Categories
Financial Institutions and Banking General

Bank Wire: Cybersecurity Testing is More Important than Ever

Rapidly increasing cyber risks make it essential for banks to conduct regular tests of their cybersecurity preparedness, including vulnerability and penetration testing. According to IBM’s “Cost of a Data Breach Report 2024,” the average breach cost $6.08 million in the financial industry (defined as banking, insurance and investment companies). That’s second only to health care. To help prevent cyberattacks, banks must develop effective information security programs and test them regularly to ensure that they’re operating as expected.

According to the Federal Financial Institutions Examination Council’s (FFIEC’s) Information Technology Examination Handbook, the primary testing tools include self-assessments, penetration tests, vulnerability assessments and audits. Penetration testing is particularly important, given the speed with which hackers’ techniques are evolving. It involves subjecting a system to real-world attacks selected and conducted by the testers to identify weaknesses in business processes and technical controls.

FFIEC to retire Cybersecurity Assessment Tool

The FFIEC will “sunset” its Cybersecurity Assessment Tool (CAT) at the end of August 2025. First made available nearly 10 years ago, the CAT is a voluntary tool banks can use to identify their cybersecurity risks and determine their preparedness. The FFIEC notes that while “fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”

Government resources include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (go to nist.gov and search for cyber framework), and
  • The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (go to cisa.gov and search for cybersecurity performance goals).

Industry resources include:

and search for “the profile,”) and

  • The Center for Internet Security Critical Security Controls (go to cisecurity.org and search for controls).

The FFIEC doesn’t endorse any particular tool, but says that these standardized tools can assist banks in their self-assessment activities.

CFPB targeting improper overdraft opt-in practices

In a recent Consumer Financial Protection Circular (2024-05), the Consumer Financial Protection Bureau (CFPB) explained how to tell if a bank is violating the Electronic Fund Transfer Act and Regulation E. A violation may happen if the bank lacks proof that it has obtained consumers’ affirmative consent before levying overdraft fees for ATM and one-time debit card transactions.

Regulation E’s overdraft provisions establish an “opt-in” regime. The CFPB clarifies that banks are prohibited from charging such fees unless consumers affirmatively consent to enrollment. The form of records that demonstrate consent may vary depending on which channel the consumer uses to opt in to covered overdraft services.

© 2024


BOLI: A Powerful Employee Benefit Tool

Community banks continue to deal with a shortage of skilled labor and rising employee benefit costs. So many are turning to bank-owned life insurance (BOLI). BOLI is a highly tax-efficient long-term investment option. It also can be a powerful tool for funding benefits for executives and other key employees, enhancing a bank’s appeal to prospective workers. For example, a bank may use BOLI to fund retiree health benefits, nonqualified deferred compensation plans and supplemental executive retirement plans. Here’s a brief introduction.

How does it work?

To take advantage of BOLI, a bank purchases life insurance policies — either directly or through an insurance trust — on the lives of executives or other highly compensated employees who consent in writing to be insured. The bank owns the policies, pays the premiums and is the designated beneficiary. Typically, the bank uses the proceeds of these policies to offset or underwrite various benefits for key employees. However, some banks elect to share some of the proceeds with the insured’s family.

Banks are allowed to use BOLI for specific purposes. Examples include funding employee benefit and compensation plans, providing key person insurance, and recovering some employee benefit costs. Banks can’t purchase BOLI for rank-and-file employees — the policies are limited to employees the bank has an “insurable interest” in. Generally, that means the loss of the insured employee would have a significant negative financial impact on the bank, or the insurance proceeds will be used to fund benefits promised to the employee or his or her beneficiaries.

What are the pros and cons?

One advantage is that BOLI can be an attractive investment and benefit-funding strategy, often outperforming the after-tax returns of other traditional bank investments. A policy’s cash value grows on a tax-deferred basis. If the policy is held until the insured’s death, the death benefits are also generally tax-free to the bank.

