Upload
community-bankers-of-iowa
View
218
Download
0
Embed Size (px)
DESCRIPTION
Community Bankers of Iowa monthly newsletter
Citation preview
Fall CommunityBank Summits
Pg. 4
OFF
ICIA
L P
UB
LIC
ATI
ON
OF
THE
CO
MM
UN
ITY
BA
NK
ERS
OF
IOW
AO
CTO
BER
201
5
Managing the Risk of
Unauthorized PaymentsPgs. 10-13
CBI Summer Intern Scholarship ProgramPg. 5
Banking on the Future In Emmetsburg
Regulatory IT ExamPgs. 6-7
5 Steps to Passing Your Next
Join a CBI CommitteePg. 8
Get Involved In YOUR Association Maintaining Net Interest MarginIn A Rising Rate Environment
Pg. 16
M&A EconomicsPg. 9
2 COMMUNITY BANKER UPDATE | OCTOBER 2015
Want To AttendA Webinar?
View a complete calendar andregister for CBI-sponsored webinarsand events at www.cbiaonline.org
or Call Us at 515.453.1495for more information.
Member FDIC Member Federal Reserve SystemOne Source. One Call.
SUPPORTING BANKSIT’S WHAT WE DO.
Your Bankers’ Bank mibanc.com
888-818-7200
Matt [email protected]
Doug [email protected]
Stacy [email protected]
Contact your relationship manager Stacy Snyder
or a MIB team member.
OCTOBER 2015 WEBINAR LINE-UP
Oct. 2 ProperRepossession,Notice&SaleofNon-RealEstateCollateralOct. 6 RegulationERequirementsforDebitCardErrorResolution:Processing, Disclosure&InvestigationOct. 7 MortgageLoanOrigination&Servicing:Issues,FAQs&LessonsLearnedOct. 8 Powers-of-Attorney&LivingTrustDocuments:GuidelinesforDeposit Accounts&LoansOct. 9 TheNewFloodRules,IncludingtheMandatoryEscrowRuleEff.Jan.1,2016Oct. 14 BSAComplianceSeries:Identifying,Reporting&MonitoringSuspicious ActivityOct. 15 NewSecurityOfficerTraining:Responsibilities,BestPractices& Skill-BuildingToolsOct. 20 NewAccountsSeries:OpeningAccountsforMinors:Ownership,Access& TransactionsOct. 21 AccountingDevelopmentsUpdate:RecentIssues&What’sontheHorizonOct. 22 AdvancedACHSpecialistSeries:Understanding&NavigatingACHRules forODFIsOct. 27 EmergingLeaderSeries:KeyLeadershipStrategiesforGrowth,Profitability &RetentionOct. 28 NetworkSecurity101:AComprehensiveOverviewOct. 29 MaintainingCompliantFDICRecords,IncludingRelatedEmail&Social MediaRetentionRules
COMMUNITY BANKER UPDATE | OCTOBER 2015 3
In This Issue
October2015WebinarLineup............................. 2
FallCommunityBankSummits............................ 4
BankingOnTheFutureInEmmetsburg:SummerInternScholarshipProgram.................. 5
PassingYourRegulatoryITExam......................6-7
JoinACBICommittee............................................ 8
M&AEconomics.................................................... 9
ManagingtheRiskofUnauthorizedPaymentsFromBusinessBankAccounts.....................10-13
RuralMainstreetSurvey...............................14-15
MaintainingNetInterestMarginInaRisingRateEnvironment.............................16
CBIMemberNews...............................................17
Community Bankers of Iowa1603 22nd St, Suite 102
West Des Moines, Iowa 50266Phone: [email protected]
EVENTS CALENDARCommunity Banking SummitsCarroll.........................................Oct. 13Johnston.....................................Oct. 14Algona.........................................Oct. 15
Building America Summit........Oct. 14
LOT Quarterly Meeting.............Nov. 19
Bank Architecture
& ConstructionPre-design
Master PlanningSite Development
ArchitectureProject Management
ConstructionPost-project SupportSecurity & Signage
TrustPersonalityExperienceIntegrityTeamwork
Steph Weiand (L) Suzanne Meyers (C) Jim Christensen (R)
112 W. Park Lane, Waterloo319-232-6554
Partner with us.Our correspondent bankers will get you clear answers and fast decisions. As your partner, we will help you enhance your customer relationships. As your bank grows, we’ll help you meet your needs.
Together,let’s make it happen.
bellbanks.com
Call me at 605.201.1864
Member FDIC
1090
7
Commercial and ag participation loans | Bank stock & ownership loans | Bank building financing | Business & personal loans for bankers
10907 CORR AD Community Bankers of Iowa.indd 1 9/15/15 11:03 AM
4 COMMUNITY BANKER UPDATE | OCTOBER 2015
Dan Gable, Olympic Wrestler & Coach
Bill Northey, Iowa Sec’y of Agriculture
Lisa Shimkat, Iowa Director, Small Business Development Center
Guest Speakers:
CBIinvitesIowa’scommunitybankerstotheFallCommunityBankSummits.Eachmeetingbeginsat3:00pm,withadinnerreceptionanddoorprizegiveawaytofollow.Attendtheseafternooneventsandbuildrelationshipswithyourpeerswhilegainingvaluableeducation.
AppearingateachSummitwillbelegendarywrestlerDan Gable,1972OlympicGoldMedalistandmultiple-timechampionandcoachatthestate,nationalandworldlevels.AstheFallSummitKeynoteSpeaker,Gablewillprovideinspirationandadviceonteambuilding,motivation,andovercomingadversity.
GuestSpeakersincludeBill Northey, IowaSecretaryofAgriculture,presentinganAg EconomyupdateattheCarrollandJohnstonmeetings,andLisa Shimkat,IowaDirectoroftheSmallBusinessDevelopmentCenter,who’lleducateattendeesonRural Economic DevelopmentattheAlgonameeting.
REGISTERTODAY;thefeeforeachSummitisonly $35 for bankers,and$50forCBIEndorsed/Associate/Affiliatemembers!Visitcbiaonline.orgtoregisterortoviewtheEventBrochure.Stillhavequestions?Callusat515.453.1495orcontactJackie [email protected].
Tuesday, Oct. 13 - CarrollSanta Maria Winery
Wednesday, Oct. 14 - JohnstonHilton Garden Inn
Thursday, Oct. 15 - AlgonaAlgona Country Club
Speaker Sponsor
Platinum Sponsors
Gold Sponsors
Thank You To The FollowingSponsors:
Silver Sponsors - Johnston
Silver Sponsor - Algona
Register Now for the FallCommunity Bank Summits
All meetings: 3:00 - 5:30 pm • Dinner reception & prize giveaway to follow
Attending Our Fall Community Banking Summit in Johnston on Oct. 14?Head to Des Moines first and attend the Building America Summit!
Co-Sponsored byCommunity Bankers of Iowa
JoinIowaFinanceAuthority,NationalAssociationofLocalHousingandFinanceAgenciesandahostofotherleadingstateandnationalorganizationsforafirst-of-its-kindbipartisannationalsummitonhousingpolicy.
Attending the discussion:•2016presidentialcandidates (invited)•leadingfederalhousingofficials•nationalhousingindustryofficials•stateagencydirectorsandstaff
Oct. 14-15Wed. Oct. 14, 12:00p -3:00pThurs. Oct. 15, 8:30a -3:00pIowa Events Center, Des Moines
Attendance is FREEfor CBI Members! Visit cbiaonline.org/building-america-summit.html
for more information and to register.If you would like to submit questions for the presidential candidates to be asked, email them to Jackie Haley at [email protected].
COMMUNITY BANKER UPDATE | OCTOBER 2015 5
Banking on the Future in EmmetsburgCBI’s Summer Intern Scholarship Program Launch A Success
InAprilCBIannouncedthelaunchoftheSummerInternScholarshipProgram.FundedentirelybytheCBIEducationFoundation,thepurposeoftheprogramistoencouragecollegeSophomoresandJuniorsinthefinance,accounting,business,agribusiness,marketing,andmanagementdisciplinestofindsummerpositionsincommunitybanksinIowa.Studentsareawardeda$1,000scholarshipuponcompletionoftheprogram.
TiffanyWagner,afinancemajorfromPocahontas,Iowaisthefirststudenttocompletetheprogram.Tiffany’sinternshipwasatIowaTrust&SavingsBank(ITSB)inEmmetsburg.MembersofthestaffrecommendedTiffanyafterlearningthatshewasinterestedininterningwithanIowabank.BeginninginMayandcompletingtheintershipinlateAugust,Tiffanyworkedineverydepartmentofthebankaspartoftheprogramcurriculumrequirements.SheshadowedbankstaffintheOperations,Drive-Up,Compliance,LoanSupport,NewAccounts,andLendingareas.
