Skip to main content

Qualities of a Good Managed Services Provider (MSP)

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.  

But how do you know that you currently have, or you are choosing the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems. 

Understanding Financial Institution Needs 

First, it is important to understand that financial institutions are unique from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection. 

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations. 

The Drawbacks of National MSPs 

A national MSP may not be appropriate for a small community financial institution either as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging. 

The Value of Local and Regional MSPs 

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.  

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.  

5 Key Qualities of Good MSPs 

Some of the good qualities that we see from these MSPs include: 

  • Proactively identifying and presenting new tools to enhance the institution’s information security posture 
  • Working as a partner by learning about the institution and customizing solutions to its unique needs 
  • Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Being responsive to initial and follow up exam/audit documentation requests 
  • Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner 

MSP Red Flags to Watch Out For  

Some of the red flags that we see from other MSPs include: 

  • Providing security status reports that contain errors or are hard to understand 
  • Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Failing to notify the institution prior to making changes that may compromise security or impact system availability 
  • Slow response to documentation requests for exams/audits or charging additional fees to provide this information 
  • Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration” 

Ensuring the Right Partnership 

In closing, it is important to remember that as a financial institution, you are ultimately responsible for any problems that occur from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.  

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels for your institution and consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison. 

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

ACH Risk Management: Understanding NACHA’s Rule Changes

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s Rule Changes 

These new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving financial institutions or RDFIs will have a defined role in monitoring the ACH payments they receive.  

Rule Changes Effective June 2024 

The following rule changes take effect June 21, 2024: 

  • General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make is clearer that the WEB SEC Code must be used for all consumer-to-consumer credits regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
  • Definition of Originator: Clarifies changes and alignments to the definitions of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account and that the Rules do not always require a receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
  • Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
  • Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
  • Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
  • Clarification of Terminology: Subsequent Entries: Replace references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule Changes Effective October 2024  

The following rule changes take effect October 1, 2024: 

  • Additional Funds Availability Exceptions: Provide RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are fraudulent. 
  • Codifying Use of Return Reason Code R17: Allow RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
  • Expand Use of ODFI Request for Return/R06: Expand the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RFI for any reason. 
  • RDFI Must Promptly Return Unauthorized Debit: Require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
  • Timing of Written Statement of Unauthorized Debit (WSUD): Allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule Changes Effective 2026 

The following rule changes take effect March 20, 2026: 

  • Company Entry Description – Payroll: Establish a new standard description of Payroll for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
  • Company Entry Description – Purchase: Establish a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases.  

  • Phase 1 is effective March 20, 2026, for all ODFIs and non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. 
  • Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs   
    • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, TPSP, and TPS to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
    • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

Ensuring A Secure ACH Landscape Through Proactive Risk Mitigation 

The recent ACH rule changes approved by NACHA signify a significant step towards enhancing ACH risk management and fraud prevention within the financial industry. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures, and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance Your ACH Risk Management Framework with Young & Associates’ Proven Expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services, including comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today to explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.

Modernized FDIC Signage & Advertisement Requirements: What Banks Need to Know

In today’s dynamic regulatory landscape, keeping pace with regulatory updates is critical for community banks to maintain compliance and uphold depositor trust. To adapt to shifts in the banking industry and consumer behavior, the Federal Deposit Insurance Corporation (FDIC) has finalized a rule to modernize the requirements for official signs and advertising statements for insured depository institutions (IDIs). This modernization signifies a crucial change in regulatory expectations, demanding a thorough understanding and proactive approach from financial institutions.

Background: Understanding the Updated Part 328 Rules

The banking industry has experienced significant transformations, including the evolution of bank branches, heightened reliance on internet and mobile banking, and increased partnerships between IDIs and financial technology (fintech) companies. These shifts have heightened the potential for consumer confusion regarding FDIC deposit insurance coverage.

In response, the FDIC has introduced substantial updates to Part 328 of its regulations, specifically addressing the use of official FDIC signs and advertising statements by IDIs. Additionally, it clarifies regulations concerning false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo. This revision underscores the FDIC’s dedication to aligning regulatory standards with the evolving banking landscape, especially in digital and mobile channels.

Key Changes to Note: New FDIC Official Signage Requirements

The modernized FDIC signage and advertisement requirements bring about significant changes aimed at enhancing consumer understanding and confidence in deposit insurance coverage. Beginning in 2025, FDIC-insured institutions are mandated to prominently display the official FDIC digital sign across digital platforms, including bank websites, mobile applications, and ATMs. This expansion to digital channels ensures consistent depositor confidence and clarity regarding deposit insurance coverage.

Moreover, the updated rule emphasizes the differentiation between insured deposits and non-deposit products across all banking channels. Financial institutions are now required to provide conspicuous disclosure indicating that certain financial products are not insured by the FDIC, are not deposits, and may incur value loss. These changes aim to extend the certainty and confidence associated with FDIC protection to digital channels while ensuring that consumers are properly informed about the status of their deposits and the scope of FDIC insurance coverage.

Quick Reference: FDIC Modernized Signage Rule Requirements and Compliance Deadlines

Purpose of the Updated FDIC Signage Requirements

The rule updates regulations governing the use of official FDIC signs and advertising statements to reflect contemporary banking practices. It also clarifies regulations regarding false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo.

Changes to Official Signs

The traditional black and gold FDIC sign displayed at bank branches will now be complemented by a new black and navy blue FDIC digital sign. Banks will be required to display this digital sign on their websites, mobile applications, and certain ATMs starting in 2025.

Differentiation of Products

Banks must use signs to differentiate insured deposits from non-deposit products across banking channels. They also need to indicate that certain financial products are not insured by the FDIC, are not deposits, and may lose value.

Clarification on Misrepresentations

The rule addresses scenarios where misleading information about deposit insurance coverage could confuse consumers. It prohibits the use of FDIC-associated terms or images in marketing materials to inaccurately imply that uninsured financial products or non-bank entities are insured or guaranteed by the FDIC.

Objectives for IDIs

For IDIs, the rule modernizes rules for displaying the FDIC official sign in branches and extends requirements to other physical premises. It establishes and mandates the display of the FDIC official digital sign on bank websites, mobile applications, and certain IDI ATMs. IDIs are also required to differentiate insured deposits from non-deposit products across banking channels and provide a one-time per web session notification when a logged-in bank customer leaves the IDI’s digital deposit-taking channel for non-deposit products on a non-bank third party’s website. Additionally, IDIs must establish and maintain written policies and procedures for compliance with part 328.

