Financial Institutions and Banking

Bank Wire: BNPL Loans: Managing the Risk

In a recent bulletin, the Office of the Comptroller of the Currency (OCC) offers guidance to community banks on managing the risks associated with buy now, pay later (BNPL) loans. These loans can take many forms, but the bulletin focuses on those that are payable in four or fewer installments and carry no finance charges. Typically, these loans are offered at the point of sale. The lender pays the merchant a discounted price for the good or service and, in exchange, assumes responsibility for granting credit and collecting payments from the borrower. The lender’s primary source of revenue is the difference between the total installment payments and the discounted purchase price, though it may also collect late fees from the borrower.

The bulletin warns banks of various risks associated with BNPL loans. For example, borrowers may overextend themselves or not fully understand their repayment obligations; applicants with limited or no credit history may present underwriting challenges; and the lack of clear, standardized disclosure language may obscure the true nature of the loan, creating a risk of violating prohibitions against unfair, deceptive or abusive acts or practices. The OCC offers tips on designing risk management systems that “capture the unique characteristics and risks of BNPL loans.” You can find the bulletin at

Guidance on venture loans

In another recent bulletin, the OCC offers guidance to banks considering venture lending — that is, commercial lending activities that target high-risk borrowers in the early, expansion, or late stages of development. According to the bulletin, the primary risks associated with venture lending include unproven cash flows, untested business models, difficulty projecting future cash flows, high liquidity needs, high investment spending, and limited refinancing or business exit options.

Typically, these risks are greater for borrowers at an earlier stage of development. The bulletin — which can be found at — provides guidance on managing these risks.

CFPB proposal would close overdraft loophole

The Consumer Financial Protection Bureau (CFPB) recently issued a proposed rule designed to rein in excessive overdraft fees charged by large banks. The proposal would end the exemption of overdraft lending services from the Truth in Lending Act and other consumer protection laws.

Banks would be permitted to extend overdraft loans if they comply with the requirements of these laws or, alternatively, charge a fee to recoup their costs at an established benchmark (as low as $3) or at a cost they calculate (provided they show their cost data). The proposed rule would apply only to insured financial institutions with more than $10 billion in assets, but it may be expanded to smaller institutions in the future.

© 2024

Staying Atop the New-and-Improved CRA Rules

Final rules to strengthen and modernize the Community Reinvestment Act (CRA) were unveiled by the Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) late last year. Among other things, the new rules strive to adapt the CRA regulations to changes in the banking industry, including the expanded role of mobile and online banking.

At nearly 1,500 pages, the new rules are complex. Fortunately, with the exception of provisions that are similar to current CRA regulations, banks have until January 1, 2026, to comply. All banks should reevaluate their CRA programs in light of the new rules, and prepare for any necessary adjustments.

CRA in a nutshell

The CRA encourages banks to help meet the credit needs of the communities in which they operate — including low and moderate-income neighborhoods — consistent with safe and sound banking operations. To monitor compliance, the federal banking agencies periodically evaluate banks’ records in meeting their communities’ credit needs and make their performance evaluations and CRA ratings available to the public. The agencies take a bank’s CRA rating into account when considering requests to approve bank mergers, acquisitions, charters, branch openings and deposit facilities. A bank’s CRA rating may also affect its reputation in the community.

Highlights of the new rules

CRA evaluation standards vary depending on a bank’s size. The new rules increase the asset size thresholds as follows:

  • Small banks are defined as those with less than $600 million in assets (up from $357 million).
  • Intermediate banks are those with at least $600 million but less than $2 billion in assets (up from $1.503 billion).
  • Large banks are those with $2 billion or more in assets (up from $1.503 billion).

The final rules create a new evaluation framework that rates a bank’s CRA performance based on four tests: 1) a retail lending test, 2) a community development financing test, 3) a community development services test, and 4) a retail products and services test. These new tests, which are more stringent than existing standards, have varying applicability depending on a bank’s asset size.

Small banks will be evaluated under the current “small bank lending test,” though they may opt into the new retail lending test. Intermediate banks will be subject to the new retail lending test — plus, they’ll have the option of having their community development loans and investments evaluated under the existing community development test or the new community development financing test. Finally, large banks will be evaluated under all four new tests.

Rules matter

As before, banks of all sizes will still be able to request an evaluation under an approved strategic plan. The new rules also provide for evaluating certain large banks’ lending outside their traditional assessment areas, reflecting the growth of new delivery systems such as online and mobile banking. Staying current with the latest CRA rules will help your bank pass the tests and maintain its good standing over time.

© 2024

Federal Court: Financial Institution Liable for ACH Fraud Losses

In a recent case — Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union — the U.S. District Court for the Eastern District of Virginia held a credit union liable for more than $500,000 in fraudulent ACH payments deposited into a member’s account and quickly withdrawn. The payments were the result of a business email compromise scam. There was little or no evidence that the credit union had actual knowledge of the scam. But the court found that such knowledge was imputed to the credit union based on real-time alerts from its anti-money laundering system and various red flags indicating that the account was being used for fraudulent purposes.

Compromised email scam

The plaintiff in Studco was a manufacturer of commercial metal building products. A supplier informed the plaintiff that it would be sending a change in banking instructions. However, a third party, which had gained access to the plaintiff’s email system, prevented the plaintiff from receiving the legitimate email from the supplier with the new banking instructions. Instead, the third party sent the plaintiff a spoofed email, purportedly from the supplier, instructing it to direct future payments to a personal account at the defendant credit union. Neither the plaintiff nor its supplier had accounts at the credit union.

Over the next few weeks, the plaintiff made four ACH deposits — totaling $558,869 — that named its supplier as beneficiary but listed the account number for the personal account created by the scammers. The individual owner of that account quickly dispersed all the funds. Although the credit union declined to make attempted international wire transfers from the account — based on Office of Foreign Assets Control alerts — it didn’t otherwise stop activity into or out of the account.

The credit union’s computer system automatically generates warnings for ACH transactions when, as in this case, the identified payee doesn’t exactly match the name of the receiving account holder. However, the system generates “hundreds to thousands” of these warnings per day, the majority of which aren’t significant, so the credit union’s personnel don’t actively monitor them.

Court decision

The court said, under the Uniform Commercial Code (UCC) as adopted by Virginia, the plaintiff had the right to recover the fraudulent ACH deposits received by the credit union if it showed that the credit union “‘[knew] that the name and [account] number’ of the incoming ACHs from [the plaintiff] ‘identif[ied] different persons.’” According to the UCC, “know” means “actual knowledge,” defined as follows:

Actual knowledge of information received by the organization is effective for a particular transaction from the time it is brought to the attention of the individual conducting that transaction and, in any event, from the time it would have been brought to the individual’s attention if the organization had exercised due diligence. [Emphasis added]

The UCC further provides that an organization exercises due diligence if it “maintains reasonable routines for communicating significant information to the person conducting the transaction and there is reasonable compliance with the routines.”

In Studco, the court held that the credit union would have discovered the mismatch between the intended payee and the recipient if it had exercised due diligence. Evidence at trial showed that the credit union failed to do so. Among other things:

  • The credit union allowed the recipient to open the account even though it triggered an “ID verification warning,” stating that the system was unable to verify the address provided.
  • The credit union failed to establish a reasonable routine for monitoring suspicious activity alerts. It wasn’t reasonable to ignore those alerts because of their sheer volume. The credit union could have implemented a system to “escalate pertinent alerts of high-value transactions.”
  • It was unreasonable for the credit union to allow the deposits into the personal account, which was a new account that had a small starting balance followed by multiple high-value transactions.
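To illustrate the kind of escalation routine the court had in mind, here is an added example (constructed for this article, not the credit union’s system or the court’s record): the thresholds, account details and credit amounts are assumed values chosen to mirror the red flags listed above.

```python
"""Triage of ACH name-mismatch warnings, escalating the high-value ones (constructed example)."""
from dataclasses import dataclass
from datetime import date
import re

HIGH_VALUE = 50_000.0          # assumed dollar threshold for a "high-value" credit
NEW_ACCOUNT_DAYS = 90          # assumed window in which an account still counts as new
SMALL_OPENING_BALANCE = 500.0  # assumed ceiling for a "small starting balance"
BUSINESS_SUFFIX = re.compile(r"\b(LLC|INC|CORP|CORPORATION|CO|LTD)\b")


@dataclass
class Account:
    number: str
    holder_name: str
    opened: date
    opening_balance: float
    id_verification_warning: bool  # system could not verify the address at opening
    is_personal: bool


@dataclass
class AchCredit:
    account_number: str
    beneficiary_name: str  # payee name carried in the ACH entry
    amount: float
    posted: date


@dataclass
class Alert:
    account_number: str
    beneficiary_name: str
    amount: float
    reasons: list


def normalize(name: str) -> str:
    """Uppercase, drop punctuation and entity suffixes, collapse whitespace."""
    n = re.sub(r"[^A-Z0-9 ]", " ", name.upper())
    n = BUSINESS_SUFFIX.sub(" ", n)
    return " ".join(n.split())


def name_mismatch(credit: AchCredit, account: Account) -> bool:
    """The routine warning: beneficiary name and account holder name differ."""
    return normalize(credit.beneficiary_name) != normalize(account.holder_name)


def escalation_reasons(credit: AchCredit, account: Account, prior: list) -> list:
    """Red flags that lift a routine warning into human review; [] means stay in the bulk queue."""
    total = credit.amount + sum(p.amount for p in prior)
    if credit.amount < HIGH_VALUE and total < HIGH_VALUE:
        return []  # only high-value activity (single or cumulative) is escalated
    reasons = ["high-value credit" if credit.amount >= HIGH_VALUE
               else f"cumulative mismatched credits reach ${total:,.0f}"]
    if (credit.posted - account.opened).days <= NEW_ACCOUNT_DAYS:
        reasons.append("new account")
    if account.opening_balance <= SMALL_OPENING_BALANCE:
        reasons.append("small opening balance")
    if account.id_verification_warning:
        reasons.append("ID verification warning at account opening")
    if account.is_personal and BUSINESS_SUFFIX.search(credit.beneficiary_name.upper()):
        reasons.append("business-name beneficiary credited to a personal account")
    prior_high = [p for p in prior if p.amount >= HIGH_VALUE]
    if prior_high:
        reasons.append(f"{len(prior_high)} prior high-value credit(s) on this account")
    return reasons


def triage(credits: list, accounts: dict):
    """Split mismatch warnings into a routine queue and an escalated queue, in posting order."""
    history: dict = {}
    routine, escalated = [], []
    for c in sorted(credits, key=lambda x: x.posted):
        acct = accounts[c.account_number]
        if not name_mismatch(c, acct):
            continue
        prior = history.setdefault(acct.number, [])
        alert = Alert(acct.number, c.beneficiary_name, c.amount,
                      escalation_reasons(c, acct, prior))
        prior.append(c)
        (escalated if alert.reasons else routine).append(alert)
    return routine, escalated


# Constructed sample data (not the case record).
ACCOUNTS = {a.number: a for a in [
    Account("1234567890", "John Q Public", date(2024, 1, 5), 100.0, True, True),
    Account("5550001111", "ACME CORPORATION", date(2010, 6, 1), 25_000.0, False, False),
    Account("7770002222", "Jane Doe", date(2015, 3, 9), 1_200.0, False, True),
]}
CREDITS = [
    AchCredit("1234567890", "Supplier Metals Inc", 120_000.0, date(2024, 1, 20)),
    AchCredit("1234567890", "Supplier Metals Inc", 150_000.0, date(2024, 1, 27)),
    AchCredit("1234567890", "Supplier Metals Inc", 180_000.0, date(2024, 2, 3)),
    AchCredit("1234567890", "Supplier Metals Inc", 108_869.0, date(2024, 2, 10)),
    AchCredit("5550001111", "Acme Corp.", 2_500.0, date(2024, 2, 1)),  # same entity, no warning
    AchCredit("7770002222", "Jane A Doe", 900.0, date(2024, 2, 2)),    # mismatch, but low value
]
```

Running `triage(CREDITS, ACCOUNTS)` leaves the low-value personal-name mismatch in the routine queue and escalates all four business-name credits to the new personal account, each with its list of red flags.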

The court essentially applied a “knew or should have known” standard that’s a departure from the “actual knowledge” standard used by many courts. (See the sidebar “What other courts have said” below.) As the court explained, the credit union couldn’t “ignore their own systems to prevent fraud in order to claim that they did not have actual knowledge of said fraud.”

Stay tuned

It remains to be seen whether the Studco case is an aberration, or whether it heralds a shift in how courts view financial institutions’ responsibility to monitor ACH transactions for potential fraud. The credit union has appealed the decision to the Fourth U.S. Circuit Court of Appeals.

Sidebar: What other courts have said

Before Studco (see main article), most courts had focused on a bank’s state of knowledge at the time an ACH payment is credited to the recipient’s account. They point to language in the Uniform Commercial Code regarding misdescription of the beneficiary: “If the beneficiary’s bank does not know that the name and number refer to different persons, it may rely on the number as the proper identification of the beneficiary of the order. The beneficiary’s bank need not determine whether the name and number refer to the same person.” As the comments to this provision explain, “It is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost.”

In Shapiro v. Wells Fargo Bank, a case with similar facts to Studco, the 11th U.S. Circuit Court of Appeals found that it wasn’t unreasonable for Wells Fargo to allow its automated payment system to ignore a potential name mismatch and rely on the number as the proper identification.

© 2024

FAQs About Selling Mortgages on the Secondary Market

In an increasingly volatile marketplace, community banks need to be resourceful to take advantage of strategies that can help them maintain profitability and stability over time. Selling mortgage loans that your bank originated to secondary market investors can create a much-needed influx of cash, but it’s important to understand and mitigate the risks.

How did we get here?

Traditionally, community banks that participated in the secondary market acted as brokers, originating mortgages that were closed on behalf of larger financial institutions. In 2013, the Consumer Financial Protection Bureau (CFPB) finalized new loan originator compensation rules, which substantially limited the fees a broker could earn.

Since then, many community banks, in an effort to enhance noninterest income, have begun originating mortgages on their own behalf and then selling them to secondary market investors.

What are the risks?

Community banks that move away from the broker role and originate their own loans increase their risk exposure. For one thing, they become subject to CFPB rules, including the Ability-to-Repay (ATR) and Qualified Mortgage (QM) rules, which were revised in April 2021 with a mandatory compliance date of October 1, 2022. Even after selling a loan to the secondary market, a bank remains liable under these rules. A bank might even be required to buy back the loan years later if it’s determined that it failed to properly evaluate the borrower’s ability to repay or to meet qualified mortgage standards.

To mitigate these risks, it’s important for banks to develop or update underwriting policies, procedures and internal controls to ensure compliance with the revised ATR and QM rules. It’s also critical for banks to have loan officers and other personnel in place with the skill and training necessary to implement the rules.

Moreover, there’s a risk that contracts to sell mortgages to the secondary market will have a negative effect on a bank’s regulatory capital. Often, these contracts contain credit-enhancing representations and warranties, under which the seller assumes some of the risk of default or nonperformance. Generally, these exposures must be reported and risk-weighted (using one of several approaches) on a bank’s call reports. In turn, this can increase the amount of capital or reserves the bank is required to maintain.

Will updated Basel III rules add risk?

In addition, the Basel III capital rules are currently being updated to reduce operational risk in banks. The update was made in response, in part, to several 2023 regional bank failures largely caused by inadequate levels of capital. Known as the Basel III endgame, the update is somewhat controversial because some see its requirements as excessively stringent. Currently, the Basel III endgame is scheduled to take effect July 1, 2025, and will phase in the capital ratio impact over three years.

Among other things, the updated rules would reduce banks’ ability to use their own models for calculating capital requirements for loans. Banks would instead be required to use standardized measures and models to evaluate loan risks.

Stay vigilant

Community banks have much to gain by selling their mortgage loans to the secondary market, but only if they fully understand and take steps to mitigate the potential problems. Staying on top of the latest regulatory updates and developing proper procedures and internal controls will help ensure the rewards outweigh the risks.

© 2024

Bank Wire

Regulators focusing on liquidity risk management

Liquidity risk is in the spotlight, given last year’s notable bank failures and federal banking regulators’ explanations of the underlying causes. As regulators focus on liquidity risk management, they’re reminding banks that their 2010 “Interagency Policy Statement on Funding and Liquidity Risk Management (SR 10-06)” continues to be the primary guidance on the subject.

The policy statement discusses eight critical elements of sound liquidity risk management:

  1. Effective corporate governance,
  2. Appropriate strategies, policies, procedures, and limits used to manage and mitigate liquidity risk,
  3. Comprehensive liquidity risk measurement and monitoring systems that are commensurate with the bank’s complexity and business activities,
  4. Active management of intraday liquidity and collateral,
  5. An appropriately diverse mix of existing and potential future funding sources,
  6. Adequate levels of highly liquid marketable securities free of legal, regulatory or operational impediments that can be used to meet liquidity needs in stressful situations,
  7. Comprehensive contingency funding plans that sufficiently address potential adverse liquidity events and emergency cash flow requirements, and
  8. Internal controls and internal audit processes sufficient to determine the adequacy of the bank’s liquidity risk management process.

Banks need to follow these guidelines to ensure appropriate liquidity risk management.

Junk fees in the crosshairs

Federal agencies, including the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), are cracking down on so-called “junk fees” charged by banks and other businesses. Recently, the FTC issued a proposed “Rule on Unfair or Deceptive Fees,” which would prohibit businesses from misrepresenting the total cost of goods or services by omitting mandatory fees from advertised prices and misrepresenting, or failing to disclose, the nature and purpose of fees. Although the FTC has no authority over banks, the CFPB has indicated that it will enforce the rule against violators in the financial industry.

Watch out for pig butchering scam

In a recent alert, the Financial Crimes Enforcement Network (FinCEN) warned banks about a dangerous virtual currency investment scam known as “pig butchering.” Given the devastating impact of this scam, FinCEN has asked banks to report suspicious activities indicative of this scheme. According to FinCEN, the scam resembles “the practice of fattening a hog before slaughter.” Criminals use fake identities, elaborate storylines and other techniques to convince victims they’re in a trusted partnership before defrauding them of their assets.

The alert explains the scheme and provides a detailed list of behavioral, financial, and technical red flags to help banks identify and report suspicious activity. It also reminds banks of their reporting obligations under the Bank Secrecy Act and reviews the filing instructions for suspicious activity reports.

© 2023

What Can Visual Analytics Do For Your Bank?

Criminals are continuously looking for ways to use rapidly advancing technology for their own nefarious purposes. This is an ongoing issue for many community banks as they try to prevent money laundering and other crimes from happening within their operations. To protect your bank from criminal infiltration and ensure your bank remains in compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) laws and regulations, it’s best to fight fire with fire. Consider using data visualization software to help detect possible crimes before they can take hold.

How to comply with BSA/AML

Banks that fail to take reasonable steps to detect and prevent money-laundering activity risk government fines. They also may receive severe negative publicity that harms their reputations.

Several developments over the past few years reflect the federal banking agencies’ increasing concern about BSA/AML compliance efforts. For one thing, the Financial Crimes Enforcement Network (FinCEN) introduced customer due diligence (CDD) rules that require institutions to incorporate beneficial ownership identification requirements into existing CDD policies and procedures.

Within the past few years, the Office of the Comptroller of the Currency (OCC) alerted banks to increasing BSA/AML risks associated with technological developments and new product offerings in the banking industry. In addition, regulators increasingly have been scrutinizing automated monitoring systems used by banks to detect suspicious activity to ensure that they’re configured properly.

Regulators haven’t limited their heightened scrutiny to larger banks. In fact, some large banks have restricted certain customers’ activities or closed their accounts because of BSA/AML concerns. As a result, higher-risk customers often have moved to smaller banks with less experience managing the associated BSA/AML risks.

How to use visual analytics

Data visualization software — also known as visual analytics — can be a powerful AML tool. Traditional AML software products and methods do a good job of detecting known AML issues. But data visualization software, which is commonly used as an antifraud weapon, excels at spotting new or unknown AML activity.

As criminal activity becomes more sophisticated and more difficult to detect, traditional AML software or methods may no longer be enough. Data visualization software creates visual representations of data. These representations may take many different forms, from pie charts and bar graphs to scatter plots, decision trees and geospatial maps. Visualization helps banks identify suspicious patterns, relationships, trends or anomalies that are difficult to spot using traditional tools alone. It’s particularly useful in identifying new or emerging risks before they do lasting damage.

Criminal enterprises that wish to launder money typically use multiple entities and multiple bank accounts, both domestic and foreign. Using data visualization software, banks can map out the flow of funds across various accounts, identifying relationships between accounts and the entities associated with them. Data visualization can reveal clusters of interrelated entities that would be difficult and time-consuming to spot using traditional methods.

These clusters or other relationships don’t necessarily indicate criminal activity. But they help focus a bank’s AML efforts by pinpointing suspicious activities that warrant further investigation.
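As an added illustration (not part of the original article or of any vendor’s product), the following constructed example maps transfers and shared ownership into clusters of interrelated accounts and ranks them for analyst review; the account names, countries, amounts and the review rule are all assumed.

```python
"""Fund-flow clustering of accounts and the entities behind them (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str    # entity associated with the account
    country: str  # assumption: "US" is domestic, anything else is foreign


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float


def build_graph(accounts: dict, transfers: list) -> dict:
    """Undirected adjacency: one edge per transfer, plus edges joining accounts with a common owner."""
    adj = {n: set() for n in accounts}
    for t in transfers:
        adj[t.src].add(t.dst)
        adj[t.dst].add(t.src)
    by_owner = defaultdict(list)
    for a in accounts.values():
        by_owner[a.owner].append(a.number)
    for nums in by_owner.values():
        for n in nums[1:]:
            adj[nums[0]].add(n)
            adj[n].add(nums[0])
    return adj


def connected_components(adj: dict) -> list:
    """Breadth-first search; each component is one cluster of interrelated accounts."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.add(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(frozenset(comp))
    return comps


def summarize(cluster: frozenset, accounts: dict, transfers: list) -> dict:
    """Per-cluster facts an analyst would look at before deciding whether to investigate."""
    owners = {accounts[n].owner for n in cluster}
    foreign = {n for n in cluster if accounts[n].country != "US"}
    internal = sum(t.amount for t in transfers if t.src in cluster and t.dst in cluster)
    to_foreign = sum(t.amount for t in transfers if t.src in cluster and t.dst in foreign)
    return {
        "members": tuple(sorted(cluster)),
        "entities": len(owners),
        "foreign_accounts": len(foreign),
        "internal_flow": internal,
        "outflow_to_foreign": to_foreign,
        # Assumed review rule: several distinct entities and at least one foreign account.
        "review": len(owners) >= 3 and bool(foreign),
    }


def review_clusters(accounts: dict, transfers: list) -> list:
    """Clusters meeting the review rule first, then by total internal flow, largest first."""
    comps = connected_components(build_graph(accounts, transfers))
    summaries = [summarize(c, accounts, transfers) for c in comps]
    return sorted(summaries, key=lambda s: (not s["review"], -s["internal_flow"]))


# Constructed sample data.
ACCOUNTS = {a.number: a for a in [
    Account("A1", "Alpha Trading LLC", "US"),
    Account("A2", "Beta Holdings", "US"),
    Account("A3", "Gamma Imports", "US"),
    Account("A4", "Beta Holdings", "KY"),  # same owner as A2, held abroad
    Account("A5", "Delta Consulting", "PA"),
    Account("B1", "Local Bakery", "US"),
    Account("B2", "Flour Supplier Inc", "US"),
    Account("C1", "Jane Doe", "US"),
]}
TRANSFERS = [
    Transfer("A1", "A2", 40_000.0), Transfer("A2", "A3", 38_000.0),
    Transfer("A3", "A4", 37_000.0), Transfer("A4", "A5", 36_500.0),
    Transfer("B1", "B2", 1_200.0),
]
```

The ranked output is a starting point for an analyst, not a finding: the bakery-and-supplier pair forms a cluster too, and only the review flag and flow figures separate it from the five-account chain that moves funds abroad.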

Use all the tools at your disposal

Money laundering is an insidious and ever-present risk, and fraudsters are increasingly technology-savvy. Your bank needs to be alert to the potential dangers and use every analytic tool available to head them off, including data visualization software mapping.

© 2024

7 Ways AI is Transforming the Banking Industry

Abstract:   Artificial intelligence (AI) is impacting businesses in virtually every industry today, and banking is no exception. This article notes that banks of all sizes increasingly recognize AI’s potential to help them improve efficiency, reduce costs, enhance the customer experience and combat fraud. It offers seven examples of how banks are using AI, including in customer service, fraud prevention and underwriting decisions.

Artificial intelligence (AI) is impacting businesses in virtually every industry today, and banking is no exception. Banks of all sizes increasingly recognize AI’s potential to help them improve efficiency, reduce costs, enhance the customer experience and combat fraud. Here are seven examples of how banks are using AI:

  1. Customer service. Banks are using natural language processing and other AI applications to create conversational interfaces, or “chatbots,” that can improve the customer experience. These applications are available to customers 24/7. Plus, with access to troves of data and the ability to learn about specific customers’ behavior and usage patterns, they can offer highly personalized customer support at a fraction of the cost, and often more effectively, than humans.

Among other things, chatbots can answer account inquiries, reset passwords, assist with fund transfers and automatic payments, and assist with loan applications. Some banks also are using AI to recommend financial services and products, though the Consumer Financial Protection Bureau (CFPB) has been critical of the use of AI and chatbots in underwriting in some instances.

  2. Fraud prevention and detection. Traditional approaches to combating fraud are becoming more challenging due to the number of daily transactions and the many customer behaviors that need to be monitored to identify anomalies. AI applications can quickly detect even subtle deviations from customers’ usual account activity and behavior patterns. These trends can alert bank personnel to potentially fraudulent activities that warrant further investigation.

AI also has the ability to monitor bank systems and provide early warnings of cyberthreats, enabling bank personnel to respond quickly and minimize the damage. Examples of cyberattacks include phishing scams, ransomware and other malware, and identity theft.

  3. Underwriting decisions. Banks are beginning to use AI to improve their loan and credit decisions. AI-based systems are able to sift through vast amounts of data to analyze customer behavior and activity patterns that evince creditworthiness. They can also help spot, and flag, behaviors or characteristics that might increase the chances an applicant will default.
  4. Collections. By analyzing customer data, AI can spot warning signs that indicate potential delinquencies or defaults. It also can communicate with customers and offer personalized solutions for helping them get current on their payments and avoid default.
  5. Automation. Strictly speaking, robotic process automation (RPA) isn’t AI, but it has a similar impact on banking processes. RPA refers to software tools that automate time-consuming, repetitive tasks.

Not only does RPA free up bank personnel to focus on higher-value activities, but it also can improve productivity and reduce errors. Examples of the many uses of RPA include inputting data and documents, opening accounts, and processing address changes. In addition, it can be used to automate and standardize many tasks related to customer communications and regulatory compliance.

  6. BSA/AML compliance. AI can be invaluable to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance efforts. It can sift through enormous amounts of transaction data and identify suspicious activities that would be difficult, if not impossible, to detect using traditional methods.
  7. Marketing. By processing and analyzing huge amounts of data, AI can help banks track and even predict market trends. And by collecting data about a bank’s customers, it can reveal untapped sales and cross-selling opportunities.

Here to stay

For banks interested in taking advantage of AI, significant challenges remain, including implementing and maintaining the systems and the extensive data needed to support it. However, as this technology becomes more commonplace and cheaper, its benefits will be difficult to ignore.

© 2023

Learn From Past Mistakes

“Postmortems” on failed institutions are instructive for community banks

In the aftermath of three notable bank failures in 2023, federal banking regulators issued comprehensive reports detailing the underlying causes of those failures. These postmortems are must-reads for banks of all sizes because they point out management shortcomings that led to the bank failures — as well as regulators’ plans to become more proactive in addressing bank risks. Here are some highlights of the three reports.

  1. Silicon Valley Bank

According to the Federal Reserve (Fed) report, Silicon Valley Bank (SVB) was “a textbook case” of bank mismanagement. Its senior leadership failed to manage basic interest rate and liquidity risk, which led to a run by depositors. The causes of SVB’s failure were tied to 1) its business model, which was highly concentrated in early-stage and start-up technology companies and relied heavily on uninsured deposits, and 2) its failure to sufficiently address interest rate and liquidity risk. These factors left SVB “acutely exposed to the specific combination of rising interest rates and slowing activity in the technology sector that materialized in 2022 and early 2023,” observed the Fed. Also, SVB had accumulated substantial unrealized losses on available-for-sale (AFS) securities.

In addition to the fact that SVB’s directors didn’t receive adequate risk-related information from management, SVB:

  • Didn’t hold management accountable for effective risk management,
  • Failed its own internal liquidity stress tests and had no workable plan to access liquidity in times of stress, and
  • Managed interest rate risk with a focus on short-term profits, rather than on managing long-term risks and the risk of rising rates.

The Fed also took some of the blame, noting that supervisors didn’t fully appreciate the extent of SVB’s vulnerabilities as it grew rapidly in size and complexity. Thus, it failed to take sufficient steps to ensure that SVB addressed those problems quickly.

  2. Signature Bank

According to the Federal Deposit Insurance Corporation (FDIC) postmortem, the primary cause of Signature Bank’s failure was “illiquidity precipitated by contagion effects in the wake of” deposit runs that led to the failure of SVB and the self-liquidation of Silvergate Bank. The FDIC noted other causes of Signature Bank’s failure included its:

  • Pursuit of “rapid, unrestrained growth” without developing risk management practices and controls appropriate for its size and complexity,
  • Failure to prioritize good corporate governance and heed FDIC examiner concerns,
  • Overreliance on uninsured deposits to fund its rapid growth, without implementing fundamental liquidity risk management practices and controls, and
  • Failure to understand the risks associated with reliance on cryptocurrency deposits.

Like the Fed, the FDIC accepted some responsibility for Signature Bank’s failure, noting that it “could have escalated supervisory actions sooner,” its “examination work products could have been timelier,” and it could have communicated more effectively with the bank’s board and management.

  3. First Republic Bank

According to the FDIC, First Republic Bank failed primarily because of “a loss of market and depositor confidence” in the wake of the SVB and Signature Bank failures, resulting in a bank run. Notably, the FDIC found that First Republic Bank was well run, responsive to supervisory feedback, and implemented appropriate infrastructure, controls and risk management processes as it grew. Nevertheless, specific attributes of its business model and management strategies made it vulnerable to interest rate changes and the contagion effects of previous bank failures, including:

  • Rapid growth,
  • Loan and funding concentrations,
  • Overreliance on uninsured deposits and depositor loyalty, and
  • Failure to sufficiently mitigate interest rate risk.

Again, the FDIC examined its own possible role in First Republic Bank’s failure. Although it was unclear whether earlier supervisory action would have made a difference, the report noted that “meaningful action to mitigate interest rate risk and address funding concentrations would have made the bank more resilient and less vulnerable.”

Stay tuned

To help avoid future bank failures, regulators are considering several changes, including rethinking stress testing requirements; imposing additional capital or liquidity requirements on banks with inadequate capital planning, liquidity risk management, or governance and controls; incorporating unrealized losses and gains into regulatory capital rules; and encouraging banks to avoid concentrations on both sides of the balance sheet.

The extent to which these changes will trickle down to community banks is uncertain. But expect greater regulatory scrutiny in the future, particularly with respect to capital, liquidity risk and interest rate risk.

Sidebar: Role of social media in liquidity risk

An interesting takeaway from the regulators’ postmortems (see main article) is the role that social media, together with banking technology, plays in liquidity risk. In its postmortem on Silicon Valley Bank (SVB), the Federal Reserve (Fed) commented that “social media enabled depositors to instantly spread concerns about a bank run, and technology enabled immediate withdrawals of funding.”

On March 8, 2023, for example, SVB announced a balance sheet restructuring, including a sale of certain securities and an intention to raise capital. The next day, SVB experienced deposit outflows totaling over $40 billion, as uninsured depositors, interpreting the announcement as a signal of financial distress, began withdrawing their funds “in a coordinated manner with unprecedented speed.” According to the Fed, the run appeared to be fueled by social media and the bank’s concentrated network of venture capital investors and technology firms.

© 2023

Bank Wire

Crypto-assets: Handle with care

In January 2023, the federal banking agencies published “Joint Statement on Crypto-Asset Risks to Banking Organizations.” The statement cautions banks to be aware of — and, if applicable, mitigate — the risks associated with crypto-assets. According to the statement, these risks include:

  • Fraud and scams,
  • Legal uncertainties regarding custody practices, redemptions and ownership rights,
  • Inaccurate or misleading representations or disclosures, including misrepresentations regarding FDIC coverage,
  • Significant volatility, including potential impacts on deposit flows,
  • Stablecoins’ susceptibility to run risk,
  • Contagion risk resulting from interconnections among crypto-asset participants,
  • Lack of mature, robust risk management and governance practices in the crypto-asset sector, and
  • Heightened risks associated with open, public or decentralized networks (for example, a lack of governance mechanisms, and the absence of contracts or standards that clearly establish roles, responsibilities and liabilities).

The statement instructs banks to “ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations,” including consumer protection laws. Notably, the statement opines that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.”

Be prepared to report computer security incidents

As concerns over cybersecurity intensify, banks should be prepared to report computer security incidents to federal regulators quickly. Under a rule that took effect last spring, banks must report computer security incidents that rise to the level of a “notification incident” within 36 hours. The rule defines “computer security incident” as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” These incidents aren’t limited to cyberattacks — they also can result from hardware or software failures, human error or other nonmalicious causes.

A computer security incident is deemed to be a notification incident if it’s reasonably likely to materially disrupt or degrade a bank’s 1) ability to carry out banking operations, activities or processes, or deliver products and services to customers, 2) business lines whose failure would result in a material loss of revenue, profit or franchise value, or 3) operations whose failure would pose a threat to U.S. financial stability. All banks should have procedures in place for identifying notification incidents and reporting them to their primary regulators on a timely basis.

Strengthen Your Defenses: Preparing for ransomware attacks

In October 2021, a California community bank was victimized by a ransomware attack. The hackers obtained sensitive information from the bank’s systems, including loan application forms, tax returns, W-2 information, payroll records, names, addresses and Social Security numbers. They threatened to release this information if the bank failed to negotiate.

The bank incurred significant financial costs and reputational damage associated with the attack. It also offered free credit monitoring and identity theft protection services to affected customers. This is just one of many examples of community banks that have been targeted by ransomware attacks in recent years.

Double trouble

There was a time when smaller banks reasonably believed that cybercriminals would leave them alone, because larger institutions offered a bigger payoff. Recently, however, the trend has reversed. Cybercriminals are now targeting small banks, which they believe lack the wherewithal to protect against these attacks and have less robust internal controls than larger institutions.

A new ransomware scheme involves so-called “double extortion” attacks. In a traditional ransomware attack, the cybercriminal sends a phishing email to a bank employee or other user of the bank’s systems. If the recipient clicks on the link in the email, it introduces malware that infects the bank’s system, encrypting its data. The cybercriminal demands a ransom payment in exchange for the decryption key.

In some cases, however, victims were able to quickly restore their systems from unaffected backups and thus refused to pay the ransom. To avoid this result, a double extortion attack involves stealing sensitive data and threatening to release it if the ransom isn’t paid.
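The two stages described above leave different traces: the encryption stage shows up as a burst of high-entropy file writes under unfamiliar extensions on a host, and the exfiltration stage of a double extortion attack shows up earlier as a large outbound transfer from the same host to one outside destination. The detection logic below is an added example written for this article, not guidance from the FFIEC, the banking agencies, or any vendor; the host names, addresses, thresholds and telemetry records are all constructed for the example, and a real deployment would feed it from the bank's file-activity auditing and network flow logs.

```python
"""Flag ransomware encryption bursts and, for double extortion, the bulk
outbound transfer that precedes them, over constructed sample telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

class FileEvent(NamedTuple):
    ts: datetime
    host: str
    path: str        # path after the write or rename
    entropy: float   # Shannon entropy (bits per byte) of the written content

class FlowRecord(NamedTuple):
    ts: datetime
    host: str
    dest: str        # external destination address
    out_bytes: int

# Tunable thresholds; assumptions for this example, not regulatory figures.
MB = 1024 * 1024
WINDOW = timedelta(minutes=5)          # burst window for file writes
MIN_BURST_FILES = 20                   # suspicious writes in WINDOW = burst
HIGH_ENTROPY = 7.5                     # ciphertext sits near 8.0 bits/byte
EXFIL_LOOKBACK = timedelta(hours=24)   # how far before a burst to look back
EXFIL_MIN_BYTES = 500 * MB             # aggregate bytes to one destination
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "csv", "txt", "zip", "jpg", "png"}
ALLOWED_BULK_DESTS = {"203.0.113.10"}  # e.g. the bank's offsite backup target

def suspicious_write(ev: FileEvent) -> bool:
    """High-entropy content under an unfamiliar extension. Office files are
    compressed (also high entropy), so the extension check matters."""
    ext = ev.path.rsplit(".", 1)[-1].lower() if "." in ev.path else ""
    return ev.entropy >= HIGH_ENTROPY and ext not in KNOWN_EXTENSIONS

def encryption_bursts(events) -> dict:
    """Return {host: start of its first burst}, using a sliding window."""
    per_host = defaultdict(list)
    for ev in events:
        if suspicious_write(ev):
            per_host[ev.host].append(ev.ts)
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= WINDOW:
                j += 1
            if j - i >= MIN_BURST_FILES:
                bursts[host] = start
                break
    return bursts

def exfil_candidates(flows, before: Optional[datetime] = None) -> dict:
    """Return {host: (dest, bytes)} where a host sent EXFIL_MIN_BYTES or more
    to one non-allowlisted destination, within EXFIL_LOOKBACK of `before`."""
    totals = defaultdict(int)
    for fl in flows:
        if fl.dest in ALLOWED_BULK_DESTS:
            continue
        if before is not None and not (before - EXFIL_LOOKBACK <= fl.ts <= before):
            continue
        totals[(fl.host, fl.dest)] += fl.out_bytes
    result = {}
    for (host, dest), total in totals.items():
        if total >= EXFIL_MIN_BYTES and total > result.get(host, ("", 0))[1]:
            result[host] = (dest, total)
    return result

def classify(events, flows) -> dict:
    """Per host: 'double_extortion' (exfil, then encryption), 'encryption'
    (burst without prior exfil) or 'exfil_only' (bulk transfer, no burst)."""
    verdicts = {}
    for host, start in encryption_bursts(events).items():
        prior = exfil_candidates([f for f in flows if f.host == host], before=start)
        verdicts[host] = "double_extortion" if host in prior else "encryption"
    for host in exfil_candidates(flows):
        verdicts.setdefault(host, "exfil_only")
    return verdicts

# Constructed sample telemetry (not real data).
T0 = datetime(2023, 10, 2, 3, 0, 0)
SAMPLE_FILE_EVENTS = (
    # LOANS-WS07: 30 loan documents rewritten as ".locked" within one minute
    [FileEvent(T0 + timedelta(seconds=2 * i), "LOANS-WS07",
               f"/share/loans/app_{i}.pdf.locked", 7.9) for i in range(30)]
    # TELLER-WS02: same pattern on 25 files, but no prior exfiltration
    + [FileEvent(T0 + timedelta(minutes=10, seconds=3 * i), "TELLER-WS02",
                 f"/share/teller/day_{i}.xlsx.crypt", 7.8) for i in range(25)]
    # HR-WS11: a few ordinary Office saves (high entropy, known extension)
    + [FileEvent(T0 + timedelta(minutes=i), "HR-WS11",
                 f"/share/hr/report_{i}.docx", 7.8) for i in range(5)]
)
SAMPLE_FLOWS = [
    # LOANS-WS07 pushed about 600 MB to an outside host hours before encrypting
    FlowRecord(T0 - timedelta(hours=6), "LOANS-WS07", "198.51.100.23", 350 * MB),
    FlowRecord(T0 - timedelta(hours=5), "LOANS-WS07", "198.51.100.23", 250 * MB),
    # BACKUP-01: nightly dump to the allowlisted offsite target, not exfiltration
    FlowRecord(T0 - timedelta(hours=2), "BACKUP-01", "203.0.113.10", 2048 * MB),
    # TELLER-WS02: browsing-scale traffic only
    FlowRecord(T0 - timedelta(hours=1), "TELLER-WS02", "198.51.100.77", 4 * MB),
]
```

Running `classify(SAMPLE_FILE_EVENTS, SAMPLE_FLOWS)` labels LOANS-WS07 as double extortion (bulk transfer, then a burst of encrypted writes), TELLER-WS02 as encryption only, and leaves HR-WS11 and the backup server alone. The point of the allowlist and the extension check is to keep the bank's own bulk backups and compressed Office documents, both of which look like "high entropy, lots of bytes", from drowning the real signal; an exfil-only verdict is the one worth acting on fastest, because at that stage the data is gone but the backups are still intact.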

Protective measures

To minimize the risks associated with ransomware attacks, community banks should follow industry practices recommended by the Federal Financial Institutions Examination Council (FFIEC) and other federal banking agencies. These include:

  • Regularly assessing the bank’s exposure to ransomware risks and patching any vulnerabilities,
  • Educating employees about the risks of ransomware and training them on identifying and reporting potential attacks,
  • Inventorying hardware, software, connections and data, with programs in place that identify vulnerabilities,
  • Implementing backup systems designed to protect data from cybercriminals,
  • Segmenting networks to limit a cybercriminal’s access within the system if a breach occurs,
  • Managing third-party risks that expose the bank to ransomware attacks,
  • Implementing email filtering processes that identify malicious messages and prevent them from reaching end users, and
  • Restricting the use of employees’ personal devices on the bank’s network.
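The email filtering item in the list above is the one most banks can act on with their own tooling. The scorer below is an added example, not code from the FFIEC or any mail security product: it applies a handful of well-known indicators (failed SPF/DKIM/DMARC results, a sender domain that is a near-miss of the bank's own, a display name that claims the bank while the address does not, a Reply-To pointing elsewhere, risky attachment types, and links whose visible text names one host while the href goes to another) and returns a verdict. The bank domain, the thresholds and both sample messages are constructed for the example.

```python
"""Score an inbound message for phishing indicators before it reaches staff.
Constructed example: the bank's domain and the sample messages are made up."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.test"   # assumed: the bank's own mail domain
RISKY_EXTENSIONS = {"exe", "js", "vbs", "hta", "lnk", "iso", "scr", "docm", "xlsm"}
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss spellings of the bank's domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike(domain: str) -> bool:
    """True for a near-miss of the bank's domain, or for the bank's name reused
    inside an unrelated domain (e.g. examplebank.test.mail-verify.example)."""
    if not domain or domain == BANK_DOMAIN:
        return False
    return levenshtein(domain, BANK_DOMAIN) <= 2 or BANK_DOMAIN.split(".")[0] in domain

def link_mismatches(html: str) -> list:
    """Links whose visible text names one host while the href goes elsewhere."""
    found = []
    for href, text in LINK_RE.findall(html):
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text).strip().lower())
        target = (urlparse(href).hostname or "").lower()
        if shown and target != shown.group(1) and not target.endswith("." + shown.group(1)):
            found.append(f"link text shows {shown.group(1)} but points to {target}")
    return found

def score_message(raw: bytes):
    """Return (score, verdict, hits) for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    auth = str(msg.get("Authentication-Results") or "").lower()
    hits += [f"{m} failed" for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if lookalike(from_dom):
        hits.append(f"sender domain {from_dom} imitates {BANK_DOMAIN}")
    if from_dom != BANK_DOMAIN and BANK_DOMAIN.split(".")[0] in display.lower().replace(" ", ""):
        hits.append("display name claims the bank but the address does not")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        hits.append("Reply-To domain differs from From domain")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            hits.append(f"risky attachment {name}")
        if part.get_content_type() == "text/html":
            hits += link_mismatches(part.get_content())
    score = len(hits)
    verdict = "quarantine" if score >= 3 else "flag" if score else "deliver"
    return score, verdict, hits

# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""From: "Example Bank IT Support" <helpdesk@examp1ebank.test>
Reply-To: recover@mail-verify.example
To: teller@examplebank.test
Subject: Action required: password reset
Authentication-Results: mx.examplebank.test; spf=fail smtp.mailfrom=examp1ebank.test; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>Your password expires today. Sign in at
<a href="https://examplebank.test.mail-verify.example/reset">https://examplebank.test/reset</a></body></html>
"""

SAMPLE_LEGIT = b"""From: "Core Vendor Support" <support@corevendor.example>
To: ops@examplebank.test
Subject: Maintenance window
Authentication-Results: mx.examplebank.test; spf=pass smtp.mailfrom=corevendor.example; dkim=pass header.d=corevendor.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Scheduled maintenance Saturday 02:00-04:00 UTC.
"""
```

`score_message(SAMPLE_PHISH)` collects six hits and returns a quarantine verdict; `score_message(SAMPLE_LEGIT)` scores zero and is delivered. Each hit is a human-readable reason, which matters in practice: the same strings can be shown to the employee who reports a suspicious message and logged for the incident response team, which supports the training and reporting items in the list above rather than silently dropping mail.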

Be aware that paying a ransom may result in sanctions violations if the cybercriminal is listed by the Office of Foreign Assets Control (OFAC) as a known or suspected terrorist or terrorist organization. Reporting ransomware demands promptly to the federal authorities can help mitigate this sanctions exposure. Banks also may need to file Suspicious Activity Reports (SARs) in connection with ransomware payments.

Another critical tool for defending your bank against cyberattacks is a program of regular system vulnerability assessments and penetration tests. Vulnerability assessments involve scanning all internal and external networks to identify security flaws or weaknesses. Penetration testing — a form of “ethical hacking” — involves the intentional launching of simulated cyberattacks to identify any vulnerabilities that can be exploited to compromise the bank’s systems or data. It can also be used to test the bank’s security policies, employees’ security awareness, and the bank’s ability to flag and respond to security issues as they happen.

Typically, vulnerability assessments should be conducted twice a year and penetration testing should be done annually. But the appropriate frequency of testing depends on your bank’s circumstances and resources.

Have a plan

As cyber risks continue to mount, your bank needs a comprehensive cybersecurity plan that reduces risks and minimizes damages should they occur. It should include an incident response protocol for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing customer assistance, and reporting the incident to the relevant federal banking regulator within 36 hours.