CBIinterviewedITSBExecutiveVicePresidentRickBrennanontheirsuccesseswiththeprogram.BrennanreportedthatTiffanywasinstrumentalinaprojectinvolvingabstracts,aswellasseveralotherprojectsintheMarketingandLendingdepartments.Tiffanyalsoworkedwiththebank’sCommercialLendingdepartmentandwasexposedtocallingprogramswithotherbanksthattheyworkwith.Thestaffconsideredhertobehardworking,intelligent,andwillingtoaskquestionsaboutwhytheyapproachvariousdepartmentprojectstheywaytheydo.
BrennanwentontosaythatTiffanywasanoutstandingintern,
helpfulintheaccomplishmentofseveralbankprojectsoverthesummer.WhenaskedabouttheusefulnessofCBI’sSummerInternprogram,hehadthistosay:
“It was a great opportunity to build a program to train interns, and it helped our bank to develop better methods to train new employees. Tiffany was great to work with--the staff enjoyed her approach and she was a hard worker. She is very deserving of the CBI Summer Intern Scholarship, and we’d be glad to do it again.”
TheCBIEducationFoundationisgovernedbytheCouncilofPresidents,formerpresidentsofCBI.AnIRS-approved501(c)(3)organization,contributionsmadebybothpersonalandcorporatedonorsaretaxdeductibletothefullestextentofthelaw.Contributionsofanysizeareacceptedandencouraged.Variouslevelsofrecognitionhavealsobeenestablishedtospotlightthosewhodemonstrateenhancedsupport.
FormoreinformationabouttheCBIEducationFoundationandtolearnhowyoucanparticipate,visitourwebsiteatcbiaonline.orgorcontactDonHoleat515.453.1495ordhole@cbiaonline.org.
Finance major Tiffany Wagner completed the CBI Summer
Intern Scholarship Program at Iowa Trust & Savings Bank in
Emmetsburg.
6 COMMUNITY BANKER UPDATE | OCTOBER 2015
FollowingthepilotcybersecurityexamsconductedlastsummerbytheFederalFinancialInstitutionsExaminationCouncil(FFIEC),many
banksaren’tsurewhattoexpectattheirnextITexam—ifthat’sindeedwherecybersecuritywillbeaddressed—andfeartheworst.
But,ratherthanbeparalyzedbyfear,addressthekeyareasonwhichfederalregulatorsmostlikelywillfocusatexamtimebyfollowingthesefivesteps:
Step 1: Know Your Cybersecurity Risk Profile and Maturity LevelWhat to Expect:Regulatoryexaminerswillnowexpectbankstohaveamuchbetterunderstandingoftheircybersecurityriskprofileandmaturitylevel.
How to Prepare:ThekeytogainingthatunderstandingandprovingitatexamtimeistheFFIEC’srecentlypublishedCybersecurityAssessmentTool*.It’ssurprisinglywellorganized,easytouseandcomprehensive.So,usingeithertheFFIEC’sassessmentoracomparabletool,completethesetasks:
Determine Your Inherent Risk ProfileTheassessmenthelpsyourbankidentifyitsinherentrisksinthefollowingkeyareasandratethemaccordingly:•TechnologiesandConnectionTypes•DeliveryChannels•Online/MobileProductsandTechnologyServices•OrganizationalCharacteristics•ExternalThreats
Determine Your Cybersecurity MaturityThisportionoftheassessmentgaugeswhetheryourbank’sbehaviors,practicesandprocessesadequatelysupportyourcybersecuritypreparedness.Itcoversthefollowingdomains,towhichyourbankassignsamaturitylevelbasedonfindings:•CyberRiskManagementandOversight•ThreatIntelligenceandCollaboration•CybersecurityControls•ExternalDependencyManagement•CyberIncidentManagementandResilience
Step 2: Limit Your Exposure What to Expect:AfterStep1,youshouldhaveaclearsenseofwhereyourbankisexposed—andyoumustacttolimitthatexposure.
How to Prepare:Thisprocesscantaketwoforms,dependingontheareaofexposure:
Reduce the Level of Risk in Exposed AreasForexample,ifyourbankhastoomanyunnecessaryInternet-
facingservers,reducingthatnumbercansignificantlyloweritsriskofabreachthroughthoseservers.
Increase the Maturity Level in Exposed AreasReducingriskmaynotalwaysbefeasible.Forinstance,limitingcustomers’mobilechanneloptionsmayreducethebank’shackingrisk,butitalsowouldupsetcustomers,exchangingonerisk(breach)foranother(lostcustomers).So,increasethecybersecuritymaturitylevelinthatarea.
Step 3: Include Cybersecurity in Your BCP and Incident Response PlanWhat to Expect:FollowingthepublicationofAppendixJ**oftheFFIEC’sBusinessContinuityPlanningBooklet,regulatoryexaminerswillexpectBusinessContinuityPrograms(BCP),includingIncidentResponsePlans,tobeupdatedwithcybersecurityreferences.
AppendixJoutlinesspecificcyberriskstoconsider:1. Sophisticatedmalwarefocusedondatacorruptionand
unauthorizedfinancialtransactions2. Insiderthreatsfromdisgruntledemployeesormolesplanted
bycybercriminals3. Dataorsystemscorruptionduetoacyberattack4. Disruptionofcommunicationscapabilitiesandinfrastructure
duetoacyberattack5. Simultaneouscyberattacksonfinancialinstitutionsandtheir
TSPs
How to Prepare:Gothroughyourbank’sBCPdocumentationandensurecybersecurityisadequatelyaddressedandspecificallywrittenintotheprogram.
Step 4: Evaluate Your Vendors’ Cybersecurity Risk ProfilesWhat to Expect:AppendixJremindsbanksthattheyareultimatelyresponsibleforthesafetyandsoundnessofactivitiesoutsourcedtoTSPs,soconductathoroughexaminationofallvendors,particularlythoseinvolvedinthemostcriticaloperations.
How to Prepare:Startingwithyourmostcriticalvendors,assessthefollowingareasbasedonAppendixJ:
• Third-Party Management:Isthevendor’sriskfullyidentifiedandadequatelycontrolled?
• Third-Party Capacity:Isthevendorcapableofrestoringservicetoallclients?
• Third-Party Testing:Hasthevendor’sBCPbeenvalidatedthroughadequatetesting?
Step 5: Educate and Involve Senior Management and the BoardWhat to Expect:Bankexaminersexpecttoseeactiveinvolvement
(Passing Your Regulatory IT Exam continued on next page)
Written By: Steve SandersVP - Internal Audit, CSI Regulatory Compliance
5 Steps to Passing YourNext Regulatory IT Exam
COMMUNITY BANKER UPDATE | OCTOBER 2015 7
(Passing Your Regulatory IT Exam continued from previous page)
byseniormanagementandtheboardofdirectorsinallmatters,includingcybersecurity.
How to Prepare:SeniorleadershipneedstodomorethanrubberstampIT,InformationSecurityandBCPprogramseachyear.Theirinvolvementneedstobefeltthroughouttheenterprise.Tobegin,takethesesteps:•Routinelypresentcybersecurityupdatesatboardmeetings.•Encourageseniorleadershiptoroutinelyexpresstheimportanceofcybersecurityresiliencetoemployees.
•Ensureboardmeetingminutesreflectallcybersecuritydiscussionsandactions,andkeeparecordtoshareatexams.
Expect a Better Outcome at Exam Time by Preparing for It Examinerexpectationsregardingcybersecurityaregrowing,butcompletingtheabovestepswillprepareyourbankandensureitisspeakingthesamecybersecuritylanguageasexaminers,whichishalfthebattle.
Steve Sanders, CSI’s vice president of Internal Audit, oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. For more information about CBI Endorsed Member Computer Services, Inc., visit csiweb.com.
*Get FFIEC’s Cybersecurity Assessment Tool atwww.ffiec.gov/cyberassessmenttool.htm
**Read Appendix J at www.ffiec.gov/press/pr020615.htm
IowaTIB Ad1/2 pg.April 2015
8 COMMUNITY BANKER UPDATE | OCTOBER 2015
CommunitybankerscanmakeadifferenceintheirassociationandtheirindustrybyparticipatinginaCBIcommittee.CommunityBankersofIowacommitteesallowmemberstheopportunitytoguidethedirectionofCBIonlegislativeaffairs,education,theconvention,andmore.CBIcommitteeswillalsoprovideyouwithinformationandeducationonthelatestindustryissues;includingcompliance,lending,andeconomicdevelopment.Considervolunteeringforone(ormultiple)ofthefollowingcommitteesandmakearealdifferenceinYOURassociation:
Annual Management Conference CommitteeAnnually,theCommunityBankersofIowa’sManagementConferenceattractshundredsofbankersandthoseaffiliatedwiththeindustryfromacrossIowaandthenation;jointheAnnualManagementConferenceCommitteeandbeapartoftheteamcoordinatingtheassociation’slargestevent.MembersoftheAnnualManagementandConferenceCommitteeselectgeneralsessionspeakers,breakoutsessiontopics,assistinplanningalleventactivities,andareintegralindevelopingeachConference.
TheAnnualManagementConferenceCommitteemeetsquarterlyandviateleconferenceonanasneededbasis.CBI’sstaffliaisonfortheAnnualManagementConferenceCommitteeisDonHole.Ifyouareinterestedinjoiningorwantadditionalinformation,[email protected].