Compliance & Effective Dates

The amendments made by the final rule are effective on April 1, 2024, with an extended mandatory compliance date of January 1, 2025.

Navigating Compliance with Young & Associates

At Young & Associates, we recognize the complexities and challenges community banks face in navigating regulatory changes effectively. As your trusted partner in regulatory compliance, we offer a customizable FDIC Signage and Advertising Requirements Policy crafted to assist community banks in complying with the modernized rule. Additionally, our comprehensive suite of regulatory compliance services includes compliance outsourcing, advertising review, and various other solutions designed to address the unique requirements of community banks. With decades of experience in the financial services industry, our team of compliance experts is committed to guiding institutions towards regulatory compliance excellence while minimizing operational disruptions.

In an era defined by regulatory scrutiny and evolving consumer expectations, ensuring compliance with FDIC signage and advertisement requirements is paramount for community banks. Embrace proactive compliance practices and partner with Young & Associates to navigate the complexities of regulatory change effectively. Contact us today to embark on your journey towards compliance excellence and safeguard the integrity of your institution in the ever-evolving financial landscape.

Stay compliant. Stay confident. Choose Young & Associates.

Understanding ACH Risk Management for Community Financial Institutions

Automated Clearing House (ACH) risk management is a topic of paramount importance for community financial institutions. In the realm of modern banking, ACH payments have emerged as a cornerstone of electronic fund transfers, offering unparalleled efficiency and convenience for businesses and consumers alike. However, with the benefits of ACH come inherent risks that financial institutions must proactively address to safeguard their operations and protect their stakeholders.

Spectrum of ACH Risk Categories

From compliance and credit risk to fraud, operational challenges, and systemic vulnerabilities, each facet of ACH risk poses unique challenges and demands strategic foresight and diligent risk mitigation efforts. By understanding the intricacies of ACH risk management, financial institutions can fortify their resilience and ensure compliance with regulatory standards while fostering trust and reliability in the digital banking ecosystem.

The Five Basic Types of ACH Risk

1. ACH Requirements Compliance Risk

Compliance risk encompasses the threat of legal or regulatory sanctions, financial loss, or damage to reputation resulting from failure to comply with laws, regulations, and internal policies. For community financial institutions processing ACH transactions, compliance risk looms large due to the intricate web of regulations governing ACH transfers, including Regulation E and Article 4A of the Uniform Commercial Code, as well as Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements, and the NACHA Rules and Guidelines. Institutions must conduct comprehensive ACH reviews to ensure adherence to regulatory standards and promptly rectify any violations or errors detected.

2. Credit Risk From ACH Transactions

Credit risk arises from the potential for financial loss due to the failure of parties involved in ACH transactions to fulfill their payment obligations. Community financial institutions face credit risk when originating or receiving ACH transactions, especially with the proliferation of high-risk activities such as nonrecurring payments. Establishing rigorous underwriting standards, evaluating originator creditworthiness, and setting appropriate exposure limits are crucial risk mitigation strategies for managing credit risk effectively.

3. Fraud Risk

Fraud risk encompasses the threat of unauthorized or deceptive activities resulting in financial loss or reputational damage. With the increasing sophistication of fraudulent schemes targeting ACH transactions, community financial institutions must remain vigilant against fraudulent activities such as account takeover, unauthorized returns, and unauthorized transactions. Implementing robust authentication measures, monitoring transaction patterns for anomalies, and conducting regular audits of third-party service providers are essential components of an effective fraud risk management framework.

4. ACH Processing Operational Risk 

Operational risk stems from the potential for disruptions or failures in internal processes, systems, or human factors leading to financial loss or operational inefficiencies. Community financial institutions face operational risk in ACH processing operations due to factors such as technological failures, human error, and inadequate controls. Implementing comprehensive policies and procedures, ensuring adequate training for staff, and conducting regular audits of ACH operations are critical steps in mitigating operational risk.

5. Systemic Risk

Systemic risk refers to the threat of widespread disruptions or failures within the financial system resulting from interconnectedness and interdependencies among institutions and market participants. While individual community financial institutions may have limited exposure to systemic risk in ACH processing, they remain vulnerable to broader systemic events impacting the financial industry as a whole. Vigilance, collaboration with industry stakeholders, and contingency planning are essential strategies for managing systemic risk effectively.

Effective ACH Risk Management for Community Financial Institutions

In conclusion, effective ACH risk management is paramount for community financial institutions to navigate the evolving landscape of electronic payments and uphold their commitments to regulatory compliance, financial integrity, and customer or member trust. By understanding and addressing the five basic types of ACH risk—compliance, credit, fraud, operational, and systemic—financial institutions can fortify their resilience and sustain long-term success in the dynamic world of electronic banking.

Young & Associates offers ACH self-assessment reviews, where our compliance experts evaluate your policies, procedures, and test components to ensure compliance with the NACHA Operating Guidelines. For tailored guidance to your unique circumstances, reach out to our team of experts. You can rely on us to navigate the regulatory compliance landscape and keep your financial institution on the path to success. Contact us today.

NCUA Cybersecurity Priority: What Credit Unions Need to Know

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats

Understanding the NCUA Supervisory Priority of Information Security

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six Key Considerations for Credit Union Cyber Security Compliance

1. Holistic Risk Assessment and Management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor Risk Management 

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident Monitoring and Documentation Protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust Incident Response Plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA Regulatory Standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous Monitoring and Improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering Credit Unions: Tailored Cybersecurity Solutions From Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Helpful Links:

2024 Housing Market Outlook: Implications for Mortgage Lenders

By: Donald Stimpert, Manager of Secondary Market QC Services

Fannie Mae’s recent revised forecast for 2024 and beyond unveils a nuanced projection that holds significance for community banks and credit unions navigating the intricate landscape of the housing market. The insights presented by Fannie Mae’s Economic and Strategic Research (ESR) Group encapsulate essential indicators and predictions that will influence the housing and mortgage sectors in the forthcoming year.

