
6 Key Components of Effective Credit Stress Testing

When your financial institution is conducting a credit risk stress test, it’s imperative that your test has several key components for effective testing. As your trusted financial guide, at Young & Associates, we’ll walk you through the process. In this blog post, we’ll explore the key components of effective credit stress testing.  

1. Comprehensive scenario design 

This is the single most important component in creating an effective credit stress test. They say that success is 90% planning and 10% perspiration. While the exact percentages may vary, the message still stands. Planning is important! When you’re designing your credit stress scenario, be sure that you have taken into account the following:  

  • Interest rates 
  • Economic growth
  • Industry-specific risks such as collateral value of special use property 

2. High-quality data

The quality of a statistical model is only as good as the data it’s built upon. So, when you’re collecting your data, do your due diligence to ensure that it’s:  

Complete and accurate: Missing data or incorrect data will create skewed outcomes that lead to inaccurate results 

Uniform: When you’re consolidating data from several sources, it’s important to ensure that the format and measurements are uniform over time. Be sure to test at least a few samples of the data for accuracy. 

Timely: When you’re forecasting credit stress, it’s preferable to use data from within the past 3-6 months. The economy is affected by many things, so data that is more current will more accurately reflect the current situation.  

Unique: If you’re combining data sets, it’s all too easy to get duplicates. Be sure to review the data sets to ensure that the data is not replicated elsewhere. Duplicate data can skew the results and lead to inaccurate assumptions. Examples would include property collateralizing multiple loans. It is best to consolidate these loans into one for collateral and NOI purposes. 

Relevant: Is the data that is included in the credit stress test actually relevant to the test? You may be familiar with Karl Pearson’s famous phrase, “correlation does not imply causation.” It’s good to have a working knowledge of economics so that you can draw accurate conclusions from the data and the causes for the outcome. 

3. Robust models and methodologies 

If financial institutions want to test their credit stress with integrity, it’s important that they use robust models and methodologies to measure the risk under various circumstances.  To achieve this, be sure the model you are using bases its testing on consistent data and data that is relevant to current or future economic outcomes.  

4. Adequate portfolio selection 

To obtain an accurate credit risk stress test for a specific loan portfolio (we recommend doing this), it’s important to include a representative sample size for each segment of your portfolio (bottom-up approach). However, if the sample size is small, Young & Associates will use call report data to back-fill the rest of the portfolio and use industry standards to stress the portfolio of loans not individually stressed (top-down approach). By including “the rest of the portfolio,” Young & Associates can cover the entire portfolio and accurately reflect the credit risk of your financial institution without the institution having to gather all that data on smaller loans.

5. Credit stress scenario and sensitivity 

By now, you are familiar with the preparation for a credit stress test, but another key component is the execution. What are the metrics that you’re measuring to indicate the credit risk of your bank or credit union? Credit stress tests measure several specific metrics, including credit losses, capital requirements, and default rates, and the sensitivity to those risks. This highlights the metrics that heavily influence the results and can indicate the robustness of the model.

6. Risk aggregation and reporting 

Like any work, the communication of that data is just as important as the data itself. After the calculations are made, gather the outcomes and associated risks, while adding your insights for how to improve those risks. Young & Associates will go through the stress test report in detail with you and indicate issues in the report, including specific borrowers that show greater risk. Young & Associates is also able to present the findings of the report to your board audit committee and senior management, if desired.

Connect with a consultant 

Credit stress testing can sometimes feel overwhelming. We understand. Financial institutions exist to create stability for others, so when your bank or credit union is required to document the stress on your system, it can feel daunting. That’s where Young & Associates comes in. With unmatched expertise, you can trust us to guide your financial institution even when the future may seem unclear. Contact us today to learn more about our consulting and educational services.  

Meet the Upcoming Fannie Mae Prefunding Deadline on 9/1/23

Upcoming Fannie Mae Prefunding Deadline

Are you prepared for the upcoming Fannie Mae prefunding deadline on 9/1/23? On March 1, 2023, Fannie Mae announced changes to its selling guide that will take effect on September 1, 2023. These changes were made to improve overall loan quality and reduce the number of loans requiring remediation by lenders.

What’s Changing?

As part of these changes, lenders are now required to conduct a minimum number of prefunding reviews each month. The total number of loans reviewed must meet the lesser of the following criteria:

  • 10% of the prior month’s total number of closings, or
  • 750 loans

Lenders are encouraged to implement these changes immediately, but they must be in full compliance by September 1.

Note: The 10% loan population in the September 1 – September 30 cycle will be based on the total number of loans closed in August.

How Young & Associates Can Assist with Your Pre-Closing QC Reviews

At Young & Associates, we understand the importance of staying ahead of the curve. With today’s downturn in mortgage loan volume and high origination costs, our independent pre-closing QC reviews can be a viable option for your organization. Let us help you navigate these changes seamlessly and mitigate the risk of noncompliance.

By conducting pre-closing Quality Control reviews, we can:

  • Provide important and timely information to origination staff prior to closing a loan.
  • Test residential mortgage loans and origination sources to identify and address loan defects prior to closing.
  • Verify that loans conform to your organization’s policies and meet insurer and guarantor requirements.
  • Mitigate the risk of noncompliance.
  • Alleviate the time and staffing issues you may be facing in today’s volatile market.
  • Control your costs by eliminating the need to maintain someone in-house to perform this work.

Why Choose Y&A? Superior Results at a Lower Cost

Young & Associates, Inc. is an industry leader and provider of QC services for over 45 years and provides mortgage quality control services to meet government-sponsored enterprise and agency requirements, including Fannie Mae. With a proven track record of delivering superior results for over four decades, partnering with us ensures that you can expect:

  • High-quality, reliable services
  • Expertise in Fannie Mae guidelines and regulations
  • Unparalleled experience in the mortgage industry
  • Custom solutions tailored to your needs

Contact Us Today

Don’t let the Fannie Mae prefunding deadline catch you off guard. Reach out to Young & Associates today for professional assistance with your pre-closing QC reviews. Learn more about Y&A’s mortgage quality control services by clicking here. For more information about us and how we can assist you with your pre-closing QC reviews, contact us by phone at 330.422.3482 or email at mgerbick@younginc.com. We look forward to partnering with you to ensure compliance and success!

Assess, Plan, and Effectively Respond to Today’s Market Challenges

By: Jerry Sutherin, President & CEO

In today’s dynamic market, some of the biggest challenges faced by our clients include but are not limited to interest rate risk management, liquidity, capital adequacy, and commercial loan underwriting. These issues are magnified by the ability of our clients to locate, hire, and retain quality human capital to operate effectively and efficiently.

Interest Rate Risk Management

Rising or fluctuating interest rates impact your financial institution’s growth prospects in both the short and long term. Not only do interest rates pose a risk to a financial institution’s balance sheet, but they also impede the ability to effectively produce reliable financial statement forecasts. A financial institution’s Net Interest Margin (NIM) is a key component of each income statement. Being able to adequately forecast interest income as well as internal cost of funds allows an institution to produce a reliable budget. To overcome this, financial institutions must identify, measure, monitor, and control interest rate risks to meet the requirements of the Joint Policy Statement on Interest Rate Risk (IRR) and the IRR regulatory guidance. Effective control of the interest rate risk will require conducting annual independent reviews of the asset liability management (ALM) function and validating your risk measurement systems to ensure their integrity, accuracy, and reasonableness. This will also involve internal controls of loan and deposit pricing. Establishing and maintaining these controls should begin at the board level and flow through management.

Credit Risk Management

Rising interest rates have also had a profound impact on credit quality of commercial lending, one of the primary drivers of revenue for most financial institutions. The change in credit quality results in the tightening of credit standards throughout the industry and by the regulators. Being able to effectively underwrite loans and mitigate risks within a commercial loan portfolio is a function of having seasoned staff to manage these processes. Lack of quality credit talent exposes financial institutions to otherwise preventable credit risks. The dilemma for most financial institutions is finding, hiring, and maintaining experienced personnel. In some instances, this has resulted in inadequate credit presentations being prepared by unqualified individuals or loan officers underwriting their own credits for approval. The increasing burden of inflation and wages adds another layer of complexity to the mix. Many community-focused institutions are not willing or able to pay top rate for talent, which is understandable given the need and focus to remain competitive among the larger regional and national banks that continue to acquire and/or out-compete them.

Liquidity Risk Management

Another impact of a higher interest rate environment and inflation is the disintermediation of funds or liquidity from financial institutions to other financial intermediaries. Sound liquidity management is crucial for controlling your organization’s liquidity risk and managing cash flow to meet expected and unexpected cash flow needs without adversely affecting daily operations. Your financial institution should assess the range of possible outcomes of contemplated business strategies, maintain contingency funding plans, position for new opportunities, and ensure regulatory compliance and the adequacy of your risk management practices.

Capital Planning

Both interest rate risk management and liquidity management have a direct impact on the capital adequacy of all financial institutions. Capital contingency planning will ensure that your financial institution maintains the required level of capital through any realistic stress event. Periodic review of minimum capital requirements and stress tests can provide valuable insights and will maintain your standing with the regulators.

The Importance of Strategic Planning

So far, this article has only discussed the challenges faced by the financial institution industry. These obstacles are not just management issues. They are also issues that boards of directors must navigate as well.

Are there solutions? Absolutely — yes there are. Boards of directors and management must be aligned on all strategic initiatives. These objectives need to be derived and adopted by the board and conveyed to management. The most common approach is through a focused strategic planning session involving the board and management. The outcome of such a retreat will enable the board to identify goals and risks faced by the organization while also deciding on how the goals will be accomplished and the risks mitigated. This could be through the utilization of qualified internal staff or engaging outside experts to assist with each objective. An effective strategic plan will incorporate all these pieces to help guide your organization as you navigate the changing industry landscape.

Partner With Us for Success

For 45 years, Young & Associates, Inc. (www.younginc.com) has partnered with banks and credit unions across the country to provide consulting, outsourcing, and educational services to minimize their risk and maximize their success. Our services cover areas such as interest rate risk analysis, liquidity planning, assessment of capital adequacy, strategic planning, regulatory assistance, internal audit, independent loan review, IT audits and penetration testing, and regulatory compliance assessment, outsourcing and training. Our team of consultants boasts an unmatched level of industry experience and is comprised of former banking executives, compliance regulators, and tenured finance professionals who have personally experienced many of the same issues you face at your organization.

For commercial credit needs, Y&A Credit Services is a full-service provider of outsourced underwriting services and credit analysis. An independent entity, Y&A Credit Services offers the same exceptional service, expertise, and integrity you’ve learned to expect from Young & Associates, Inc., and provides commercial credit underwriting and credit approval presentations, annual underwriting reviews, financial statement spreading and analysis, and approval and underwriting package reviews. We’ll work with you to improve the quality, speed, and accuracy of your lending with a solid focus on minimizing your credit risk. Our team members are experts in credit services and the financial industry and include former chief credit officers and senior credit analysts from both community and regional banks and provide full outsourced credit department services to our clients, keeping their costs low so they can remain competitive in their markets. Our seasoned credit professionals boast a combined 100+ years of experience in credit administration which helps mitigate risks while assisting our clients with safe and sound underwriting processes.

We look forward to assisting your bank or credit union in meeting these challenges head on. Find out more about the many services we provide at www.younginc.com (Young & Associates, Inc.) and www.yacreditservices.com (Y&A Credit Services). Or contact us directly by emailing Jerry Sutherin, President & CEO, at jsutherin@younginc.com or calling him directly at 330.422.3474.

Ensuring Compliance in a BSA/AML Compliance Program: Independent Testing

By: Edward Pugh, AAP, CAMS, CAMS-Audit, CFE

One of the key components of a financial institution’s compliance with BSA/AML regulatory requirements is independent testing of the BSA/AML Program. Independent testing may be performed by an institution’s internal audit department, outside auditors, consultants, or other qualified independent parties. There is no regulatory requirement establishing the frequency of BSA/AML independent testing; rather, the frequency should be commensurate with the money laundering/terrorism financing risk profile of the institution. Many institutions conduct independent testing every 12 to 18 months, increasing frequency if there are any significant changes in the risk profile, such as changes in systems, compliance staff, products, mergers/acquisitions, or an institution’s size. Significant errors or deficiencies may also warrant more frequent independent testing to validate mitigating or remedial measures.

Often, the need for a truly independent assessment, combined with limitations in staffing capacity, prompts institutions to engage an external entity to conduct a comprehensive evaluation of their BSA/AML program compliance. Thus, it is critical to ensure that the independent review provides an unbiased assessment of an institution’s BSA/AML compliance efforts, identifies potential risks or weaknesses, and offers recommendations for improvement. Some key components of a satisfactory BSA/AML independent program audit or testing include the following:

  • Scoping and Planning: The scope of the review should be based on a risk assessment of the institution’s products, services, customers, and geographic locations. The scoping and planning phase often relies on the institution’s own BSA/AML risk assessment, but if it is inadequate, the external auditor may determine the scope. Additionally, any changes in the business or regulatory environment, as well as any issues identified in previous audits or examinations, should be taken into account.
  • Independence: The audit/testing should be conducted by individuals who are independent of the BSA/AML compliance program. While internal auditors may be acceptable, a BSA Officer or assistant would not be. This ensures that any findings are objective and unbiased.
  • Qualifications and Training of Auditors: Persons conducting the independent testing should have sufficient knowledge and understanding of the BSA, AML, and related regulations. They should be trained in auditing principles and procedures and understand the various risks financial institutions face.
  • Review of the BSA/AML Compliance Program: The audit should include a comprehensive review of the BSA/AML Compliance Program, including its policies and procedures, risk assessment, internal controls, training programs, and the role and performance of the BSA Officer.
  • Transaction Testing: Thorough transaction testing should be conducted to verify compliance with BSA/AML requirements, such as customer identification, suspicious activity reporting, customer due diligence, currency transaction reporting, and record keeping requirements.
  • Assessment of Training Programs: The institution’s BSA/AML training programs should be reviewed to ensure they are adequate, up-to-date, and effective in educating employees about the BSA/AML responsibilities. The Board of Directors training should also be reviewed.
  • Reporting: An audit report should be produced that clearly communicates findings, including any weaknesses or deficiencies in the compliance program. Appropriate recommendations for improvement should also be provided where necessary.

A comprehensive and effective BSA/AML independent program audit is essential for financial institutions to ensure compliance with the various laws and regulations pertaining to BSA/AML. Some issues pertaining to independent testing that are frequently found in Reports of Examination include lack of independence on the part of the auditor (tester), insufficient scope, and insufficient transaction testing. A comprehensive and independent audit of an institution’s BSA/AML compliance program not only facilitates regulatory adherence, but also pinpoints and highlights any existing program deficiencies.

Additional Resources: FFIEC BSA/AML Assessing the BSA/AML Compliance Program – BSA/AML Independent Testing

Young & Associates works with financial institutions of all sizes to help them avoid regulatory pitfalls and develop strong BSA/AML compliance programs. For more information, contact me at epugh@younginc.com or 330.422.3475.

The Role of Loan Review in the Credit Risk Management System

By: David Reno, Director of Loan Review & Lending Services

Loans, especially non-consumer loans, typically represent the greatest level of risk on your balance sheet. Therefore, effective commercial loan portfolio management is crucial to control credit risk. It can serve as an early indicator of emerging credit risk related to lending to individual borrowers, aggregate credit exposure to related borrowers, and the overall credit risk associated with a loan portfolio. It serves as an integral part of an institution’s credit risk management system that is a continuum comprised of the following stages:

  • Well-formulated lending policies, procedures, and practices that are consistently applied, well-known to all credit and lending staff, and compliant with regulatory guidance
  • The collection and accurate credit analysis of financial and other underwriting information
  • Assignment of an accurate risk grade
  • Proper and qualified approval authorities and risk-based process
  • Correct and thorough documentation
  • Pre-closing preparation and loan closing
  • Post-closing credit administration
  • Internal annual loan review
  • External/independent loan review
  • Timely problem loan identification and management
  • Proper calculation of the ALLL
  • Collection and loss mitigation

Effective and efficient loan reviews can help an institution better understand its loan portfolio and identify potential risk exposures to contribute to the formulation of a risk-based lending and loan administration strategy.

Regulatory Background

The OCC, FRB, FDIC, and NCUA issued the Interagency Guidance on Credit Risk Review Systems in FIL-55-2020 dated May 8, 2020, which aligns with Interagency Guidelines Establishing Standards for Safety and Soundness. This guidance is relevant to all institutions supervised by the agencies and replaces Attachment 1 of the 2006 Interagency Policy Statement on the Allowance for Loan and Lease Losses. The final guidance details the objectives of an effective credit risk review system and discusses such topics as sound management of credit risk, a system of independent, ongoing credit review, and appropriate communication regarding the performance of the institution’s loan portfolio to its management and board of directors.

Credit Risk Rating (or Grading) Framework

The foundation for any effective credit risk review system is accurate and timely risk ratings. These risk ratings are used to assess credit quality and identify or confirm problem loans. The system generally places primary reliance on the lending staff to assign accurate, timely risk ratings and identify emerging loan problems. However, the lending personnel’s assignment of risk ratings is typically subject to review by qualified and independent peers, managers, loan committee(s), internal credit review departments, or external credit review consultants that provide a more objective assessment of credit quality.

Elements of an Effective Credit Risk Review System

The starting point is a written credit risk review policy that is updated and approved at least annually by the institution’s board of directors or board committee to evidence its support of and commitment to maintaining an effective system. Effective policies include a description of the overall risk rating framework and responsibilities for loan review.

An effective credit risk review policy addresses the following elements:

Qualifications of Credit Risk Review Personnel. The level of experience and expertise for credit risk review personnel is expected to be commensurate with the nature of the risk and complexity of the loan portfolio, and they should possess a proper level of education, experience, and credit training, together with knowledge of generally sound lending practices, the institution’s lending guidelines, and relevant laws, regulations, and supervisory guidance.

Independence of Credit Risk Review Personnel. Because of their frequent contact with borrowers, loan officers, risk officers, and line staff are primarily responsible for continuous portfolio analysis and prompt identification and reporting of problem loans to proactively identify potential problems. While larger institutions may establish a separate credit review department, smaller institutions may use an independent committee of outside directors or other qualified institution staff. These individuals should not be involved in originating or approving the specific credits being assessed, and their compensation should not be influenced by the assigned risk ratings. Regardless of the approach taken, it is prudent for the credit risk review function to report directly to the institution’s board of directors or a committee thereof. Senior management should be responsible for administrative functions.

The institution’s board of directors may outsource the role to a third-party vendor; however, the board is ultimately responsible for maintaining a sound credit risk review system.

Scope of Reviews

Comprehensive and effective reviews cover all segments of the loan portfolio that pose significant credit risk or concentrations. The review process should consider industry standards for credit risk review coverage, which should be consistent with the institution’s size, complexity, loan types, risk profile, and risk management practices. This consideration helps to verify whether the review scope is appropriate.

An effective scope of review is risk-based and typically includes:

  • Loans over a predetermined size along with a sample of smaller loans
  • Loans with higher risk indicators, such as low credit scores or approved as exceptions to policy
  • Segments of loan portfolios, including retail, with similar risk characteristics, such as those related to borrower risk (e.g., credit history), transaction risk (e.g., product and/or collateral type), etc.
  • Segments of the loan portfolio experiencing rapid growth
  • Past due, nonaccrual, renewed, and restructured loans
  • Loans previously criticized or adversely classified
  • Loans to insiders, affiliates, or related parties
  • Loans constituting concentrations of credit risk and other loans affected by common repayment factors

Review of Findings and Follow-Up

A discussion of credit risk review findings should be held with management, credit, and lending staff and should include noted deficiencies, identified weaknesses, and any existing or planned corrective actions and associated timelines.

Communication and Distribution of Results

The results of a credit risk review are presented in a summary analysis with detailed supporting information that substantiates the concluded risk ratings assigned to the loans reviewed. The summary analysis is then periodically presented to the board of directors or board committee to maintain accountability and drive results. Comprehensive reporting includes trend analysis regarding the overall quality of the loan portfolio, the adequacy of and adherence to internal policies and procedures, the quality of underwriting and risk identification, compliance with laws and regulations, and management’s response to substantive criticisms or recommendations.

Summary Insights

The back-testing that is performed by the loan review process is necessary to ensure that an institution has in place a comprehensive and effective credit risk management system and that an institution acknowledges and practically applies the established framework of its unique but compliant credit culture.

An effective external loan review process is not so much a traditional audit exercise as it is an advisory process that produces meaningful dialogue between the review firm and the institution that seeks to identify and interpret various aspects of credit risk to minimize risk of loss by implementing industry best practices, maintaining regulatory compliance, and supporting the institution’s long-term viability in continuing to serve the needs of its customers and community.

For more information on the role of loan review in the credit risk management system, contact David Reno, Director of Loan Review & Lending Services, at dreno@younginc.com or 330.422.3455.

Vendor Due Diligence Evaluations

By: Michael Gerbick, COO

Do you have a due diligence packet?

Can you answer these questions for our due diligence?

Our outsourced vendor relationship manager will be reaching out to you for due diligence information.

As a trusted vendor to many clients, we receive requests/comments like these every day from our customers, and it brings to light the large disparity between what is requested and what is understood from the information. We are trusted with personally identifiable information daily, and it is our responsibility to do our best to protect that information. No one can guarantee foolproof protection as it’s not “if” but “when” security breaches will occur. We can, however, adhere to industry standards that assist in reducing these risks significantly. This is important when looking internally at our own systems and processes as well as our critical vendors.

There are several areas to consider in the due diligence evaluation. I have highlighted a few of these areas below to assist you in choosing a trustworthy vendor.

Vendor Purpose

Knowing how a vendor will be leveraged will begin to shape the risk analysis needed for the remaining due diligence areas. Think about whether they will need access to your environment, whether they will need access to your confidential information, and/or whether they will provide a service that you could not otherwise handle without them. How long have they been in business? Have they declared bankruptcy? Your risk profile will start to take shape regarding strategic and reputational risk and will direct the due diligence areas you focus on going forward.

Information Access

At the most basic level, how will your vendor access your information? Remotely from anywhere, with unbridled access to your core system? Onsite via paper documents with 24-hour oversight by your staff? Or will the service be executed in a hybrid fashion (onsite and remote)? In addition to access, will you allow the vendor to save the information outside of your environment? Will you send information electronically to the vendor and if so, how will you communicate? Vendors that do not have direct access to your core or large repositories of confidential information may still touch non-public information. When you approach sharing non-public information through either email or a secure file transfer, consider as a scenario a business email compromise at your vendor and its impact on your organization. Thinking about how the information will be accessed, transferred, and used will help in your due diligence process and help ensure that you’ve done your best to get the valuable service from your vendor with a method of accessing confidential information you are most comfortable with.

Information and System Controls

This is more than just passwords. It’s about whether the vendor’s systems are updated frequently with the latest patches; data center security (SOC 1 and 2 reports); the encryption on devices; the MFA (Multifactor Authentication) in place at the account and device level; the antivirus, antimalware, protection from ransomware, and MDR (Managed Detection and Response); where your information is accessed; and whether all the system controls are monitored. Every week, there are news reports of another ‘hack’ and ransom of individuals’ sensitive information. The only constant here is that this is reality, and the protections and attacks are ever-changing and evolving. There is a lot to unpack here, and you can ask thousands of questions of your provider. Ultimately, you need to decide if the information you share with them is held in an environment that meets your expectations of safety and security. An informed and trusted IT leader on your team can help make sense of this space for your organization and identify those areas that apply to you. At a minimum, a complete set of robust questions or list of requests will help you immediately distinguish those vendors that can help you from those that may just introduce risk to your organization.

Business Continuity, Incident Response Plan, and Disaster Recovery

An event will happen. Plans in place that are reviewed and tested regularly will minimize the negative impact. Ask your vendor if they have these plans and discuss with them to understand how robust they are. Gain a comfort level that the vendor cares about managing the inevitable event as much as you do. If they are a critical vendor and something happens to them, you should expect them to have a plan in place to mitigate your risk.

Confidential Information

In addition to specific language in your vendor contract and the methods of accessing confidential or non-public information, ask about cybersecurity-specific insurance coverage in case of an incident. If their staff is touching your information, ask about their hiring practices and the expertise of their personnel, confidentiality agreements, and background checks.

Conclusion

There are many talented vendors out there to assist your organization. A consistent approach with a defined leader on your team will elevate the quality of the vendors your organization chooses to do business with. The few areas discussed above help manage risk when something goes wrong. The more prepared your vendor and you are for those inevitabilities, the less impact it will have on you and your customers.

If you want to find out more about vendor due diligence or need help improving or starting your vendor due diligence program, please contact Michael Gerbick at mgerbick@younginc.com or 330.422.3482. Young & Associates can help you every step of the way.

 

In Loving Memory – Kyle Curtis

May 5, 1961 – January 7, 2023

With great sadness, we announce that Kyle Curtis, of Chandler, AZ, passed away unexpectedly on January 7, 2023. Born on May 5, 1961, Kyle had more than 30 years of diverse banking experience in financial reporting, lending, credit authority and administration, and senior management level positions. He spent his entire career as a banker in Arizona, starting at the entry level and working his way up to serving in several executive leadership positions before becoming a banking consultant.

At Young & Associates, Kyle was a dedicated leader, manager, mentor, and teammate for over 11 years. He was a vital part of the lending and management divisions of the company and served as the Director Management Services since 2019. He assisted his clients through the de novo formation process, those under regulatory enforcement agreements, management and board of director assessments, appraisal reviews, loan reviews and ALLL/CECL methodology reviews, loan portfolio stress testing, and policy development and implementation.

Jerry Sutherin, President & CEO at Young & Associates, reflected on Kyle’s passing and contribution to the company…

“Kyle’s work ethic and understanding of the banking industry were unparalleled. He was always willing to assist co-workers and clients by conveying this knowledge with logic and occasionally humor. However, more important than our peer-to-peer relationships that we all maintained with Kyle, he was a dear friend to everyone. He will be missed by everyone that he met.”

Kyle is survived by his loving wife, Mary; son, Ryan (Alycia) Curtis; daughters, Sara (Nick) McCord, Katelyn (Jonathan) Curtis; and granddaughter, Ella Curtis.

Both personally and professionally, Kyle’s talent, dedication, leadership, and friendship will be greatly missed by our corporate family here at Young & Associates, as well as so many bankers across the country.

Upcoming Webinars

The most important investment a financial institution can make is in the training of its employees. Young & Associates is a national leader in continuing education and training programs for financial professionals.

Upcoming Webinars in 2023

Date            Topic
April 28        1071 Rule Changes
May 15          Regulation E – Who is Responsible When Things Go Wrong
June 26         Mistakes to Avoid on Loan Estimates
July 24         Fair Lending Disasters
September 18    BSA for New Employees
November 20     SAR Disasters
December 4      Avoiding CTR Errors

With years of experience, our consultants offer an unmatched level of real-world expertise across a variety of educational topics including lending and underwriting, regulatory compliance, director development and more. For more information, click here.

Loan Underwriting Issues in a Shrinking Market

By: Ollie Sutherin, Principal, Y&A Credit Services, LLC

It is no secret that community banking is shrinking at an increasing rate across the entire United States. At the close of Q4 2022, there were approximately 4,548 community banks across all 50 states. This is a net decrease of about 200 active charters since the FDIC completed their Community Banking Study in 2020. Of these 4,548 active charters, nearly 50% of the community banks are in counties with a population of 50,000 individuals or less, and all these institutions combined make up about 97% of the banking industry as a whole.

Challenges for Community-Focused Lenders

Despite their market share, the fact that nearly 50% of the community banks serve counties with less than 50,000 people presents risks and difficulties for them to continue their missions as community-centered institutions.

One of the primary difficulties is the ability to hire and retain quality talent needed to maintain good practices and good standing with regulatory bodies. This is especially evident in the banks that serve 50,000 people or less, as populations in rural areas continue to decrease.

Furthermore, the increasing burden of inflation and wages adds another layer of complexity to the mix. Many community-focused institutions are not willing or able to pay top rate for talent, which is understandable given the need and focus to remain competitive among the larger regional and national banks that continue to acquire and/or out-compete them.

Outsource Excellence for Your Credit Underwriting

One of Young & Associates, Inc.’s primary missions is to serve community financial institutions across the country. Recognizing the risks and difficulties stated above, we have formed an independent affiliate, Y&A Credit Services, LLC.

As an independent entity, Y&A Credit Services offers the same exceptional service, expertise, and integrity you’ve learned to expect from Young & Associates, Inc. Our team members are experts in credit services and the financial industry and include former chief credit officers and senior credit analysts from both community and regional banks. They provide full outsourced credit department services to our clients, keeping their costs low so they can remain competitive in their markets. This creates less risk with respect to the regulatory bodies, as our seasoned credit professionals boast a combined 100+ years of experience in credit administration.

Finding talent is one issue, but affording it is another. By outsourcing credit responsibilities such as underwriting, annual reviews, and spreading financials, Y&A Credit Services can complete the work of several full-time employees at rates far lower than those of the bank’s full-time employees.

In summary, you can trust Y&A Credit Services to handle all your credit needs, ranging from simple commercial real estate transactions to the most complex C&I deals. Furthermore, Y&A Credit Services can complete this work in your preferred format using our advanced credit software. We recognize the risk of deviating from years of good practice and strive to ensure that we are meeting your standards. We also recognize that we are here to assist you in every way possible and will provide you with recommendations and good practices gleaned from extensive experience dealing with credit departments across the entire country and the regulatory bodies overseeing them.

For more information on Y&A Credit Services and how we can assist you with your credit underwriting needs, contact me at osutherin@younginc.com or 330.422.3453. I look forward to discussing how we can assist your organization with your credit underwriting needs.

The Purpose of BSA/AML Model Validations – Common Findings

By: Edward Pugh, CAMS, CAMS-Audit, AAP, CFE, Consultant

For many financial institutions, the concept of a BSA/AML Model Validation is new. In the past, model validations were in the domain of larger financial institutions, typically with $1 billion or more in assets. In general, model validations are a component of model risk management (MRM), and the guidance for MRM doesn’t easily conform to AML models, particularly models purchased from vendors. To rectify this, the regulatory agencies released an Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance in April 2021. We have found that subsequent to the release of this guidance, examiners are frequently requesting that model validations be completed for financial institutions of all sizes.

The purpose of Anti-Money Laundering (AML) model validation is to evaluate the effectiveness and accuracy of an AML model in identifying potentially suspicious transactions and preventing money laundering and terrorist financing activities.

A model validation consists primarily of three components:

  • Conceptual Soundness – This entails (among other considerations) the review of documentation and empirical evidence used and variables selected for the model. Much of this information is found in the implementation documentation.
  • Ongoing Monitoring – This component confirms that the model is appropriately implemented and is performing as intended. Additionally, the processes and procedures for changes to the model are evaluated. For example, when an agent is added or thresholds are changed, what is the process leading up to the change?
  • System/Outcome Analysis – This verifies that the alerts generated are indeed valid. On the flip side, is the model missing transactions due to parameter settings or data issues?

Common Findings

As more financial institutions are having model validations performed, we have found some common findings, both in validation reports and examination reports. Below are some of the most common findings. Reviewing these findings may help a financial institution prepare for its first validation. These include:

  • Data Quality Issues – Appropriate data is not flowing to the model. This often includes monetary instrument information, wire information, ATM activity, and NAICS codes. A particular concern is 314(a) lists – data from closed accounts and non-customer transactions (such as monetary instrument purchases) is not included in the searches.
  • Inadequate Model Governance – This includes lack of model documentation, lack of proper oversight and controls, and lack of model testing.
  • Lack of Documentation of Filtering Thresholds – This includes documentation as to why thresholds were selected, as well as why/how any subsequent changes were made.
  • Missing or Incomplete Mapping Documentation – Mapping documentation demonstrates how inputs from various systems flow into the AML Model. This information is usually included in the implementation documentation, though issues often arise when new products and services are introduced.
  • No Reconciliation Procedure – Institutions should periodically reconcile the data between the system feeding the data into the model and the model. This ensures that transactions are appropriately monitored.

While this list is not exhaustive, it does shed some light as to what auditors and examiners are looking for when it comes to model performance. Addressing these issues prior to a model validation or examination can help the process go more smoothly.

In Conclusion

BSA/AML model validations are essential for both financial institutions and regulatory bodies to ensure that AML models are working as intended and regulatory requirements are being met. Young & Associates performs customized BSA/AML Validations and Reviews and collaborates with many of the AML software providers throughout the validation and review to provide a seamless process for our clients. If you would like more information on this article, or on how we can assist your organization, please contact me at epugh@younginc.com or 330.422.3475.

Penetration Tests and Vulnerability Scans: What’s the Difference?

By: Brian Kienzle, CISSP, OSCP and Mike Detrow, CISSP

As we discuss technical testing techniques with financial institutions, we still see a lot of confusion about the difference between a vulnerability scan and a penetration test (pen test). In the past, and even nowadays, these two terms are sometimes used interchangeably. However, a true pen test is quite different from a simple vulnerability scan.

A vulnerability scan is an assessment performed by running a scanning application like Nessus or Qualys. With these applications, the assessor inputs the target IP address ranges or DNS names, clicks scan, and then waits for the results. Scans are important tools for detecting and mitigating several types of vulnerabilities; however, they are limited, since they generally rely on fingerprints of known vulnerabilities.

A pen test, on the other hand, can be thought of as a highly technical audit. A pen tester will use a wide variety of techniques and tools, often including vulnerability scanners, to discover and exploit vulnerabilities. The tools that are used will be different depending on what network services and device types are encountered.

One of the biggest differences between a scan and a pen test is that a pen test will exploit vulnerabilities. This minimizes false positives and lets you know exactly what a vulnerability’s real impact is in your unique environment.

Are vulnerability scans worthless? No, but it is important to understand their strengths and weaknesses. Scanning software cannot think; it can only discover what it has been programmed to discover. It is valuable for finding low-hanging fruit, but its inherent design limitations prevent it from detecting certain vulnerabilities, such as vulnerabilities requiring custom exploitation, fuzzing, or guided brute-force attacks. Discovery and exploitation of these vulnerabilities requires investigation by an experienced security professional.

How do you tell which one you’re getting?

It takes a hacker to know how a hacker will try to exploit the devices on your network. Unlike vulnerability scans, pen tests require a lot of time and expertise. These are not perfect indicators, but can be helpful in determining what type of service is being performed:

  • The proposal should give some detail about the overall penetration testing. True penetration testing by its nature is somewhat open-ended but should always involve manual investigation and exploitation of any discovered vulnerabilities.
  • Engagement price can be an indicator. If the cost of your penetration test is very low, that could mean the pen test is simply a vulnerability scan. It would not make business sense to sell such a skill- and time-intensive engagement so cheaply.
  • If the findings do not include step-by-step instructions to exploit the specific vulnerability, that could be an indicator that the findings are automatically generated.
  • Hackers and penetration testers are often self-taught, so certifications may not be strictly necessary. However, if this is an area of consideration, more weight should be given to certifications whose exam processes are practical exploitation tests, rather than multiple-choice exams. Certifications like this include Offensive Security Certified Professional (OSCP) and Licensed Penetration Tester (LPT).

When should you get a pen test or vulnerability scan?

Vulnerability scans and pen tests are different types of tools and therefore should be applied in different situations. Because vulnerability scans cost less and take less time than pen tests, they should be conducted more frequently. Regular vulnerability scans help to identify vulnerabilities in a timely manner, which allows IT staff to limit the time that these vulnerabilities remain exploitable on the network by remediating the vulnerabilities soon after they are discovered.

Vulnerability scans can even be performed by financial institution staff or by the financial institution’s Managed Service Provider (MSP). This is typically more cost-effective than hiring an independent party to perform frequent scans. However, it is still important to have an independent party perform an annual vulnerability scan to verify that the financial institution’s vulnerability management processes are effective.
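One way to check whether recurring scans are actually shortening the time vulnerabilities stay exploitable, as an added example that is not part of the original article: the Python below compares successive scan results and computes an exposure window for each finding. The scan record layout, host addresses, check IDs, and the 30-day threshold are all assumptions constructed for illustration, not the export format of any particular scanner.

```python
from datetime import date

# Constructed sample data: three monthly internal scans. Host addresses and
# check IDs are placeholders, not output from any real scanner.
SCANS = [
    {"date": date(2023, 1, 9),
     "hosts_scanned": {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
     "findings": {("10.0.0.5", "CHECK-A"), ("10.0.0.6", "CHECK-B"),
                  ("10.0.0.7", "CHECK-C")}},
    {"date": date(2023, 2, 6),
     "hosts_scanned": {"10.0.0.5", "10.0.0.6"},  # 10.0.0.7 was offline
     "findings": {("10.0.0.6", "CHECK-B")}},
    {"date": date(2023, 3, 6),
     "hosts_scanned": {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
     "findings": {("10.0.0.5", "CHECK-A"), ("10.0.0.7", "CHECK-C")}},
]


def exposure_windows(scans):
    """Track each (host, check) finding across scans in date order.

    A finding is closed only when its host was scanned and the finding was
    absent. A host missing from a scan proves nothing, so its findings stay
    open. A finding that returns after being closed is counted as reopened.
    """
    state = {}
    for scan in sorted(scans, key=lambda s: s["date"]):
        day = scan["date"]
        for finding in scan["findings"]:
            rec = state.setdefault(finding, {"first_seen": day, "last_seen": day,
                                             "closed_on": None, "reopened": 0})
            if rec["closed_on"] is not None:  # the fix did not hold
                rec["closed_on"] = None
                rec["reopened"] += 1
            rec["last_seen"] = day
        for (host, check), rec in state.items():
            absent = (host, check) not in scan["findings"]
            if absent and rec["closed_on"] is None and host in scan["hosts_scanned"]:
                rec["closed_on"] = day
    return state


def days_exposed(rec, as_of):
    """Upper bound on exposure: the fix is only observed at the next scan,
    so the bound can never be tighter than the interval between scans."""
    return ((rec["closed_on"] or as_of) - rec["first_seen"]).days


def open_past_threshold(state, as_of, max_days=30):
    """Findings still open longer than max_days (an assumed threshold)."""
    return sorted(f for f, rec in state.items()
                  if rec["closed_on"] is None and days_exposed(rec, as_of) > max_days)


if __name__ == "__main__":
    today = date(2023, 3, 20)  # constructed reporting date
    windows = exposure_windows(SCANS)
    for finding, rec in sorted(windows.items()):
        status = rec["closed_on"] or "OPEN"
        print(finding, days_exposed(rec, today), "days", status,
              "reopened x%d" % rec["reopened"])
    print("Past threshold:", open_past_threshold(windows, today))
```

Because a fix is only confirmed at the next scan, the measured window shrinks as scans become more frequent, and hosts that drop out of scope are never silently counted as remediated.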

Pen test frequency will typically vary based on a financial institution’s network infrastructure and vulnerability management practices. While external pen tests may commonly be performed annually, a financial institution may choose to perform internal pen tests annually, biennially, or even less frequently. Management should use a risk-based approach to determine the frequency of pen tests by considering the following factors:

  • Significance of data stored on internal systems
  • Frequency of network infrastructure changes
  • Complexity of network infrastructure or network operating system
  • Any network services or applications developed in-house, such as intranet sites
  • Demand from examiners

If you have any questions about the differences between vulnerability scans and pen tests, or you would like to get more information about the testing services that Young & Associates has to offer, please contact Mike Detrow, Director of IT, at mdetrow@younginc.com or 330.422.3447. We look forward to helping you maximize the return on your technology investments.

HMDA Alert – Smaller Mortgage Producers May Have to Comply in 2023

By Bill Elliott, CRCM; Director of Compliance Education

On September 23, 2022, the United States District Court for the District of Columbia issued an order vacating (cancelling) the 2020 Home Mortgage Disclosure Act (HMDA) Final Rule. That final rule changed the limits for closed-end mortgage loans. At the time, that final rule raised the “minimum” for mandatory reporting from 25 to 100 closed-end mortgage loans in each of the two preceding years.

The court vacated that change, and so the threshold for HMDA reporting in the regulation for 2023 and into the future has been reset back to 25 closed-end loans. Banks that have been able to avoid HMDA because they made fewer than 100 loans are required to comply in 2023. A blog entry issued by the Consumer Financial Protection Bureau (CFPB) on December 8, 2022 stated that the CFPB (and we presume the prudential regulators) will not require backfiling, nor would they cite banks for the absence of 2020, 2021, and 2022 filing data, but said nothing about 2023. Therefore, if your bank made more than 25 closed-end mortgage loans in 2021 and 2022, HMDA is now a requirement for closed-end mortgage loan reporting for your institution – starting January 1, 2023.

We are unsure why the CFPB waited about 10 weeks to inform us. But you will need to dust off those old policies, procedures, systems, and operations to come into compliance, or perhaps create new policies, procedures, and operations in a hurry. Additionally, there may be applications from 2022 that do not have the government monitoring information in file, because it would have been a violation for non-HMDA banks to collect that information. We believe that your institution needs to go back and collect that information for all loans that had an application in 2022, but that close in 2023.

The 25 vs. 100 threshold was a decision made by the CFPB, and that was reversed. The partial exemption changes – impacting a number of the data elements required to be collected – were the result of a change in law, so the partial exemption remains unaffected by this reversal.

HMDA Review
Do you need a validation of your HMDA data prior to the 3/1/23 filing deadline? Young & Associates offers an off-site compliance review of your institution’s HMDA data. Using our secure file transfer system, we will validate your HMDA data to detect errors and issues before the filing deadline. For more information on our HMDA Review service, click here or contact Karen Clower, Director of Compliance, at 330.422.3444 or kclower@younginc.com.