Economic Development CommitteeThiscommitteediscussestheneedsandissuesrelatingtoeconomicdevelopmentformainstreetIowa.Committeememberswilldevelopastructureofresourcestohelpcommunitybanksimproveandsupporteconomicdevelopmentintheircommunities.Legislationinvolvingeconomicdevelopmentonthestateandfederallevelswillalsobeaddressedbythiscommittee.
TheEconomicDevelopmentCommitteewillmeetinpersontwiceayearandviateleconferenceonanasneededbasis.CBI’sstaffliaisonsforthiscommitteeareDonHoleandJackieHaley.Ifyouareinterestedinjoiningorwantadditionalinformation,[email protected]@cbiaonline.org.
Education and Compliance CommitteeAsamemberofthiscommitteeyouwilldirectandapprovetheeducationalofferingsoftheassociationthatwillmeettheneedsofcommunitybankers.Committeememberswillalsodetermineseminartopicsandassistwithselectingspeakers.Complianceproductsandprogramswillalsobereviewedbythiscommittee.
TheEducationandComplianceCommitteewillmeetquarterly.CBI’sstaffliaisonforthiscommitteeisPrettyPatel.IfyouareinterestedinjoiningorwantadditionalinformationontheEducationandComplianceCommittee,[email protected].
Legislative CommitteeThroughastrategicplanningprocesswithCBI’slobbyist,theLegislativeCommitteewillguideanddeterminetheassociation’slegislativeagenda.ReviewandapprovePACcontributions.Committeemembersalsoprovidelobbyingsupportwhenneededduringthelegislativesession,andtheyarevitaltoCBI’sgrassrootsadvocacyefforts.
TheLegislativeCommitteemeetstwiceayearandasneededduringthelegislativesession.CBI’sstaffliaisonisDonHole.Ifyouareinterestedinjoiningthiscommitteeorwantadditionalinformation,[email protected].
Membership and Marketing CommitteeTheMembershipandMarketingCommitteereviewsproductsandservicesthatCBSIisconsideringforendorsement.Committeemembersalsorecommendproducts,companies,andservices.DiscussthestrengthsandweaknessesofCBImembership,identifytheneedsofmembers,andhelpestablishthenecessarybenefits.Membersareadvocatesfortheassociation,andhelpcreateastrongerandunifiedvoicefortheCommunityBankersofIowa.
TheMembershipandMarketingCommitteehastwomeetingsperyear.Twoconferencecallsarealsoscheduledthroughouttheyear.CBI’sstaffliaisontotheMembershipandMarketingCommitteeisJackieHaley.Ifyouareinterestedinjoiningthecommitteeorwantadditionalinformation,[email protected].
Networking and Events CommitteeMembersoftheNetworkingandEventsCommitteeguidetheimplementationofallCBIevents–golfoutings,StateFairConference,andSummits.Reviewcurrentofferingsanddetermineifnewopportunitiesneedtobecreatedand/oreventsneedtoberestructured.
Committeememberswillmeetquarterly.CBI’sstaffliaisonfortheNetworkingandEventsCommitteeisJackieHaley.Ifyouareinterestedinjoiningthecommitteeorwantadditionalinformation,[email protected].
CBIcommitteesareopentoallmembers.CommitteesareanopportunitytonetworkwithyourpeerswhilemakinganimpactinYOURassociation.Ifyouhavequestionsaboutaspecificcommittee,pleasecontactthestaffliaisonorcalltheofficeat515.453.1495.
Make a Difference in YOUR AssociationVolunteer for a Community Bankers of Iowa Committee
JOIN NOW ONLINE!Get more information and sign up to joinCBI Committees by visiting our website at
www.cbiaonline.org/committees.html
COMMUNITY BANKER UPDATE | OCTOBER 2015 9
AlthoughbankM&Adealsareessentiallyflatversuslastyear,iftherewereametricthatmeasuredtheamountofM&Achatterinthemarket,itwouldlikelybeatanall-timehigh.Ourclientsarelookingatmoredealsatamorerapidpacethaneverbefore,andthat
trendwillonlyincreaseasthebusinesscyclechanges.
Butthenwhyaren’tmoredealsgettingdone?Theshortanswerisbecausetoolargeaspreadstillexistsbetweenthe“bid”andthe“ask.”
Onthe“ask”front,manyinvestmentbankersarecreatingunreasonableexpectationsintheboardroomwithrespecttothepricingandvaluationasellingbankcouldfetchinthemarket.Asfarasthe“bid”sidegoes,buyersareperhapsoverlyfocusedondilutiontotangiblebookvalueandthecorrespondingpaybackperiod.Buyersareessentiallystrugglingwithweighingtheboosttoearningsfromadealagainstthedilutiontotangiblebookvalueandhowlongittakestorecoupthedilution.Communitybankstendtoshyawayfromadealifthepaybackperiodislongerthanfouryears.
However,thebetterwaytothinkaboutM&Aisfromarisk/rewardperspective.Theanalysesthatbuyersshouldfocusonshouldbeguidedbythefollowingquestions:
•Howmuchcapitalarewedeployingbasedontheriskprofileofthetargetandthestructureofthetransaction?
•Whatisthereturnoncapitalwearegettingasmeasuredbyincreasedearnings?
•HowdoesthatROIcomparetootherviablealternativessuchasorganicgrowth?
•Whatisthetimevalueofmoneyrelativetoorganicgrowth,whichisamuchslowerandfranklymoreuncertainprocess?
Banksarmedwiththenecessaryarrayofanalyticaltoolsshouldbeabletoquantifytheanswerstothesequestionsveryquicklywhenassessingagivendeal.Absentachangeineconomicconditionsandthelowinterestrateenvironment,M&Abecomesaveryattractivewaytodeploycapital,perhapsbydefault.Thisisbecausetherisk/rewardcharacteristicofmakingnewloansinthisenvironmentcontinuestorapidlyerode.Banksthatanalyzeagivendealinavacuumandareunabletoquantifythereturnoncapitalofpursuingorganicgrowthorotherstrategicactions(includingreturningcapitaltoshareholders)willfallintothetrapofoverlyfocusingonTBVdilutionanditscorrespondingpaybackperiod.
Insummary,buyerstendtofocustoomuchonTBVdilutionandthepay-backperiodforthedilution.Instead,theemphasisshouldbeonreturnoncapital.However,inordertomeasurecapitalandthereturnoncapitalproperly,forward-lookinganalyticaltoolsarerequired.
Managementteamswillneedtobeabletoeducatetheirboardsandshareholdersonthiscriticaldistinction.ThosewhoareabletodosowillfindthemselveswithamassivecompetitiveedgeintheM&Amarket.
Adam Mustafa is Co-Founder and Managing Partner at Invictus Consulting Group. For more information on CBI Affiliate Member Invictus Consulting, visit invictusgrp.com.
Navigating the Trade-off betweenEPS Accretion and TBV Dilution
M&A Economics:
Written By: Adam MustafaManaging Partner & Co-Founder - Invictus Consulting Group
Certified Community Banking
Security Professional™
Onsite Training
The onsite CCBSP™ is a management-level cyber security program designed to:
n Enhance your skill set and knowledge base in cyber security n Provide a framework for an entire information security program n Demonstrate how to manage each component of the information security program to ensure successful implementation
Who should attend? ISO, Auditor, IT Manager, Compliance Officer, Security Officer, Operations Officer
Date: November 17-18Location: Prairie Meadows - Altoona, IARegister: http://iowa.protectmybank.com
10 COMMUNITY BANKER UPDATE | OCTOBER 2015
Unauthorizedelectronicpaymentsfrombusinessbankaccountsareagrowingconcernforbanks,businesses,andthegeneralpublic.Criminalsareusingavarietyoftechniques,suchasphishinge-mailsandmalware,totakecontrolofbusinessaccountstoinitiatepaymentstoanaccompliceoraforeignaccount.Accordingtothe2015surveyoftheAssociationforFinancialProfessionals,27percentofrespondentorganizationswereaffectedbywiretransferfraud(anearly100percentincreasefromthe2014survey),and10percentwereaffectedbyautomatedclearinghouse(ACH)creditfraud(fraudinvolvinganACHpaymentorderinitiatedbythepersonsendingthepayment).1
Forexample,inJune2012,alawfirmwitharealestateescrowaccounthaditscomputersystemcompromisedanditsbankingcredentialsstolen,whichresultedin$1.66millioninunauthorizedwiretransfers.2Similarly,in2009,aMichigancorporationwassubjecttoaphishingschemethatresultedin$560,000inunauthorizedwiretransfersfromitsbankaccount.3AndinApril2011,theFederalBureauofInvestigation(FBI)issuedanalertaboutthegrowingnumberofunauthorizedwiretransferstoChina,inwhichsmallandmedium-sizedbusinessessufferedtotallossesof$11millionin20separateincidents.4ThisproblemisalsoreflectedintheincreasednumberofSuspiciousActivityReportsfiledbyfinancialinstitutionsfor“accounttakeovers,”inwhichanunauthorizedpersontakescontrolofacustomer’saccount.5
Theseheadlinesunderminethepublic’sconfidenceinthepaymentsystem.Theyalsoraiseacriticalquestionforbanksandtheirbusiness6customers:Whenfundsarestolenfromabankaccountofabusinesscustomerthroughanunauthorizedpaymentorder,whobearstheloss?ForunauthorizedwiretransfersandACHcredittransfers,Article4AoftheUniformCommercialCode(UCC)providesthelegalframeworkfordeterminingwhoisresponsibleforanyresultinglosses.7ThisarticleexaminestherelevantprovisionsofArticle4A,reviewstworecentfederalappealscourtdecisionsinterpretingtheseprovisionsinthecontextoffundsstolenthroughunauthorizedwiretransfersandACHcredittransfers,anddiscussessoundpracticestomitigatethisriskinlightoftheUCC’srequirementsandthesecourtcases.