In addition, BOLI can help banks reduce the risks of losing key employees. So, it can be a highly effective tool for providing valuable benefits to key employees while managing risk.

One big disadvantage is that if the bank surrenders a BOLI policy, the surrender charges, taxes and penalties can be costly. Also, BOLI policies are illiquid assets, which can expose a bank to liquidity risk. This is a major concern today, in light of recent bank failures due to liquidity issues.

How do banking regulators view BOLI?

The federal banking agencies have given their blessing to BOLI, provided banks have a comprehensive risk management process for purchasing and holding it. This includes effective senior management and board oversight. “Bank-Owned Life Insurance: Interagency Statement on the Purchase and Risk Management of Life Insurance” provides guidance from the federal banking agencies on using BOLI.

For example, the statement directs banks to establish internal policies and procedures governing their BOLI holdings, including guidelines that limit the aggregate cash surrender value (CSV) of policies from any insurance company and from all insurance companies. According to the statement, “It is generally not prudent for an institution to hold BOLI with an aggregate CSV that exceeds 25% of its Tier 1 capital.” It also advises bank management to conduct a thorough pre-purchase analysis to help understand the risks, rewards and characteristics of BOLI.

Worth a look

Implementing a BOLI program can be complex. But in today’s environment, it may be worthwhile for banks seeking a competitive edge in the battle to attract and retain quality talent.

© 2024


Assessing Asset Concentration: Maintain the Right Balance

One advantage of community banks is the business relationships they’re typically able to develop within their local communities. This includes providing loans to local industries and businesses that may have a strong impact on the bank’s profitability — for better or worse. Asset concentration in local industries can be a strength. However, it’s important to manage those assets carefully to avoid the downsides, including the risk of heavy concentration in an industry that’s losing ground.

Determine the risks and rewards

Asset concentrations increase a bank’s risk by exposing it to potential losses. For example, banks with concentrated assets are vulnerable to significant losses in the event of a local industry or economic downturn. But that doesn’t mean that banks should avoid such concentrations at all costs. On the contrary, asset concentrations enable banks to better serve their communities by taking advantage of local industry expertise and market knowledge. So, you should weigh the risks against the benefits — and implement measures to mitigate potential risks.

First, evaluate your credit risk management policies, keeping in mind that asset concentration risks are felt well beyond the area of concentration. Suppose a bank has a heavy concentration of loans to businesses in a particular industry. A downturn in that sector could make it harder for businesses in the industry to repay their commercial loans and for individuals who work in the industry to repay their auto loans or mortgages.

So, it’s critical to consider the impact of asset concentrations on your entire loan portfolio and to implement policies to address the elevated risk. Such policies might include tightening underwriting standards, placing caps on asset concentrations, conducting global cash-flow analyses, performing stress tests and monitoring loans carefully.

Also ensure that your bank’s level of capital and reserves is commensurate with its concentration risk and aligns with the bank’s strategic plan. If your bank has a significant loan concentration in a particular industry, market or loan type, consider the relationships among these loans when evaluating the sufficiency of your capital and determining an appropriate allowance for loan and lease losses (ALLL).

Use diversification strategies wisely

In addition, take a judicious approach to diversification. An obvious solution to a risky asset concentration is to diversify. But diversification presents its own risks, so handle the process carefully. For example, a bank with a heavy concentration of loans in an industry or geographic territory might diversify by making loans to businesses in other industries or territories. But doing so might require the bank to venture out of its comfort zone into areas where it doesn’t possess the same level of knowledge and expertise.

Look for ways to diversify within a particular industry. For example, a bank with a high concentration of agricultural loans should consider lending to both crop producers, such as corn or soybean farmers, and livestock producers. This can mitigate the bank’s risk because economic and other external forces that hurt one industry segment may help the other. A decline in crop prices, for instance, would harm crop producers but it would benefit livestock producers by reducing their feed costs.