Economic Deceleration and Housing Recovery

The December report anticipates a potential economic slowdown in 2024, aligned with a gradual recuperation in both home sales and mortgage originations. Although initially forecasting a modest recession for 2023, the economic resilience has surprised many market analysts. Fannie Mae now perceives the possibility of a softer landing due to disinflation and low unemployment rates. However, the housing sector faced challenges in 2023, witnessing record-low affordability, lock-in effects, and a severe deficit in available for-sale housing, leading to the lowest existing home sales since the Great Financial Crisis.

Factors Impacting Home Sales in 2024

Fannie Mae’s analysis points to a challenging landscape ahead. 2023 set a record low for existing home sales since 2010, setting the stage for a gradual recovery in 2024. Yet, obstacles like unaffordability, lock-in effects, and constrained inventory persist, likely causing a marginal impact on 2024’s total home sales compared to the previous year.

Despite glimpses of potential relief, these hurdles are expected to persist. Although the decline in the 10-year Treasury rate offers a glimmer of hope for better sales and mortgage originations, persistently high mortgage rates forecast subdued home sales at around 4.8 million in 2024, with a modest increase to 5.4 million by 2025.

October’s rock-bottom existing sales at 3.79 million could signal a turning point. Recent shifts in purchase mortgage applications, fueled by notable drops in mortgage rates, hint at a possible sales uptick. This trajectory depends on further rate moderation, potentially leading to increased sales.

Moreover, Fannie Mae’s projection of a slight dip in new home sales contrasts with unexpected buyer resilience amidst rising rates. This unexpected stability, boosted by concessions from builders, hints at sustained sales consistency.

This sales resilience, coupled with an unforeseen home price rebound, shapes Fannie Mae’s view on mortgage originations. Despite fluctuations, the forecast indicates a subtle upward trend, aligning with current origination levels.

Upgraded Projections for Single-Family Mortgage Originations

Amidst these challenges, Fannie Mae projects a positive trajectory in total single-family mortgage originations:

  • $1.5 trillion in 2023
  • $1.9 trillion in 2024
  • $2.3 trillion in 2025

This upgrade stems from a positive outlook on purchase mortgage origination volumes. Forecasts indicate a substantial increase to $1.4 trillion in 2024, a noteworthy leap from the anticipated $1.3 trillion in 2023. Looking ahead, the trajectory continues its upward trend, projecting $1.6 trillion in purchase origination volumes by 2025. Simultaneously, refinance origination volumes are on an upward trajectory, poised to surge to $451 billion in 2024 and further escalate to $686 billion in 2025.

Dynamics of Mortgage Rates and Home Sales

The report reflects on the impact of declining interest rates, projecting a shift to an average FRM30 rate of 6.7% in 2024 and 6.2% in 2025, down from the current 7.4% in Q4 2023. However, the transition in monetary policy might introduce volatility in mortgage rates, presenting a potential risk factor for these projections.

New vs. Existing Home Sales, Housing Starts, and Price Growth

The resilience of new home sales, unexpected amidst economic uncertainties, and the lower-than-expected impact of high mortgage rates on sales showcase a trend where buyers seem less affected by increased rates compared to previous years. Homebuilders’ concessions, including mortgage rate buydowns, aim to stimulate sales amidst these challenges.

Implications for Community Banks and Credit Unions

Understanding Fannie Mae’s 2024 outlook is crucial for community banks and credit unions to tailor their strategies. The projected increase in mortgage originations presents both opportunities and challenges, urging these institutions to adapt swiftly to evolving market dynamics and consumer behaviors.

In conclusion, Fannie Mae’s revised outlook for 2024 emphasizes the need for adaptive strategies by community banks and credit unions to harness opportunities amid the projected housing market landscape. Staying informed about these forecasts will empower these financial institutions to navigate potential challenges while capitalizing on growth prospects effectively.

Secondary Market Quality Control

Young & Associates stands as a trusted ally for financial institutions amid Fannie Mae’s housing market projections. Specializing in secondary mortgage quality control, our QC services serve as a shield against risks, meeting federal and private investor requirements, including those of Fannie Mae. As Fannie Mae anticipates a gradual housing market recovery and increased mortgage activities, partnering with Y&A can fortify your institutions’ risk management strategies. Our meticulous evaluations ensure compliance readiness and accuracy, aligning financial entities with market shifts highlighted by Fannie Mae, securing robust mortgage operations for the future. Visit our website for more information or contact us here.

Notable Changes in the New Ransomware Self-Assessment Tool

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020 as a tool for banks to use to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security. 

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks1.   

Key Findings from the Ransomware Lessons Report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

In response to the findings identified in this report, a new version of the R-SAT was released in October 2023 that identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable Additions to R-SAT

The notable additions to the new version of the R-SAT are identified below: 

  • Specific questions were added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several new additional preventative controls that should be considered 
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security Control Enhancements Recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs for community banks and credit unions, we also see value in the following security control enhancements: 

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool 

Strengthening Bank Security Against Ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats. Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website. 

Construction Loan Monitoring: Questions & Answers

By: Linda Fisher, Senior Consultant

There is always a certain level of risk in lending, but construction loans are of even greater risk. The ultimate value of the collateral is realized only after the project is completed, and the finished project is either leased to a stabilized level or sold at a profit. Therefore, it is imperative that a construction loan be closely monitored to ensure that the project is successfully executed. 

Why is construction monitoring so important?

Construction monitoring serves both the bank AND the customer. By conducting regular inspections, both parties can verify that the work being done is properly completed, on budget and results in the expected final value of the project.  

Also, if for any reason there is a dispute or litigation arises, there is a record of independent monitoring of the project by a qualified third party that can aid in any conflict resolution. 

When should a construction inspector be engaged?

While both the bank’s and the borrower’s responsibilities are outlined in the loan documents, a detailed discussion between the bank and the borrower should take place prior to closing that outlines how the draw process will be handled, and identify who will be conducting inspections and the costs associated with this service.   

Subsequent to this discussion, the inspector should be engaged prior to closing. This individual should perform an initial review of the construction agreement, budget, timeline, and plans and specifications associated with the project. This helps to ensure that the proposed project is feasible given the work to be performed and can be completed within the designated costs and timeframe, as well as that all appropriate documentation related to the project is in order prior to closing the loan. 

Throughout construction, having the construction inspector perform physical site visits provides independent verification of the line item percentage completion of the construction performed during the draw request period and due to the inspector’s expertise, allows the inspector to directly address pertinent construction matters with the contractors, architects and borrowers on the bank’s behalf. 