Impact on Community BanksAccounttakeoversareanimportantissueforcommunitybanksbecausecriminalsareincreasinglytargetingsmallandmid-sizedcompanies,whicharebelievedtohaveless-sophisticatedsecuritysystemsthanlargercompanies.8Thesecompanies,inturn,oftenbankwithcommunitybanks.9AccordingtoSymantec,thesoftwaresecurityfirm,50percentofall“spear-phishing”attacks(inwhichthecriminalsendsane-mailwithamalwareattachmentormaliciouslinksthatappearstobefromanindividualorbusinessknowntotherecipient)targetedbusinesseswith2,500orfeweremployeesin2011,andby2013,thisnumberhadincreasedto61percentofallattacks.10Byinfiltratingabusiness’scomputersystem,thecriminalcanobtainthelog-incredentialstothebusinessbankaccountsandinitiateunauthorizedpaymentorders.
Thus,itisimportantforcommunitybankstounderstandtherequirementsofArticle4AoftheUCCthatcomeintoplaywhenadisputearisesbetweenabankanditsbusinesscustomersbecauseofunauthorizedwiretransfersorACHcredittransfers,aswellaswaystoaddresstherisksarisingfromunauthorizedtransfers.
UCC Article 4ABydefault,Section4A-204(a)providesthatabankisresponsibleforanyunauthorizedelectronicpaymentordersonanon-consumeraccount.However,Section4A-202(b)permitsabanktoshifttheriskoflosstoitscustomersifitfollowstheseprocedures:
•Thebankanditscustomeragreethatthebankwillauthenticateanypaymentordersontheaccountunderanagreed-uponsecurityprocedure.
•Thesecurityprocedureis“commerciallyreasonable.”•Thebankcompliedwiththeprocedure,actedingoodfaith,andimplementedthecustomer’swritteninstructions(ifany)restrictingpayment.
Becausetheserequirementsfocusheavilyonabank’suseofa“commerciallyreasonable”securityprocedure,thedefinitionofthistermiscritical.Article4Aprovidestwowaysforabanktoestablishthatitssecurityprocedureiscommerciallyreasonable.First,underSection4A–202(c),abankcanshowthatitsproceduretookintoaccount:
•thewishesofthecustomerexpressedtothebank;•thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank;
•alternativesecurityproceduresofferedtothecustomer;and•theproceduresingeneralusebycustomersandreceivingbankssimilarlysituated.11
TheUCCincludesOfficialCommentsforclarification.AccordingtoComment4forSection4A–202(c),whichisreferencedinSection4A-203,themeaningof“commerciallyreasonable”isflexibleanddependsontheparticularcircumstancesofthebankanditscustomer.Forexample,acustomertransmittingalargenumber ofhigh-dollarpaymentordersmayreasonablyexpectstate-of-the-artsecurityprocedures,whileacustomerwithasmallnumberoftransactionsorlow-dollaramounttransactionsmayhavedifferentexpectations.Similarly,“itisreasonabletorequirelargemoneycenterbankstomakeavailablestate-of-the-artsecurityprocedures.Ontheotherhand,thesamerequirementmaynotbereasonableforasmallcountrybank.”12Thecommentalsonotesthatthe“standardisnotwhetherthesecurityprocedureisthebestavailable.Ratheritiswhethertheprocedureisreasonablefortheparticularcustomerandtheparticularbank,whichisalowerstandard.Ontheotherhand,asecurityprocedurethatfailstomeetprevailingstandardsofgoodbankingpracticeapplicable
LegalDisclaimer:TheanalysesandconclusionssetforthinthispublicationarethoseoftheauthorsanddonotnecessarilyindicateconcurrencebytheBoardofGovernors,theFederalReserveBanks,orthemembersoftheirstaffs.Althoughwestrivetomaketheinformationinthispublicationasaccurateaspossible,itismadeavailableforeducationalandinformationalpurposesonly.Accordingly,forpurposesofdeterminingcompliancewithanylegalrequirement,thestatementsandviewsexpressedinthispublicationdonotconstituteaninterpretationofanylaw,rule,orregulationbytheBoardorbytheofficialsoremployeesoftheFederalReserveSystem.
Reprinted with permission of Community Banking Connections®. Copyright 2015 Federal Reserve System.
Written By: Kenneth Benton, Senior Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia
Manage The Risk of Unauthorized PaymentsFrom Business Bank Accounts
COMMUNITY BANKER UPDATE | OCTOBER 2015 11
totheparticularbankshouldnotbeheldtobecommerciallyreasonable.”
Thesecondwaytoestablishthataprocedureiscommerciallyreasonableapplieswhenacustomerdeclinesasecurityprocedureofferedbyabankbecausethecustomerwantstouseitsownsecurityprocedure.Ifthecustomeragreesinwritingtobeboundbyanypaymentorder,whetherornotauthorized,thatisissuedinitsnameandacceptedbythebankthatcomplieswiththecustomer’schosensecurityprocedure,theprocedureisdeemedcommerciallyreasonable,providedthattheprocedureofferedbythebankthatthecustomerdeclinedsatisfiedthecommerciallyreasonablerequirementssetforthpreviously.13
Recent Court Cases Interpreting Commercially Reasonable Security ProceduresTworecentfederalappellatecourtdecisionsexamineddifferentaspectsofArticle4A’srequirementsandhelptoclarifythestepsfinancialinstitutionsmustundertaketoavoidresponsibilityforlossesincurredbytheircustomers.14
Case One: Bank’s Security Procedure Is Not Commercially ReasonableInPatco Construction Co. v. People’s United Bank,15unauthorizedACHcredittransferstotaling$588,851weretakenfromPATCOConstructionCompany’saccountwithOceanBank,amid-sizedbanklateracquiredbyPeople’sUnitedBank.PATCOwasabletorecover$243,406,leavinganetlossof$345,444.PATCOsuedthebanktorecoveritsloss.Thecrucialissueonappealwaswhetherthebank’ssecuritysystemwascommerciallyreasonableasdefinedintheUCC.
Thecourtfoundflawsinthewaythebankimplementeditssecuritysystem.First,ifatransactionexceededaspecifiedthreshold,thecustomerhadtoanswerchallengeresponsequestions(forexample,“Whatisyourmother’smaidenname?”).Thebanksetthethresholdatonedollarormoreforallofitscustomers.Thecourtfoundtheone-dollarthresholdmeantthateverytransferwouldtriggerchallengeresponsequestions.Ifacustomer’scomputerswereinfectedwithkey-loggingmalware,whichrecordsacomputeruser’skeystrokesandtransmitstheinformationovertheInternet,theriskofmalwarerecordingtheanswerstothechallengequestionsincreasedsubstantiallybecauseeverytransaction—whichforPATCOincludedallpayrolltransfers—triggeredachallengeresponse.
Second,thebankfailedtomonitorthewarningsfromitssecuritysoftware.ThesoftwaregeneratedascoreforeveryACHtransactionbasedoncertainriskfactors.Thesecuritysystemflaggedtheunauthorizedtransactionsasveryhighrisk.However,becausethebankdidnotmonitortheriskscores,itdidnotnotify
PATCOortrytostopthetransactionspendingverification.
Finally,thecourtnotedthatkey-loggingmalwarewasanindustryconcernwhenthetransactionsoccurredandthatmanyInternetbankingsecuritysystemswereusinghardwaretokensasanadditionalsecuritymeasure,whichtheFederalFinancialInstitutionsExaminationCouncil(FFIEC)hadrecommendedasausefulpartofamultifactorauthenticationscheme.16Otherbanksperformedmanualreviewsorcustomerverificationforhigh-risktransactions.OceanBankdidnotuseanyofthesesecuritymeasuresandthuswasnotcomplyingwiththeUCCrequirementtoconsiderthesecurityproceduresusedbycustomersandatsimilarlysituatedbanks.