Another diversification strategy is to increase the size of your bank’s securities portfolio. Doing so instantly shrinks the bank’s loan-to-asset ratio. (A high ratio is often a red flag.) But keep in mind that investing in securities poses problems of its own and may divert capital away from the community the bank serves.

Stay on top of the local economy

A superficial understanding of the industries in which your customers operate may lead to bad decisions. Your bank’s lending officers need to be conversant with the many factors involved in the local business environment in order to analyze, and react to, its fluctuating risks and rewards.


Should your bank outsource its internal audit program?

For community banks, a strong internal audit program is a critical tool for ensuring regulatory compliance, managing risk, maintaining operational efficiency, and inspiring confidence in their financial and reporting practices. It also can help prevent and detect fraud. According to the Association of Certified Fraud Examiners’ most recent report on occupational fraud, though tips are by far the most common way frauds are exposed, internal audits are the second most common method. The report found that internal audits are associated with significant reductions in the magnitude and duration of frauds.

Internal audits aren’t the same as external audits, which focus on ensuring that financial statements are free from material misstatement and comply with Generally Accepted Accounting Principles or other relevant frameworks. Both types of audits are essential for a bank’s financial health, providing a robust framework for accountability and transparency. However, internal audits involve different procedures, are usually broader in scope, and can be tailored to fit your bank’s risk-management, operational and governance needs.

One question many banks face is whether to conduct internal audits in-house or to outsource the internal audit function. The answer to that question depends on your bank’s circumstances. Let’s look at some factors to consider.

Pros of outsourcing

Outsourcing internal audits offers several important advantages over conducting them in-house, including:

Improved independence and objectivity. Outsourced internal auditors are usually independent, objective and less susceptible to influence from bank management, providing a fresh look at the bank’s operations and internal controls. Outsourcing also makes it easier to rotate internal auditors, which can be a challenge with an in-house internal auditing department.

Access to expertise. Outsourced internal auditors possess specialized expertise and skills that would be challenging or cost-prohibitive to maintain in-house. This is particularly true for banks in smaller communities as well as those that plan to offer new products and services or expand into new markets.

Access to technology. Outsourced internal auditors often have access to sophisticated technology tools that would be impractical for a bank to purchase in-house.

Reduced costs. By allowing banks to avoid overhead and fixed labor costs associated with an in-house staff, outsourcing can reduce costs. It also gives banks the flexibility to quickly scale their internal audit programs up or down as their needs change or special projects arise.

If your bank’s management concludes that the pros of outsourcing the internal audit function outweigh the cons, it’s critical to handle outsourcing relationships with care.

Cons of outsourcing

Perhaps the biggest disadvantage of outsourcing is that outsourced internal auditors may initially lack an in-house auditor’s deep and broad familiarity with the bank’s operations. This creates a learning curve that may counteract the cost-effectiveness of an outsourced audit. One option is to outsource the internal audit function to the bank’s external auditor. But be sure to weigh the potential impact of such an arrangement on the external auditor’s independence when considering this approach.

Outsourcing arrangements may result in conflicts of interest, mistakes or misaligned goals if not carefully managed. For instance, outsourced internal auditors might recommend additional auditing activities to increase their fees, or their perceived goals might not be aligned with the bank’s goals for the internal audit function. To avoid these issues, it’s important to

1) prepare a comprehensive engagement letter or contract that spells out the audit’s scope and the parties’ expectations regarding the auditing firm’s activities and advice,

2) promote open and ongoing communication, and

3) monitor the auditor’s activities closely.

Co-sourcing: The best of both worlds?

Co-sourcing — that is, splitting internal audit activities between in-house and outsourced auditors — may offer the best of both worlds. For example, it allows a short-staffed bank to maintain the advantages of in-house auditors while gaining access to additional human resources.

And co-sourcing can be a good way to conduct special-purpose audits, such as anti-money laundering/countering the financing of terrorism (AML/CFT) audits or IT audits. These require specialized skills that the in-house auditing team might not possess.