Who is qualified to perform inspections?

Ideally, construction monitoring services are performed by engineers or other licensed individuals with experience in general construction methods and materials, as well as practices, techniques, and equipment used in building construction. A list of individuals/firms should be maintained by the bank – similar to lists of appraisers, attorneys, title companies, and other approved third-party vendors – that provide construction monitoring/inspection services. 

As with any third-party vendor, these individuals should be thoroughly vetted, with documentation of his/her appropriate experience, references, and insurance.   

A bank may sometimes engage the appraiser who performed the property evaluation prior to closing to serve as the construction inspector. While this individual may meet the intent of having an independent third party visit the site, an appraiser does not have the appropriate experience and training to review and interpret the plans and specifications prior to closing or effectively evaluate and monitor the construction as it progresses. 

Who is responsible for payment of a construction inspector’s services?

The cost associated with utilizing a construction inspector is typically borne by the borrower and is included in the project budget as a soft cost and as a closing statement line item.   

What do these services cost?

The best answer is…it depends. Costs for a construction inspector’s services will vary in conjunction with the location and scope of the project. The initial cost for a review of the plans and specs is typically a higher expense, with monthly periodic reviews as disbursement requests are received by the bank from the borrower being a lesser cost. The cost pales in comparison to the potential risk of having a project be inappropriately completed, stall mid-construction or potentially turn litigious costing time and expense for the borrower, contractors and the bank.   

What are best practices in monitoring a construction loan?

Every step of the process should be well documented within the loan files. In addition to maintaining copies of the construction agreement(s), as well as original budget and timelines, details of change orders, a copy of the agreement with the construction inspector and any related information should be maintained as well. A copy of each loan disbursement request should be kept in the file and accompanied by the following: 

  • Inspection report – to include the name and title of the person that performed the inspection, the time & date of the inspection, captioned photos of the project, estimated percentage of project completion with supporting descriptions of work completed since the last inspection and materials stored onsite, details of any delays, disputes or inspector concerns, an estimated date of completion and the inspector’s approval of the requested disbursement  
  • Lien waivers/title bringdown/endorsement – to ensure that there are no intervening liens filed against the project 
  • All paid or owing invoices, receipts and other verifications of project expenses or applicable borrower reimbursements  
  • Updated budget – demonstrating percentage of completion of budgeted expense categories, and sources and uses of equity and debt funds to date. 

Maintaining this information in the file demonstrates that the bank is effectively monitoring the loan and provides clear documentation of progress of construction. If a question or concern develops, it can be quickly and efficiently addressed, since the information is secured in one location.  

What is a certificate of final value?

Upon completion of the construction/issuance of the certificate of occupancy, the bank should inform the original appraiser of such completion and a final inspection performed by the appraiser to validate that the project was completed within the parameters defined in the original appraisal. The appraiser then issues a certificate of final value correlating the completed project to the circumstances of the appraisal report and its concluded “as complete” value. 

Building Confidence With a Construction Monitoring Plan

An effective, consistent construction monitoring program avoids surprises for all parties, as it documents the evolution of the project, from the initial approved scope and costs, throughout construction and to final completion. Prior to closing, all parties can be confident knowing that they are starting off on the right foot, with a solid and achievable plan. As the project progresses, any issues that may arise can be identified and dealt with appropriately. Given the potential risks associated with any construction project, having a solid plan and maintaining proper documentation provides a higher probability of a successful outcome that benefits both the borrower and the bank. 

Optimize Your Construction Loan Management Strategies with Y&A

Young & Associates offers specialized lending and loan review services to assist community banks and credit unions in constructing robust construction loan management and administration processes. For tailored solutions and expert support, contact us here. Strengthen your construction loan approach with Young & Associates’ dedicated expertise.

HMDA and CRA Adjustments Are Here

By: William J. Showalter, CRCM, CRP

There are changes that arrived with the new year of 2024 to Home Mortgage Disclosure Act (HMDA) compliance for banks and thrifts in many areas. No, the Consumer Financial Protection Bureau (CFPB) is not repealing Regulation C or adding more detail to the required data we collect and report. The existing rule is still in place. 

The changes we will look at here are driven by the decennial (every 10 years) adjustments by the Office of Management and Budget (OMB) to geographic units used by the federal government, including the Census Bureau, for statistical purposes. The particular geographic units that impact bank and thrift HMDA compliance are Metropolitan Statistical Areas (MSAs) since they are a qualifying location factor for lenders in determining HMDA coverage. 

The OMB’s changes will also have possible effects on bank and thrift compliance with the Community Reinvestment Act (CRA) in the drawing of institutional CRA “assessment areas.” 

These latest changes were effective when issued by OMB – July 21, 2023 – so they can impact 2024 HMDA coverage. 

OMB Action 

The OMB completed a process of delineating Core Based Statistical Areas (CBSAs) based on 2020 Census data and the American Community Survey and Census Population Estimates Program for 2020 and 2021. A CBSA is a geographic entity associated with at least one core of 10,000 or more population, plus adjacent territory that has a high degree of social and economic integration with the core as measured by commuting ties. The standards designate and delineate two categories of CBSAs: Metropolitan Statistical Areas and Micropolitan Statistical Areas.  

The general concept of a metropolitan statistical area is that of an area containing a large population nucleus and adjacent communities that have a high degree of integration with that nucleus. The concept of a micropolitan statistical area closely parallels that of the metropolitan statistical area, but a micropolitan statistical area features a smaller nucleus. The purpose of these statistical areas is unchanged from when metropolitan areas were first delineated: The classification provides a nationally consistent set of delineations for collecting, tabulating, and publishing federal statistics for geographic areas. 