Inlightoftheseproblems,theFirstCircuitconcludedthatOceanBank’ssecurityprocedureswerenotcommerciallyreasonable.However,thecourtnotedthatPATCOalsohadresponsibilitiesforimplementingsecurityprocedures,sothecourtsentthecasebacktothetrialjudgetodetermineifPATCOboreanyresponsibilityfortheunauthorizedtransactions.ButaftertheFirstCircuitissueditsopinion,thebanksettledthecasefortheamountoftheloss($345,444)plusinterest.17
Case Two: Bank’s Security Procedure Is Commercially ReasonableThesecondcase,Choice Escrow & Land Title, LLC v. BancorpSouth Bank,18concernedtheresponsibilitybetweenBancorpSouthBankanditsbusinesscustomer,ChoiceEscrow&LandTitle,for$440,000inunauthorizedACHtransactions.AnemployeeatChoiceclickedonalinkinaphishinge-mailthatallowedmalwaretobeinstalledonanetworkcomputer.Asaresult,hackerswereabletoissueafraudulentpaymentorderfor$440,000thatwassenttoaforeigncountry.Choicesuedthebanktorecoverthe$440,000.
Thebank’ssecuritysystemofferedfoursecurityfeatures:(1)userIDandpasswordrequirement;(2)registrationofanauthorizeduser’sInternetprotocol(IP)addressandcomputerinformationwhentheuserfirstregistered;(3)thecustomer’sabilitytoplacedollarlimitsontransactions;and(4)dualcontrol,whichrequiredthateverypaymentorderrequestbyanauthorizeduserbeapprovedbyasecondauthorizeduser.Ifacustomerdeclinedthedual-controlfeature,thebankhadthecustomersignawaiveracknowledgingitunderstoodtherisksofasingle-controlsecuritysystem.
Choicedeclinedthedollarlimitontransactionsandthedual-controlfeatureandsignedthewaiver.Thus,thesecurityprocedureforChoice’sACHtransactionsconsistedofauserIDandpasswordandverificationofIPaddressandcomputerinformation.ChoicehadalsoaskedthebankwhetheritssystemhadthecapabilitytolimitACHtransferstoforeignbanksbecauseofaconcernaboutphishingscams.Thebankrespondedthatitwasnotpossible,butthatChoicecouldmitigatetheriskofunauthorizedACHtransactionsifitimplementeddualcontrol,whichChoicedeclined.Thecourtreviewedthebank’ssecurityprocedureanddetermineditwascommerciallyreasonable.Fortherequirementthatasecurityproceduremustbeoneingeneralusebysimilarlysituatedcustomerandbanks,thecourtfocusedontheFFIEC’s2005guidance.Theguidancestatesthatmostmodernauthenticationismultifactorandthat“single-factorauthentication,astheonlycontrolmechanism,[is]inadequateforhigh-risktransactionsinvolvingaccesstocustomerinformationorthemovementoffundstootherparties.”19
ThecourtalsonotedthattheFFIECguidancestatesthatthreatsUnauthorized Payments continued on next page)
12 COMMUNITY BANKER UPDATE | OCTOBER 2015
(Unauthorized Payments continued from previous page)
changeovertimeandthatbanksmust“[a]djust,asappropriate,theirinformationsecurityprogram[s]inlightofanyrelevantchangesintechnology,thesensitivityofitscustomerinformation,andinternalorexternalthreatstoinformation.”Thecourtnotedthebankofferedthedual-controloptioninresponsetoincreasedsecuritythreats,whichthecourtsaidwasareasonableresponsetothethreatofphishingscamsandthuswasconsistentwiththeFFIECguidance.
Thecourtnextconsideredtherequirementthatabank’ssecurityproceduresmustbesuitableforthecustomerinlightof“thewishesofthecustomerexpressedtothebank”and“thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank.”20
Choicearguedthatthedual-controloptionfailedtotakeintoaccountChoice’scircumstancesbecausedual-controlverificationofeverywiretransferwasnotfeasibleforChoicebecauseofitssmallstaff.ButthecourtfoundthatdualcontrolwasfeasibleforChoice:Choice’sACHtransfersusuallydidnotrequireimmediateprocessing,soifanACHrequestwasreceivedonadaywhenthedual-controlemployeewasunavailable,thatemployeecouldapproveitthenextdaywithoutadverseconsequence.WhenChoicedeclinedthedual-controloption,thecourtnotedthatitassumedtherisksofthisdecisionundertheUCC,whichstatesthatwhen“aninformedcustomerrefusesasecurityprocedurethatiscommerciallyreasonableandsuitableforthatcustomerandinsistsonusingahigher-riskprocedurebecauseitismoreconvenientorcheaper,”thecustomerassumes“theriskoffailureoftheprocedureandcannotshiftthelosstothebank.”21
Thecourtconcludedthatthebank’ssecurityproceduresofpasswordprotection,dailytransferlimits,deviceauthentication,anddualcontrolwerecommerciallyreasonableforthebank’scustomer.
Section4A-202(b)(ii)imposesonefinalrequirementfortransferringliabilitytothecustomer:Thebankmusthave“acceptedthepaymentorderingoodfaithandincompliancewiththesecurityprocedureandanywrittenagreementorinstructionofthecustomerrestrictingacceptanceofpaymentordersissuedinthenameofthecustomer.”Thecourtdistilledthistomean
that“thebankmustabidebyits[security]proceduresinawaythatreflectstheparties’reasonableexpectationsastohowthoseprocedureswilloperate.”
ThecourtnotedthatChoicewasawarethatwhenapaymentorderwasapprovedthroughtheagreed-uponsecurityprocedure,thebankemployee’srolewasnottolookforirregularitiesbuttosendthepayment.Thebankprovidedtestimonythatthiswascommonpracticeintheindustry.Thebankthussatisfiedthefinalrequirement.
Afterconsideringthiswholeanalysis,theEighthCircuitupheldthelowercourtrulingthatthebank’ssecurityprocedurewascommerciallyreasonable,andthebankwas,therefore,notresponsiblefortheunauthorizedtransactions.
Sound Practices in Light of Patco and ChoiceThesetwocaseshelpclarifythemeaningofacommerciallyreasonablesecurityprocedureundertheUCCforpurposesofdeterminingwhetherabankoritscommercialcustomerbearstheriskoflossforunauthorizedwiretransfersandACHcredittransfers.Severalthemesthatarerelevantforcommunitybanksemergefromtheseopinions:
• Understand and compare security procedures offered by different vendors and document the rationale for the procedure selected.TheUCCrequiresthatacommerciallyreasonablesecurityprocedurebe“ingeneralusebycustomersandreceivingbankssimilarlysituated.”Thecommentaryalsostatesthat“asecurityprocedurethatfailstomeetprevailingstandardsofgoodbankingpracticeapplicabletotheparticularbankshouldnotbeheldtobecommerciallyreasonable.”Therefore,itisimportantforbankstodiscusswithsecurityvendorstheproceduresothersimilarlysituatedbanksareusingforcomparablecustomersituations.InPATCO,thecourtnotedthatOceanBank’speerswereusingtokensandone-timepasswords,butOceanBankhadnotimplementedeither.
• Use security procedures that meet the FFIEC guidelines. BoththePATCOandChoicecasesestablishthatcompliancewiththeFFIECguidelines,includingsupplements,iscrucialbecausetheseguidelinesareviewedbythecourtsaspartoftheindustrysecuritystandard.TheFFIECguidelinesstatethat“financialinstitutionsshouldperformperiodicriskassessmentsconsideringnewandevolvingthreatstoonlineaccountsandadjusttheircustomerauthentication,layeredsecurityandothercontrolsasappropriateinresponsetoidentifiedattacks.”Asacorollary,abankisexpectedtomonitorchangestotheFFIECguidanceandrespondaccordingly.Forexample,the2011guidancestatesthatfinancialinstitutionsshouldadopt“layeredsecurityprograms”thatdetectandrespondtosuspiciousactivityandincludeenhancedcontrolsforsystemadministrators,whohaveauthoritytochangecomputersystemconfigurations.
•Have staff monitor and respond to security software notifications.Itisnotenoughtohavesecuritysoftwarethatidentifiesrisks;itisimportantthatstaffcontinuouslymonitorsecurityalertsfromthesoftwareandrespondappropriately.InPATCO,thesoftwareidentifiedhigh-risktransactions,butthebankwasnotmonitoringthisinformationwhenthesecuritybreachesoccurred.TheUCCcommentaryforSection4A-203confirmstheimportanceofthisbystating:“Ifthefraudwasnotdetectedbecausethebank’semployeedidnotperformtheactsrequiredbythesecurityprocedure,thebankhasnotcomplied[withthesecurityprocedure].”
COMMUNITY BANKER UPDATE | OCTOBER 2015 13
•Be aware that security should not be “one-size-fits-all.” Thesecurityprocedureshouldtakeintoaccount“thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank.”Acustomerwhomakesfivewiretransfersoflessthan$5,000peryear,forexample,requiresadifferentsecurityprocedurethanacustomermakingthousandsofwiretransferseveryyear,inlargeamounts,andtomanyforeigncountries.