The buck stops here

Outsourcing the internal audit doesn’t absolve your bank’s management or board from responsibility for it. Among other things, understand and follow the federal agencies’ guidance on managing third-party risks, including the Federal Deposit Insurance Corporation’s “Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.” Failure to properly manage these risks can hurt your bank’s reputation, and weaknesses in the internal audit process may lead regulators to conclude that your bank isn’t operating in a safe and sound manner.

Sidebar: Review outsourcing agreements carefully

When managing relationships with outsourced vendors and other third parties, scrutinize the contract or engagement letter. Under banking agency guidance, an agreement should, among other things:

  • Define the parties’ expectations and responsibilities,
  • Establish the fees and scope of the work,
  • Set responsibilities for providing and receiving reports and other information,
  • Outline the process for changing the agreement’s terms or terminating it,
  • Provide that internal audit reports are the bank’s property,
  • Specify how long the vendor must retain workpapers,
  • Acknowledge that vendor-provided internal audit services are subject to regulatory review and provide that examiners will be granted full, timely access to reports and workpapers,
  • Prescribe a process for resolving disputes and allocating the cost of damages arising from errors, omissions or negligence, and
  • State that the vendor will comply with any applicable regulations or professional standards.

© 2024


Keep It Fair – Stay Aligned With Fair Lending Practices

Abstract:   Community banks are on the front lines when it comes to ensuring people in their local areas have equal access to loans. This means they must be vigilant in maintaining stringent lending standards to avoid any suggestion of discriminatory practices. This article suggests five steps for avoiding violations of fair lending laws and developing an effective compliance program, including conducting a risk assessment and providing compliance training.

Community banks are on the front lines when it comes to ensuring people in their local areas have equal access to loans. This means they must be vigilant in maintaining stringent lending standards to avoid any suggestion of discriminatory practices. Violations of fair lending laws have the potential to affect a community bank’s bottom line in the form of litigation or other penalties. Plus, they may cause a bank to lose customers.

The laws are clear

There are two primary fair lending laws. First, the Fair Housing Act (FHA) prohibits discrimination in residential real estate-related transactions based on race or color, national origin, religion, sex, handicap, or familial status. For example, banks can’t discriminate against households with one or more children under 18, pregnant women, or people in the process of adopting or otherwise gaining custody of a child.

Second, the Equal Credit Opportunity Act (ECOA) prohibits discrimination in credit transactions based on race or color, national origin, religion, sex, marital status, age (assuming the applicant has the capacity to contract), an applicant’s receipt of income from a public assistance program, or an applicant’s good faith exercise of his or her rights under the Consumer Credit Protection Act.

In addition, the Home Mortgage Disclosure Act requires certain lenders to report information about mortgage loan activity, including the race, ethnicity and sex of applicants. And the Community Reinvestment Act provides incentives for banks to help meet their communities’ credit needs.

These steps will help

Here are five tips for developing an effective compliance program:

  1. Conduct a risk assessment. Identify your bank’s most significant fair lending risks based on its size, location, customer demographics, product and service mix, and other factors. This can reveal weaknesses in the bank’s credit policies and procedures and other aspects of its credit operations. It’s particularly important to examine the bank’s management of risks associated with third parties, such as appraisers, aggregators, brokers and loan originators.
  2. Develop a written policy. A comprehensive written fair lending policy is key to help minimize your bank’s risks. This document can go a long way toward mitigating the bank’s liability in the event of a violation by demonstrating its commitment to fair lending.
  3. Review your data. Analyzing data about your lending and other credit decisions is important for two reasons: First, it’s the only way to determine whether disparities in access to credit exist for members of the various protected classes. These disparities don’t necessarily signal that unlawful discrimination is taking place — but gathering this data is the only way to make this determination.

Second, lending discrimination isn’t limited to disparate treatment of protected classes. Banks are potentially liable under the FHA and ECOA if their lending practices have a disparate impact on protected classes. For example, a policy of not making single-family mortgage loans under a specified dollar amount may disproportionately exclude certain low-income groups, even though the policy applies equally to all loan applicants.