The new delineations are found in OMB Bulletin 23-01 at https://www.whitehouse.gov/wp-content/uploads/2023/07/OMB-Bulletin-23-01.pdf 

HMDA Coverage 

Regulation C covers any “financial institution,” as defined by the regulation and its underlying HMDA statute. “Financial institution” means, in part, a bank, savings association, or credit union that: 

  • On the preceding December 31, had assets in excess of the asset threshold established and published annually by the CFPB for coverage by HMDA, based on the year-to-year change in the average of the Consumer Price Index for Urban Wage Earners and Clerical Workers, not seasonally adjusted, for each 12-month period ending in November, rounded to the nearest million – $56 million for 2024 HMDA coverage 
  • On the preceding December 31, had a home or branch office in a Metropolitan Statistical Area (MSA) [Micropolitan Statistical Areas have no HMDA impact.] 
  • In the preceding calendar year, originated at least one home purchase loan (excluding temporary financing such as a construction loan) or refinancing of a home purchase loan, secured by a first lien on a one-to four-family dwelling, and 
  • Meets one or more of the following two criteria: is federally insured or regulated; or the mortgage loan referred to in the previous bullet was insured, guaranteed, or supplemented by a federal agency or was intended for sale to Fannie Mae or Freddie Mac
  • Meets at least one of the following criteria in each of the two preceding calendar years: originated at least 25 closed-end mortgage loans that are not excluded by §1003.3(c)(1) through (10) or (c)(13), or originated at least 200 open-end lines of credit that are not excluded by the cited section of Regulation C 

There are also similar qualification criteria for for-profit mortgage lenders that are not banks, thrifts, or credit unions, which we will not detail here. 

The qualification criterion impacted by OMB’s action is the geographic one, the second bullet above. If a financial institution that otherwise meets HMDA coverage criteria has an office in an MSA on December 31, then it is covered by HMDA for the following year. For many lenders, determining HMDA coverage is a one-time exercise (other than those who are right around the asset-size threshold). 

Ohio MSA Changes 

I will use my native Ohio as an example of what the MSA changes mean to banks and thrifts and their compliance with HMDA requirements. 

Three counties in Ohio were shuffled into Metropolitan Statistical Areas in this latest OMB action – one being added to an existing MSA and two comprising a new MSA. No Ohio counties were removed this time from MSAs in which they were formerly included. 

Ashtabula County has been added to the Cleveland MSA. Erie and Ottawa counties have been included in the new Sandusky MSA. 

There were also some changes in non-Ohio parts of MSAs that include other Ohio counties. Lenders in the Cincinnati, Huntington-Ashland, and Youngstown-Warren MSAs should look for these additions and deletions of neighboring states’ counties. 

All the details of the new Ohio geographic delineations can be found in the OMB Bulletin mentioned above. The list of MSAs and micropolitan statistical areas by state is in List 6 (with Ohio on pages 168-169) of the OMB Bulletin, while five additional lists in the bulletin give other breakdowns of the geographic delineations, including the counties included in each. 

HMDA Impact 

In 2023, there was no impact for HMDA reporting because the new MSA delineations were not in effect on December 31, 2022. 

However, they were in effect December 31, 2023, which has the following impacts: 

  • Banks and thrifts with offices in Ashtabula, Erie, and Ottawa counties, and in no other MSA counties, now have to begin collecting HMDA data January 1, 2024, and make their first reports of that data by March 1, 2025.
  • Unlike 10 years ago, there are no banks and thrifts whose offices in Ohio counties have made them subject to HMDA reporting (i.e., no offices in other MSA counties) that will no longer have to collect HMDA data beginning in 2024. (Note that such banks would still be obligated to report their 2023 HMDA data by March 1, 2024.) 

If your institution has an office in any of the counties affected by the MSA changes, be sure to review how this action affects your HMDA compliance beginning in 2024. 

CRA Impact 

MSAs affect the CRA compliance efforts of banks and thrifts, too. They come into play in drawing up an institution’s CRA assessment area (AA), as well as in the small business and small farm lending disclosure statements prepared by regulators annually for institutions reporting their data (all except for “small” retail banks and thrifts).  

The CRA rules require that an institution’s CRA AA consist generally of one or more MSAs or metropolitan divisions – using the MSA or metropolitan divisions boundaries that were in effect as of January 1 of the calendar year in which the delineation is made – or one or more contiguous political subdivisions e.g., counties, cities, or towns). 

A CRA AA may not extend substantially beyond an MSA boundary or beyond a state boundary unless the assessment area is located in a multistate MSA. If a bank or thrift serves a geographic area that extends substantially beyond a state boundary, the bank must delineate separate AAs for the areas in each state. If a bank or thrift serves a geographic area that extends substantially beyond an MSA boundary, it must delineate separate AAs for the areas inside and outside the MSA. 

The regulators prepare annually, for each MSA and the nonmetropolitan portion of each state, an aggregate disclosure statement of small business and small farm lending by all institutions subject to reporting of that data (all except “small” retail banks and thrifts). 

Therefore, the redrawn MSA boundaries might have an impact on your institution’s CRA compliance. Each bank and thrift with the affected counties in its CRA AA should review its delineation to make sure that the changes do not require an adjustment to those delineations. If any adjustments are needed, they should be made by April 1 – when any updating of CRA public files must be accomplished (including the map of your CRA AA).  

Links 

This OMB Bulletin provide the six lists of statistical areas that are available electronically at the link stated above or from the OMB website at https://www.whitehouse.gov/omb/information-for-agencies/bulletins/.  This update, historical delineations, and other information about population statistics are available on the Census Bureau’s website at https://www.census.gov/programs-surveys/metro-micro.html.

Young & Associates: Your Trusted Partner in Regulatory Compliance

In navigating the intricacies of HMDA and CRA compliance, Young & Associates stands ready to support community banks and credit unions. Our regulatory compliance consulting services ensure a seamless adherence to evolving regulations. Stay ahead with Young & Associates – your trusted partner in compliance excellence. Contact us today for tailored solutions that empower your financial institution.

Third-Party Relationships: Risk Management

By: Edward Pugh, CAMS, CAMs-Audit, AAP, CFE

Financial Institutions are increasingly relying on third parties for a broad range of products and services. Utilizing third parties can offer organizations significant benefits, including access to new technologies, delivery channels, products and services, and increased operational efficiencies. However, engaging third parties, especially those using new technologies, can expose financial institutions and their customers to increased risks. Operational, compliance, and strategic risks are often impacted by the utilization of third parties. Given the increase in the number and type of third parties engaging with financial institutions, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) released Interagency Guidance on Third-Party Relationships: Risk Management in June of 2023.  

Interagency Guidance on Third-Party Risk

The aforementioned guidance addresses all business arrangements between a financial institution and another entity, whether a formal contract exists or not. Third-party relations can include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. While there are many benefits to using third-party services, their use can reduce an institutions’ direct control over activities and may introduce new or increasing risks. Thus, it is important for an institution to identify, assess, monitor, and control risks related to third-party relationships.  

