Community Banker Update - October 2015

Fall CommunityBank Summits

Pg. 4

OFF

ICIA

L P

UB

LIC

ATI

ON

OF

THE

CO

MM

UN

ITY

BA

NK

ERS

OF

IOW

AO

CTO

BER

201

5

Managing the Risk of

Unauthorized PaymentsPgs. 10-13

CBI Summer Intern Scholarship ProgramPg. 5

Banking on the Future In Emmetsburg

Regulatory IT ExamPgs. 6-7

5 Steps to Passing Your Next

Join a CBI CommitteePg. 8

Get Involved In YOUR Association Maintaining Net Interest MarginIn A Rising Rate Environment

Pg. 16

M&A EconomicsPg. 9

2 COMMUNITY BANKER UPDATE | OCTOBER 2015

Want To AttendA Webinar?

View a complete calendar andregister for CBI-sponsored webinarsand events at www.cbiaonline.org

or Call Us at 515.453.1495for more information.

Member FDIC Member Federal Reserve SystemOne Source. One Call.

SUPPORTING BANKSIT’S WHAT WE DO.

Your Bankers’ Bank mibanc.com

888-818-7200

Matt [email protected]

Doug [email protected]

Stacy [email protected]

Contact your relationship manager Stacy Snyder

or a MIB team member.

OCTOBER 2015 WEBINAR LINE-UP

Oct. 2 ProperRepossession,Notice&SaleofNon-RealEstateCollateralOct. 6 RegulationERequirementsforDebitCardErrorResolution:Processing, Disclosure&InvestigationOct. 7 MortgageLoanOrigination&Servicing:Issues,FAQs&LessonsLearnedOct. 8 Powers-of-Attorney&LivingTrustDocuments:GuidelinesforDeposit Accounts&LoansOct. 9 TheNewFloodRules,IncludingtheMandatoryEscrowRuleEff.Jan.1,2016Oct. 14 BSAComplianceSeries:Identifying,Reporting&MonitoringSuspicious ActivityOct. 15 NewSecurityOfficerTraining:Responsibilities,BestPractices& Skill-BuildingToolsOct. 20 NewAccountsSeries:OpeningAccountsforMinors:Ownership,Access& TransactionsOct. 21 AccountingDevelopmentsUpdate:RecentIssues&What’sontheHorizonOct. 22 AdvancedACHSpecialistSeries:Understanding&NavigatingACHRules forODFIsOct. 27 EmergingLeaderSeries:KeyLeadershipStrategiesforGrowth,Profitability &RetentionOct. 28 NetworkSecurity101:AComprehensiveOverviewOct. 29 MaintainingCompliantFDICRecords,IncludingRelatedEmail&Social MediaRetentionRules

COMMUNITY BANKER UPDATE | OCTOBER 2015 3

In This Issue

October2015WebinarLineup............................. 2

FallCommunityBankSummits............................ 4

BankingOnTheFutureInEmmetsburg:SummerInternScholarshipProgram.................. 5

PassingYourRegulatoryITExam......................6-7

JoinACBICommittee............................................ 8

M&AEconomics.................................................... 9

ManagingtheRiskofUnauthorizedPaymentsFromBusinessBankAccounts.....................10-13

RuralMainstreetSurvey...............................14-15

MaintainingNetInterestMarginInaRisingRateEnvironment.............................16

CBIMemberNews...............................................17

Community Bankers of Iowa1603 22nd St, Suite 102

West Des Moines, Iowa 50266Phone: [email protected]

EVENTS CALENDARCommunity Banking SummitsCarroll.........................................Oct. 13Johnston.....................................Oct. 14Algona.........................................Oct. 15

Building America Summit........Oct. 14

LOT Quarterly Meeting.............Nov. 19

Bank Architecture

& ConstructionPre-design

Master PlanningSite Development

ArchitectureProject Management

ConstructionPost-project SupportSecurity & Signage

TrustPersonalityExperienceIntegrityTeamwork

Steph Weiand (L) Suzanne Meyers (C) Jim Christensen (R)

112 W. Park Lane, Waterloo319-232-6554

Partner with us.Our correspondent bankers will get you clear answers and fast decisions. As your partner, we will help you enhance your customer relationships. As your bank grows, we’ll help you meet your needs.