• Proactively discuss security issues and best practices with customers.Manyunauthorizedtransactioncasesoccurwhenabankcustomer’semployeereceivesaphishingormalwaree-mailthatenablescriminalstoobtainlog-incredentialstoperformunauthorizedtransactions.Inparticular,spearphishinge-mailsoftentargetkeyemployeeswhohaveaccesstoaccounts.Banksshouldbeproactivewiththeircustomerstodiscusswaystomitigatethisrisk.Forexample,abankcouldrecommendthatthecustomerallowonlyelectronictransferstobeperformedonadedicatedcomputerthatcannotaccesse-mailortheInternet,toreducetheriskofexposuretophishing,malwaree-mails,andwebpageswithmalware.22Bankscouldalsoencouragecustomerstoconductregularcybersecuritytrainingtoreducetheriskofanemployeefallingvictimtoaphishingormalwaree-mailattack.Banksshouldalsoencouragetheircustomerstouseanti-phishingsoftwaretohelpdetectandprotectagainstphishinge-mails.
ConclusionCybersecuritybreachesareontherise,andlawsuitsseekingreimbursementfortheresultinglossesarerising,too.IntheeventofalegaldisputeoverresponsibilityforunauthorizedwiretransfersandACHcredittransfersforabusinessbankaccount,courtswilllooktoArticle4AoftheUCCtodeterminewhobearsthelossbasedprimarilyonwhetherabankhasimplementedacommerciallyreasonablesecurityprocedure.ThestandardundertheUCCisnotwhetherthesecurityprocedureisthebestavailable;ratheritiswhethertheprocedureisreasonablefortheparticularcustomerandtheparticularbank.
Ofcourse,nobankwantstobeinlitigationwithitscustomers.Thus,banksshouldproactivelydiscusswiththeirbusinesscustomerswaystoappropriatelyidentify,measure,monitor,andcontrolcybersecurityrisks,takingintoaccounttheparticularrisksandcircumstancesofthecustomer’soperations.Thiswillhelpbankstopreventunauthorizedpaymentsfromoccurring,reducelosses,retainsatisfiedcustomers,andincreasepublicconfidenceinpaymentsystems.
NOTES1.AssociationforFinancialProfessionals,2015 AFP Payments Fraud and Control Survey: Report of Survey Results, 2015.Bethesda,MD:AssociationforFinancialProfessionals,availableathttp://ow.ly/MIraf.
2.SeeBrianKrebs,“$1.66MinLimboAfterFBISeizesFundsfromCyberheist,”Krebs on Security,September14,2014,availableathttp://krebsonsecurity.com/tag/luna-luna-llp/.Actually,$1.75millionintransfersweremade,andthebankwasabletorecover$89,651,leavinganetlossof$1.66million.Thebankiscurrentlyinlitigationwiththelawfirmoverresponsibilityforthelosses.Texas Brand Bank v. Luna & Luna, LLP(CaseNo.3:14-1134,N.D.Tex.2014),availableathttp://ow.ly/NTVqy.
3.SeeExperi-Metal, Inc. v. Comerica Bank,2011WL2433383(E.D.Mich.2011),availableathttp://ow.ly/MRdsC.Theinitialamountofunauthorizedwiretransferswas$1,901,269,butthebankwasabletoreversesomeofthetransfers.
4.FBI,FinancialServicesInformationSharingandAnalysisCenter,and
InternetCrimeComplaintCenter,“FraudAlertInvolvingUnauthorizedWireTransferstoChina,”April26,2011,availableatwww.ic3.gov/media/2011/chinawiretransferfraudalert.pdf.5.SuspiciousActivityReportsforaccounttakeoversarediscussedintheU.S.DepartmentoftheTreasury,FinancialCrimesEnforcementNetwork,“AccountTakeoverActivity,”AdvisoryFIN-2011-A016,December19,2011,availableathttp://ow.ly/MIyUU.AdditionalinformationontheincidenceofpaymentfraudisavailableonthewebsiteoftheAssociationforFinancialProfessionals,whichpublishesanannualsurveyofitsmembers,atwww.afponline.org/fraud/.
6.Forconsumerbankaccounts,theElectronicFundTransferAct(EFTA),asimplementedbyRegulationE,determineswhoisresponsibleforunauthorizedtransactions.See15U.S.C.1693g,availableathttp://ow.ly/MQDXX,and12CFR1005.6,availableathttp://ow.ly/MQE9N.
7.Article4AdoesnotapplytoanACHdebittransfer,whichisinitiatedbythepersonreceivingthetransferinsteadofthepersonsendingit.SeeOfficialComment4toUCCsection4A-104,availableathttp://ow.ly/MQG4s.ACHdebittransfersaregovernedbytherulesoftheNationalAutomatedClearingHouseAssociation.Keppler v. RBS Citizens N.A.,2014WL2892352(D.Mass.2014)(discussingdifferentrulesthatapplytoACHcredittransfersanddebittransfers).
8.GeoffreyFowlerandBenWorthen,“HackersShiftAttackstoSmallFirms,”Wall Street Journal,July21,2011.
9.AllenN.Berger,WilliamGoulding,andTaraRice,“DoSmallBusinessesStillPreferCommunityBanks?”BoardofGovernorsoftheFederalReserveSystem,InternationalFinanceDiscussionPapers1096,December2013,availableatwww.federalreserve.gov/pubs/ifdp/2013/1096/ifdp1096.pdf.
10.SymantecCorporation,Internet Security Threat Report 2014,vol.19,April2014,availableathttp://ow.ly/MRfQO.
11.TheserequirementsappearinUCCSection4A–202(c).
12.OfficialComment4toUCCSection4A-203.
13.UCCSection4A–202(c).
14.Decisionsoffederalappealscourtsarebindingonthefederalcourtsintheirjurisdiction.TheFirstCircuitencompassesMassachusetts,Maine,NewHampshire,RhodeIsland,andPuertoRico,whereastheEighthCircuitencompassesArkansas,Iowa,Minnesota,Missouri,Nebraska,NorthDakota,andSouthDakota.Forbanksoperatinginotherstates,thesedecisionsarepersuasivebutnotbindingauthority.
15.Patco Construction Co. v. People’s United Bank,684F.3d197(1stCir.2012),availableathttp://ow.ly/MQNCG.
16.FFIEC,“AuthenticationinanInternetBankingEnvironment,”2005,availableathttp://www.ffiec.gov/pdf/authentication_guidance.pdf.In2011,theFFIECpublishedsupplementalauthenticationguidancetoupdatethememberagencies’expectations“regardingcustomerauthentication,layeredsecurity,orothercontrolsintheincreasinglyhostileonlineenvironment.”
17.TracyKitten,“PATCOSettlement:WhatItMeans,”Bank Info Security,December24,2012,availableathttp://ow.ly/MQQ9U.
18.Choice Escrow & Land Title, LLC v. BancorpSouth Bank,754F.3d611(8thCir.2014).
19.FFIECguidance,p.4.
20.Section4A-202(c).
21.Section4A-203,Comment4.
22.Forotherexamplesofwaystomitigatecybersecurityrisk,seetheMarch12,2010,CyberSecurityAdvisory,“InformationandRecommendationsRegardingUnauthorizedWireTransfersRelatingtoCompromisedCyberNetworks,”oftheNationalCouncilofInformationSharingandAnalysisCentersathttp://ow.ly/NTVK8.Inaddition,theTexasBankersElectronicCrimesTaskForce,workingwithotheragencies,published“BestPractices:ReducingtheRisksofCorporateAccountTakeovers”in2011,whichisavailableathttp://ow.ly/NTVMw.
14 COMMUNITY BANKER UPDATE | OCTOBER 2015
September Survey Results at a Glance:• TheRuralMainstreetIndexsinksbelowgrowthneutralfor
September.• Farmlandpricesdeclineforthe22ndstraightmonth.• Farmequipmentsalesremainnearrecordlows.• BankCEOssupportremovingtheFarmCredit’staxexempt
statusanditsquasi-governmentpositiontolevelthefinancialplayingfieldforRuralMainstreetloans.
OMAHA,Neb.–TheCreightonUniversityHeiderCollegeofBusinessRuralMainstreetIndexforSeptemberfellfromAugust’sweakreading,accordingtothemonthlysurveyofbankCEOsinruralareasofa10-stateregiondependentonagricultureand/orenergy.
Overall:TheRuralMainstreetIndex(RMI),whichrangesbetween0and100,sankto49.0fromAugust’sgrowthneutral50.0.
“Thisisthesecondstraightmonththeoverallindexhasdeclinedreflectingweaknessstemmingfromloweragriculturalandenergycommodityprices,”saidErnieGoss,JackA.MacAllisterChairinRegionalEconomicsatCreightonUniversity’sHeiderCollegeofBusiness.
Farming and Ranching:ThefarmlandandranchlandpriceindexforSeptemberincreasedto35.5from32.7inAugust.“Thisisthe22ndstraightmonththeindexhasmovedbelowgrowthneutral.But,asinpreviousmonths,thereisagreatdealofvariationacrosstheregioninthedirectionandmagnitudeoffarmlandprices.Onanannualizedbasisfarmlandpricesaredecliningby6percentto7percent,”saidGoss.