Banks can defend against allegations of discrimination based on disparate impact by showing that the policy was justified by business necessity and that there was no alternative practice for achieving the same business objective without a disparate impact.

  4. Provide compliance training. Even the most thorough, well-designed policy won’t be worth the paper it’s printed on unless you provide fair lending compliance training for bank directors, management and other relevant employees. It’s also important to evaluate whether the policy is effective.
  5. Monitor compliance. You’ll need to monitor your bank’s compliance with fair lending laws and promptly address any violations or red flags. Among other things, perform regular data analysis; monitor and manage consumer complaints; keep an eye on third-party vendors; and conduct periodic independent audits of your compliance program (by your internal audit team or an outside consultant).

Stay on top of fair lending practices

Lending is a key function of any community bank, so your bank should stay alert to any potential violations of fair lending laws. Although some of these laws have been in place for many years, that doesn’t mean banks should become complacent. If not addressed properly, these issues may come back to haunt your bank’s operations and negatively affect its financial health. Contact us to learn more.

© 2024


Consumer Reports Study Provides Insights into Mobile Banking Apps

Online and mobile banking apps have become wildly popular. According to a 2023 study by Consumer Reports (CR), 75% of Americans use one or more banking apps to check their balances, monitor transactions, transfer and receive money, deposit checks, pay bills, and perform other tasks. Of those who use banking apps, 77% use them at least once a week — and 32% use them every day, or nearly every day.

In March 2024, CR published a report, “Banking Apps: The Case Study for a Digital Finance Standard.” For this report, CR evaluated 10 popular mobile banking apps — five offered by large traditional banks and five offered by “digital” (that is, online only) banks. CR found that many apps fall short, particularly when it comes to fraud protection, privacy and accessibility. Here are some additional highlights from the report.

Fraud protection

Although CR’s 2023 survey found that the vast majority of users feel confident that their banking apps adequately protect them against fraud and scams, the 2024 report concluded that the banking apps generally don’t “adequately commit to real-time fraud monitoring and notifying users in the event of suspicious activity.” Also, while most banks provide users with basic fraud education on their websites, some fail to provide similar information in their apps.

CR recommends that banking apps make explicit commitments to real-time fraud monitoring and fraud notifications to users. The apps also need to increase education about scams and fraud.

Privacy

According to CR, “Most of the banking apps we reviewed share data beyond what is required to provide the service the user requests, and only some banking apps offer the ability to opt out of targeted advertising.” The report recommends that banks “practice true data minimization” in their apps.

It also suggests that banks should provide more meaningful information about data that’s shared with third parties. Finally, banks need to provide in-app controls over data sharing and targeted advertising to make it easy for users to opt out.

Accessibility

CR found that many banking apps are lacking when it comes to accessibility for users with disabilities. In addition, the apps aren’t necessarily accessible for those whose primary language isn’t English.

The report urges banks to “build robust accessibility features directly into mobile apps and websites,” particularly for users with visual or hearing disabilities. It also recommends making apps and account information available in Spanish and other languages.

Financial well-being

According to the report, digital banks offer maintenance fee structures that benefit users’ financial health, while traditional banks fall short in this regard. CR also found that banking apps are inconsistent in offering tools and features designed to help users improve their financial well-being, such as automated savings features, budgeting tools, goal-setting features and spending indicators. Plus, most users don’t take advantage of these resources. The report concluded that banks “can do more to educate their customers about the importance of saving and budgeting and make app design decisions that encourage active use of these tools.”

CR recommends that banks eliminate maintenance fees, seamlessly embed interactive financial health tools in their apps and track user financial well-being metrics as institutional key performance indicators.

Best practices

As mobile banking apps continue to grow in popularity and functionality, the CR report provides a useful guide to best practices when designing these apps. Banks can create a competitive edge by ensuring their mobile banking apps are up to speed. Contact us for more information.