A critical element of third-party risk management is to develop and maintain a complete inventory of third-party relationships. This also includes periodically conducting risk assessments for each relationship. This process will allow an institution to determine its risk and whether these risks have changed over time. The overall goal is to be able to update risk management practices as circumstances and risks change. Third parties performing more critical activities, such as those that may impact customers, the institution’s financial conditions or operations, warrant more robust oversight. 

Third-Party Risk Management Life Cycle  

The Interagency Guidance identifies planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination of the relationship as the stages of the risk management life cycle.  

Key elements of the planning stage include assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries. Attention should also be paid to the information security implications, including access to the institution’s systems and to its confidential information. The planning phase should also determine how the institution will select, assess, and oversee the third-party, including monitoring compliance with applicable laws, regulations, and contractual provisions. Requiring remediation of compliance issues is an important element to consider.  

Due diligence includes assessing the third party’s ability to perform the activity as expected, adhere to the institution’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. The Guidance notes that, “Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific activity performed by the third party.” It is critical to identify and document any limitations of its due diligence, understand the risks from such limitations, and consider alternatives in risk mitigation. Factors to consider in performing due diligence include:

  • strategies and goals
  • legal and regulatory compliance
  • financial condition, business experience
  • qualifications and backgrounds of key personnel
  • risk management
  • information security
  • management of information systems
  • operational resilience
  • incident reporting and management processes
  • physical security, reliance on subcontractors
  • insurance coverage, and
  • contractual arrangements with other parties

Contract negotiations are also an important element of third-party risk management.  Factors to consider include the nature and scope of the arrangement, performance measures or benchmarks (i.e., a service level agreement), responsibilities for providing, receiving, and retaining information, the right to audit and require remediation, responsibility for compliance with applicable laws and regulations, costs and compensation, ownership and licensing, confidentiality and integrity, operational resilience and business continuity, indemnification and limits on liability, insurance, dispute resolution, customer complaints, subcontracting, foreign-based third parties involved, and default and termination arrangements.  It is important to also stipulate that the performance of the activities are subject to regulatory supervision and examination.  

Ongoing monitoring allows a financial institution to confirm the quality and sustainability of the third-party’s controls and the ability to meet contractual obligations, escalate significant issues or concerns, and respond to such issues or concerns when identified.  Depending on the complexity of the activities being performed, ongoing monitoring can include a review of reports regarding the third party’s performance and the effectiveness of its controls, periodic visits and/or meetings to discuss performance and operational issues, regular testing of the financial institution’s controls that manage risks from its third-party relations, especially for more complex relationships.  Some additional factors to consider when performing ongoing monitoring include determining the overall effectiveness of the relationship, changes to the third-party’s business strategy and agreements with other entities, changes in financial conditions, insurance coverage, relevant audits and/or testing results, and the third-party’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations.  Depending on the complexity of the relationship, additional factors may also be considered.   

The final stage, termination, is also an important element of the risk management life cycle.  There are many reasons an institution may wish to terminate a relationship with a third-party.  Some factors to facilitate termination include options for an effective transition of services, costs and fees associated with termination, managing risks associated with data retention and destruction, handling of joint intellectual property, and managing risks to the financial institution, including any impact on customers, if the termination happens as a result of the third-party’s inability to meet expectations.  

Governance in Third-Party Risk Management

There are many ways an institution can structure their third-party risk management processes. The accountability structure may be dispersed across business lines or may be centralized.  Regardless of the structure, the following practices should be considered through the risk management lifecycle: oversight and accountability, independent reviews, and documentation and reporting.  

Upholding Responsibilities in Third-Party Relationships

This summary is not intended to be a comprehensive review of the Agencies’ Interagency Guidance on Third-Party Relationships: Risk Management released on June 6, 2023.  As a reminder, the use of third parties does not diminish or remove financial institutions’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.  The full text of the Guidance may be found here: Interagency Guidance on Third-Party Relationships: Risk Management (occ.gov) 

Optimize Your Risk Strategy with Y&A’s Expertise

Discover our customizable Vendor Risk Management Policy, which provides guidance on managing risks from outsourced relationships. This comprehensive policy covers responsibilities, risk assessment, due diligence, contracts, security, confidentiality, controls, business resumption, and monitoring. Learn more here.

For insights into vendor due diligence or program refinement, please reach out to Michael Gerbick at mgerbick@younginc.com or contact us on our website. Strengthen your risk approach with our expertise – connect with us today.

Navigating Compliance Challenges: Reg Z, Reg E, and Flood Rules

Expert Regulatory Compliance Services for Financial Institutions

Are you finding the ever-evolving web of financial regulations a challenge to navigate? In the intricate landscape of compliance, regulations like Z, E, and Flood can be complex and overwhelming for financial institutions. Young & Associates offers a comprehensive suite of solutions specifically tailored to alleviate the burden of regulatory compliance for community banks and credit unions.

Regulatory Challenges Made Simple

Regulation Z Compliance: Comprehensive TILA Support

A cornerstone of financial institution compliance, Regulation Z delineates the implementation and execution of the Truth in Lending Act (TILA). Our experts understand the nuances of Reg Z and can guide your institution through its complex requirements. Our Reg Z compliance solutions are meticulously crafted to not only ensure your institution’s compliance but also to ensure transparency and fairness for your valued customers or members.

  • Loan Disclosures.  We review your financial institution’s disclosures – both open-end and closed-end (including TRID) disclosures – to help ensure compliance with these measures to inform customers, and to help your institution avoid potential required reimbursements, regulatory penalties, and civil liability.
  • Right of Rescission.  We help your lending personnel navigate the intricacies of the right of rescission, making sure that the proper consumers are recognized for this right and given required notices and disclosures, and that disbursements and other lender actions are delayed until it is confirmed that the customers have not exercised their cancellation right.  Proper observance of rescission requirements will help your institution avoid significant penalties – extended rescission rights, regulatory penalties, and civil liability.
  • Other Consumer Protections.  We facilitate your financial institution’s efforts to comply with, or avoid, significant requirements related to high-cost mortgages, home equity lines of credit, higher priced mortgage loans, private education loans, and others.