TheSeptemberfarmequipment-salesindexwasunchangedfromAugust’sanemic14.2.“The2014and2015downturnsinfarmincomecontinuetoreducesalesandproductionofagricultureequipmentdealersandproducersacrosstheregion.BankersremainpessimisticabouttheshortandintermediateprospectsforagricultureequipmentdealersandproducersonRuralMainstreet,”saidGoss.
Banking:TheSeptemberloan-volumeindexdippedto72.0fromlastmonth’s73.0.Thechecking-depositindexdeclinedto54.2fromAugust’s55.0,whiletheindexforcertificatesofdepositandothersavingsinstrumentsadvancedto41.7from34.0inAugust.
“InprevioussurveysbankCEOshaveidentifiedFarmCreditastheirmajorfinancialcompetitor.Thismonthweaskedhowthiscompetitionwasmanifested.BankerssingledoutFarmCredit’s
quasi-governmentstatusandtheirtaxexemptstatusasthemostimportantcompetitiveissues,”saidGoss.
AccordingtoJeffreyGerhart,chairmanofBankofNewmanGrove,Nebraska,andformerchairmanoftheIndependentCommunityBankersofAmerica,“FarmCredithasbeenathorninoursidefordecades.Lowercostoffunds,lowercreditstandards,andquasi-governmentstatusgivethemanunfairadvantageoverthecommunitybank.”
Almosttwo-thirds,or65percent,ofbankersreportedthatFarmCredit’stax-exemptstatusproducedunfaircompetitionforagricultureloans.Another84percentindicatedthatFarmCredit’squasi-governmentstatusallowedthemtoborrowincreditmarketsatmuchlowerratesthancommercialbanks.
JimEckert,presidentofAnchorStateBankinAnchor,Illinois,said,“TheFarmCreditSystemhasgrownbeyonditsoriginalpurpose.It’stimefortheirtaxexemptstatustochange.Theyshouldpaytaxesjustlikecommunitybanksdo.”
Hiring:Despiteweakercroppricesandpullbacksfrombusinesseswithclosetiestoagricultureandenergy,RuralMainstreetbusinessescontinuetoaddworkerstotheirpayrolls.TheSeptemberhiringindexfelltoastillsolid54.3from63.3inAugust.“RuralMainstreetbusinessescontinuetohireadditionalworkers,butataslowerpace.Fromlastyearatthistime,annualizedjobgrowthwasdroppedfrom1.2percentto0.2percent,”saidGoss.
Confidence:Theconfidenceindex,whichreflectsexpectationsfortheeconomysixmonthsout,roseto43.8from42.0inAugust.“Declinesforagriculturalcommodityandenergypricespushedbankers’economicoutlookbelowgrowthneutralforthemonth,”saidGoss.
Home and Retail Sales:TheSeptemberhome-salesindexdeclinedtoa56.4from70.4inAugust.TheSeptemberretail-salesindexdecreasedto49.0from50.0lastmonth.“HomesalesonRuralMainstreethavebeenveryhealthyoverthelastseveralmonths.Ontheotherhand,Creighton’smonthlysurveyhasyettomeasureanyupturninretailsalesresultingfromthedownturninfuelprices,”saidGoss.Eachmonth,communitybankpresidentsandCEOsinnonurbanagriculturallyandenergy-dependentportionsofa10-statearea
(Rural Mainstreet continued on next page)
Main Street Economic Survey
C r e i g h t o nU N I V E R S I T Y
Rural Mainstreet Index Falls Below Growth Neutral for September:Agricultural Equipment Sales Near Record Low
Ernie Goss
COMMUNITY BANKER UPDATE | OCTOBER 2015 15
(Rural Mainstreet continued from previous page)
aresurveyedregardingcurrenteconomicconditionsintheircommunitiesandtheirprojectedeconomicoutlookssixmonthsdowntheroad.BankersfromColorado,Illinois,Iowa,Kansas,Minnesota,Missouri,Nebraska,NorthDakota,SouthDakotaandWyomingareincluded.ThesurveyissupportedbyagrantfromSecurityStateBankinAnsley,Neb.
Thissurveyrepresentsanearlysnapshotoftheeconomyofruralagriculturallyandenergy-dependentportionsofthenation.TheRuralMainstreetIndex(RMI)isauniqueindexcovering10regionalstates,focusingonapproximately200ruralcommunitieswithanaveragepopulationof1,300.Itgivesthemostcurrentreal-timeanalysisoftheruraleconomy.GossandBillMcQuillan,formerchairmanoftheIndependentCommunityBanksofAmerica,createdthemonthlyeconomicsurveyin2005.
Colorado:Colorado’sRuralMainstreetIndex(RMI)dippedto48.8from51.5inAugust.Thefarmlandandranchlandpriceindexexpandedto47.4fromAugust’s38.4.Colorado’shiringindexforSeptemberdeclinedtoastillhealthy60.1fromAugust’s65.5.
Illinois:TheSeptemberRMIforIllinoisdeclinedto49.0from50.0inAugust.Thefarmland-priceindexdroppedto28.8fromAugust’s29.5.Thestate’snew-hiringindexsankto53.3fromlastmonth’s62.0.
Iowa:TheSeptemberRMIforIowaimprovedto54.2fromAugust’s53.4.Iowa’sfarmland-priceindexforSeptemberroseto47.2fromAugust’s44.0.Iowa’snew-hiringindexforSeptemberdecreasedto60.0from67.8inAugust.
Kansas:TheKansasRMIforSeptemberslidto48.6fromAugust’s49.8.Thestate’sfarmland-priceindexforSeptemberslipped
to27.0fromAugust’s27.8.Thenew-hiringindexforthestatedeclinedto51.9from61.3inAugust.
Minnesota:TheSeptemberRMIforMinnesotaexpandedto49.2fromAugust’s48.4.Minnesota’sfarmland-priceindexslippedto33.0from33.7inAugust.Thenew-hiringindexforthestatedeclinedto54.6fromlastmonth’shealthy58.2.
Missouri:TheSeptemberRMIforMissouriimprovedto47.4from43.2inAugust.Thefarmland-priceindexgrewto30.9fromAugust’s29.5.Missouri’snew-hiringindexdecreasedto44.0fromAugust’s51.3.Nebraska:TheNebraskaRMIforSeptemberslumpedto47.3from48.4inAugust.Thestate’sfarmland-priceindexfellto18.7fromAugust’s19.6.Nebraska’snew-hiringindexslumpedto48.6from58.0inAugust.
North Dakota:TheNorthDakotaRMIforSeptemberdecreasedto40.8fromAugust’s47.1Thefarmland-priceindexfellto17.8from24.8inAugust.NorthDakota’snew-hiringindexdeclinedto44.2fromAugust’s60.1.
South Dakota:TheSeptemberRMIforSouthDakotaslippedto54.4fromAugust’s55.1.Thefarmland-priceindexroseto53.3from47.2inAugust.SouthDakota’snew-hiringindexfelltoastillstrong62.4from69.1inAugust.
Wyoming:TheSeptemberRMIforWyomingclimbedto50.4fromAugust’s49.2.TheSeptemberfarmlandandranchland-priceindexsankto30.8from47.2inAugust.Wyoming’snew-hiringindexdeclinedto53.4fromAugust’s60.9.
Table 1 summarizes survey findingsNext month’s survey results will be released on the third Thursday of the month, October 15.
NOTE: THERE IS NO RURAL MAINSTREET ECONOMY SURVEYPOLL FOR THE MONTH OF SEPTEMBER, 2015
Table 1: Rural Mainstreet Economy One Year Ago and Last Two Months: (index > 50 indicates expansion)
September 2014
August2015
September 2015
Area economic index 48.2 50.0 49.0
Loan volume 75.9 73.0 72.0Checking deposits 56.4 55.0 54.2
Certificates of deposit and savings instruments 42.8 34.0 41.7Farmland prices 33.7 32.7 35.5Farm equipment sales 17.6 14.2 14.2Home sales 57.3 70.4 56.4Hiring 56.5 63.3 54.3Retail business 49.9 50.0 49.0Confidence index (area economy six months out) 33.4 42.0 43.8
Follow Ernie Goss on Twitter: www.twitter.com/erniegossFor historical data and forecasts, visit: www2.creighton.edu/business/economicoutlook
16 COMMUNITY BANKER UPDATE | OCTOBER 2015
Weallknowitwillhappen,therealquestioniswhen?AstheFederalReservemonitorsunemploymentinflationandglobalmarketsclosely,
itiswidelyexpectedthatthefederal-fundsratewillbeincreasedinthelastquarterof2015.IthasbeenalmosttenyearssincetheFedraisedrates!TheFeddroppedratesfrom2006to2008andhasheldthemsteadyeversince.Anincreaseinthefederal-fundsratewouldsignaladramaticchangeandshouldcauseallfinancialinstitutionstoconsidertheimpactofarisingrateenvironmentontheirportfolio.Thiswilllikelycauseclientstoreassesstheirproducts,services,andrateswiththeirexistingFI.