© 2024


Bank Wire

Abstract:   This brief summary of current developments in community banking explains the importance of having internal controls that identify, monitor and control residential real estate valuation discrimination. In addition, it notes that bank customers are generally skeptical of the use of artificial intelligence (AI) to assist in various banking services. Finally, it warns financial institutions about the increasing use of counterfeit U.S. passport cards to perpetrate identity theft and fraud schemes.

Steering clear of discrimination in real estate valuation

A recent Federal Financial Institutions Examination Council (FFIEC) statement discusses “Principles Related to Valuation Discrimination and Bias in Residential Lending.” The statement notes that “Deficiencies in real estate valuations, including those due to valuation discrimination or bias, can lead to increased safety and soundness risks, as well as consumer harm.” The statement lists several examples of potential consumer harm, such as:

  • Denial of access to credit for which a consumer is otherwise qualified,
  • Offering consumers credit at less favorable terms, and
  • Steering consumers to a narrower class of loan products.

Banks whose internal controls fail to identify, monitor and control valuation discrimination or bias may be exposed to legal and compliance risks or negative assessments by regulators. To avoid these issues, the FFIEC encourages banks to establish a formal valuation review program consistent with the Interagency Appraisal and Evaluation Guidelines.

Consumers are skeptical of AI

Banks increasingly use artificial intelligence (AI) to streamline and enhance various processes, including customer service, fraud prevention and detection, compliance, underwriting, collections, and marketing. But it’s important to recognize that customers may not be fully on board.

According to a recent survey by J.D. Power, “While banks are investing time and resources to integrating AI into their offerings, customers are simply not convinced that AI is to be trusted. More than half (56%) say they only somewhat trust the quality of the output generated by their bank’s use of AI, with 32% saying they don’t trust it at all.”

Part of the problem, the report theorizes, may be that banking customers “view their institution’s use of AI as less advanced than other industries’ solutions.” To get customers more comfortable with AI, J.D. Power says, banks “need to go the extra mile by making [customers] understand how they’ll personally benefit from it.”

Watch out for counterfeit U.S. passport cards

In a recent notice, the Financial Crimes Enforcement Network (FinCEN) warned financial institutions about the use of counterfeit U.S. passport cards to perpetrate identity theft and fraud schemes. Some examples of warning signs include:

  • Photos that are in color, have a white, blurry border or have a dark gray square surrounding them,
  • Account holder photos on file that don’t match the photo on the card or the individual presenting it, and
  • A missing holographic U.S. Department of State seal or a seal from an unrelated agency.

The notice provides an overview of these schemes and highlights 17 selected technical, behavioral and financial red flags to assist banks in identifying and reporting suspicious activity. Contact us for more information.

© 2024


Is Your Bank Ready for FDICIA Compliance?

The Federal Deposit Insurance Corporation (FDIC) reports that the number of insured financial institutions has dropped from around 8,000 to just under 4,600 over the last 14 years. When institutions consolidate, their average asset size swells, so it’s important for banks to be mindful of their obligations under the FDIC Improvement Act of 1991 (FDICIA).

What does the FDICIA require?

The FDICIA imposes stricter auditing, reporting and governance obligations once banks have $500 million in total assets, followed by even more rigorous requirements at $1 billion in assets. According to the FDIC’s most recent Community Banking Study (December 2020), the average asset size of community banks in 2019 was approximately $470 million. So, it’s likely that many community banks will cross the $500 million threshold in the future.

It’s important to monitor your bank’s assets closely so you can prepare for FDICIA compliance before you reach the threshold (ideally one to two years in advance). An early start will help ensure a smooth transition. It will also give you an opportunity to test new controls and procedures, allowing you to remedy any deficiencies before you start submitting reports to federal regulators.

What’s required before reaching $500 million?