Regulation E Compliance: EFTs and Error Resolution

The Electronic Fund Transfer Act (EFTA) brings its own set of challenges. The EFTA, implemented by Regulation E, governs electronic transactions. As the volume of EFT transactions continues to rise, so does the complexity of associated error claims. Resolving these claims can pose a significant challenge for banks and credit unions. Our team specializes in providing tailored guidance and support for Reg E compliance, including:

  • Error Resolution Procedures: We review your financial institution’s error resolution procedures, ensuring strict adherence to meet regulatory standards.
  • Electronic Payment Systems: We facilitate adherence to Reg E requirements by ensuring your financial institution’s electronic payment systems and procedures are diligently followed.
  • Consumer Protection: We review your Reg E compliance program to confirm that your institution’s procedures and adherence align with regulations aimed at safeguarding your customers’ rights, privacy, and security.

You can rely on our Reg E compliance guidance to navigate the complexities of regulatory requirements, effectively mitigating the risks of violations and penalties in the dynamic landscape of electronic transactions.

Flood Insurance Compliance: Ensuring Flood Disaster Protection

Navigating the intricacies of federal flood regulations is crucial for financial institutions, given the increased scrutiny by regulators and the potential risks and penalties associated with noncompliance. Monetary penalties for such violations underscore the importance of a robust compliance program. Young & Associates is committed to providing comprehensive compliance solutions to guide your institution through the complex requirements of the Flood Disaster Protection Act encapsulated in the flood insurance rules.

At Y&A, our commitment to comprehensive compliance solutions extends to helping your institution navigate the nuances of federal flood-related requirements. Our seasoned experts specialize in helping your institution navigate federal flood-related requirements, offering tailored solutions to minimize exposure to potential risks. We can review your financial institution’s Flood Act compliance program to ensure compliance with variables such as flood zone determinations, borrower notifications, lender placement, and more.

Key components of our flood compliance reviews dial in on common areas of violations, including:

  • Compliance with Flood Regulations for Lenders: Our experts understand the intricacies of flood regulations, addressing common areas of violations such as proper loan file documentation, justified waivers, insurance coverage requirements, notice to borrower requirements, forced placement of flood insurance requirements, and more. We ensure your institution adheres to the most stringent regulatory standards, mitigating risks associated with non-compliant loans.
  • Flood Insurance Notice to Borrower Requirements: Timely and accurate notices to borrowers are critical. Our comprehensive reviews focus on your institution’s process for delivering and receiving acknowledgement of flood insurance-related notices, ensuring compliance with regulatory timelines and requirements.
  • SFHA Flood Insurance Requirements: Staying abreast of FEMA’s special flood hazard areas and implementing appropriate flood insurance requirements is essential. Our compliance reviews are designed to assist your institution in adhering to evolving SFHA standards.

As your trusted partner, we streamline the compliance process, allowing your institution to focus on core functions while remaining resilient in the face of regulatory challenges. Let us guide you through the intricate web of flood-related regulations, ensuring your institution stays protected from compliance violations in the ever-evolving financial landscape.

Expert Guidance on Regulation Z, Regulation E, and Flood Compliance

Regulations such as Z, E, and Flood are just the tip of the iceberg. Our consultants are well-versed in all aspects of federal banking consumer regulations, ensuring you’re not just compliant but also in the best possible position to thrive in a highly regulated environment. Whether you’re looking for assistance in understanding the intricacies of Truth in Lending, Electronic Fund Transfers, or Flood Compliance Requirements, we have you covered.

Why Partner With Young & Associates?

At Y&A, we’ve been a trusted partner in regulatory compliance for over four decades, and here’s why:

  • Stay Ahead of Regulatory Changes: We keep you informed and prepared in a constantly evolving regulatory landscape. We help you navigate the intricate landscape of financial regulations, so you can focus on your core mission.
  • Comprehensive Solutions Tailored to Your Institution: We understand that a one-size-fits-all approach doesn’t work in regulatory compliance. Our solutions are customized to address your institution’s unique needs.
  • Real Solutions for Real Challenges: We provide practical, real-world recommendations, enabling your bank or credit union to not only meet regulatory requirements but also implement best practices for a robust compliance framework.
  • Experienced Team: Our seasoned consultants bring decades of experience in banking and financial regulation to the table, ensuring you receive expert guidance.
  • Unmatched Quality: With over 45 years exclusively dedicated to financial institutions, excellence is our trademark. We maintain meticulous standards, offering precision, thoroughness, and a steadfast commitment to delivering actionable results.
  • Comprehensive Support: We offer end-to-end support, and our full-service approach covers all aspects of financial institution consulting. When you partner with Y&A, you gain access to a comprehensive team of industry experts.

Let’s Navigate Compliance Together

Don’t let regulatory challenges hinder your institution’s growth. Reach out to Young & Associates today to ensure your institution not only meets compliance standards but is also prepared for success. We’re here to help you navigate the intricate world of Regulations Z, E, H, and beyond. With our expertise, your institution can thrive in a highly regulated environment.

In addition to our full suite of compliance consulting services, we offer:

  • Virtual Compliance Consultant (VCC) Program: Receive access to all the invaluable compliance tools and services that we have to offer including compliance coaching, compliance products and policies, regulatory manuals, access to an online forum with experts from Y&A, and more.
  • Compliance Policies, Tools, and Workbooks: We offer customizable resources designed to simplify complex compliance tasks. From policies to interactive workbooks, our tools facilitate smoother compliance operations.
  • Compliance Update Newsletter: This monthly newsletter provides a thorough compliance review and covers developments that affect the banking industry. Each month our compliance experts scour the regulatory issuances, final rules, and amendments to provide you with the compliance information you need. The newsletter includes hot topics, action items, a compliance calendar, and more relevant information and resources.
  • Education Services: In addition to timely, easily accessible webinars, we offer customizable training solutions.

Contact us to explore how our tailored solutions can address your regulatory challenges.

Credit Union Cybersecurity: Actionable Cyber Threat Defense

In an era dominated by technology, the financial sector faces a growing menace in the form of cyberattacks. Credit unions, along with their members’ sensitive data, have become prime targets for cybercriminals. To safeguard against these evolving threats, credit unions must proactively fortify their cybersecurity defenses.

As the financial industry changes, cybercriminals adapt, so credit unions must prioritize cybersecurity planning. This article discusses steps and measures credit unions can take to protect their operations and member data from cyber threats.

