Financial Institutions and Banking Milan, TN

What’s Your Bank’s Plan to Counter Ransomware Attacks?

Cybersecurity continues to be a key risk that businesses face today, and banking is among the industries most affected by cyberattacks. Some experts estimate that around a quarter of all malware attacks target financial institutions. Of particular concern are ransomware attacks, which have increased dramatically in the past couple of years.

The threat of ransomware is so serious that the National Institute of Standards and Technology (NIST) — developer of a widely used cybersecurity framework — recently published a draft Cybersecurity Framework Profile for Ransomware Risk Management (the Ransomware Profile).

Ransomware and risk management

Ransomware is a type of malware that encrypts an organization’s data. Once the malware has infected a system, the attackers demand payment in exchange for the key needed to decrypt the data. In some cases, they also steal the organization’s information before encrypting it and demand additional payment to avoid disclosure of that information to regulators, competitors or the public; in that situation, restoring from backups alone does not end the extortion.

The Ransomware Profile outlines several basic preventive steps organizations can take to protect themselves against the ransomware threat, including:

  • Use antivirus software at all times,
  • Keep computers updated with the latest security patches,
  • Segment internal networks to prevent malware from proliferating among potential target systems,
  • Continuously monitor for indicators of compromise or active attack,
  • Block access to potentially malicious web resources,
  • Allow only authorized apps, and avoid use of personal apps — such as email, chat and social media — on work computers,
  • Use standard user accounts, rather than accounts with administrative privileges, whenever possible,
  • Restrict personally owned devices on work networks,
  • Educate employees about social engineering (for example, to not open files or click on links from unknown sources without scanning for viruses or taking other precautions), and
  • Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the appropriate access.
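The “continuously monitor for indicators of compromise or active attack” step is the one most often left abstract. Below is an added example, not from the newsletter or from NIST, of the kind of detection logic a bank’s security team would run over file-system audit events: it flags a process that touches an unusual number of distinct files within a short window, writes files with an extension associated with encryption, or drops a file whose name looks like a ransom note. The event format, the thresholds, the extension list and the note-name pattern are all assumptions for the example, and the log lines are constructed, not real.

```python
"""Added example: flag file-system activity that looks like ransomware encryption.

The audit-event format, thresholds, suspicious-extension list and ransom-note
name pattern are assumptions for this example; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)
WINDOW = timedelta(seconds=60)        # sliding window per process (assumed)
BURST_THRESHOLD = 20                  # distinct files touched within WINDOW (assumed)
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}   # assumed list
NOTE_RE = re.compile(r"(readme|decrypt|how_to|restore)", re.IGNORECASE)  # heuristic

# Constructed sample: a user saving one document, then an unknown process
# renaming 25 loan files to a new extension within seconds and dropping a note.
SAMPLE_LOG = [
    "2022-05-02T09:14:01Z pid=4120 proc=WINWORD.EXE op=WRITE path=C:\\Users\\jdoe\\Documents\\memo.docx",
    "2022-05-02T09:14:03Z pid=4120 proc=WINWORD.EXE op=WRITE path=C:\\Users\\jdoe\\Documents\\memo.docx",
] + [
    f"2022-05-02T09:20:{i:02d}Z pid=7733 proc=update.exe op=RENAME "
    f"path=C:\\Shares\\loans\\app_{i:03d}.pdf.locked"
    for i in range(25)
] + [
    "2022-05-02T09:20:30Z pid=7733 proc=update.exe op=CREATE path=C:\\Shares\\loans\\README_DECRYPT.txt",
]


def parse(line):
    """Parse one audit line into a dict, or return None for lines we don't understand."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return a list of (pid, proc, reason) alerts; one alert per process per reason."""
    recent = defaultdict(deque)   # pid -> deque of (ts, path) seen within WINDOW
    alerts, seen = [], set()

    def alert(ev, reason):
        key = (ev["pid"], reason)
        if key not in seen:
            seen.add(key)
            alerts.append((ev["pid"], ev["proc"], reason))

    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ("WRITE", "RENAME", "CREATE"):
            continue
        name = ev["path"].rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

        # Indicator 1: a file written or renamed to an extension used by encryptors.
        if ext in SUSPICIOUS_EXTS:
            alert(ev, "write to suspicious extension")

        # Indicator 2: a newly created text/HTML file named like a ransom note.
        if ev["op"] == "CREATE" and ext in (".txt", ".html", ".hta") and NOTE_RE.search(name):
            alert(ev, "possible ransom note")

        # Indicator 3: one process touching many distinct files in a short window.
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if len({p for _, p in q}) >= BURST_THRESHOLD:
            alert(ev, "file modification burst")
    return alerts


if __name__ == "__main__":
    for pid, proc, reason in detect(SAMPLE_LOG):
        print(f"ALERT pid={pid} proc={proc}: {reason}")
```

The burst rule is the most portable of the three, because it does not depend on knowing the current extension or note name in advance; the thresholds would be tuned against a baseline of normal activity (for example, backup agents and indexers legitimately touch many files) before being used to trigger automatic isolation of a host.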

Organizations also should take steps that will help them recover from future ransomware events, including developing and implementing rigorous backup and incident recovery plans.

Backup strategies and incident response plans

Simply keeping backups of data isn’t enough. Any significant gaps in recoverable data or delays in restoring systems can be devastating for banks. So, banks must back up critical data at least daily, test restores regularly and periodically validate that the backups are complete and readable. Also, at least one backup copy should be kept offline, or otherwise isolated from production networks and credentials, so that ransomware that reaches production systems cannot encrypt or delete the backups as well.
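“Test and validate” backups has a concrete form: record a cryptographic fingerprint of every file when the backup is taken, store that manifest with the offline copy, and check a trial restore against it. The following is an added example of such a restore drill, not code from the newsletter or from any backup product. The directory layout, file contents and the simulated damage (one file overwritten with ciphertext-like bytes, one deleted) are constructed for the example.

```python
"""Added example: hash manifest at backup time, verification at restore time.

The file tree, contents and simulated damage are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        manifest[p.relative_to(root).as_posix()] = {
            "sha256": h.hexdigest(),
            "size": p.stat().st_size,
        }
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(
        k for k in manifest
        if k in current and current[k]["sha256"] != manifest[k]["sha256"]
    )
    return {
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "ok": not (missing or modified),
    }


def demo() -> dict:
    """Constructed drill: back up a small tree, then verify a clean restore
    and a restore in which ransomware reached the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "core").mkdir(parents=True)
        (src / "core" / "accounts.db").write_bytes(b"ACCOUNTS v1 " + bytes(range(256)))
        (src / "core" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes.txt").write_text("quarter-end checklist\n")

        # Persist the manifest the way a backup job would (here: a JSON round trip).
        # In practice it travels with the offline copy, or is signed, so an
        # attacker who alters the backup cannot also alter the fingerprints.
        manifest = json.loads(json.dumps(build_manifest(src)))

        clean = Path(tmp, "restore_clean")
        shutil.copytree(src, clean)

        tampered = Path(tmp, "restore_tampered")
        shutil.copytree(src, tampered)
        # Simulated damage: one file encrypted in place, one file deleted.
        (tampered / "core" / "ledger.csv").write_bytes(b"\x8f\x00\x17\xa2 not a csv")
        (tampered / "notes.txt").unlink()

        return {
            "clean": verify_restore(clean, manifest),
            "tampered": verify_restore(tampered, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore that reports `ok: False` is exactly the result a drill exists to surface before an incident; the same manifest comparison run on a schedule against the offline copy itself catches silent corruption or an attacker who reached the backup target.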

A well-designed backup strategy is worthless, however, without a solid incident response plan. This critical step helps banks restore systems quickly and minimize downtime in the event of a ransomware or other attack. A cyberattack is highly stressful. So, to avoid a paralyzing panic, your response plan should provide step-by-step instructions on who does what and when, including who decides whether to isolate systems and who contacts regulators, law enforcement, insurers and customers. The plan, and the contact details needed to invoke it, also should be kept offline (for example, in printed form) to ensure that it’s accessible if your systems aren’t.

Be prepared

All banks should have a comprehensive cybersecurity plan to prevent ransomware and other cyberattacks and to minimize damages should an attack occur. If your bank doesn’t have a plan or you’re unsure whether your plan provides the protection you need, contact one of our industry leaders about conducting a cybersecurity risk assessment with ATA Secure.

© 2022

Bank Wire

CAA provides COVID-19 relief for banks

The Consolidated Appropriations Act (CAA), passed in late December 2020, contains a variety of COVID-19 relief provisions, including a second round of stimulus payments to individuals, enhanced unemployment benefits, and expansion of the Paycheck Protection Program (PPP). The act also offers some bank-specific relief. For example, it:

  • Delays the compliance deadline for the current expected credit loss (CECL) accounting standard until the earlier of 1) the first day of the bank’s fiscal year that begins after termination of the COVID-19 public health emergency, or 2) January 1, 2022; and
  • Extends the time during which banks may elect to temporarily suspend troubled debt restructuring (TDR) accounting for certain COVID-19-related loan modifications until the earlier of 1) 60 days after the public health emergency ends, or 2) January 1, 2022.

It also establishes a $9 billion fund to provide low-cost, long-term capital investments to qualifying banks. To qualify, they need to be community development financial institutions or minority depository institutions.

SBA guidance on PPP loans

After the CAA authorized “second-draw” forgivable PPP loans, the Small Business Administration (SBA) and Treasury Department issued rules for these loans. Among other things, the rules clarify that: the SBA will guarantee 100% of second-draw loans; no collateral or personal guarantees will be required; the interest rate will be 1%, calculated on a noncompounding, nonadjustable basis; maturity will be five years; and all loans will be processed by lenders under delegated authority.

Lenders may rely on borrower certifications to determine the borrower’s eligibility and use of loan proceeds. (Note: The borrower must substantiate compliance with eligibility requirements by the time they submit a forgiveness application.)

Simplified PPP forgiveness application

The CAA simplifies the forgiveness application for businesses that borrow less than $150,000. These borrowers will submit a one-page application that includes the total loan value, the estimated portion of the loan spent on payroll, and the number of employees retained as a result.

Fintech partnership guide

Community banks are increasingly partnering with “fintech” companies to offer their customers access to the latest banking technology tools. But these partnerships are fraught with practical and regulatory compliance challenges. Recently, a member of the Federal Reserve Board announced that the Fed would work with other banking agencies to develop a fintech vendor due diligence guide for community banks as well as enhanced interagency guidance for third-party risk management. This guidance is expected to “eliminate the need for community banks to navigate multiple supervisory guidance documents on the same issue” and “enhance clarity on supervisory expectations for community bank partnerships with fintech companies.”

Online Account Opening: Managing the Risk

In recent years, banking customers have increasingly relied on electronic banking tools to open accounts, make deposits, transfer funds and otherwise manage their money — and the COVID-19 pandemic has accelerated this trend. All of these activities increase an institution’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance risks, particularly the opening of online accounts. So, while offering these conveniences can be attractive to current and prospective customers, you’ll need to implement policies, procedures and controls to mitigate the risk.

Recognizing risk factors

In its BSA/AML Manual, the Federal Financial Institutions Examination Council (FFIEC) emphasizes that accounts opened online — that is, without face-to-face contact — pose a greater risk for money laundering and terrorist financing because:

  • It’s more difficult to positively verify the applicant’s identity,
  • The customer may be outside the bank’s targeted geographic area or country,
  • Customers — particularly those with ill intent — may view online transactions as less transparent,
  • Transactions are instantaneous, and
  • Online accounts may be used by a “front” company or unknown third party.

In light of this enhanced risk, the FFIEC cautions banks to consider how an account was opened as a factor in determining the appropriate level of account monitoring.

Minimizing risks

To reduce the risks associated with online account opening, banks should develop an effective customer identification program (CIP) and ongoing customer due diligence (CDD) processes as part of a robust, risk-based BSA/AML compliance strategy.

To comply with CIP requirements, an individual opening an account must provide, at a minimum, his or her name, date of birth, address and taxpayer identification number (or other acceptable identification number for non-U.S. persons). In addition, if an account is opened for a legal entity — such as a corporation, partnership or LLC — the bank must verify the identities of the entity’s beneficial owners.

Verifying applicants’ identities

A significant challenge in electronic banking is verifying the identity of someone opening an account online (including a person opening an account on behalf of a legal entity). For in-person transactions, bank personnel often examine identification documents, such as driver’s licenses or passports, but this may not be possible for accounts opened online.

For online transactions, banks should develop reliable nondocumentary methods of verifying an individual’s identity. These may include comparing the information provided at account opening with information from a credit reporting agency, public database or other source. They also may include contacting the person (for example, calling them at work or sending them a piece of mail they must respond to), checking references with other financial institutions, obtaining a financial statement, or asking “out of wallet” questions, such as previous addresses, former employers or mortgage loan amounts.

The bank should develop alternate or backup verification methods for situations in which one of these methods fails. For example, if there’s an identification mismatch, the applicant may be required to bring identification in person to a bank branch.

In addition, as with accounts opened in person, the bank should check the person’s name against lists of known or suspected terrorists or terrorist organizations maintained by the Office of Foreign Assets Control. It’s also a good idea, for ongoing monitoring and CDD purposes, to collect information about the purpose of the account, the occupations of the account owners and the source of funds.

Due diligence

After an account is opened online and the applicant’s identity is verified, you’ll want to conduct ongoing customer due diligence. That means, among other things, monitoring account activity for unusual or suspicious activities.

Should your bank use third-party vendors?

In the uncertain economy resulting from the COVID-19 pandemic, community banks continue to streamline operations, improve efficiency and eliminate waste so that they can survive — and thrive. To help in this process, they’re increasingly turning to outside vendors to provide specialized services beyond the bank’s usual offerings. If your bank uses third-party vendors, though, you need to be aware of the ins and outs.

Evaluate liability

Outsourcing to a third party doesn’t relieve a bank from responsibility and legal liability for compliance or consumer protection issues. And as banks and vendors increasingly rely on evolving technologies to deliver products and services, their exposure to ever-changing cybersecurity risks demands constant vigilance.

Even if you have a solid vendor risk management program in place, you’ll need to review it periodically. Banking regulators expect your program to be “risk-based” — that is, the level of oversight and controls should be commensurate with the level of risk an outsourcing activity entails. But here’s an important caveat: That risk can change over time. Some vendors, such as appraisal and loan collection companies, have traditionally been viewed as relatively low risk. But in today’s increasingly cloud-based world, any vendor with access to your IT network or sensitive nonpublic customer data poses a substantial risk.

Assess risk

Here are some ways to review your vendor risk management program:

Conduct a risk assessment. Determine whether outsourcing a particular activity is consistent with your strategic plan. Evaluate the benefits and risks of outsourcing that activity as well as the service provider risk. This assessment should be updated periodically.

Generally, examiners expect a bank’s vendor management policies to be appropriate in light of the institution’s size and complexity. They also expect more rigorous oversight of critical activities, such as payments, clearing, settlements, custody, IT or other activities that could have a significant impact on customers — or could cause significant harm to the bank if the vendor fails to perform.

Thoroughly vet your service providers. Review each provider’s business background, reputation and strategy, financial performance, operations, and internal controls. The depth and formality of due diligence depends on the risks associated with the outsourcing relationship and your familiarity with the vendor. If your agreement allows the provider to outsource some or all of its services to subcontractors, be sure that the provider has properly vetted each subcontractor. The same contractual provisions must apply to subcontractors, and the provider should be contractually accountable for the subcontractor’s services.

Diversify vendors. Using a single vendor may provide cost savings and simplify the oversight process, but diversification of vendors can significantly reduce your outsourcing risks, particularly if a vendor has an especially long disaster recovery timeframe.

Ensure contracts clearly define the parties’ rights and responsibilities. In addition to costs, deliverables, service levels, termination, dispute resolution and other terms of the outsourcing relationship, key provisions include compliance with applicable laws, regulations and regulatory guidance; information security; cybersecurity; ability to subcontract services; right to audit; establishment and monitoring of performance standards; confidentiality (in the case of access to sensitive information); ownership of intellectual property; insurance, indemnification and business continuity; and disaster recovery.

Review vendors’ disaster recovery and business continuity plans. Be sure that these plans align with your own and are reviewed at least annually, and that vendors have the ability to implement their plans if necessary.

Monitor vendor performance. Monitor vendors to ensure they’re delivering the expected quality and quantity of services and to assess their financial strength and security controls. It’s particularly important to closely monitor and control external network connections, given the potential cybersecurity risks: give each vendor its own credentials with only the access it needs, and log and review every remote session, so that a compromised vendor cannot become a quiet path into the bank’s network.

Conduct independent reviews. Banking regulators recommend periodic independent reviews of your risk management processes to help you assess whether they align with the bank’s strategy and effectively manage risks posed by third-party relationships. The frequency of these reviews depends on the vendor’s risk-level assessment, and they may be conducted by the bank’s internal auditor or an independent third party. The results should be reported to the board of directors.

Stay aware

Having a robust vendor risk management program in place at your bank is the key to benefiting from vendors’ specialized skills and abilities while avoiding legal and regulatory problems. We can help you stay on top of the latest regulations and rules pertaining to third-party vendor use.

Bank Stress Tests – Two Approaches, Four Methods

Should you be stress testing your borrowers?

Most banks are familiar with the concept of stress testing: By evaluating the impact of adverse external events on a bank’s earnings, capital adequacy and other financial measures, stress testing can be a highly effective risk management tool. And while community banks generally aren’t required to conduct stress testing, banking regulators view it as a best practice.

For example, Office of the Comptroller of the Currency (OCC) guidance considers “some form of stress testing or sensitivity analysis of loan portfolios on at least an annual basis to be a key part of sound risk management for community banks.” Stress testing is often performed at the enterprise, or portfolio, level. However, testing at the individual loan level — beginning during the underwriting process — can be a powerful technique for revealing hidden risks.

Two approaches, four methods

Stress testing generally involves scenario analysis. This consists of applying historical or hypothetical scenarios to predict the financial impact of various events, such as a severe recession, loss of a major client or a localized economic downturn. Tools for performing such tests can range from simple spreadsheet programs to sophisticated computer models.

The OCC’s guidance doesn’t prescribe any particular methods of stress testing. It describes two basic approaches to stress testing: “bottom up” and “top down.” A bottom-up approach generally involves conducting stress tests at the individual loan level and aggregating the results. In contrast, a top-down approach applies estimated stress loss rates under various scenarios to pools of loans with similar risk characteristics.

The guidance outlines four methods to consider:

  1. Transaction level stress testing. This estimates potential losses at the loan level by assessing the impact of changing economic conditions on a borrower’s ability to service debt.
  2. Portfolio level stress testing. This method helps identify current and emerging loan portfolio risks and vulnerabilities (and their potential impact on earnings and capital) by assessing the impact of changing economic conditions on borrower performance, identifying credit concentrations and gauging the resulting change in overall portfolio credit quality.
  3. Enterprisewide stress testing. This considers various types of risk — such as credit risk within loan and security portfolios, counterparty credit risk, interest rate risk and liquidity risk — and their interrelated effects on the overall financial impact under a given economic scenario.
  4. Reverse stress testing. This approach assumes a specific adverse outcome, such as credit losses severe enough to result in failure to meet regulatory capital ratios. It then works backward to deduce the types of events that could produce such an outcome.

The right approach and method for a particular bank depends on its portfolio risk and complexity, as well as its resources. Even a simple stress-testing approach can produce positive results. (See “Canada’s mortgage stress-testing law.”)

Stress testing and the underwriting process

A bottom-up approach at the transaction level may offer a significant advantage: In addition to assessing the potential impact of various scenarios on a bank’s earnings and capital, it can, according to the OCC, help the bank “gauge a borrower’s vulnerability to default and loss, foster early problem loan identification and strategic decision making, and strengthen strategic decisions about key loans.”

For example, when evaluating a loan application, consider gathering information on the various risks the borrower faces — including operational, financial, compliance, strategic and reputational risks. This information can be used to run stress tests that measure the potential impact of various risk-related scenarios on the borrower’s ability to pay. An added benefit of this process is that, by discussing identified risks and stress test results with borrowers, you can help them understand their risks and develop strategies for managing and mitigating them, such as tightening internal controls, developing business continuity / disaster recovery plans or purchasing insurance.

A powerful tool

Stress testing is an important part of a community bank’s risk management process. It can also be a powerful tool for evaluating loan applications and revealing hidden vulnerabilities that may jeopardize potential borrowers’ ability to pay down the road.

Sidebar: Canada’s mortgage stress-testing law

Canada takes an interesting approach to evaluating mortgage loans. Under a law that took effect in 2018, federally regulated banks are required to “stress test” all mortgage applicants. To pass the stress test, an applicant must qualify for a loan at the contractual interest rate plus 2% or at the Bank of Canada’s five-year benchmark rate (5.19% at press time), whichever is higher. So, for example, a borrower applying for a 3.75% mortgage would have to qualify for a mortgage at 5.75%. The rule doesn’t apply to borrowers who are renewing a mortgage with the same lender.

The idea behind the law is that requiring borrowers to qualify at a higher rate than they’re actually paying prevents them from overextending themselves. And since the law took effect, delinquency rates are down. But the law is also controversial because, among other things, it reduces purchasing power for many homebuyers and the benchmark rate is susceptible to manipulation by the largest banks.

© 2020
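To make the transaction-level method (method 1 above) and the sidebar’s qualifying-rate rule concrete, here is an added example of a single-loan stress test; it is not from the newsletter or from OCC guidance. It shocks the interest rate and the borrower’s income together and reports the resulting debt-service coverage. The amortization formula is the standard one; the borrower figures, the size of the shocks and the 1.20x coverage floor are constructed assumptions for illustration, and the income figure is treated as the cash available for debt service.

```python
"""Added example: a loan-level (transaction-level) stress test.

Borrower figures, shock sizes and the coverage floor are assumptions for
illustration; the amortization formula is standard.
"""


def monthly_payment(principal: float, annual_rate: float, years: int) -> float:
    """Level monthly payment on a fully amortizing loan."""
    r = annual_rate / 12
    n = years * 12
    if r == 0:
        return principal / n
    return principal * r / (1 - (1 + r) ** -n)


def qualifying_rate(contract_rate: float, benchmark_rate: float) -> float:
    """Sidebar rule: qualify at the greater of contract rate + 2 points or the benchmark."""
    return max(contract_rate + 0.02, benchmark_rate)


def stress_test(principal: float, contract_rate: float, years: int,
                annual_income_for_debt_service: float,
                rate_shock: float = 0.02, income_shock: float = 0.30,
                coverage_floor: float = 1.20) -> dict:
    """Compare debt-service coverage at the contract terms with coverage after
    a rate rise and an income decline applied together (one simple scenario).

    DSCR here = monthly cash available for debt service / monthly payment.
    """
    base_payment = monthly_payment(principal, contract_rate, years)
    stressed_payment = monthly_payment(principal, contract_rate + rate_shock, years)
    base_income = annual_income_for_debt_service / 12
    stressed_income = base_income * (1 - income_shock)
    base_dscr = base_income / base_payment
    stressed_dscr = stressed_income / stressed_payment
    return {
        "base_payment": round(base_payment, 2),
        "stressed_payment": round(stressed_payment, 2),
        "base_dscr": round(base_dscr, 2),
        "stressed_dscr": round(stressed_dscr, 2),
        "passes": stressed_dscr >= coverage_floor,
    }


if __name__ == "__main__":
    # Constructed borrower: $500,000 over 25 years at 3.75%, $60,000 a year
    # available for debt service. Comfortable at contract terms, below the
    # floor once rates rise 2 points and income falls 30%.
    print(stress_test(500_000, 0.0375, 25, 60_000))
    # Sidebar example: 3.75% contract rate against a 5.19% benchmark -> 5.75%.
    print(f"{qualifying_rate(0.0375, 0.0519):.4f}")
```

Running the same function over every loan in a portfolio and summing the shortfalls is the “aggregate the results” step of the bottom-up approach described above; the scenario (here a 2-point rate rise with a 30% income decline) is what the bank varies, and reverse stress testing simply asks how large the shock must be before the coverage floor is breached.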