Your bank should take several steps as you approach the first reporting threshold. The FDICIA will require submission of comparative financial statements. If you don’t currently prepare audited financials, you can use unaudited ones for the year before you’re subject to the FDICIA. Nevertheless, it’s a good idea to obtain at least a balance sheet audit for the previous year. That way, any material weaknesses or significant deficiencies the auditor identifies can be addressed before you report to federal regulators.

Additionally, review your audit committee’s composition to ensure that a majority of its members are independent. You may need to replace some members who have conflicts and add new directors, so leave plenty of time to conduct a diligent search.

Also review your accountants’ services for potential independence issues. Early preparation will provide time to arrange separate firms for audit services and prohibited nonaudit services. Your auditor won’t be allowed to prepare financial statements, so management should be prepared to assume greater responsibility for financial statement preparation and review.

What’s required at $500 million?

When your bank’s total assets reach $500 million, key requirements include:

  • Audited financial statements. Audited financial statements must be submitted with the independent auditor’s report to the relevant federal banking agency within 120 days after the fiscal year-end (90 days for publicly traded banks).
  • Auditor independence. Your bank must comply with the strictest auditor independence standards applicable to public companies. That means your auditor must avoid conflicts of interest and prohibited financial relationships with your bank, rotate audit partners at least every five years, and refrain from providing prohibited nonaudit services to your bank. Examples include bookkeeping, financial statement preparation, valuation, internal audits and tax services for certain bank insiders.
  • Management reports. Annual reports must include statements on management’s responsibility for 1) preparing financial statements, 2) establishing and maintaining adequate internal control over financial reporting (ICFR), and 3) complying with certain safety and soundness laws and regulations.
  • Audit committee composition. Your bank’s board must have a separate audit committee, and a majority of the committee’s members must be outside directors who are independent of management.

Remember these requirements when preparing to comply.

What’s required at $1 billion?

The following additional requirements apply when your bank’s total assets reach $1 billion:

  • Expanded management reports. Your bank must submit an evaluation of the effectiveness of its ICFR as of the fiscal year-end, based on a recognized framework.
  • External opinion on ICFR. You must submit an independent auditor’s attestation report on the effectiveness of ICFR as of the fiscal year-end.
  • Fully independent audit committee. All members of your audit committee must be independent of management.

These time- and resource-intensive steps require an early start.

Create a roadmap

A smooth journey to FDICIA compliance requires a detailed plan. Contact your CPA to discuss steps needed as your bank’s total assets approach the $500 million and $1 billion mileposts.

Sidebar: Measuring assets for FDICIA purposes

The applicability of the FDIC Improvement Act (FDICIA) is based on total assets as of the beginning of your bank’s fiscal year, per your most recent Call Report. Banks that operate on a calendar year should consult their December 31 Call Reports to determine total assets on January 1 of the following calendar year.

FDICIA coverage for a given fiscal year is based on a bank’s total assets as of the first day of that year, regardless of asset-level fluctuations during the year. For example, if a calendar-year institution’s total assets are $550 million as of September 30, 2024, it won’t be subject to the FDICIA in 2025 if total assets drop to $495 million as of December 31, 2024.

However, if the bank’s assets are greater than $500 million as of the end of 2024, it will be subject to the FDICIA throughout 2025, even if its total assets dip below the threshold during the year. Contact us for more information.

© 2024


Bank Wire: BNPL Loans: Managing the Risk

In a recent bulletin, the Office of the Comptroller of the Currency (OCC) offers guidance to community banks on managing the risks associated with buy now, pay later (BNPL) loans. These loans can take many forms, but the bulletin focuses on those that are payable in four or fewer installments and carry no finance charges. Typically, these loans are offered at the point of sale. The lender pays the merchant a discounted price for the good or service and, in exchange, assumes responsibility for granting credit and collecting payments from the borrower. The lender’s primary source of revenue is the difference between the total installment payments and the discounted purchase price, though it may also collect late fees from the borrower.