Understanding the Cyber Threat Landscape

The increase in cyberattacks on credit unions, as well as their affiliated CUSOs and vendors, has brought cybersecurity vulnerabilities into sharp focus. It’s essential to recognize that cyber threats are no longer a distant possibility, but a tangible reality that demands immediate attention. Cybercriminals employ a range of tactics, including ransomware, phishing, and Distributed Denial-of-Service (DDoS) attacks, all with the potential to disrupt operations, compromise data, and tarnish the reputation of credit unions.

Taking Action: Security Controls for Credit Unions

In a realm where financial innovation and digital transformation reign, protecting sensitive data and ensuring uninterrupted services takes precedence. However, this progress is accompanied by the challenge of cyber threats, demanding a proactive approach to security.

To counter the evolving threat landscape, credit unions must adopt specific actions and security controls that reinforce their defenses. These measures not only safeguard their operations but also uphold the confidence and trust of their members. Let’s explore the steps credit unions can take to strengthen their cybersecurity and defend against cyber threats.

1. Implement Strong Access Controls

Effective access controls form the first line of defense against unauthorized access. Credit unions should enforce stringent access policies, ensuring that only authorized personnel have access to critical systems and sensitive data. Implement role-based access controls (RBAC) to limit privileges based on job roles, and regularly review and update permissions to maintain a least-privilege approach.

2. Fortify with Multi-Factor Authentication (MFA)

Incorporate MFA for all critical systems, applications, and accounts in your credit union. This extra layer of security forms a significant hurdle for unauthorized access attempts and provides protection against phishing attacks. MFA necessitates users to offer additional confirmation apart from a password, thereby boosting security.

3. Prioritize Patching and Updating Systems

Addressing vulnerabilities promptly is critical to preventing potential breaches. Outdated software and unpatched systems are prime targets for cyber attackers. Regularly update and patch operating systems, software applications, and security solutions to address known vulnerabilities and reduce the risk of exploitation. Stay informed about security advisories and updates from the software provider and relevant cybersecurity agencies.

4. Enhance Member and Employee Cybersecurity Awareness

Cyber threats evolve continuously, and so should employee knowledge. Educating your employees about cyber threats is one of the most effective ways to mitigate risks. Provide ongoing training to employees to help them recognize and respond to social engineering, the latest cyber threats, other common attack techniques, and best practices to keep them vigilant and informed. Awareness empowers your team to become a crucial line of defense. Equally important is educating members about safe online practices to prevent them from falling victim to scams or attacks.

5. Reinforce Email Security and Anti-Phishing Measures

Email remains a primary vector for cyberattacks. Implement sophisticated email security systems that inherently possess phishing identification and prevention features. Use SPF, DKIM, and DMARC to stop email spoofing and make emails more authentic, lowering the chance of successful phishing.

6. Conduct Regular Penetration Testing and Vulnerability Assessments

Proactively identify vulnerabilities by conducting regular penetration testing and vulnerability assessments. This allows credit unions to uncover weaknesses in their systems, applications, and infrastructure before cybercriminals can exploit them.

7. Craft a Robust Incident Response Plan

Prepare for the worst by developing a comprehensive incident response plan. Regularly test this plan to ensure your credit union is ready to respond swiftly and efficiently to a cyberattack. This plan should outline steps to take in case of a cyber incident, clearly define roles, responsibilities, communication protocols, and procedures, and rehearse different attack scenarios to minimize downtime and mitigate damages.

8. Manage Vendor Risk Strategically

Your credit union’s security isn’t solely dependent on your internal measures—it extends to third-party vendors as well. Review and assess the cybersecurity practices of vendors providing services to your credit union. Ensure they adhere to robust security standards and regularly evaluate their security posture to safeguard your ecosystem. Learn more about effective vendor due diligence evaluations in this blog.

9. Network Segmentation and DDoS Protection

Network segmentation involves dividing the network into smaller segments to limit lateral movement in the event of a breach. Execute network partitioning to confine possible security breaches and reduce their effects. This approach restricts attackers’ ability to move freely within the network, containing the impact and reducing the potential damage. Protect against DDoS attacks by filtering and limiting traffic to prevent disruptions to your services.

10. Safeguard through Regular Data Backups, Testing, and Recovery Planning

Ransomware attacks can paralyze credit unions by encrypting critical data. Regularly back up your data and test the recovery process to ensure quick and effective restoration in case of an attack. Backups reduce the likelihood of data loss and minimize the temptation to pay ransoms.

11. Encourage Sharing of Threat Intelligence

Get involved in communities that share threat intelligence in order to keep updated on new cyber threats and trends. Collaborating with industry peers enhances your understanding of evolving attack tactics, enabling you to adapt and protect your credit union effectively.

12. Sustain Vigilance with Continuous Monitoring and Updates

Cyber threats are ever-evolving, making continuous monitoring and prompt patch application essential. Monitor network traffic, logs, and systems for any unusual activities that could indicate a breach. Timely identification of suspicious activities enables credit unions to respond promptly and mitigate potential damage. Stay up to date with the latest security updates and promptly implement patches to close potential vulnerabilities.

13. Engage with Cybersecurity Experts

Consider seeking guidance from cybersecurity experts or firms specializing in the financial sector, like Young & Associates. Our industry-specific insights can provide credit unions with tailored solutions to address the unique challenges posed by cyber and information security threats.

Credit unions can strengthen their security and protect their operations, member data, and reputation by taking proactive cybersecurity measures. To protect against cyberattacks, credit unions must stay alert and take necessary actions as threats change and become more advanced. Remember, protecting against cyber threats is not just a responsibility—it’s a necessity for the digital age.

Partnering with Young & Associates: Expert Cybersecurity Solutions

In the face of escalating cyber threats, credit unions are seeking expert guidance and support to bolster their security measures. At Young & Associates, we understand the dynamic challenges that credit unions face in the realm of cybersecurity. We offer IT consulting, audit, and technical testing services to help strengthen your credit union’s defenses.

Our experienced experts provide valuable knowledge to help protect your institution from cyber threats with effective strategies and solutions. Y&A offers cybersecurity solutions ranging from comprehensive security audits to technical testing that uncovers vulnerabilities. We tailor our services to suit the unique needs of credit unions in this digital age. We will help your credit union understand and navigate cybersecurity. Contact us to learn more. 

Connect with a Consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution

Ask a Question