Now is the time to:1. Quantifytheimpactofrisingratesonyourearnings–thruthe
useofanAssetLiabilityManagement(ALM)toolorservice.2. Devisecustomerfacingstrategiestoprotectprofitableclients
andprovidepricingguidance.
TodayI’llfocusonthecustomerfacingstrategies.
Background-Asratesrise,wewillfeelpressuretopayhigherratestodepositorsandseektogainhigherratesfromloanclients.Ourexistingportfoliooffixedrateinstruments(fixedrateloans,CDsandvariablerateloanswith“inthemoney”floors)willnotimmediatelychange.TheserisingrateswilllikelycauseanFI’sinterestexpensetorisemorequicklythantheirinterestincome,therebycausingsomemargincompression.Sincemarginhashistoricallyrepresented60-65%ofanFI’srevenue,thismargincompressionshouldbeofparamountconcern.(See below)
Inlookingatmargintrendsthisreturntowardmorenormalloantodepositspreadsshouldn’tbeasurprise.
In2007,ourloantodepositspreadwas265bp(7.07%-4.42%).ItthengrewdramaticallyduringthefinancialdownturnasdepositsmovedtoFIsandthefedpushedrateslower.Theresultwasahealthyloantodepositmarginof420–480bpfrom2009to2015.Thisadditional200bpofspreadforthebankingindustryhasbeenworthover$300millioninadditionalmarginannually,butitislikelytodeclineasratesrise.
Asweseerisinginterestrates,thekeyclientfacingquestionsbecome:
1. Howdowe“protect”ourmostprofitablerelationships?2. Howdowepricetransactionscompetitivelyand
aggressivelytowinprofitablebusiness?
How do we “protect” our most profitable relationships?Toprotecttheserelationshipsthefirstthingwemustdoisunderstandwhotheseclientsare.InmostFIs,weseethattheprofitablerelationshipsareconcentratedinthetop20%ofclients.Asillustratedbelow,thetop10%ofclientsdeliveranaverageprofitof$4,623!These“protect”clientstendtohavelargerbalances,payhigherfees,andhavehigherspreadsthanotherclients.
Wemustidentifytheseclientsandbuildstrategiestomakesuretheyneverleave.Severaltacticsaroundprotectingtheseclientsinclude:•Segmenttheseclientsintovariousprofittiers(orranks)•Buildaseriesof“benefits”associatedwitheachrank•FeedtheseranksintoyourcoreandCRMsolutions•Trainyouremployeesonhowtoextendthesebenefitstokeyclients
How do we price transactions competitively and aggressively to win profitable business?Whenpricingnewbusinesswemustfocusontheproposedtransactionandensurethatwearecompetitiveenoughtowinthebusinesswhilealsomaintaininganadequatereturn.
Competitionistightbutwemustavoid“blindlymatchingourcompetitors”oneverytransaction.Thiswouldcreatea“racetothebottom”withtheclientsbenefittingattheFIscost.
Wemustestablishtargetedreturnsandprovidethelenderstoolsandeducationtoeffectivelycompete.Alendermusthaveatoolthatallowsthemtoquicklyenterinparametersofthetransactionandgeneratevariousalternativescenarioswithcomparablereturns.
(Maintaining Net Interest Margin continued on page 18)
Written By: Brad DahlmanProduct Manager - ProfitStars
Maintaining Net Interest Margin InA Rising Interest Rate Environment
Source:FDIC
REVENUE SOURCES
Source:FDIC
DEPOSIT TO LOAN SPREADS
COMMUNITY BANKER UPDATE | OCTOBER 2015 17
NewsfromCBIAffiliate&AssociateMembers
TheCommunityBankersofIowa’sLeadersofTomorrow(LOT)programisholdingtheirQuarterlyMeetingonNovember19attheHiltonGardenInninJohnston.Markyourcalendarstodayandplanonsendingtheup-and-comingleadersin
yourbanktothiseducational,networkingevent.
GuestspeakersincludeIowaSenatorMattMcCoywhowillupdateLOTmembersondevelopmentsonIowa’sCapitolHill.AlsoappearingtodiscusstheirrecentissueswithbankfraudarePresidentKrisAusbornandExecutiveVicePresidentRickBrennanfromIowaTrust&SavingsBankinEmmetsburg.
Visitcbiaonline.org/lot-quarterly-meetings.htmltofinddetailsonNovember’sQuarterlyMeeting.IfyouareinterestedinbecomingaLOTmemberandformoreinformation,contactusat515.453.1495orvisitourwebsiteatcbiaonline.org.
TheLeadersofTomorrowisaprogramcreatedbyCBItoenhancethegrowth,leadership,andnetworkingskillsoffuturebankingleaders.LOTestablishesanetworkofleaderswhoserveandstrengthentheircommunitiesandadvocateforthecommunitybankingindustry.
The Leaders of Tomorrow Group’s Next Quarterly Meeting Is Nov. 19
CBIEndorsedmemberICBASecurities/ViningSparksisholdingtheirBondAcademyNov.8-10atThePeabodyHotelinMemphis,TN.TheICBABondAcademyisdesignedtoprovidecommunitybankerswiththeknowledgeneededtoplanandmanageeffectivecommunitybankportfolios.Theupdatedcurriculumhasbeenspecificallydesignedtoequipaportfoliomanagertodealwithcurrentportfoliomanagementissues.
Who Should AttendCommunitybankCEOs,CFOs,investmentofficers,andheirsapparent/risingsuccessorsICBABondAcademyalumniwillfindthistobenewinformation.
Visithttp://icbasecurities.sitewrench.com/2015bondacademyformoreinformationandtoregister,orcontact(800)422-6442withquestions.
Iowa Land RecordsElectronic Filing Seminar Series
CBIAffiliateMemberIowaLandRecordsisholdingaseriesofin-personseminarsthatcoverhowtoelectronicallyfiledocumentsthroughtheIowaLandRecordssystem.Theone-hourprogramsincludebasicelectronicfilingskillsandwillexplainhowtosubmitelectronicdocumentstoIowaCountyRecorders.
Thesequick-pacedseminarswillshowyouhowtoelectronicallyfiledocumentsstepbystep,includinghowto:AccesstheSecureIowaLandRecordsE-SubmissionWebSite,CreateDocumentGroups,Scan,AttachandSubmitDocumentImagestoCountyRecorders,TrackStatusofSubmittedDocuments,CorrectSubmissionErrors,PayRecordingFeesElectronically,andmore.
Thereisnocosttoattend!RSVPbycalling888.790.2246orsendane-mailtosupport@clris.com.
Upcoming Seminar Dates:
October 15 • 10am - Johnston, IowaPublicLibrary–LargeMeetingRoom(6700MerleHayRoad)
October 21 • 10am - Mason City, IowaCerroGordoCountyCourthouse(220NorthWashington)
October 22 • 10am - Eldora, IowaHardinCountyEngineersOffice(70816thSt.)
October 27 • 10am - Ames, IowaPublicLibrary-Auditorium(515DouglasAve.)
November 4 • 10am - Sioux City, IowaPublicLibrary-GlessonRoom(529PierceSt.)
November 5 • 10am - Council Bluffs, IowaPublicLibrary-RoomA(400WillowAve.)
ICBA Securities/Vining SparksBond Academy Nov. 8-10
CBIAssociateMemberUnitedBankers’Bankiscelebratingtheir40thyearwithaGrandEvent,October22nd&23rdattheWestin
HotelinEdina,Minnesota.FeaturedspeakersincludeGeneralBarryMcCaffrey,USA(Ret.)andMikeAbrashof.
FormoreinformationcontactUBB’sMarketingCoordinatorCaitieWeldingatCaitie.Welding@ubb.comor952-886-9588.
UBB Holding 40th Anniversary“Grand Event” Celebration
18 COMMUNITY BANKER UPDATE | OCTOBER 2015
Data BusinessEquipment
Welcome NewCBI Member!
The Community Bankers of Iowawould like to welcome the following
company to the association, and thank them for their support:
(Maintaining Net Interest Margin continued from page 16)
FIsthatoffertheirclients’optionswinmorebusiness.Clientslikechoices:fixed,variable,adjustable,lowerrates/highfees,floors,etc.Theoptionsputtheclientinthedriver’sseatbutalsoensuretheFIsreturnsareadequate.
Pricingisverycomplexwithbalance,creditrisk,terms,floors/ceilings,andcompensatingbalanceallplayingafactorintohowatransactionshouldbepriced.
Conclusion:Withratesrisingandriskofmargincompressionsquarelyinfrontofus,wemustmakesureourfront-linestaffhasthetoolsnecessarytoidentifyandprotectprofitablerelationshipsandeffectivelypricenewtransactions.
Call SHAZAM today.
Delivering Unlimited Possibilities
855-314-1212 | shazam.net | @SHAZAMNetwork
We believe community financial institutions must stay in control of their
future. Since 1976, we’ve been providing community financial institutions
with choice and innovation to compete in the market. From debit cards
to core processing to marketing services and more, we deliver.
SHAZAM is a financial services company offering you choice and flexibility to use the products and services that meet YOUR needs.
MET