The bulletin warns banks of various risks associated with BNPL loans. For example, borrowers may overextend themselves or not fully understand their repayment obligations; applicants with limited or no credit history may present underwriting challenges; and the lack of clear, standardized disclosure language may obscure the true nature of the loan, creating a risk of violating prohibitions against unfair, deceptive or abusive acts or practices. The OCC offers tips on designing risk management systems that “capture the unique characteristics and risks of BNPL loans.” You can find the bulletin at https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-37.html.

Guidance on venture loans

In another recent bulletin, the OCC offers guidance to banks considering venture lending — that is, commercial lending activities that target high-risk borrowers in the early, expansion, or late stages of development. According to the bulletin, the primary risks associated with venture lending include unproven cash flows, untested business models, difficulty projecting future cash flows, high liquidity needs, high investment spending, and limited refinancing or business exit options.

Typically, these risks are greater for borrowers at an earlier stage of development. The bulletin — which can be found at https://www.occ.treas.gov/news-issuances/bulletins/2023/bulletin-2023-34.html — provides guidance on managing these risks.

CFPB proposal would close overdraft loophole

The Consumer Financial Protection Bureau (CFPB) recently issued a proposed rule designed to rein in excessive overdraft fees charged by large banks. The proposal would end the exemption of overdraft lending services from the Truth in Lending Act and other consumer protection laws.

Banks would be permitted to extend overdraft loans if they comply with the requirements of these laws or, alternatively, charge a fee to recoup their costs at an established benchmark (as low as $3) or at a cost they calculate (provided they show their cost data). The proposed rule would apply only to insured financial institutions with more than $10 billion in assets, but it may be expanded to smaller institutions in the future.

© 2024


Staying Atop the New-and-Improved CRA Rules

Final rules to strengthen and modernize the Community Reinvestment Act (CRA) were unveiled by the Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) late last year. Among other things, the new rules strive to adapt the CRA regulations to changes in the banking industry, including the expanded role of mobile and online banking.

At nearly 1,500 pages, the new rules are complex. Fortunately, with the exception of provisions that are similar to current CRA regulations, banks have until January 1, 2026, to comply. All banks should reevaluate their CRA programs in light of the new rules, and prepare for any necessary adjustments.

CRA in a nutshell

The CRA encourages banks to help meet the credit needs of the communities in which they operate, including low- and moderate-income neighborhoods, consistent with safe and sound banking operations. To monitor compliance, the federal banking agencies periodically evaluate banks’ records in meeting their communities’ credit needs and make their performance evaluations and CRA ratings available to the public. The agencies take a bank’s CRA rating into account when considering requests to approve bank mergers, acquisitions, charters, branch openings and deposit facilities. A bank’s CRA rating may also affect its reputation in the community.

Highlights of the new rules

CRA evaluation standards vary depending on a bank’s size. The new rules increase the asset size thresholds as follows:

  • Small banks are defined as those with less than $600 million in assets (up from $357 million).
  • Intermediate banks are those with $600 million but less than $2 billion in assets (up from $1.503 billion).
  • Large banks are those with $2 billion or more in assets (up from $1.503 billion).

The final rules create a new evaluation framework that rates a bank’s CRA performance based on four tests: 1) a retail lending test, 2) a community development financing test, 3) a community development services test, and 4) a retail products and services test. These new tests, which are more stringent than existing standards, have varying applicability depending on a bank’s asset size.

Small banks will be evaluated under the current “small bank lending test,” though they may opt into the new retail lending test. Intermediate banks will be subject to the new retail lending test — plus, they’ll have the option of having their community development loans and investments evaluated under the existing community development test or the new community development financing test. Finally, large banks will be evaluated under all four new tests.

Rules matter

As before, banks of all sizes will still be able to request an evaluation under an approved strategic plan. The new rules also provide for evaluating the lending that certain large banks do outside traditional assessment areas, lending generated by the growth of new delivery systems such as online and mobile banking. Staying current with the latest CRA rules will help your bank pass the tests and maintain its good standing over time.

© 2024