
Tag: mobile banking

What financial institutions need to know about the rise of digital lending

By Justin Schray; Credit Analyst, Young & Associates

Visiting a local bank or credit union isn’t always practical anymore. Mobile and digital lending platforms are reshaping financial services, giving consumers faster, more convenient and accessible options. Fintech leaders like SoFi, PayPal and Kabbage are driving this shift, using technology to meet borrowers’ changing needs.

One of the most significant advantages of mobile and digital lending is convenience. These platforms allow users to apply for loans, transfer funds and communicate with customer service representatives — all from the comfort of their home or while on the go. The digital loan application process is typically much faster than traditional methods, often delivering approvals within minutes. Furthermore, all necessary documentation is stored securely online, reducing the need for physical paperwork and enabling borrowers to access their information at any time.

Digital lending platforms also offer a wider range of services and investment opportunities. For example, many now provide “buy now, pay later” options, which are particularly popular among consumers making discretionary purchases, such as during vacations or seasonal shopping. Platforms like Kiva focus on providing microloans to entrepreneurs and small businesses, supporting underserved markets and fostering economic growth. This diversity in offerings ensures that digital lending can cater to a variety of financial needs and consumer preferences.

How financial institutions can compete and adapt to digital lending

To remain competitive in this evolving landscape, traditional financial institutions must invest in digital transformation initiatives that align with both consumer expectations and regulatory frameworks. While fintechs have led the charge in agility and innovation, banks and credit unions can leverage their established reputations, trust and infrastructure to deliver equally compelling digital lending experiences.

Key steps institutions should take include:

  • Invest in digital infrastructure: Banks must adopt modern loan origination systems (LOS), mobile banking platforms and secure cloud-based storage to replicate the speed and accessibility offered by fintechs.
  • Partner with fintech providers: Collaborations with third-party technology vendors can accelerate the rollout of digital lending capabilities. Many vendors offer white-label or integrated solutions that align with the institution’s branding and compliance requirements.
  • Enhance user experience: Developing intuitive user interfaces and streamlined applications is essential. Borrowers expect minimal friction, clear disclosures and mobile responsiveness throughout the lending process.
  • Implement robust data analytics: Leveraging data to enhance underwriting, detect fraud and personalize lending solutions gives traditional institutions a competitive edge. Automation tools and AI-based decision-making can further improve efficiency.
  • Staff training and change management: Internal teams should be trained not only on new systems but also on the institution’s digital strategy and compliance responsibilities. Change management efforts are critical to ensuring organization-wide adoption.

Maintaining regulatory compliance with digital lending

Rolling out digital lending solutions requires strict adherence to consumer protection regulations, data privacy laws and industry best practices.

Institutions must:

  • Comply with lending regulations: Ensure all Truth in Lending Act (TILA), Equal Credit Opportunity Act (ECOA) and Fair Credit Reporting Act (FCRA) disclosures are digitally available and easily understood by consumers.
  • Protect customer data: Maintain robust cybersecurity and encryption protocols to safeguard personally identifiable information (PII) in compliance with the Gramm-Leach-Bliley Act (GLBA) and other relevant laws.
  • Establish vendor due diligence programs: When working with third-party vendors, institutions must perform proper risk assessments, monitor ongoing performance and establish clear service-level agreements.
  • Maintain audit trails and documentation: Regulators expect comprehensive documentation of loan decisions, disclosures and communications. Digital systems should be configured to automatically store and organize these records.

By investing in the right technologies, developing a thoughtful rollout plan and embedding regulatory compliance into each phase, financial institutions can successfully transition into the digital lending space and offer competitive alternatives to fintech challengers.

Modernized FDIC Signage & Advertisement Requirements: What Banks Need to Know

In today’s dynamic regulatory landscape, keeping pace with regulatory updates is critical for community banks to maintain compliance and uphold depositor trust. To adapt to shifts in the banking industry and consumer behavior, the Federal Deposit Insurance Corporation (FDIC) has finalized a rule to modernize the requirements for official signs and advertising statements for insured depository institutions (IDIs). This modernization signifies a crucial change in regulatory expectations, demanding a thorough understanding and proactive approach from financial institutions.

Background: Understanding the Updated Part 328 Rules

The banking industry has experienced significant transformations, including the evolution of bank branches, heightened reliance on internet and mobile banking, and increased partnerships between IDIs and financial technology (fintech) companies. These shifts have heightened the potential for consumer confusion regarding FDIC deposit insurance coverage.

In response, the FDIC has introduced substantial updates to Part 328 of its regulations, specifically addressing the use of official FDIC signs and advertising statements by IDIs. Additionally, it clarifies regulations concerning false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo. This revision underscores the FDIC’s dedication to aligning regulatory standards with the evolving banking landscape, especially in digital and mobile channels.

Key Changes to Note: New FDIC Official Signage Requirements

The modernized FDIC signage and advertisement requirements bring about significant changes aimed at enhancing consumer understanding and confidence in deposit insurance coverage. Beginning in 2025, FDIC-insured institutions are mandated to prominently display the official FDIC digital sign across digital platforms, including bank websites, mobile applications, and ATMs. This expansion to digital channels ensures consistent depositor confidence and clarity regarding deposit insurance coverage.

Moreover, the updated rule emphasizes the differentiation between insured deposits and non-deposit products across all banking channels. Financial institutions are now required to provide conspicuous disclosure indicating that certain financial products are not insured by the FDIC, are not deposits, and may incur value loss. These changes aim to extend the certainty and confidence associated with FDIC protection to digital channels while ensuring that consumers are properly informed about the status of their deposits and the scope of FDIC insurance coverage.

Quick Reference: FDIC Modernized Signage Rule Requirements and Compliance Deadlines

Purpose of the Updated FDIC Signage Requirements

The rule updates regulations governing the use of official FDIC signs and advertising statements to reflect contemporary banking practices. It also clarifies regulations regarding false advertising, misrepresentations of deposit insurance coverage, and misuse of the FDIC’s name or logo.

Changes to Official Signs

The traditional black and gold FDIC sign displayed at bank branches will now be complemented by a new black and navy blue FDIC digital sign. Banks will be required to display this digital sign on their websites, mobile applications, and certain ATMs starting in 2025.

Differentiation of Products

Banks must use signs to differentiate insured deposits from non-deposit products across banking channels. They also need to indicate that certain financial products are not insured by the FDIC, are not deposits, and may lose value.

Clarification on Misrepresentations

The rule addresses scenarios where misleading information about deposit insurance coverage could confuse consumers. It prohibits the use of FDIC-associated terms or images in marketing materials to inaccurately imply that uninsured financial products or non-bank entities are insured or guaranteed by the FDIC.

Objectives for IDIs

For IDIs, the rule modernizes rules for displaying the FDIC official sign in branches and extends requirements to other physical premises. It establishes and mandates the display of the FDIC official digital sign on bank websites, mobile applications, and certain IDI ATMs. IDIs are also required to differentiate insured deposits from non-deposit products across banking channels and provide a one-time per web session notification when a logged-in bank customer leaves the IDI’s digital deposit-taking channel for non-deposit products on a non-bank third party’s website. Additionally, IDIs must establish and maintain written policies and procedures for compliance with part 328.
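The once-per-session notice described above is a small piece of front-end logic that is easy to get subtly wrong. The following is an added example, not code from Young & Associates or from the FDIC rule text; it shows one way to gate the notice in the bank's web application. The bank host list, the per-link marking of qualifying non-deposit links (modelled here as a `nonDeposit` flag that the bank would set when publishing the link) and the storage key are assumptions. It is written in JavaScript because the behaviour lives in the customer's browser, and it includes an in-memory stand-in for `sessionStorage` so the logic can be exercised outside one.

```javascript
// Added example, not from the article or the FDIC rule: one way to gate the
// "once per web session" notice a bank shows when a logged-in customer leaves
// its deposit-taking site for non-deposit products on a non-bank third party's
// site. The bank host list, the per-link nonDeposit flag (in markup this would
// be an attribute the bank sets when publishing the link) and the storage key
// are assumptions. In a browser, ctx.session would be window.sessionStorage.

const NOTICE_SHOWN_KEY = "third-party-non-deposit-notice-shown"; // assumed key

// Hostnames that belong to the bank's own digital deposit-taking channel (constructed).
const BANK_HOSTS = new Set(["www.examplebank.test", "online.examplebank.test"]);

// True when the link resolves to a web host outside the bank's own channel.
function leavesBankSite(href, pageUrl) {
  let url;
  try {
    url = new URL(href, pageUrl); // relative links resolve against the current page
  } catch (e) {
    return false; // malformed href: no navigation, no notice
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false; // mailto:, tel:, ...
  return !BANK_HOSTS.has(url.hostname); // URL parsing already lower-cases the host
}

// Decide whether this click must trigger the notice, and record it if so.
// link: { href, nonDeposit }   ctx: { loggedIn, pageUrl, session }
// Only a qualifying click sets the session flag, so an ordinary third-party
// link (say, to a regulator's site) does not use up the once-per-session notice.
function shouldShowNotice(link, ctx) {
  if (!ctx.loggedIn) return false;
  if (!link.nonDeposit) return false;
  if (!leavesBankSite(link.href, ctx.pageUrl)) return false;
  if (ctx.session.getItem(NOTICE_SHOWN_KEY) === "1") return false;
  ctx.session.setItem(NOTICE_SHOWN_KEY, "1");
  return true;
}

// Minimal stand-in for window.sessionStorage (getItem returns null when unset).
function memorySession() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
  };
}

// Walk through one constructed session: four clicks by a logged-in customer.
function demo() {
  const ctx = {
    loggedIn: true,
    pageUrl: "https://online.examplebank.test/accounts",
    session: memorySession(),
  };
  return [
    shouldShowNotice({ href: "/help", nonDeposit: false }, ctx),                             // stays on bank site
    shouldShowNotice({ href: "https://www.fdic.gov/", nonDeposit: false }, ctx),             // third party, not a non-deposit product
    shouldShowNotice({ href: "https://invest.partner.test/open", nonDeposit: true }, ctx),  // first qualifying click this session
    shouldShowNotice({ href: "https://insure.partner.test/quote", nonDeposit: true }, ctx), // already shown this session
  ];
}

console.log(demo());
```

Two design points are worth noting. First, whether a link points at a non-deposit product is a compliance determination made when the link is published, so it is carried as an explicit flag rather than inferred from the URL. Second, the session flag is set only when a qualifying notice is actually shown; if it were set on any outbound click, a visit to an unrelated external site could silently consume the one notice the session is supposed to deliver.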

Compliance & Effective Dates

The amendments made by the final rule are effective on April 1, 2024, with an extended mandatory compliance date of January 1, 2025.

Navigating Compliance with Young & Associates

At Young & Associates, we recognize the complexities and challenges community banks face in navigating regulatory changes effectively. As your trusted partner in regulatory compliance, we offer a customizable FDIC Signage and Advertising Requirements Policy crafted to assist community banks in complying with the modernized rule. Additionally, our comprehensive suite of regulatory compliance services includes compliance outsourcing, advertising review, and various other solutions designed to address the unique requirements of community banks. With decades of experience in the financial services industry, our team of compliance experts is committed to guiding institutions towards regulatory compliance excellence while minimizing operational disruptions.

In an era defined by regulatory scrutiny and evolving consumer expectations, ensuring compliance with FDIC signage and advertisement requirements is paramount for community banks. Embrace proactive compliance practices and partner with Young & Associates to navigate the complexities of regulatory change effectively. Contact us today to embark on your journey towards compliance excellence and safeguard the integrity of your institution in the ever-evolving financial landscape.

Stay compliant. Stay confident. Choose Young & Associates.

Managing Compliance

By: William J. Showalter, CRCM, CRP, Senior Consultant

We have been told repeatedly over the years that we need to manage compliance, just like all aspects of our business. This maxim is particularly true in today’s escalating compliance environment. There are so many new and changed rules that have been added to the mix over the past decade that we could easily be overwhelmed if we did not proactively manage the compliance process.

Over the years, supervisory agencies have shared general outlines of compliance management systems with the financial institutions they regulate. They have been quick to point out that there is no one “right” way to manage compliance, but that there are certain basic needs that must be met by any such program.

Compliance Management Systems
The Consumer Financial Protection Bureau (CFPB) and other agencies view compliance management as vital to the prevention of violations of federal consumer financial laws and the resulting harm to consumers. In its Supervisory Highlights publication, the CFPB spelled out its expectations for an effective compliance management system (CMS) – which mirror those from other supervisory agencies.

The CFPB states that it expects every entity it supervises (large financial institutions and nonbank financial firms) to have an effective CMS adapted to its business strategy and operations. According to the CFPB, a CMS is how a supervised entity:

  • Establishes its compliance responsibilities
  • Communicates those responsibilities to employees
  • Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes
  • Reviews operations to ensure responsibilities are carried out and legal requirements are met
  • Takes corrective action, and
  • Updates tools, systems, and materials, as necessary

No agency requires financial institutions to structure their CMS in any particular manner. They recognize the differences inherent in an industry comprised of banking organizations of different sizes, differing compliance profiles, and a wide range of consumer financial products and services. In addition, some financial firms outsource functions with consumer compliance-related responsibilities to service providers, requiring adaptations in their CMS structure.

However compliance is managed, financial entities are expected by all the federal supervisory agencies to structure their CMS in a manner sufficient to comply with federal consumer financial laws and appropriately address associated risks of harm to consumers.

CFPB Findings
The CFPB has found that the majority of banks it has examined have generally had adequate CMS structures. However, several institutions have lacked one or more of the components of an effective CMS, which creates an increased risk of noncompliance with federal consumer financial laws.

The most common weakness identified during CFPB reviews of banks’ CMS is a deficient system of periodic monitoring and independent compliance audits. The CFPB has noted that an effective CMS implements an effective internal compliance review program as an integral part of an overall risk management strategy. Such a program has two components – both periodic monitoring reviews and an independent compliance audit. These two types of controls are not interchangeable. They must be complementary.

The periodic monitoring reviews are more frequent and less intensive than the audits, focusing on areas that carry the most risk – where mistakes should not be allowed to go uncorrected too long. Monitoring is an ongoing process, conducted by either the individual business lines or the compliance officer/department on a relatively frequent basis, and allows the bank to self-check its processes and ensure day-to-day compliance with federal consumer financial laws.

The independent compliance audit is a review of all operations impacted by consumer laws. An audit is performed on a less frequent basis, usually annually, to ensure that compliance is ongoing, that the CMS as a whole is operating properly, and that the board is aware of consumer compliance issues noted as part of these independent reviews. Audits are best performed by an independent party – usually either an internal auditor or an outside consultant.

The CFPB notes that an entity lacking periodic monitoring increases its risk that violations and weaknesses will go undetected for long periods of time, potentially leading to multiple regulatory violations and increased consumer harm. Additionally, these entities increase the risk that:

  • Insufficiencies in the periodic monitoring process may not be identified
  • The board is not made aware of regulatory violations or program weaknesses, or
  • Practices or conduct by employees within the business lines or compliance department that are unfair, deceptive, abusive, discriminatory, or otherwise unlawful could go undetected

CMS Elements
Although the CFPB states that it does not require any specific CMS structure, it notes that supervisory experience has found that an effective CMS commonly has four interdependent control components, elements that have been advocated by all regulatory agencies over the years:

  • Board of directors and management oversight. An effective board of directors communicates clear expectations and adopts clear policy statements about consumer compliance for both the bank itself and its service providers. The board should establish a compliance function, allocating sufficient resources and qualified staffing to that function, commensurate with the entity’s size, organizational complexity, and risk profile. The board should ensure that the compliance function has the authority and accountability necessary to implement the compliance management program, with clear and visible support from senior management, as well. Management should ensure a strong compliance function and provide recurring reports of compliance risks, issues, and resolutions to the board or to a committee of the board.
  • Compliance program. The CFPB and other federal financial institutions supervisors expect supervised entities to establish a formal, written compliance program, generally administered by a chief compliance officer. A compliance program includes the following elements: policies and procedures, training, monitoring, and corrective action.

The agencies assert that a well-planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, protect consumers from noncompliance and associated harms, decrease the costs and risks of litigation affecting revenues and operational focus, and help align business strategies with outcomes.

  • Consumer complaint management program. Financial service providers are expected to be responsive to complaints and inquiries received from consumers. In addition, financial institutions should monitor and analyze complaints to understand and correct weaknesses in their programs that could lead to consumer risks and violations of law.

Key elements of a consumer complaint management program include establishment of channels through which to receive consumer complaints and inquiries (e.g., telephone numbers or email addresses dedicated to receiving consumer complaints or inquiries); proper and timely resolution of all complaints; recordation, categorization, and analysis of complaints and inquiries; and reviews for possible violations of federal consumer financial laws.

The agencies expect financial firms to organize, retain, and analyze complaint data to identify trends, isolate areas of risk, and identify program weaknesses in their lines of business and overall CMS.

  • Independent compliance audit. A compliance audit program provides a board of directors or its designated committees with a determination of whether policies and standards are being implemented to provide for the level of compliance and consumer protection established by the board. As noted above, these audits should be conducted by a party independent of both the compliance program and the business functions. The audit results should be reported directly to the board or a board committee.

The agencies expect that the audit schedule and scope will be appropriate for the entity’s size, its consumer financial product offerings, and structure for offering these products. The compliance audit program should address compliance with all applicable federal consumer financial laws, and identify any significant gaps in policies and standards.

When all of these four control components are strong and well-coordinated, the CFPB states that a supervised entity should be successful at managing its compliance responsibilities and risks.


To learn more about Young & Associates, Inc. and how we can assist your organization in developing a strong Compliance Management System, visit our website, or contact Dave Reno, Director – Lending and Business Development.

www.younginc.com
Email: dreno@younginc.com
Phone: 330.422.3455

About Young & Associates, Inc.
Young & Associates, Inc. has provided consulting, training, and practical products for community financial institutions for over 43 years. We strive to provide the most up-to-date solutions for our clients’ needs, while remaining true to our founding principles and goals – to ease the management of your organization, reduce the regulatory burden, improve your bottom line, and increase shareholder value.


Mergers & Acquisitions Expected to Rebound in 2021

By: Bob Viering, Director of Management
April 2021

The Covid-19 pandemic brought M&A activity for community banks and credit unions to a halt in 2020. All expectations for 2021 are that M&A activity is likely to pick up significantly. Much of this activity will come from organizations that had planned to sell, or to start acquiring, in 2020 and now want to make up for lost time, but some will also be driven by the changes the pandemic has brought to the industry.

Electronic and mobile banking adoption accelerated as financial institutions closed branches or provided limited access during the pandemic. Today, not having a digital banking platform (internet and mobile apps) is no longer an option. Financial institutions need to re-assess branch networks in light of how customers/members bank today. Among the reasons that will drive many organizations to sell are:

  • Long-term impact of low interest rates, today’s compressed margin, and the future impact of rising rates
  • Cost/Liability of data security
  • Regulatory compliance costs
  • Lack of management succession

Conversely, those organizations that have made the technology infrastructure investments, have staffing in place that can succeed in this volatile time, and are comfortable thinking outside the traditional banking box have great opportunities.

How We can Assist
Young & Associates, Inc. has been assisting banks and credit unions for over 43 years and has assembled a team of qualified professionals who can assist you in your acquisition or help you prepare to sell your organization and maximize your return.

The industry is fortunate in that we have many excellent investment bankers, law firms, and accounting firms that provide great advice on the pricing, structure, and regulatory requirements. But as anyone who has been through an acquisition or merger can tell you, it is the knowledge you gain during due diligence and post-merger integration that, in the end, will determine if the transaction was successful. Our services will supplement the services acquired from your investment banker, law firm, and accounting firm.

While due diligence and post-merger integration can be done by your staff, our breadth of knowledge, gained from decades of working for hundreds of banks and credit unions, brings a broader perspective. We deal with many of these issues regularly and can often be more efficient. We also understand that time is of the essence for due diligence and will make your engagement a priority to be completed in the time needed.

Due Diligence Assistance

Loan Due Diligence: We can provide a timely assessment of the underwriting, management, and quality of the target’s loan portfolio. We have experts from all disciplines of lending, including ALLL analysis and credit process. We will help you understand the culture of the organization you are acquiring.

Interest Rate Risk and Liquidity Management Due Diligence: We can assist you in determining the target institution’s level of interest rate and liquidity risk. This can then help you as you consider the combined organization’s level of risk. This will help you answer the following question: “Does the combined organization fit within your risk ‘comfort zone’?”

Compliance Due Diligence: Many aspects of compliance, such as Fair Lending and BSA/AML, will become the acquirer’s problem if there was an issue prior to acquisition. Having the target’s compliance program reviewed prior to closing can help you understand the degree of compliance risk you will be assuming.

IT Due Diligence: This is an often overlooked but critical review that shows how well the target bank’s IT environment is managed and which IT-related issues will need to be addressed post-acquisition.

Strategic Planning: We can help you assess how the acquisition will fit into your strategic direction. If your strategic plan involves potential acquisitions, have you put a plan/process in place to prepare for it, or will you put it together on the fly if an acquisition comes along? Analyzing how the target fits with your culture and your strategic direction is one of the most important aspects of a successful acquisition.

Succession Planning: While much of the attention in an acquisition analysis is on the financial aspects of the transaction, the quality and depth of the human resources of the target institution are the drivers of the target’s current success or challenges. We can assist you with reviewing the target’s succession plan or help you craft a new one for the combined organization.

Interagency Bank Merger Application Assistance

We can assist you with the delineation of the relevant geographic markets, evaluation of competitive factors in the proposed transaction, CRA assessment area data and mapping, demographic information, business environment data, information on traffic patterns, and other relevant market information.

We can also help you craft your business plan that is a required part of the application.

Post-Acquisition Integration
Post-acquisition integration is the key to whether your merger/acquisition is successful. You will have just spent many millions of dollars to buy an organization. Buying the organization is not the end result but the beginning of many months and years of hard work to get the return you expect.

There are several ways we can help you achieve the results you expect from the transaction:

  • Employee and Customer Communications
  • Strategic, Capital, and Succession Plan Updates, based on the combined organization
  • Re-assessment of your Branch Network. Does it make sense to consolidate any branches, especially given the changes that the pandemic has brought along to digital banking adoption?
  • Periodic Loan Review and Compliance Review will allow you to assess the quality of results at both the overall organization and the acquired organization.
  • Analysis of Workflow and Staffing of the combined organization
  • Assessment of your Human Resources Management. Retaining key members of the acquired organization’s staff is often the biggest determinant of future success. This is especially true for your frontline commercial/ag/private bankers and key deposit/cash management personnel who are often the day-to-day face of the organization for your largest customers.

These are just some of the ways Young & Associates can work with you to have a long-term successful acquisition, based on your unique needs. Contact us today for more information on how we can assist you with your M&A efforts.


ADA Website Compliance Notes from the Field

By: Mike Lehr, Human Resources Consultant

About this time last year, the topic of website accessibility and accommodation under Title III of the Americans with Disabilities Act (ADA) hit the community banking industry with full fury. Since that time both banks and service providers have upped their game. So, now is a good time for us to assess and share what we have learned in our ADA website audits.

There are two ways to assess sites. The more common and less expensive way involves scanning the site using software. Based on the logic coded into it, the software identifies potential issues. The second, less common, and more expensive way involves professionals or sight-impaired people using the site with a screen reader. A screen reader is software that converts a site page to text and reads it to the user.

Both ways involve a professional overseeing the process to interpret the results. Yet, something else drives both approaches and tends to lead clients astray – measurability. The old adage of “what gets measured gets done” hits full force here. However, just because it’s a number doesn’t mean it’s more important. We are finding that the software scan, because of its beautifully quantifiable graphics, is causing many of our clients to focus on minor, even insignificant aspects of their sites that have little to no impact on the site’s overall accessibility.

In the end, if a bank ever ends up in court, it’s not about software being able to access the site. It’s about individuals with disabilities. Yet, it is much harder to quantify that into an eye-catching chart. For instance, a client called worried about their PDFs. The software scan showed them inaccessible. Moreover, they spent a lot of time trying to fix them. The nature of the documents was such that they required a professional printer. In short, they weren’t Word documents. Upon closer look, there were only a dozen of them. All but one were on the same page of the site. Furthermore, the page saw little traffic from customers and prospects. Plainly, the page wasn’t important.

Yet, since bankers can be conscientious to a fault, it bugged them that these PDFs kept showing up “red” as an issue. By itself it’s not bad. In context of the whole site though, it is. This was energy, time, and money diverted from far more important issues. One was whether a sight-impaired person can navigate the site. Software can’t determine this. One can only determine this reliably by using a screen reader or by observing a sight-impaired person trying.

For instance, it’s not uncommon these days to find sites that have multiple ways to navigate them. On one hand, you have the traditional horizontal navigation. On the other, you have the more recent mobile friendly navigation (“hamburger menu”). Still yet, some sites use vertical left-hand (or less common right-hand) navigation. That’s three ways to navigate the site. We’ve seen these on a couple of sites already. This doesn’t even include all the links and smaller menus that might be contained within the page.

Now, to a sight-impaired person, this is nothing but chaos. Keep in mind, a non-sight-impaired person can see the whole site at once. It’s two-dimensional. He/she can select whatever menu they like. A sight-impaired person doesn’t have this luxury. That’s because a screen reader can only read one word at a time. It’s a linear process, one-dimensional.

Also, he/she might tell the screen reader to only read navigation menus. So, if he/she starts hearing two or three different menus, it becomes hard to visualize in his/her mind how he/she might use the site. To a sight-impaired person, they blend together as one. That’s frustrating. It’s also something else . . . inaccessible.

Yet, in most cases, as long as these menus are coded and tagged right, the software scan won’t catch them. Moreover, and back to the original point about measurability, it’s hard to quantify this user experience. The solution then is to code one of these menus invisible to screen readers. Of course, that means the remaining one has to be comprehensive and robust.
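As an added illustration (not code from the article or from Young & Associates), the check below scans a page’s HTML for navigation regions and counts how many are still exposed to assistive technology; a region carrying aria-hidden="true" or the HTML hidden attribute is treated as removed from the screen reader’s view. The sample markup is constructed to mirror the three-menu layout described above, and the tag scan is regex-based so the example runs without a browser; a real audit should inspect the browser’s accessibility tree, where CSS display:none and ARIA roles also matter.

```javascript
// Added example, not from the article: a minimal audit of navigation regions.
// It counts the <nav> elements in a page and reports how many a screen reader
// would still announce. A region is treated as hidden from assistive
// technology when it has aria-hidden="true" or the HTML hidden attribute.
// The tag scan is regex-based so the example runs without a browser; a real
// audit should read the accessibility tree, where CSS and ARIA roles also count.

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    // Bare boolean attributes such as `hidden` get an empty string value.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function hiddenFromAssistiveTech(attrs) {
  return attrs["aria-hidden"] === "true" || "hidden" in attrs;
}

// Returns { total, exposed, labels }: all <nav> regions, how many are exposed,
// and the aria-label of each exposed one ("(unlabelled)" when absent).
function auditNavigation(html) {
  const navTag = /<nav\b([^>]*)>/gi;
  const result = { total: 0, exposed: 0, labels: [] };
  let m;
  while ((m = navTag.exec(html)) !== null) {
    result.total += 1;
    const attrs = parseAttrs(m[1]);
    if (!hiddenFromAssistiveTech(attrs)) {
      result.exposed += 1;
      result.labels.push(attrs["aria-label"] || "(unlabelled)");
    }
  }
  return result;
}

// The article's rule of thumb: exactly one navigation menu reaches the screen reader.
function hasSingleNavigation(html) {
  return auditNavigation(html).exposed === 1;
}

// Constructed sample: the three-menu layout the article describes.
const BEFORE_HTML = `
<header>
  <nav aria-label="Main"><a href="/">Home</a><a href="/loans">Loans</a></nav>
  <nav class="mobile-menu"><button>Menu</button><a href="/">Home</a></nav>
</header>
<aside><nav aria-label="Sidebar"><a href="/rates">Rates</a></nav></aside>`;

// Same page after consolidating: the main menu now carries every destination,
// the mobile menu is removed from the accessibility tree only, and the sidebar
// menu is removed entirely (visually and from assistive technology) with `hidden`.
const AFTER_HTML = `
<header>
  <nav aria-label="Main"><a href="/">Home</a><a href="/loans">Loans</a><a href="/rates">Rates</a></nav>
  <nav class="mobile-menu" aria-hidden="true"><button>Menu</button><a href="/">Home</a></nav>
</header>
<aside><nav aria-label="Sidebar" hidden><a href="/rates">Rates</a></nav></aside>`;

console.log(auditNavigation(BEFORE_HTML)); // 3 regions, 3 exposed
console.log(auditNavigation(AFTER_HTML));  // 3 regions, 1 exposed
```

One caveat a practitioner will want: aria-hidden="true" removes the menu from what the screen reader announces, but it does not take the menu’s links out of the keyboard tab order. A user who tabs into the hidden mobile menu lands on links the screen reader will not describe, which is its own accessibility problem. The duplicate menu should therefore also be kept out of the tab order when it is not open, for instance by rendering it only when the hamburger button is activated, so that the single exposed menu really is the only way to navigate.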

In the end, it’s a battle between easily measurable but unimportant PDFs and unmeasurable but important navigation. What gets measured gets done. Thus, the unimportant gets done and the important doesn’t. That’s why we can give compliance ratings to clients who still have issues on their software scans and non-compliant ones to clients whose scans show no issues.

In short then, invest in a screen reader. If not, partner with someone who has one. Banks can generate much goodwill by reaching out to groups and societies that support Americans with Disabilities. Remember, computers don’t use sites. People do. People also testify in court.

For more information on this article or to learn how Young & Associates, Inc. can assist your bank with its ADA website compliance, contact Mike Lehr at 1.800.525.9775 or mlehr@younginc.com.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, increasing network complexity: additional internal servers are required to support new services, server virtualization is in use, and connectivity to additional outside networks is needed. In addition, the use of mobile technology has expanded dramatically, leading to employees using mobile devices to access internal network resources and to banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat actors and their current activities so that mitigating controls can be identified and implemented to limit the potential impact of these activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and to then implement or modify mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks only monitored perimeter devices such as firewalls and believed that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall, after which the attacker moves around the internal network, potentially undetected. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. It also includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame to allow for the continued performance of its daily functions. Additional time is required to initially document recovery strategies and then modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when it will happen. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles and can respond to an incident effectively and efficiently.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank $4 million. This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage the bank’s information systems in light of the rapid technological, regulatory, and threat landscape changes. Strategic plans should account for the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within those plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.


Do You Know Where Your Data Went Last Night?

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.

During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.

The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.

The following column-by-column description illustrates how an institution can document its data flow and data storage.

  • Service or Application. First, identify each service or application that uses NPI. Examples include core processing, lending platform, internet banking, and online loan applications.
  • Vendor(s). Next, identify the vendor(s) associated with each service or application.
  • Process Type. Identifies the various processes performed using the specific service or application, which may use different methods for accessing the data or result in data being transmitted through different connectivity types. Internet banking is an example: data may flow between the core processing system and the internet banking system through a dedicated circuit, while customers access the internet banking system through a home internet connection.
  • Type of Data. Most often customer NPI, but may also include proprietary institution data.
  • Data Access. Data can be accessed in numerous ways, including institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices.
  • Connectivity Type. May include dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet.
  • Controls in Transit. May include encryption, firewall rules, patch management, and intrusion prevention systems (IPS).
  • Primary Storage Location(s). Known locations where the data is stored, such as application or database servers, data backup devices, service provider datacenters, and service provider backup locations.
  • Optional Storage Location(s). Other places where data can be stored, such as removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive. Identifying the optional storage locations may take a significant amount of time, as this step involves discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.
  • Controls at Rest. May include encryption, physical security, and environmental controls.
  • Access Rights. Identifies who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.

This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table described above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.

Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.
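As an added example (not the article’s or Young & Associates’ code), the inventory described above can be kept as structured rows and given an automated first-pass review before the manual risk assessment. The three review rules, the list of unapproved storage services, and every sample row below are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Sharing/storage services named in the article; replace with the bank's own block list.
UNAPPROVED_STORAGE = {"dropbox", "google drive", "removable media"}

@dataclass
class DataFlowEntry:
    """One row of the data-flow inventory; fields follow the article's columns."""
    service: str
    vendor: str
    process_type: str
    data_type: str              # "customer NPI" or "proprietary institution data"
    access_method: str          # institution servers, employee mobile devices, customer PCs ...
    connectivity_type: str      # dedicated circuit, VPN, LAN, WAN, wireless, internet
    controls_in_transit: set[str]
    primary_storage: list[str]
    optional_storage: list[str]
    controls_at_rest: set[str]
    access_rights: list[str]

def review_entry(e: DataFlowEntry) -> list[str]:
    """Three assumed review rules (illustrative, not regulatory text): encrypt NPI in
    transit over the internet or wireless, encrypt NPI at rest, block unapproved storage."""
    tag = f"{e.service} / {e.process_type}"
    is_npi = "npi" in e.data_type.lower()
    findings = []
    if (is_npi and e.connectivity_type.lower() in {"internet", "wireless"}
            and "encryption" not in e.controls_in_transit):
        findings.append(f"{tag}: NPI over {e.connectivity_type} without encryption in transit")
    if is_npi and "encryption" not in e.controls_at_rest:
        findings.append(f"{tag}: NPI stored without encryption at rest")
    for loc in e.optional_storage:
        if loc.lower() in UNAPPROVED_STORAGE:
            findings.append(f"{tag}: data can be copied to unapproved location '{loc}'")
    return findings

def review_inventory(entries: list[DataFlowEntry]) -> list[str]:
    """Review every row and return all findings in inventory order."""
    return [f for e in entries for f in review_entry(e)]

# Constructed sample rows (illustrative values, not a real institution's data).
SAMPLE_INVENTORY = [
    DataFlowEntry("Internet banking", "Example IB Vendor", "core-to-IB data sync",
                  "customer NPI", "institution servers", "dedicated circuit",
                  {"firewall rules", "IPS"}, ["service provider datacenter"], [],
                  {"encryption", "physical security"}, ["institution employees", "service provider employees"]),
    DataFlowEntry("Internet banking", "Example IB Vendor", "customer login",
                  "customer NPI", "customer PCs", "internet", {"encryption", "IPS"},
                  ["service provider datacenter"], [], {"encryption"},
                  ["service provider employees"]),
    DataFlowEntry("Lending platform", "Example Lending Vendor", "loan file export",
                  "customer NPI", "employee mobile devices", "wireless",
                  {"firewall rules"}, ["application server"], ["Dropbox", "employee workstation"],
                  {"physical security"}, ["institution employees"]),
]
```

Running `review_inventory(SAMPLE_INVENTORY)` flags only the lending platform row, once for each rule, which is the kind of output that feeds the risk ratings and the control decisions discussed above.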

For more information on this article, contact Mike Detrow at 1.800.525.9775.
