Financial Institutions and Banking

Bank Wire

Crypto-assets: Handle with care

In January 2023, the federal banking agencies published “Joint Statement on Crypto-Asset Risks to Banking Organizations.” The statement cautions banks to be aware of — and, if applicable, mitigate — the risks associated with crypto-assets. According to the statement, these risks include:

  • Fraud and scams,
  • Legal uncertainties regarding custody practices, redemptions and ownership rights,
  • Inaccurate or misleading representations or disclosures, including misrepresentations regarding FDIC coverage,
  • Significant volatility, including potential impacts on deposit flows,
  • Stablecoins’ susceptibility to run risk,
  • Contagion risk resulting from interconnections among crypto-asset participants,
  • Lack of mature, robust risk management and governance practices in the crypto-asset sector, and
  • Heightened risks associated with open, public or decentralized networks (for example, lack of governance mechanisms, absence of contracts, or standards to clearly establish roles, responsibilities and liabilities).

The statement instructs banks to “ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations,” including consumer protection laws. Notably, the statement opines that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.”

Be prepared to report computer security incidents

As concerns over cybersecurity intensify, banks should be prepared to report computer security incidents to federal regulators quickly. Under a rule that took effect last spring, banks must report computer security incidents that rise to the level of a “notification incident” within 36 hours. The rule defines “computer security incident” as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” These incidents aren’t limited to cyberattacks — they also can result from hardware or software failures, human error or other nonmalicious causes.

A computer security incident is deemed to be a notification incident if it’s reasonably likely to materially disrupt or degrade a bank’s 1) ability to carry out banking operations, activities or processes, or deliver products and services to customers, 2) business lines whose failure would result in a material loss of revenue, profit or franchise value, or 3) operations whose failure would pose a threat to U.S. financial stability. All banks should have procedures in place for identifying notification incidents and reporting them to their primary regulators on a timely basis.

© 2023

Strengthen Your Defenses: Preparing for ransomware attacks

In October 2021, a California community bank was victimized by a ransomware attack. The hackers obtained sensitive information from the bank’s systems, including loan application forms, tax returns, W-2 information, payroll records, names, addresses and Social Security numbers. They threatened to release this information if the bank failed to negotiate.

The bank incurred significant financial costs and reputational damage associated with the attack. It also offered free credit monitoring and identity theft protection services to affected customers. This is just one of many examples of community banks that have been targeted by ransomware attacks in recent years.

Double trouble

There was a time when smaller banks reasonably believed that cybercriminals would leave them alone, because larger institutions offered a bigger payoff. Recently, however, the trend has reversed. Cybercriminals are now targeting small banks, which they believe lack the wherewithal to protect against these attacks and have less robust internal controls than larger institutions.

A new ransomware scheme involves so-called “double extortion” attacks. In a traditional ransomware attack, the cybercriminal sends a phishing email to a bank employee or other user of the bank’s systems. If the recipient clicks on the link in the email, it introduces malware that infects the bank’s system, encrypting its data. The cybercriminal demands a ransom payment in exchange for the decryption key.

In some cases, however, victims were able to quickly restore their systems from unaffected backups and thus refused to pay the ransom. To counter this, the cybercriminal in a double extortion attack also steals sensitive data and threatens to release it if the ransom isn’t paid.

Protective measures

To minimize the risks associated with ransomware attacks, community banks should follow industry practices recommended by the Federal Financial Institutions Examination Council (FFIEC) and other federal banking agencies. These include:

  • Regularly assessing the bank’s exposure to ransomware risks and patching any vulnerabilities,
  • Educating employees about the risks of ransomware and training them on identifying and reporting potential attacks,
  • Inventorying hardware, software, connections and data, with programs in place that identify vulnerabilities,
  • Implementing backup systems designed to protect data from cybercriminals,
  • Segmenting networks to limit a cybercriminal’s access within the system if a breach occurs,
  • Managing third-party risks that expose the bank to ransomware attacks,
  • Implementing email filtering processes that identify malicious messages and prevent them from reaching end users, and
  • Restricting the use of employees’ personal devices on the bank’s network.

Be aware that paying a ransom may result in sanctions if the cybercriminal is listed by the Office of Foreign Assets Control (OFAC) as a known or suspected terrorist or terrorist organization. Reporting ransomware demands promptly to the federal authorities can help mitigate these sanctions. Banks also may need to file Suspicious Activity Reports (SARs) in connection with ransomware payments.

Another critical tool for defending your bank against cyberattacks is a program of regular system vulnerability assessments and penetration tests. Vulnerability assessments involve scanning all internal and external networks to identify security flaws or weaknesses. Penetration testing — a form of “ethical hacking” — involves the intentional launching of simulated cyberattacks to identify any vulnerabilities that can be exploited to compromise the bank’s systems or data. It can also be used to test the bank’s security policies, employees’ security awareness, and the bank’s ability to flag and respond to security issues as they happen.

Typically, vulnerability assessments should be conducted twice a year and penetration testing should be done annually. But the appropriate frequency of testing depends on your bank’s circumstances and resources.

Have a plan

As cyber risks continue to mount, your bank needs a comprehensive cybersecurity plan that reduces risks and minimizes damages should they occur. It should include an incident response protocol for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing customer assistance, and reporting the incident to the relevant federal banking regulator within 36 hours.

© 2023

How To Assess and Deal With BSA/AML Risks

Over the past few years, many people have turned to electronic banking (e-banking), whether for individual or business purposes. While e-banking may be convenient, it also may increase the possibility of hidden criminal behavior. In addition, compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) laws and regulations is increasingly scrutinized by banking regulators. This puts banks in the middle of a potentially difficult — even dangerous — situation, unless they develop strategies to both assess and handle any related risks.

Get with the program

To help combat money laundering and terrorist financing, banks must develop and implement comprehensive BSA/AML programs. These programs ensure banks know their customers, monitor transactions, identify suspicious activity, and share information with the government and other financial institutions.

Federal regulators emphasize a risk-based approach to BSA/AML compliance. In other words, a bank is expected to conduct a thorough risk assessment and develop policies, procedures and processes that are adequate for its size, location, customer base, products and services.

Determine the impact

E-banking — including online account opening, ATM transactions, Internet banking transactions, remote deposit capture (RDC), telephone banking and mobile banking apps — can increase a bank’s BSA/AML risks. The lack of face-to-face contact in e-banking transactions introduces a heightened level of risk to institutions by making them vulnerable to unauthorized users accessing customer accounts. As your bank introduces new e-banking products and services, it’s imperative to evaluate their impact on your BSA/AML program.

For example, online account opening without face-to-face contact may heighten your risk because:

  • Verifying the customer’s identity is more difficult,
  • The customer may be outside the bank’s targeted geographic area,
  • The customer may perceive these transactions as less transparent, and
  • A front company or unknown third party may use the account.

To mitigate these risks, banks should ensure that their BSA/AML monitoring, identification and reporting systems are properly equipped to flag unusual and suspicious activities conducted electronically. Useful tools include ATM activity reports, funds-transfer reports, new-account-activity reports and change-of-Internet-address reports. Reports that identify related or linked accounts are particularly effective in an e-banking context. These reports reveal accounts with common addresses, phone numbers, email addresses and taxpayer identification numbers.
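
The linked-account report described above can be sketched as follows. This is an added example, not part of the original article or any vendor's product; the record layout, field names and sample values are all constructed for illustration.

```python
"""Linked-account report: group accounts that share an address, phone
number, email address or taxpayer identification number (TIN)."""
import re
from collections import defaultdict

# Constructed sample records; every value is made up for this example.
ACCOUNTS = [
    {"id": "A100", "address": "12 Oak St., Apt 4", "phone": "(555) 010-1234",
     "email": "j.doe@example.com", "tin": "900-00-0001"},
    {"id": "A101", "address": "98 Elm Road", "phone": "555.010.1234",
     "email": "jd.consulting@example.net", "tin": "900-00-0002"},
    {"id": "A102", "address": "12 OAK ST APT 4", "phone": "555-010-7777",
     "email": "shop@example.org", "tin": "900-00-0003"},
    {"id": "A103", "address": "7 Pine Ave", "phone": "555-010-8888",
     "email": "Shop@Example.org ", "tin": "900-00-0004"},
    {"id": "A104", "address": "400 Main St", "phone": "555-010-9999",
     "email": "solo@example.com", "tin": "900-00-0005"},
    # Online applications often arrive with blank fields; blanks must not link.
    {"id": "A105", "address": "", "phone": "", "email": "new@example.com",
     "tin": "900-00-0006"},
    {"id": "A106", "address": "", "phone": "", "email": "other@example.com",
     "tin": "900-00-0007"},
]


def _digits(value):
    return re.sub(r"\D", "", value)


def _address(value):
    # Lower-case, drop punctuation, collapse whitespace.
    return " ".join(re.sub(r"[^a-z0-9 ]", "", value.lower()).split())


# Formatting differences ("(555) 010-1234" vs "555.010.1234") would hide
# links, so each field is normalized before comparison.
NORMALIZERS = {
    "address": _address,
    "phone": _digits,
    "email": lambda v: v.strip().lower(),
    "tin": _digits,
}


class UnionFind:
    """Disjoint-set structure: merges accounts into linked groups."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def linked_account_report(accounts):
    """Return groups of two or more accounts joined, directly or through
    intermediate accounts, by a shared normalized attribute."""
    uf = UnionFind()
    holders = defaultdict(set)  # (field, normalized value) -> account ids
    for acct in accounts:
        uf.find(acct["id"])
        for field, normalize in NORMALIZERS.items():
            value = normalize(acct.get(field) or "")
            if value:  # skip blanks so empty fields never create a link
                holders[(field, value)].add(acct["id"])

    for ids in holders.values():
        first, *rest = sorted(ids)
        for other in rest:
            uf.union(first, other)

    groups = defaultdict(lambda: {"accounts": set(), "shared": []})
    for acct in accounts:
        groups[uf.find(acct["id"])]["accounts"].add(acct["id"])
    for key, ids in holders.items():
        if len(ids) > 1:
            groups[uf.find(next(iter(ids)))]["shared"].append(key)

    report = [
        {"accounts": sorted(g["accounts"]), "shared": sorted(g["shared"])}
        for g in groups.values() if len(g["accounts"]) > 1
    ]
    return sorted(report, key=lambda g: g["accounts"])


if __name__ == "__main__":
    for group in linked_account_report(ACCOUNTS):
        print("Linked accounts:", ", ".join(group["accounts"]))
        for field, value in group["shared"]:
            print(f"  shared {field}: {value}")
```

Because links are transitive, A101 and A103 land in the same group even though they share no attribute directly, which is the pattern a per-field duplicate check would miss.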

Additional risk-mitigating controls may include imposing limits on 1) the types and sizes of transactions that can be conducted through e-banking platforms, 2) the volume and frequency of online-initiated transactions, if allowed, and 3) online accounts to ensure they’re offered only to established customers. Banks need to develop effective and reliable methods for authenticating customers’ identities when they open accounts online (such as “out of wallet” questions that only that person can answer).

Reduce RDC risks

While RDC provides obvious benefits to customers, it exposes banks to money laundering, fraud and information security risks. For example, fraudulent, sequentially numbered or physically altered checks may be harder to detect when they’re submitted via RDC. Plus, it’s difficult for banks to control or locate RDC equipment, particularly when foreign correspondents and foreign money service businesses increasingly rely on RDC.

Inadequate controls can result in altered deposit data, duplicate deposits and other problems. Also, customers or service providers typically retain original checks or other deposit items, which may create recordkeeping, data safety and integrity issues.

Potential risk mitigation steps include:

  • Performing a comprehensive RDC risk assessment before implementation,
  • Conducting appropriate customer due diligence and enhanced due diligence,
  • Establishing risk-based parameters for RDC customer suitability, such as lists of acceptable industries and standardized underwriting criteria,
  • Comparing an RDC customer’s expected account activity to actual activity,
  • Establishing RDC transaction limits, and
  • Ensuring that RDC customers receive adequate training.

Contracts should clearly set out the relative roles, responsibilities and liabilities of the bank and its customers with respect to RDC transactions. This includes procedures for handling and disposing of original documents.

Being vigilant

Make sure your bank remains watchful for ongoing BSA/AML issues and other potential risks resulting from e-banking. There’s no going back — e-banking is here to stay. The best strategy is to ensure your bank remains fully compliant, with all appropriate processes and procedures in place.

© 2023

Should You Outsource The Internal Audit Function?

A solid internal audit program is one of the most effective tools a bank has to inspire confidence — among directors, investors, regulators, and other stakeholders — in its financial processes and reporting practices. Many banks outsource the internal audit function, in whole or in part, to take advantage of external auditors’ special skills and independence, address internal staffing shortages, and control costs. Here are some factors to consider when deciding whether to outsource this function.

Advantages of outsourcing

First and foremost, by outsourcing the internal audit, a community bank can tap a level of skill and expertise — critical in the highly regulated banking industry — that may be difficult to find or too expensive to maintain in-house. Access to this expertise is particularly beneficial for banks in smaller communities and those that want to expand their product or service offerings or enter new markets. External auditors may also have access to more sophisticated software or other audit tools that would otherwise be cost-prohibitive for a community bank.

Second, in the wake of the COVID-19 pandemic, many businesses, including banks, are facing severe labor shortages. Outsourcing the internal audit function allows them to focus on filling core positions.

Third, outsourcing can help a bank control costs. It allows the bank to set an internal audit budget that meets its needs and design a program that has more flexibility. The bank avoids the fixed labor and overhead costs associated with an internal audit staff, and it can adjust the use of outside consultants as its internal audit needs fluctuate or special projects arise.

Finally, outsourcing can help enhance auditor independence. In-house auditors who develop relationships with other bank staff may lose some objectivity — or at least the appearance of objectivity. Outsourcing also facilitates the rotation of internal auditors, something that’s difficult to do in-house.

Disadvantages of outsourcing

One potential downside is that outside consultants generally lack an insider’s in-depth knowledge about the bank’s operations, particularly when outsourced auditors are rotated frequently. The resulting learning curve may reduce the cost-effectiveness of an outsourced audit. To overcome this obstacle, some community banks outsource the internal audit function to their external auditors. Although doing so is permissible under specific circumstances, a bank should consider the potential impact on the external auditor’s independence before taking this approach.

Also, outsourcing arrangements require meticulous planning and monitoring, including a comprehensive engagement letter and regular communication. It’s critical to ensure that the parties are on the same page regarding the auditing firm’s activities, the scope of the audit and the advice provided by the auditor.

Outsourcing vs. co-sourcing

Co-sourcing can be an attractive alternative to fully outsourcing the internal audit function. As the name suggests, it involves splitting internal audit activities between internal and external auditors. This approach can take many forms, depending on the bank’s needs. A short-staffed bank might use outside auditors to supplement its staff and share various auditing tasks and responsibilities.

Co-sourcing also can be a good strategy if a bank’s internal audit staff lacks certain specialized skills. For example, if in-house staff isn’t equipped to perform specialized audits — such as information technology or Bank Secrecy Act/Anti-Money Laundering (BSA/AML) audits — the bank might engage an outside auditor to conduct those audits while its internal staff focuses on areas within its skill set.

A powerful tool

A well-designed internal audit program can be a powerful tool for evaluating a bank’s internal controls, processes, and procedures. Internal auditors also can recommend improvements and share their findings with the bank’s board of directors and other stakeholders. Whether conducted in-house, outsourced or co-sourced, an internal audit provides an opportunity for a fresh look at a bank’s operations by auditors who are independent from management.

Sidebar: Managing third-party risk

For banks that outsource or co-source the internal audit function, it’s important to recognize that doing so doesn’t absolve the bank’s board or management from responsibility for the internal audit. Nor does outsourcing relieve the bank from liability for compliance or consumer protection issues associated with outsourced activities.

Before you enter an outsourcing relationship, review the federal banking regulators’ guidance on managing third-party risk, including the Office of the Comptroller of the Currency’s “Interagency Policy Statement on the Internal Audit Function and its Outsourcing.” Failure to properly manage this risk can result in financial loss and regulatory action. It can also jeopardize your bank’s reputation.

Among other things, a bank should:

  • Conduct a risk assessment to weigh the benefits and risks, including service provider risk, of outsourcing the internal audit.
  • Exercise due diligence in vetting the provider — including an examination of its background, reputation, financial condition, internal controls, disaster recovery plans, and business continuity plans.
  • Be sure that the contract or engagement letter clearly spells out each party’s rights and responsibilities. (For example, it should provide details on performance benchmarks, information sharing, audit rights, compliance, confidentiality, and indemnification.)
  • Monitor the provider’s performance and compliance with contract terms throughout the life of the arrangement.
  • Have a contingency plan in place in the event there are any disruptions in service.

© 2023

FinCEN’s National AML/CFT Priorities Set the Tone

In June 2021, the Financial Crimes Enforcement Network (FinCEN) issued its first set of government-wide priorities (the Priorities) for anti-money laundering and countering the financing of terrorism (AML/CFT). As required by the Anti-Money Laundering Act of 2020 (AML Act), the Priorities identify and describe the most significant AML/CFT threats currently facing the United States.

FinCEN will soon issue regulations that instruct banks and other financial institutions on how to incorporate the Priorities into their risk-based AML/CFT programs. In addition, though not required by the AML Act, federal banking agencies plan to revise their Bank Secrecy Act (BSA) regulations to explain how the Priorities will be incorporated into banks’ BSA requirements.

What are the Priorities?

FinCEN developed the Priorities after consulting with various Treasury Department offices, federal and state regulators, law enforcement, and national security agencies. Pursuant to the AML Act, FinCEN will update the Priorities at least once every four years in consultation with the same government agencies. These updates will reflect new and emerging threats.

The Priorities are:

Corruption. According to FinCEN, corrupt actors often exploit vulnerabilities in the U.S. financial system to launder assets and obscure crime proceeds. Past advisories on human rights abuses enabled by corrupt foreign political figures describe typologies and red flags that can help banks identify these actors and activities.

Cybercrime. Treasury is particularly concerned about cyber-enabled financial crime, ransomware attacks and misuse of virtual assets to launder illicit proceeds. Referencing past FinCEN and Treasury advisories regarding ransomware and COVID-19-related cybercrime, the Priorities note that banks are uniquely positioned to observe suspicious activity related to cyber-enabled financial crime and other cybercrime.

Terrorist financing. International and domestic terrorists require financing to support members, fund logistics and conduct operations. So, preventing such financing is essential to U.S. counterterrorism efforts. The Priorities remind banks of existing obligations to file suspicious activity reports (SARs) on potential terrorist financing transactions, follow requirements for reporting violations that require immediate attention and comply with required sanctions programs.

Fraud. The Priorities emphasize that fraud — including bank, consumer, health care, securities and tax scams — is believed to generate the largest share of illicit proceeds in the United States. These proceeds may be laundered through a variety of methods, including transfers through accounts of offshore legal entities, accounts controlled by cyberactors and money mules. Of particular concern are business email compromise and, most recently, COVID-19-related schemes.

Transnational criminal organization activity. These organizations — which may be involved in cybercrime; drug, wildlife, human, and weapons smuggling or trafficking; intellectual property theft; and corruption — are priority threats due to the “crime-terror nexus” of their illicit activities. According to the Priorities, these organizations are increasingly relying on professional money laundering networks.

Drug trafficking organization activity. Drug trafficking organizations tend to rely on Asian professional money laundering networks that facilitate exchanges of Chinese and U.S. currency or serve as money brokers in trade-based money laundering schemes. The Priorities note a substantial increase in complex schemes involving Mexican drug trafficking organizations that launder narcotics sale proceeds through Chinese citizens residing in the United States, including the use of front companies or couriers that deposit these proceeds in the banking system.

Human trafficking and smuggling. Human trafficking and smuggling networks use various mechanisms to move illicit proceeds, including cash smuggling by individual victims and sophisticated operations involving professional money laundering networks and criminal organizations. They may establish shell companies to hide the true nature of their business. They also may receive payments through such methods as funnel accounts and trade-based money laundering schemes.

Weapons proliferation financing. The principal threat here comes from proliferation support networks. These networks include individuals and entities, such as trade brokers and front companies, that exploit the U.S. financial system to move funds used to acquire nuclear, chemical or biological weapons or to further state-sponsored weapons programs. The principal driver of proliferation financing risk in the United States is global correspondent banking, due to its central role in processing U.S. dollar transactions.

What’s next?

Banks aren’t required to take any action with respect to the Priorities until final regulations are issued. When that happens, banks will need to review and incorporate, if appropriate, these Priorities based on their broader risk-based AML/CFT programs. Although it’s not certain when regulations will be finalized, it’s a good idea for banks to begin evaluating the potential risks associated with the products and services they offer, the customers they serve and the geographic areas in which they operate.

To begin evaluating potential risks and plan for final regulations, contact Jack Matthis at

Get Ready for General Qualified Mortgage Final Rule

In April 2021, the Consumer Financial Protection Bureau (CFPB) delayed the deadline for compliance with its revised general qualified mortgage (QM) rule to October 1, 2022. But it’s a good idea for banks to start reviewing the requirements now and determine how they’ll need to update their procedures to incorporate the new rule. QMs — which avoid certain risky features and meet other requirements designed to make them safer and easier for borrowers to understand — are presumed to comply with ability-to-repay rules.

Currently, for a loan to be a QM, the borrower must have a total monthly debt-to-income ratio (including mortgage payments) of 43% or less. The revised rule greatly simplifies the definition of a QM by discarding the debt-to-income limit in favor of a price-based model. For loan applications received on or after March 1, 2021, but before October 1, 2022, lenders have the option of complying with either the current or the revised general QM loan definition. (Note: Separate rules apply to “seasoned” QMs.)

New lease accounting rules back on banks’ radar

After several delays — including a one-year postponement due to COVID-19 — the new lease accounting standard is scheduled to take effect for private companies for fiscal years beginning after December 15, 2021, and interim periods within fiscal years beginning after December 15, 2022. If your compliance efforts have been on hold, it’s time to ramp them up again. The upcoming transition to the new rules may influence current negotiations between banks and their loan customers, and banks that lease their facilities, equipment or other fixed assets should prepare for the rules’ potential impact on their balance sheets and regulatory capital. Plus, the standard’s transition approach may require banks to implement certain changes before the rules take effect.

Guide to conducting due diligence on FinTech companies

Community banks are under increasing pressure to provide their customers with digital products and services, and many banks are partnering with financial technology (FinTech) companies as a strategy for developing innovative, customized, cost-effective solutions. These partnerships can be complex ventures that involve a variety of risks, so thorough due diligence is critical. To assist banks with these efforts, federal banking agencies have published “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.”

The due diligence practices described in the guide are voluntary and don’t establish any new risk-management requirements. But they provide valuable guidance on what community banks should be looking for when they evaluate potential FinTech providers in six areas: 1) business experience and qualifications, 2) financial condition, 3) legal and regulatory compliance, 4) risk management and controls, 5) information security, and 6) operational resilience.

For more guidance regarding your bank’s compliance, contact Jack Matthis at

© 2022

Financial Institutions and Banking Milan, TN

What’s Your Bank’s Plan to Counter Ransomware Attacks?

Cybersecurity continues to be a key risk that businesses face today, and banking is among the industries most affected by cyberattacks. Some experts estimate that around a quarter of all malware attacks target financial institutions. Of particular concern are ransomware attacks, which have increased dramatically in the past couple of years.

The threat of ransomware is so serious that the National Institute of Standards and Technology (NIST) — developer of a widely used cybersecurity framework — recently published a draft Cybersecurity Framework Profile for Ransomware Risk Management (the Ransomware Profile).

Ransomware and risk management

Ransomware is a type of malware that encrypts an organization’s data. Once malware has infected a system, the attackers demand payment in exchange for the decryption key that unlocks the data. In some cases, they may also steal an organization’s information and demand additional payment to avoid disclosure of that information to authorities, competitors or the public.

The Ransomware Profile outlines several basic preventive steps organizations can take to protect themselves against the ransomware threat, including:

  • Use antivirus software at all times,
  • Keep computers updated with the latest security patches,
  • Segment internal networks to prevent malware from proliferating among potential target systems,
  • Continuously monitor for indicators of compromise or active attack,
  • Block access to potentially malicious web resources,
  • Allow only authorized apps, and avoid use of personal apps — such as email, chat and social media — on work computers,
  • Use standard user accounts, rather than accounts with administrative privileges, whenever possible,
  • Restrict personally owned devices on work networks,
  • Educate employees about social engineering (for example, to not open files or click on links from unknown sources without scanning for viruses or taking other precautions), and
  • Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the appropriate access.

Organizations also should take steps that will help them recover from future ransomware events, including developing and implementing rigorous backup and incident recovery plans.

Backup strategies and incident response plans

Simply keeping backups of data isn’t enough. Any significant gaps in recoverable data or delays in restoring systems can be devastating for banks. So, they must back up data daily and test and periodically validate the backups. Also, banks should store backups offline so that a ransomware attack can’t reach them.

A well-designed backup strategy is worthless, however, without a solid incident response plan. This critical step helps banks restore systems quickly and minimize downtime in the event of a ransomware or other attack. A cyberattack is highly stressful. So, to avoid a paralyzing panic, your response plan should provide step-by-step instructions on who does what and when. The plan also should be kept offline to ensure that it’s accessible if your systems aren’t.

Be prepared

All banks should have a comprehensive cybersecurity plan to prevent ransomware and other cyberattacks and to minimize damages should an attack occur. If your bank doesn’t have a plan or you’re unsure whether your plan provides the protection you need, contact one of our industry leaders about conducting a cybersecurity risk assessment with ATA Secure.

© 2022

Financial Institutions and Banking Helpful Articles

Keeping Branch Banking Profitable in the Digital Age

The COVID-19 pandemic has led to an increase in online banking; however, the transition to virtual banking was already well underway. As community banks look to the future, they need to re-imagine branch banking for the digital age. This means strengthening what’s working and getting rid of what isn’t. Direct banking at branches can still be vital to community banks’ financial health as long as they measure branch performance and correct as necessary.

Customer location

A significant challenge in measuring branch performance is assigning customers to particular locations. Traditional measures (such as new accounts opened or teller activity) no longer suffice. Just because a customer opened an account at a branch doesn’t necessarily mean that account should count toward the branch’s performance.

What if the customer relocated? What if he or she uses more than one branch? What if the customer does everything online and doesn’t visit branches at all? There are no easy answers to these questions. To get an accurate picture of branch performance, banks need to develop models that better reflect a branch’s interactions with customers and its contribution to the bank’s overall performance.

Measurement strategies

Some banks are developing point systems to measure the value of products sold, customer service and retention. For example, core accounts like checking accounts generally are more valuable than CDs, which often constitute “hot money” — that is, funds frequently transferred between financial institutions in an attempt to maximize returns. The analysis might be different, however, if a checking account has a small average monthly balance or if a CD has a relatively long term.

For services, one set of point values might be assigned to transaction processing — such as cashing checks or accepting deposits — with higher values assigned to loans or consultative services.

According to financial services technology provider Fiserv, customers with one banking product stay with a bank around 18 months on average. The average relationship increases to four years for customers with two products and to almost seven years for customers with three products. So, branches with more customers purchasing multiple products tend to contribute more value, and transfers of funds among branches affect branch profitability.

Differences in markets

Too often, banks’ business development plans fail to reflect the differences among their branches’ local markets, which can be dramatic. Many simply allocate their budgets uniformly among locations and demand that each branch achieve similar profitability and growth goals.

There are two problems with this approach. First, it establishes unachievable goals for branches in some markets, while allowing other locations to coast. Second, it may cause a bank to miss opportunities to enhance branch performance.

A better approach is to benchmark the bank’s performance against that of its peers. After identifying areas in which performance is falling short, the bank can examine individual branches, analyze their local markets and develop strategies for enhancing performance.

It’s important to analyze each branch’s current customer base as well as the various commercial and consumer segments that make up its local market. Armed with this information, you can develop marketing strategies that make the most of each location’s unique profitability and growth opportunities.

For example, a branch in an area with a lot of high-income consumers might target those consumers and also focus on cross-selling to existing customers. (Of course, it’s important to keep in mind fair lending exposure and Community Reinvestment Act considerations.) As noted above, providing multiple products to customers improves retention rates. On the commercial side, analyzing local markets may reveal opportunities to serve previously untapped commercial sectors or business niches.

Analysis and measurement are key

Your community bank will thrive if its branches thrive. Understanding your local customers and their banking preferences has never been more challenging — or more important. Closing branches if they’re no longer profitable is one solution, but developing them in ways that make them more useful to customers might be the best strategy over the long run.


Keep Your Customers Satisfied

Over the past few years, community banking has withstood rapid technological changes, unprecedented economic challenges during a pandemic and new demands from its customer base. To maintain profitability amidst all this turmoil, you need to ensure that your bank retains its existing customers. After all, studies show that attracting a new customer typically costs five times more than retaining an existing one.

Here are three fundamental questions to help improve customer satisfaction and, ultimately, retention.

  1. What’s your core deposit base?

A good first step is to identify your core deposits and develop an understanding of customer behaviors. Differentiate loyal, long-term customers from those motivated primarily by interest rates. A core deposit study can help you distinguish between the two types of depositors and predict the impact of fluctuating interest rates on customer retention. Banking regulators strongly encourage banks to conduct these studies as part of their overall asset-liability management efforts.

Core deposit studies assess how much of your bank’s deposit base is interest-rate-sensitive by examining past depositor behavior. They also look at factors that tend to predict depositor longevity. For example, customers may be less likely to switch banks if they have higher average deposit balances and use multiple banking products (such as checking and savings accounts, mortgages and auto loans).

  2. How can you get to know your customers better?

To build customer loyalty, it’s critical to ensure that customers are engaged. According to research by Gallup, engaged customers are more loyal, and they’re more likely to recommend the bank to family and friends. They also represent a bigger “share of wallet” (that is, the percentage of a customer’s banking business captured by the bank).

Recent retail banking studies show that fewer than half of customers at community banks and small regional banks (less than $40 billion in deposits) are actively engaged. The percentages are even smaller at large regional banks (over $90 billion in deposits) and nationwide banks (over $500 billion in deposits). That’s the good news. The bad news is that 50% of customers at online-only banks are fully engaged.

So, how can community banks do a better job of engaging their customers to compete with online banks? The answer lies in leveraging their “local touch” by knowing their customers, delivering superior service, and providing customized solutions and advice. To do that, banks must ensure that their front-line employees — tellers, loan officers, branch managers and call center representatives — are fully engaged in their jobs.

Encouraging employees to engage with customers has little to do with competitive salaries and benefits. Rather, it means providing employees with opportunities for challenging work, responsibility, recognition and personal growth.

  3. How can you develop your online presence?

An increasing number of customers — younger people in particular — use multiple channels and devices to interact with their banks. These include online banking, mobile banking applications and two-way texting.

To build loyalty, banks should enable customers to use their preferred channels and ensure that their experiences across channels are seamless. And don’t overlook the importance of social media platforms. Younger customers are more likely to use these platforms to recommend your bank to their friends and families.

Ask the right questions

Your customer retention strategies shouldn’t be based on guesswork. Consider periodically engaging with customers concerning their level of satisfaction with your current systems and processes. Ask what they’d like to see improved. A brief survey, or even a short conversation, can provide valuable input on ways to keep your customers satisfied with your bank’s services over the long term.



Bank Wire

CAA provides COVID-19 relief for banks

The Consolidated Appropriations Act (CAA), passed in late December 2020, contains a variety of COVID-19 relief provisions, including a second round of stimulus payments to individuals, enhanced unemployment benefits, and expansion of the Paycheck Protection Program (PPP). The act also offers some bank-specific relief. For example, it:

  • Delays the compliance deadline for the current expected credit loss (CECL) accounting standard until the earlier of 1) the first day of the bank’s fiscal year that begins after termination of the COVID-19 public health emergency, or 2) January 1, 2022; and
  • Extends the time during which banks may elect to temporarily suspend troubled debt restructuring (TDR) accounting for certain COVID-19-related loan modifications until the earlier of 1) 60 days after the public health emergency ends, or 2) January 1, 2022.

It also establishes a $9 billion fund to provide low-cost, long-term capital investments to qualifying banks. To qualify, they need to be community development financial institutions or minority depository institutions.

SBA guidance on PPP loans

After the CAA authorized “second-draw” forgivable PPP loans, the Small Business Administration (SBA) and Treasury Department issued rules for these loans. Among other things, the rules clarify that: the SBA will guarantee 100% of second-draw loans; no collateral or personal guarantees will be required; the interest rate will be 1%, calculated on a noncompounding, nonadjustable basis; maturity will be five years; and all loans will be processed by lenders under delegated authority.

Lenders may rely on borrower certifications to determine the borrower’s eligibility and use of loan proceeds. (Note: The borrower must substantiate compliance with eligibility requirements by the time they submit a forgiveness application.)

Simplified PPP forgiveness application

The CAA simplifies the forgiveness application for businesses that borrow less than $150,000. These borrowers will submit a one-page application that includes the total loan value, the estimated portion of the loan spent on payroll, and the number of employees retained as a result.

Fintech partnership guide

Community banks are increasingly partnering with “fintech” companies to offer their customers access to the latest banking technology tools. But these partnerships are fraught with practical and regulatory compliance challenges. Recently, a member of the Federal Reserve Board announced that the Fed would work with other banking agencies to develop a fintech vendor due diligence guide for community banks as well as enhanced interagency guidance for third-party risk management. This guidance is expected to “eliminate the need for community banks to navigate multiple supervisory guidance documents on the same issue” and “enhance clarity on supervisory expectations for community bank partnerships with fintech companies.”