also reduce administrative burdens on both sides of the equation.

The ability to upload financial documents, run credit checks, and aggregate tax returns through automated platforms has cut out many of the manual processes that used to consume weeks or even months in the lending cycle. Fintech innovations use predefined input criteria to spread tax returns, perform credit analysis, and score loan requests—almost instantly. These advances have reduced the reliance on human loan officers and credit teams, who once reviewed each file manually, often delaying decisions and requiring more information from business owners. This high-tech, low-touch approach is particularly appealing to time-strapped small business owners.

The Technology Investment Gap

While fintechs and large institutions are surging ahead, many community financial institutions are lagging behind in terms of technological investment. A significant factor is the stark difference in budgets allocated to technology. Reports indicate that many CFIs dedicate only 3-5% of their total budget to tech solutions, compared to the 10% or more that larger institutions consistently invest. This discrepancy is further widened when considering that large financial institutions often invest in proprietary technologies that require ongoing development and maintenance, allowing them to stay on the cutting edge.

Fortunately, this doesn’t mean community institutions are left without options. Many vendors now offer solutions tailored specifically to CFIs, and these technological tools can be integrated as add-ons to existing products. These systems give CFIs the ability to provide faster decisions, greater transparency, and a smoother experience for small business clients—all without requiring massive investments in proprietary systems.

The Path Forward for CFIs

So, where does this leave community financial institutions in the rapidly evolving small business lending landscape? The answer lies in striking a balance between the traditional values that define CFIs and the technological advancements necessary to compete in today’s marketplace. CFIs possess a unique advantage that fintechs and large banks cannot easily replicate: a deep connection to their local communities and a personal touch that resonates with customers.

By leveraging technology to streamline processes while preserving the relationship-focused nature of their services, CFIs can offer the best of both worlds. Automated loan processes reduce friction and save time for both lenders and borrowers, but the human element—offering personalized advice, local expertise, and building trust—remains critical. This “high-tech, high-touch” approach enables CFIs to retain their core values while meeting the evolving demands of small business owners.

Conclusion: A Double-Edged Sword

Ultimately, the gap in technological investment presents both a challenge and an opportunity for community financial institutions. To remain competitive in today’s lending environment, CFIs must embrace technology without abandoning the personal service that sets them apart. The future of small business lending will depend on the ability of community institutions to wield this double-edged sword—combining the efficiency of streamlined processes with the warmth and trust of personal interaction. By doing so, CFIs will not only bridge the technology gap but also deepen relationships with their clients, ensuring they remain a trusted partner in their communities for generations to come.

If you have questions or would like to discuss how Young & Associates can help your institution tackle its lending challenges, contact us today. Together, we can find the solutions that best fit your needs and ensure your continued success.

Managing Customer Complaints Is Important to an Effective CMS

By William J. Showalter, CRCM, Senior Consultant, Young & Associates

Financial institution supervisory agencies view a formal process for managing complaints from bank customers as an important element in an effective compliance management system (CMS). In fact, the second 2024 issue of the Consumer Compliance Outlook publication from the Federal Reserve Board (FRB) includes three articles on this subject.

The FRB is quoted in one of these articles in an unequivocal statement on this issue:

“Consumer complaints are a critical component of the risk-focused supervisory program. The Federal Reserve uses data on consumer complaint activity in its supervisory processes when monitoring financial institutions, scoping and conducting examinations, and analyzing applications.”

The other federal agencies agree with this viewpoint. So, banks and thrifts have found that, if they do not handle customer complaints in a formal, consistent manner, their CMS will be viewed with a more critical eye.

Benefits of Managing Complaints

One positive aspect of proactively managing the customer complaint process is there is no real downside. The only “downside” is that such a process shines a light on the extent of complaints, and their underlying causes. But, this disadvantage is actually an advantage. What you don’t know really can hurt you.

The positive results from complaint management can include:

  • Uncovering and dealing with shortcomings in product features, bank processes, customer service, and other issues at an early stage, before they grow to a point that they present real threats to the institution
  • Improving customer satisfaction with the bank, and enhancing the bank’s efforts to serve the banking needs of its community
  • Resolving fair treatment issues at an early stage
  • Realigning bank products, processes, and services with regulatory requirements and expectations
  • Heading off potential UDAAP (unfair, deceptive, or abusive acts and practices) issues
  • Reducing the institution’s reputation risk.

Managing Customer Complaints

The bank already has formal processes, with assigned responsibilities, for handling errors/disputes asserted by customers related to electronic banking (Regulation E, EFTA), open-end credit (Regulation Z, TILA), and mortgage loan servicing (HUD Regulation X, RESPA). Appropriate treatment of complaints in these areas is mandated by the respective regulations.

However, a formal process to address customer complaints in other areas – both those received directly from customers and those referred by the regulators – is considered an industry best practice, as well as a necessary component of an effective CMS by regulators. The structure of this program will vary depending on the culture of the bank and other internal factors. But, there are some common elements that form the basis of any sound customer complaint program, including:

  • Define what is considered as a “complaint.” This is considered as crucial to success in this area, so defining “complaint” broadly is usually seen as a sound practice.
  • Make sure everyone knows how important it is to respond promptly and accurately to any customer complaints. This is a basis for giving good customer service.
  • Appoint a central point (an individual or an office) to be in charge of your complaint response program, especially those referred by the regulators – and make sure that all bank staff is aware of how to handle complaints, including where to refer them. Branch managers can be charged with handling customer service issues occurring at their branches that do not involve regulatory issues (fair lending, EFTA, etc.). However, they should report on these complaints and resolutions to the central complaint point for tracking of any trends that may arise.
  • Establish uniform standards and timeframes for investigating customer complaints. The time limits you set should be reasonable and probably not significantly longer than those set by regulations for some error resolutions (EFTA, TILA).
  • Ensure that the process includes determining the root cause of complaints being investigated.
  • Document your investigation (e.g., copies of relevant documents and reports) of each customer complaint and the bank response.
  • Ensure that regulators are informed promptly of the results of investigations of any complaints referred by regulatory agencies.
  • Maintain a database of your customer complaints, either manually or using some spreadsheet or database software. This step allows you to mine the data related to this process for information about problems with your products, customer service, potential fair treatment/lending issues, and so forth.

Results

The database discussed in the final bullet above can provide a wealth of information about how customers view your bank, your product mix, your service levels, and many other facets of your business. It also provides you with an opportunity to discern trends in their infancy, allowing you to deal with negative issues early or enhance the benefits from positive developments.

A proactive approach to customer complaint management yields many benefits for the bank, not the least of which are reducing conflicts with customers, enhancing the bank’s public image, improving bank relations with regulators, and creating a competitive advantage for the bank.

The Newest Supervisor

For the past decade or so, there has been a more active and visible regulatory presence in this area – the Consumer Financial Protection Bureau (CFPB). The CFPB established a complaint database to which consumers can submit complaints about financial service providers, have their complaints forwarded to the providers for response, and give the public a window on this process and its outcomes.

The CFPB also periodically analyzes the results of this process, usually for one particular financial service area at a time: student loans one time, mortgage servicing another, and yet another financial service the next. The other agencies, as noted earlier, analyze data related to consumer complaints that are handled through each of them.

The agencies often view data about consumer complaints to be an indicator of a need for future regulations. This view is reinforced by provisions in the Dodd-Frank Act of 2010.

The purpose of the CFPB database is to provide consumers with one central point through which they can submit complaints about financial service providers, without having to search through the maze of regulatory agencies first, and through which they can follow the results. Another purpose is to provide a gauge for how well financial service providers are serving their particular customer bases.

While the CFPB database can be a useful tool, financial institutions should have a goal of trying to deal with their own customers’ complaints and concerns themselves, before customers become so frustrated that they feel the need to turn to supervisory agencies.

At Young & Associates, we understand the critical role that managing customer complaints plays in building an effective compliance management system. Our full suite of regulatory compliance consulting and advisory services is tailored to the unique needs of community financial institutions, ensuring you can navigate complex regulatory requirements with confidence. Whether you need compliance outsourcing, assistance through our Virtual Compliance Consultant Program, compliance management reviews, or risk assessment facilitation, we’re here to help. Let us simplify your compliance processes so you can focus on achieving your strategic goals. For more information, please contact us today.

CRE Stress Testing for Banks: A Crucial Tool in a Post-COVID World

By Jerry Sutherin, CEO at Young & Associates

Despite having limited requirements as defined by interagency guidance, the case can be made for requiring community financial institutions to have regular stress tests performed on their commercial real estate loan portfolios.

Emerging Challenges in Commercial Real Estate Lending

Recent post-COVID events have resulted in heightened concern among regulators about commercial real estate. Most notably, interest rates increased 525 bps from March 2022 through July 2023, and this correlates with the level of commercial loan delinquencies over that same period, as noted in the chart below. This is further exacerbated by the “work from home” culture and by office vacancies increasing over the same period.

The ultimate impact on the commercial real estate sector is weaker NOIs, coverage ratios that are insufficient to meet loan covenants, higher Cap Rates, and lower valuations. For those loans locked into a lower rate, the issue now becomes: what happens when loans mature or reset? That is occurring now.

[Chart: CRE Composition and Delinquency at US Banks. Source: S&P Global]

Regulatory Expectations for Bank Stress Testing

Regulatory expectations for community bank stress testing initiatives have been set in both formal regulatory guidance and through more informal publications and statements. An interagency statement was released in May 2012 to provide clarification of supervisory expectations for stress testing by community banks.[1]

The issuance specifically stated that community banks are not required or expected to conduct the types of enterprise stress tests specifically articulated for larger institutions in rules implementing Dodd-Frank stress testing requirements, the agencies’ capital plan for larger institutions, or as described in interagency stress testing guidance for organizations with more than $10 billion in total consolidated assets.

OCC Guidance on Stress Testing Practices

However, in October 2012, the OCC provided additional guidance to banks on using stress testing to identify and quantify risk in the loan portfolio and to help establish effective strategic and capital planning processes.[2] The guidance reiterated that complex, enterprise-wide stress testing is not required of community banks, but also states that some stress testing of loan portfolios by community banks is considered to be an important part of sound risk management.

In the guidance, the OCC does not endorse a particular stress testing method for community banks; however, the guidance also discusses common elements that a community bank should consider, including asking plausible “what if” questions about key vulnerabilities; making a reasonable determination of how much impact the stress event or factor might have on earnings and capital; and incorporating the resulting analysis into the bank’s overall risk management process, asset/liability strategies, and strategic and capital planning processes.

The OCC bulletin also provides a simple example of a stress testing framework for community banks. In the summer of 2012, the FDIC also provided further guidance related to community bank stress testing in the Supervisory Insights Summer Edition.[3]

Interagency Guidance on Commercial Real Estate Risk

Perhaps the most significant piece of guidance related to loan portfolio stress testing for community banks is the 2006 interagency Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices.[4] The continuing importance of and regulatory emphasis on this guidance was made clear in December 2015 when the interagency Statement on Prudent Risk Management for Commercial Real Estate Lending[5] was released, which reiterated the importance of the principles described in the 2006 CRE Guidance.

The 2006 CRE Guidance describes several important practices for effectively managing the risks associated with CRE lending, especially concentration risk. Portfolio stress testing of the CRE portfolio is described as a critical risk management tool for institutions with CRE concentrations.

Examiner Expectations for Portfolio-Level Stress Testing

While community banks have not been pushed to perform the enterprise-wide stress testing that the above guidance specifically states is not expected of them, examiner expectations for portfolio-level loan stress tests have continued to increase over time and are becoming more prevalent during a bank’s recurring exams. These expectations are centered on portfolios that represent significant concentrations and, given the perceived level of risk and the existence of the 2006 CRE Guidance, are therefore most focused on CRE portfolios.

A reasonable and well-documented approach to CRE portfolio stress testing, undertaken at appropriately frequent intervals such as on an annual basis, is the most effective way for community banks to meet examiner expectations and to contribute toward effective risk management of CRE concentrations.

Regulatory Criteria for CRE Concentration Risk

The guidance also states that strong risk management practices (with stress testing being one of the most important) and appropriate levels of capital are important elements of a sound CRE lending program, particularly when an institution has a concentration in CRE loans. The guidance then lays out the criteria regulatory agencies utilize as a preliminary means of identifying institutions that are potentially exposed to significant CRE concentration risk:

  1. Total reported loans for construction, land development, and other land represent 100% or more of total capital, or
  2. Total commercial real estate loans (as described above) represent 300% or more of the institution’s total capital, and the outstanding balance has increased by 50% or more during the prior 36 months.

[Chart: Concentration Levels]

The guidance is clear that these thresholds do not constitute limits on an institution’s lending activity and are instead intended to function as a high-level indicator of institutions potentially exposed to CRE concentration risk. Conversely, being below these thresholds also does not constitute a “safe harbor” for institutions if other risk indicators are present such as poor underwriting or poor performance metrics such as deteriorating risk rating migration and delinquency.

Case Study: Loan Portfolio Concentration Levels

As noted in the example above, the figures indicate that the Bank does not have a high level of construction and land development loans, as the balances do not exceed the 100% threshold level as a percentage of total capital. However, the Bank has exceeded the 300% threshold of non-owner-occupied real estate loans as calculated under the 2006 CRE Guidance. Additionally, the Bank’s three-year growth rate in this category was 72.7%, which is greater than the 50% reference level that constitutes the second part of the two-part regulatory test for a heightened concentration in this category.

Impact of Loan Acquisitions

It should also be noted that regulatory guidance does not differentiate between organic growth and commercial real estate growth via acquisition. Therefore, all such acquired loans do affect the ratios noted in the concentration chart above.

Loss Estimation in Bank Stress Testing

The basic premise for any stress test modeling is to identify moderate / high loss estimates and the impact to capital on a loan-level basis as well as portfolio-wide. While some community banks provide some stress testing on a transactional basis at origination, the output is typically limited to scenarios that focus primarily on future interest rate fluctuations.

CRE stress test modeling, on the other hand, allows for an organization to gauge potential losses of the CRE portfolio using internal core loan-level data as well as call report data while factoring in other variables that could influence the ultimate collectability of commercial real estate loans.

Loan-Level or Bottom-Up Stress Testing

The bottom-up or loan-level portion of the stress test estimates losses under the stress scenarios on a loan-by-loan basis. The loan selection is typically a function of the desired penetration identified by the organization and is comprised mostly of larger transactions with a sampling of newer originations and adversely risk rated transactions.

In this portion of the analysis, various stress factors are applied to the NOI, collateral value, and interest rate for each loan identified by the Bank. This information, coupled with the transaction’s debt service coverage, liquidation costs, and Cap Rates, helps form a possible loan-level loss for each loan in moderate and high-risk scenarios.

Top-Down Stress Testing

To ensure that the entire CRE portfolio is stressed, a useful model would use a top-down loss estimation method to “fill in” losses on the remaining portfolio for which loan-level information was not provided. This is accomplished by comparing the total balances for which loan-level data was provided in each of the various categories (construction and land development, multifamily, and all other non-owner occupied CRE) to the Bank’s call report. Losses are estimated on the amount of exposure for which loan-level information was not provided by applying a top-down loss rate.

The Moderate and High Stress Scenarios below are determined by applying the loss rates included in the stress test example in the 2012 OCC guidance on community bank stress testing. These loss rates represent two-year loss rates, consistent with the OCC’s stress testing guidance.

[Chart: Top-Down Loss Rates]

Enhancing Portfolio Oversight and Credit Risk Management

Collectively, the “bottom-up (loan level)” and “top-down” moderate and high stress scenarios provide a global overview of a bank’s CRE portfolio and its potential impact on capital. Although this is not a replacement for an enterprise-wide stress test, it allows a bank to provide its management, Board of Directors, and regulators with some context for the estimated losses in this segment of its loan portfolio, while also serving as an effective supplement to its internal or third-party loan review.

Historically speaking, any situation in which significant weakness is experienced in critical market and economic factors will result in credit losses that are elevated above those that a bank experiences in “normal” times if unprepared. There is no replacement for appropriate credit administration; however, all banks should always utilize tools such as stress testing to enhance their oversight of the metrics behind their CRE portfolio.

The performance of any financial institution and ultimately their ongoing safety and soundness are dependent on the performance of the Bank’s CRE portfolio. It is critical that management and the board of directors ensure that the Bank emphasizes effective implementation of the risk management elements discussed in the 2006 CRE Guidance. These elements include:

  • Continued effective board and management oversight,
  • Effective portfolio management,
  • Ensuring that management information systems are able to provide the information necessary for effective risk management,
  • Performing periodic market analysis and stress testing,
  • Regularly evaluating the appropriateness of credit underwriting standards, and
  • Maintaining an effective credit risk review function.

If a financial institution is successful in these endeavors, their CRE loan portfolio should continue to contribute positively to their performance. Accordingly, I am a proponent of all community financial institutions having a stress test performed regularly to ensure the performance of that segment of their loan portfolio as well as the entire organization.

Partner with Young & Associates for Expert CRE Stress Testing

Navigating the complexities of commercial real estate stress testing can be challenging, especially with evolving regulatory expectations and economic uncertainties. At Young & Associates, we offer specialized CRE and Ag portfolio stress testing services designed to address these very challenges. With over 45 years of experience, our team understands the intricacies of regulatory guidance and can provide your community bank with the insights needed to enhance strategic and capital planning.

Our proven stress testing model assesses the potential impacts of adverse economic conditions, helping you manage risk effectively and comply with regulatory expectations. We provide actionable insights to guide your loan product design and underwriting standards, easing the burden of stress testing and supporting your institution’s resilience.

Choose Young & Associates for a partnership that combines deep industry knowledge with a commitment to excellence. Let us help you stay ahead of regulatory demands and strengthen your CRE portfolio management. Reach out to us now to schedule a consultation.

 


[1] FDIC, PR 54-2012, Statement to Clarify Supervisory Expectations for Stress Testing by Community Banks. May 14, 2012.

[2] OCC Bulletin 2012-33, Community Bank Stress Testing: Supervisory Guidance. October 18, 2012.

[3] FDIC Supervisory Insights, 9(1). Summer 2012.

[4] FDIC FIL-104-2006, OCC Bulletin 2006-46, FRB SR 07-1, Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices. December 12, 2006.

[5] FDIC FIL-62-2015, OCC Bulletin 2015-51, FRB SR 15-17, Statement on Prudent Risk Management for Commercial Real Estate Lending. December 18, 2015.

 

The Rising Need for Virtual Chief Information Security Officers

By Mike Detrow, CISSP, Director of IT & IT Audit, and Noah Lennon, CISA, Consultant, Young & Associates

Emerging trends in technologies, such as cloud computing and artificial intelligence, have significantly increased the complexity of the IT environments at community financial institutions. This has led to heightened regulatory requirements and demands for increased compliance efforts from an already stressed internal staff. Even the most skilled internal staff may find it challenging to manage the increased workload of managing the information security program, IT audits, and regulatory risk, which can lead to repercussions from regulators or security incidents.

For many, the need for dedicated information security management is abundantly clear, but affording and finding dedicated professionals in their communities is not an easy task. While you may already be using the services of a managed services provider (MSP) that may provide some support in this area, most MSPs are focused on IT infrastructure rather than information security programs. Virtual Chief Information Security Officers (vCISOs) are growing in popularity as a solution to this problem, as they offer numerous benefits over a dedicated ISO, which are not limited to cost savings.

Key Benefits of vCISO Services for Financial Institutions

Some of the benefits that a vCISO can provide include:

Document Templates

vCISOs maintain templates for documents such as policies, incident response plans, business continuity and disaster recovery plans, or can simply provide recommendations for enhancements of existing documents. Additionally, vCISOs have exposure to a breadth of policies across the many clients using their services, which allows constant improvements to the financial institution’s own policies and documentation.

Audit/Exam Preparation

vCISOs can help financial institutions prepare for an audit or exam by making sure that documentation is kept up to date and can help with the documentation gathering process to make sure it is well organized when it is provided to the regulator or auditor. vCISOs are also aware of recent audit/exam findings received by other clients and can help prevent your financial institution from receiving these same findings by addressing the identified issues prior to your next audit/exam.

Routine Tasks

vCISOs are aware of the activities that need to be completed each year and can skillfully lead them. These activities include vendor reviews, user access reviews, employee and board training, policy revisions and approvals, strategic planning, end of life monitoring, IT steering committee meetings, and more.

Security Monitoring

vCISOs can help to verify that appropriate security controls are implemented for the financial institution’s information systems, ensure that appropriate logging is configured, and help to monitor logs and alerts to detect and investigate security events.

Vendor Contacts

vCISOs work with a variety of vendors in the financial industry and can attest to their quality of work, which can assist the financial institution in choosing quality service providers. Leveraging existing rapport between the vCISO and service providers enables smoother transitions between vendors and clarity in the expectations for the relationship.

Plan Testing Exercises

vCISOs routinely help their clients perform business continuity and incident response tests, so they have testing scripts already developed to help make the testing process more efficient and productive. vCISOs can also help to ensure that these tests are appropriately documented for regulatory compliance and board reporting.

Incident Response

vCISOs may have experience in responding to incidents that their other clients have experienced. This knowledge can be used to implement controls that will help to prevent an incident at your financial institution or respond more efficiently should you experience an incident.

Selecting the Right Virtual CISO

So now that you are considering the idea of hiring a vCISO, how do you know what to look for? To help with this process, we have identified some of the criteria that you should consider when selecting a vCISO.

Industry Expertise and Regulatory Understanding

One of the first characteristics to look for is a partner that focuses exclusively on financial institutions, or at a minimum has a division with this focus and understands the specific regulatory requirements from the FFIEC and your specific regulatory agency. While some firms may claim to cover all industries, there are differences in the regulatory requirements for various industries and you need a partner that truly understands the requirements that you must meet. In addition, while there may be many similarities that are shared by financial institutions, there are also differences in available local providers, customer demands, regulators, technology, and complexity, so you need to make sure that your partner has the flexibility to customize their processes and deliverables to your specific needs.

Proactive Approach and Value Addition

A vCISO should also provide value by regularly introducing new ideas to enhance the information security program, strengthen the security culture, and improve efficiency in routine processes. You should not need to continuously ask your partner for recommendations for improvements.

Integrated Documentation Systems

Another consideration is the process used by the vCISO to maintain documentation. While some smaller and less complex institutions may do okay with multiple standalone documents and spreadsheets, having an integrated system that is used to share data for various purposes such as the information security risk assessment, vendor risk assessment, and business continuity plan may save time and ultimately money as well as limit the potential for errors as data is updated.

Maintaining Service Quality

One potential concern with using a vCISO is that, unlike a CISO employed by the financial institution, vCISOs have multiple clients and may be less loyal to your financial institution than a full-time employee. To avoid potential issues associated with this type of relationship, you must, just as with any other vendor, perform appropriate due diligence and continuously monitor your vCISO to ensure that they are providing an acceptable level of service for your institution.

The Strategic Value of Virtual CISO Services

In closing, not only can vCISOs help financial institutions meet regulatory and technological goals without the costs associated with a full-time employee, they also bring a broad range of prior experience from working with multiple financial institutions. If you are struggling to stay on top of increasing technologies and related regulations, a vCISO can be an invaluable resource in ensuring your financial institution is successful.

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

Internal Audit: Your Third Line of Defense in Third-Party Risk Management

By Jeanette McKeever, CCBIA, Director of Internal Audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements, and maintain competitive edges. However, these relationships introduce various types of risk relevant to internal audit, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization, and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor, and control risks while achieving strategic goals.

Understanding Third-Party Risk in Banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The Role of Internal Audit in Third-Party Risk Management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.

Leveraging Internal Audit to Improve Third-Party Risk Controls

Internal audit can contribute significantly to managing third-party risks through various areas:

  • Pinpointing Critical Contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
  • Assessing Risk Management Programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
  • Reviewing Compliance with Governance Standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
  • Evaluating and Improving Risk Controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
  • Facilitating Informed Decision-Making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
  • Assessing Performance and Identifying Opportunities: They review global third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating Internal Audit into Third-Party Risk Management Strategies

1. Independent Vendor Risk Assessment and Identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor Due Diligence and Selection Oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though this is not yet prevalent practice in community banks and credit unions, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract Management and Compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

  1. Auditing the overall contract management process.
  2. Reviewing active contracts with critical vendors.

Auditing the Contract Management Process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing Active Contracts with Critical Vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing Monitoring and Reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance, and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence, enabling informed decision-making and ensuring that effective internal controls are in place.

5. Internal Audit Collaboration with Risk Management Functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information, leveraging each other’s abilities and tools. By working closely with risk, compliance, and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used and offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a Robust Third-Party Risk Management Framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable, requiring them to adjust the principles based on the size, scope, and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

  • Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
  • Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
  • Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
  • Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
  • Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-Based Internal Audit for Financial Institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes and offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks, and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.

For more information on how Young & Associates can support your internal audit needs, click here.

Upcoming Nacha Rule Changes in 2026: What You Need to Know

By Mindy Shadoin, Consultant, Young & Associates

On March 15, 2024, Nacha announced significant updates to ACH (Automated Clearing House) Rules, aimed at enhancing fraud management and improving the recovery of funds. These updates are set to roll out in phases, with some changes effective as early as June 2024 and others beginning March 20, 2026. This article summarizes the key changes that will take effect in 2026, providing a concise overview of what community financial institutions need to know.

Key Changes Effective March 2026

The changes effective March 20, 2026, are designed to address fraud more effectively and enhance the recovery of funds when fraud occurs. Institutions must adapt to these new rules to comply with regulatory requirements and improve their fraud detection and management practices.

Fraud Monitoring (Phase 1)

Who’s Affected: Originating Depository Financial Institutions (ODFIs) and each Non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume of six million or greater in 2023.

Requirements: Institutions must implement risk-based processes for ACH entry fraud detection and review these processes annually. The final rule emphasizes specific process requirements over the previous “commercially reasonable” standard.

Reason: The amendment is designed to cut down on fraud. By regularly monitoring for fraud, institutions can create a baseline of normal activity, which makes it easier to spot unusual or suspicious behavior.

RDFI ACH Credit Monitoring

Who’s Affected: Receiving Depository Financial Institutions (RDFIs) with annual ACH receipt volumes of 10 million or more in 2023.

Requirements: RDFIs must develop fraud detection systems for incoming credit entries, using a risk-based approach to monitor transaction patterns and account anomalies.

Reason: The rule aims to decrease successful fraud and improve the recovery of funds in case of fraud. It supports an institution’s regulatory duty to monitor suspicious transactions. Additionally, it promotes better communication between compliance, operations, product management, and relationship staff.

New Definitions and Descriptions

False Pretenses

The updated rules introduce the term “False Pretenses,” which refers to fraud involving misrepresentations of identity, authority, or account ownership. This definition aims to cover common fraud scenarios like Business Email Compromise (BEC) and vendor impersonation, enhancing clarity in handling such cases.

Standard Company Entry Description: Payroll

Effective March 20, 2026, regardless of ACH volume, all Prearranged Payment and Deposit Entry (PPD) Credits for wages and similar compensation must include the description “PAYROLL” in the Company Entry Description field. This standardization will help RDFIs better identify payroll-related transactions and prevent fraud associated with payroll redirections.

Standard Company Entry Description: Purchase

Effective March 20, 2026, regardless of ACH volume, this amendment requires that e-commerce purchases use the description “PURCHASE” in the Company Entry Description field. This change will help differentiate e-commerce transactions and prevent misclassification of transactions.
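As an added illustration (not part of the original article or of Nacha's own materials), the sketch below shows how an RDFI could use the standardized “PAYROLL” description to pick payroll credits out of an incoming file and compare them with a per-account baseline. The field offsets follow the fixed 94-character Nacha record layout; the account profiles, the 30-day threshold, and the two flagging rules are assumptions, and all sample records are constructed.

```python
from dataclasses import dataclass

CREDIT_CODES = {"22", "32"}  # live credits to checking / savings accounts


@dataclass
class Finding:
    company_id: str
    account: str
    amount_cents: int
    reason: str


def parse_payroll_credits(ach_text):
    """Return (company_id, account, amount_cents, name) for every credit entry
    in a PPD batch whose Company Entry Description is exactly PAYROLL."""
    credits, in_payroll, company_id = [], False, ""
    for line in ach_text.splitlines():
        if len(line) != 94:          # Nacha records are fixed at 94 characters
            continue
        if line[0] == "5":           # Batch Header record
            company_id = line[40:50].strip()        # positions 41-50
            sec_code = line[50:53]                  # positions 51-53
            description = line[53:63].strip()       # positions 54-63
            in_payroll = sec_code == "PPD" and description == "PAYROLL"
        elif line[0] == "8":         # Batch Control record closes the batch
            in_payroll = False
        elif line[0] == "6" and in_payroll and line[1:3] in CREDIT_CODES:
            credits.append((company_id,
                            line[12:29].strip(),    # account, positions 13-29
                            int(line[29:39]),       # amount in cents, 30-39
                            line[54:76].strip()))   # receiver name, 55-76
    return credits


def review(ach_text, accounts, new_account_days=30):
    """Flag payroll credits that fall outside the account's baseline.
    Both rules and the threshold are illustrative assumptions."""
    findings = []
    for company_id, account, cents, name in parse_payroll_credits(ach_text):
        profile = accounts.get(account)
        if profile is None:
            findings.append(Finding(company_id, account, cents, "unknown account"))
            continue
        if company_id in profile["payroll_from"]:
            continue                 # this originator already pays this account
        reasons = []
        if name.upper() != profile["holder"].upper():
            reasons.append("name mismatch")
        if profile["opened_days"] < new_account_days:
            reasons.append("new account")
        if reasons:
            findings.append(Finding(company_id, account, cents,
                                    "first payroll from originator: " + ", ".join(reasons)))
    return findings


# --- Constructed sample data (not real routing numbers, companies or accounts) ---
def batch_header(company, company_id, sec_code, description):
    return ("5220" + company.ljust(16) + " " * 20 + company_id.ljust(10) + sec_code
            + description.ljust(10) + " " * 6 + "260320" + "   " + "1"
            + "00000000" + "0000001")


def entry(tx_code, account, cents, name):
    return ("6" + tx_code + "00000000" + "0" + account.ljust(17) + f"{cents:010d}"
            + " " * 15 + name.ljust(22) + "  " + "0" + "000000000000001")


BATCH_CONTROL = "8" + "0" * 93

SAMPLE_FILE = "\n".join([
    batch_header("ACME CORP", "1234567890", "PPD", "PAYROLL"),
    entry("22", "1001", 250000, "JANE DOE"),      # matches baseline
    entry("22", "2002", 310000, "JOHN SMITH"),    # new account, different holder
    BATCH_CONTROL,
    batch_header("ACME CORP", "1234567890", "PPD", "EXPENSES"),
    entry("22", "2002", 4500, "JOHN SMITH"),      # not a PAYROLL batch, not reviewed
    BATCH_CONTROL,
])

ACCOUNTS = {
    "1001": {"holder": "JANE DOE", "opened_days": 900, "payroll_from": {"1234567890"}},
    "2002": {"holder": "ALEX MOORE", "opened_days": 12, "payroll_from": set()},
}

if __name__ == "__main__":
    for finding in review(SAMPLE_FILE, ACCOUNTS):
        print(finding)
```

Because the match is on the exact string “PAYROLL”, a batch labelled any other way is not reviewed by this check, which is the gap the standardized description is meant to close.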

Changes Effective June 2026

Fraud Monitoring (Phase 2)

Starting June 22, 2026, the rules from Phase 1 will apply to all RDFIs not previously covered. These Phase 2 changes will further enhance fraud detection and fund recovery processes, ensuring comprehensive coverage across the industry.

Preparing for the Nacha Rule Changes

The upcoming changes to the Nacha Operating Rules represent a significant step forward in managing ACH fraud and improving fund recovery. Financial institutions will need to prepare by refining their fraud monitoring processes and adapting to the new definitions and descriptions outlined in these rules. For detailed information, you can find the Nacha Operating Rules and Guidelines on Nacha’s website.

Staying informed and compliant with these rules will be crucial for maintaining effective fraud management and regulatory adherence. This article provides a simplified overview of these updates, focusing on key changes and their implications. For a more comprehensive understanding, inquire about the in-depth article featured in the August edition of our Compliance Update newsletter, including details on the final rule changes, adjustments from the original proposal issued in May 2023, and specific actions required.

Each month, our Compliance Update newsletter offers in-depth analysis and insights on regulatory updates and amendments impacting the banking industry. Our compliance experts review new developments and provide valuable guidance to help you maintain regulatory compliance and navigate the evolving landscape. To receive timely and detailed compliance information, we encourage you to subscribe. Click here to learn more about our Compliance Update newsletter and purchase a subscription.

Additionally, Young & Associates provides a full suite of regulatory compliance consulting services tailored to meet the unique needs of your institution. Our offerings include ACH self-assessment reviews, compliance outsourcing, our Virtual Compliance Consultant Program, and more, designed to simplify complex regulatory requirements and allow you to focus on strategic goals. For more information on how we can support your institution, please contact us.

Spotlight on Compliance Training: Showalter Featured in In Touch Magazine

Young & Associates’ Expert Shares Insights on Compliance Training

William Showalter, CRCM, CRP, a Senior Consultant with Young & Associates, was recently featured in an issue of In Touch Magazine, the publication of the Community Bankers Association of Kansas. The article, “Training: The Foundation of Effective Compliance,” underscores the critical role that comprehensive training plays in building and maintaining a robust compliance program within financial institutions.

Training: The Bedrock of Compliance

In his article, Showalter highlights a timeless truth: employees can’t be expected to comply with laws and regulations if they haven’t been properly instructed on them. Training is the bedrock upon which a thriving compliance program is built, enabling institutions to manage compliance risks effectively. With over 20 years of experience transitioning into a new compliance management model, Showalter emphasizes pushing responsibility and involvement down to the front lines, making well-versed employees essential for success.

Why Train? Reducing Risk and Ensuring Compliance

Training employees in compliance is not just about meeting regulatory requirements; it’s about reducing the risk of noncompliance. Showalter points out that educating the bank’s board of directors, management, and staff is essential for maintaining an effective compliance program. Compliance training helps mitigate various risks identified by federal banking supervisors, including compliance risk, transaction or operational risk, and reputation risk.

Customizing Training Programs for Success

Effective compliance training varies from one institution to another. Showalter offers practical guidance on setting up a successful compliance training program, stressing the importance of a thorough needs assessment. Identifying the types of products and services offered, the regulations impacting these processes, and the current knowledge level of staff are crucial steps in this process. The article also provides insights into choosing the right format and media for training, from online programs to classroom-style sessions, ensuring that the training is relevant and engaging for all employees.

Keeping Compliance on Track: Testing and Record-Keeping

An essential component of any training process is testing to measure success and maintain records. Showalter emphasizes the need for continuous assessment and refresher training to keep up with evolving regulations and ensure that all employees remain knowledgeable and compliant.

William Showalter’s expertise and practical advice in this article underscore the importance of a proactive approach to compliance training, helping financial institutions navigate the complex regulatory landscape with confidence. For more insights and to read the full article, click here. Stay informed with the Community Bankers Association of Kansas and discover more industry insights in In Touch Magazine — the leading publication dedicated exclusively to serving the interests of Kansas community banks.

Regulatory Compliance Training for Financial Institutions

Investing in the training and development of your staff is the most important investment your financial institution can make. Competent, well-trained employees not only ensure compliance but also contribute to the overall success and profitability of your institution.

Young & Associates is a national leader in continuing education and training for financial professionals. Our consultants bring unmatched real-world expertise in topics such as lending, underwriting, regulatory compliance, and director development. We offer a wide range of education and training services for financial professionals. Our training is flexible, with options for off-site, in-house, and virtual sessions, all customized to meet the specific needs and objectives of your institution.

Take a proactive approach to regulatory compliance with our comprehensive training for your personnel. Whether you need to establish a compliance program or update your knowledge on changing regulations, our training provides the latest information and techniques for maintaining an effective internal program. Topics include the Bank Secrecy Act, Privacy, Fair Lending, and more, all customized to the specific needs of your institution. Investing in our training services helps ensure compliance and boosts your institution’s overall success.

We also offer the Community Bankers for Compliance Program (CBC), the longest-running compliance program in the country. This program equips banks with comprehensive tools for managing in-house compliance, including live seminars, webinars, a compliance hotline, a members-only portal, and a monthly newsletter.

Discover our full range of compliance training services and explore our comprehensive regulatory compliance consulting offerings.

Contact us today to see how we can support your bank or credit union in achieving your strategic goals.

CDs Maturing in Q2: Impact on Interest Rate Risk Management

By: Michael Gerbick, President at Young & Associates

Interest rate risk (IRR) is the exposure of a bank or credit union’s current or future earnings and capital to adverse changes in market rates. Management of that risk is critical to community financial institutions, and since the pandemic, when rates went to zero, the rapid increase in interest rates has made effective management of that risk difficult.

Navigating Market Volatility: The Role of ALM Models 

Most banks and credit unions utilize asset liability management (ALM) models to assist in the modeling of interest rate increases and decreases, typically +/- 400 bp shock scenarios. Similar to the parallel rate shock scenarios of the ALM models designed to identify risk exposure in a rapidly changing rate environment, the Fed raised rates between March 2022 and July 2023 from 0% to 5.25–5.50%.  

The yield curve shape changed significantly, putting additional stress on the Asset Liability Committees (ALCO) responsible for managing the ALM function of financial institutions, and that stress has not let up. Yes, the inverted yield curve has flattened from 12 months ago; however, in March this year, the inversion between the two-year and ten-year Treasury yields set a record of 625 consecutive days, besting the previous record set in 1978.

The chart shown below [1] illustrates the difference between the higher yield 2-year and the lower yield 10-year.

Strategies Amidst Rising Rates: Insights for Community Banks and Credit Unions 

Among the many strategies employed during the rising rate environment of 2022 and 2023 was offering certificates of deposit (CDs) to maintain and grow deposits on the balance sheet. However, the funding mix began to shift as consumers migrated towards the higher interest-bearing accounts or the bank increased Federal Home Loan borrowing, which caused the cost of funds to increase.

Industry research for the last two years shows interest-bearing deposits up 5.1% and non-interest-bearing deposits down 28% [2]. Rates have not risen since July 2023; however, many of the CDs offered in 2023 are due to mature in 2024 in a different rate environment than when they were issued. Financial institutions are monitoring this closely.

Strategic Considerations for ALCOs: Addressing Interest Rate Risk 

ALCOs are tasked with predicting the interest rate exposure in the elevated rate environment. Currently, we are in a unique environment and banks and credit unions should be cautious about using historical data only to predict future activity. In addition to non-bank competitors competing for deposits, community financial institutions need to continue improving their approach to cost of funds, net interest margin compression, and how the institution will effectively manage their exposure to interest rate risk. A few strategies and actions financial institutions can employ related to deposits are: 

Optimizing Interest Rate Exposure

Increase the frequency with which ALCO meets to review the interest rate environment. This may currently be semi-annual or quarterly at your institution. The financial institution may consider meeting monthly to stay abreast of any changes in the environment or new products the bank is releasing.

Policy Revision

Review your policy limits approved by the Board. Your policy may only have -100 bp or -200 bp scenarios listed given the previous low-rate environment. Not only review the existing policy limits with the Board but increase the stress range to account for -300 bp and -400 bp. 

Trigger Points

In addition to the policy limits, consider thresholds for the rate of change of the risk measures that consider risks associated with liquidity, interest rate risk, and capital. These rate of change thresholds are designed to commence action or additional investigation into the source of the significant movement ahead of falling outside of policy limits. 

Stress Your Assumptions

ALM models have built-in assumptions and are likely based on historical industry averages supplemented by data supplied by your institution. Common key assumptions outlined by the FDIC [3]:

  • Asset Prepayment – represents the change in cash flows from an asset’s contractual repayment schedule. The severity of prepayments fluctuates with various interest rate scenarios. Mortgage loans are a prime example of assets subject to prepayment fluctuations.
  • Non-Maturity Deposits
    • Sensitivity or Beta Factor – describes the magnitude of change in deposit rates compared to a driver rate.
    • Decay Rate – estimates the amount of existing non-maturity deposits that will run off over time.
    • Weighted Average Life – estimates the average effective maturity of the deposits.
  • Driver Rate – represents the rate, or rates, which drive the re-pricing characteristics of assets and liabilities. Examples include Fed funds rate, LIBOR, U.S. Treasury yields, and the WSJ Prime rate.

Have discussions with your team and understand what is going on broadly in the economic environment as well as items specific to your bank or credit union. Address changes or concerns in your modeling assumptions or, at the very least, be aware of their potential impact. Spend time learning the assumptions. Do not accept the defaults as correct; make sure your team understands them.

In addition to your base case, stress the assumptions – double or triple the decay rates, assume a high sensitivity to driver rates in the change in deposit rates, and cut the prepayment speeds in half. The alternate scenarios with severe assumptions will assist ALCO in understanding potential value creation and risks.  

Interest Rate Risk Review

Regulatory guidance indicates that every bank should have an annual third-party assessment of the interest rate risk system. Similar to other audits, this review should be delivered to the Board of Directors or the Board’s audit committee and is a critical component of the Board’s responsibility for bank oversight. 

Educate the Board on Interest Rate Risk

There are educational videos available through the FDIC website. In addition, there are IRR modeling vendors that will attend meetings to provide perspective to your institution on the current economic environment and your modeling results. Leverage them. 

Managing Interest Rate Risk in 2024 and Beyond 

There is always an opportunity for significant value creation in any environment. The rapidly increasing rate environment experienced in 2022-2023 brought forth significant risks and opportunities. The 2024 environment possesses new challenges, and I am excited to see our community banks and credit unions adjust their balance sheets, act on the highest value opportunities, and limit their interest rate exposure.  

Assess Your Interest Rate Risk 

Ready to proactively manage your institution’s interest rate risk? Young & Associates offers comprehensive interest rate risk reviews tailored to your needs. Ensure your bank or credit union is prepared to navigate market volatility with confidence. Reach out to us now to schedule your consultation!

 

 


[1] Federal Reserve Economic Data (FRED), 10-Year Treasury Constant Maturity Minus 2-Year Treasury Constant Maturity
[2] S&P Global, US Bank Market Report 2024
[3] FDIC, Developing Key Assumptions for Analysis of Interest Rate Risk

Implementing Compliance: Key Principles & Practices

By: Bill Elliott, CRCM, Director of Compliance Education at Young & Associates

There is no question that laws and regulations materially change the way banks do business. The recent new laws and regulations have, more than ever before, crossed over the consumer protection regulatory line and into bank management. This complicates your life, and the starts and stops do not make it easier. 

Consider the “1071 Rule,” which amounted to HMDA for commercial loans, with even more invasive questions. The underlying law was passed in 2010 (the Dodd-Frank Act), and the CFPB took almost 13 years to implement it, only to be stopped by the courts for stepping way beyond the requirements of the law. The updated CRA regulation is also now being challenged in the courts. 

Compliance does not happen in a vacuum. Many of the regulations cover multiple disciplines within the bank, and many departments have to be involved in implementing the solution. This article discusses some of the basics of implementing compliance within your organization, as well as an approach that we believe is critical to the success of any bank. 

The Key Ingredients

To establish a successful compliance program, the following ingredients must exist:  

  • Board of Directors support 
  • Management support 
  • Staff development 
  • A viable and structured compliance network (compliance council) 
  • Compliance monitoring  

Board of Directors Support

The board is ultimately responsible for the success or failure of the compliance program, just as they are for any other aspect of the bank’s risk management. The board needs a flow of information to assist them in understanding the compliance function and the current status of the program. The board must also understand the stresses for compliance and ensure that there are adequate resources to facilitate success. 

Management Support

Management must be actively involved in the development of the compliance program. Although management may not design and develop the program, they should provide direction and ensure that there are resources to support its establishment and maintenance. Management must stay involved by monitoring the progress of the program through requiring periodic reports. 

Staff Development

Staff development involves providing staff with the necessary background to understand the purpose of compliance, the structure to support the program, and the technical skills to carry it out effectively. Management must direct the designated person or council and allow them the resources, including the resource of time, to fully implement the compliance program.

A Practical Solution: The Compliance Council

In order to address the compliance burden, we believe banks should use a compliance council. This is NOT a committee. It is a reporting mechanism, where each area of the bank is responsible for the compliance duties that impact their jobs. At the council, they report progress or lack thereof in meeting those requirements.  

The results of the compliance council meeting are reduced to writing. Those minutes then go to management and the board so that they understand the current compliance situation in which the bank finds itself. A compliance council aids the institution in the following ways: 

  • The compliance council is comprised of representatives from each major area of the institution, thereby building continuity into the program. 
  • The compliance council builds compliance into the daily operational procedures of each area so that the institution can function from a practical and preventive focus. 
  • The compliance council incorporates comprehensive compliance coverage through its composition, i.e., lending, customer service, and operations. 
  • The compliance council establishes a compliance link to planning for new products and services. Each area of the institution can establish the compliance details during the planning and implementation stages. 
  • The compliance council allows the institution to include monitoring procedures in the daily workflow that integrate compliance without creating unnecessary work burdens, i.e., the use of checklists and most common concern policies.
  • The compliance council enables the institution to create an effective training and communications channel for all compliance issues. The council members will be able to take information back to their respective areas. 

Choosing the Compliance Council

The compliance council’s objective is to spread the duties among a small group of individuals to reduce the burden on any one person and increase coverage of the compliance function. Compliance has expanded far beyond just “letting the compliance officer deal with it.”

The persons who are chosen might be representatives from: 

  • real estate lending, 
  • consumer lending, 
  • customer service, 
  • deposit operations, and 
  • compliance administration. 

Of course, banks are free to add others, such as BSA, branch administration, etc. 

The use of management in an advisory capacity can help to ensure accountability. It is difficult to say “I did not have time” or something similar in front of a senior manager. But hopefully, this is not necessary in most banks. The “minutes” of the meeting become a useful tool for management and the board to understand the current compliance position of the bank. 

If there is a regulatory change that involves multiple disciplines, then and only then does the “council” become a “committee” to address the common issue. 

Authority and Credibility

It is important for the compliance officer and the compliance council to develop sufficient authority to operate within the bank. Without this authority, the officer and the council will be ineffective.  

Assuming that the board of directors and executive management have clearly granted the compliance officer and the compliance council sufficient authority with which to operate, the compliance officer and the compliance council must ensure their own credibility to retain any authority that the board of directors and management have granted them. 

The compliance council’s biggest barrier involves establishing credibility with the bank’s employees. For example, if in the eyes of the employees, the compliance council is an informational source to help them do their job, the council will succeed. If communication channels are established but never work, the council will fail. The key to the success of the compliance council is to establish, implement, monitor, and enforce the compliance function throughout the bank. 

Effective Compliance Implementation

Navigating the dynamic landscape of banking regulations requires proactive strategies and a collaborative approach across all levels of an institution. As the regulatory environment continues to evolve, compliance becomes increasingly complex, necessitating a robust framework, dedicated oversight, and effective implementation to ensure adherence. 

Empowering Banks for Regulatory Compliance Success

At Young & Associates, we understand the challenges banks face in implementing and maintaining effective compliance programs. Our team of experts is committed to providing tailored solutions that empower banks to navigate regulatory requirements with confidence and efficiency. 

Ready to streamline your compliance efforts and fortify your institution against compliance risk? Partner with Y&A for comprehensive regulatory compliance consulting services. Contact us today to learn more about how we can support your bank in alleviating regulatory burdens. 