Together,let’s make it happen.

bellbanks.com

Call me at 605.201.1864

Member FDIC

1090

7

Commercial and ag participation loans | Bank stock & ownership loans | Bank building financing | Business & personal loans for bankers

10907 CORR AD Community Bankers of Iowa.indd 1 9/15/15 11:03 AM


Dan Gable, Olympic Wrestler & Coach

Bill Northey, Iowa Sec’y of Agriculture

Lisa Shimkat, Iowa Director, Small Business Development Center

Guest Speakers:

CBIinvitesIowa’scommunitybankerstotheFallCommunityBankSummits.Eachmeetingbeginsat3:00pm,withadinnerreceptionanddoorprizegiveawaytofollow.Attendtheseafternooneventsandbuildrelationshipswithyourpeerswhilegainingvaluableeducation.

AppearingateachSummitwillbelegendarywrestlerDan Gable,1972OlympicGoldMedalistandmultiple-timechampionandcoachatthestate,nationalandworldlevels.AstheFallSummitKeynoteSpeaker,Gablewillprovideinspirationandadviceonteambuilding,motivation,andovercomingadversity.

GuestSpeakersincludeBill Northey, IowaSecretaryofAgriculture,presentinganAg EconomyupdateattheCarrollandJohnstonmeetings,andLisa Shimkat,IowaDirectoroftheSmallBusinessDevelopmentCenter,who’lleducateattendeesonRural Economic DevelopmentattheAlgonameeting.

REGISTERTODAY;thefeeforeachSummitisonly $35 for bankers,and$50forCBIEndorsed/Associate/Affiliatemembers!Visitcbiaonline.orgtoregisterortoviewtheEventBrochure.Stillhavequestions?Callusat515.453.1495orcontactJackie [email protected].

Tuesday, Oct. 13 - CarrollSanta Maria Winery

Wednesday, Oct. 14 - JohnstonHilton Garden Inn

Thursday, Oct. 15 - AlgonaAlgona Country Club

Speaker Sponsor

Platinum Sponsors

Gold Sponsors

Thank You To The FollowingSponsors:

Silver Sponsors - Johnston

Silver Sponsor - Algona

Register Now for the FallCommunity Bank Summits

All meetings: 3:00 - 5:30 pm • Dinner reception & prize giveaway to follow

Attending Our Fall Community Banking Summit in Johnston on Oct. 14?Head to Des Moines first and attend the Building America Summit!

Co-Sponsored byCommunity Bankers of Iowa

JoinIowaFinanceAuthority,NationalAssociationofLocalHousingandFinanceAgenciesandahostofotherleadingstateandnationalorganizationsforafirst-of-its-kindbipartisannationalsummitonhousingpolicy.

Attending the discussion:•2016presidentialcandidates (invited)•leadingfederalhousingofficials•nationalhousingindustryofficials•stateagencydirectorsandstaff

Oct. 14-15Wed. Oct. 14, 12:00p -3:00pThurs. Oct. 15, 8:30a -3:00pIowa Events Center, Des Moines

Attendance is FREEfor CBI Members! Visit cbiaonline.org/building-america-summit.html

for more information and to register.If you would like to submit questions for the presidential candidates to be asked, email them to Jackie Haley at [email protected].


Banking on the Future in EmmetsburgCBI’s Summer Intern Scholarship Program Launch A Success

InAprilCBIannouncedthelaunchoftheSummerInternScholarshipProgram.FundedentirelybytheCBIEducationFoundation,thepurposeoftheprogramistoencouragecollegeSophomoresandJuniorsinthefinance,accounting,business,agribusiness,marketing,andmanagementdisciplinestofindsummerpositionsincommunitybanksinIowa.Studentsareawardeda$1,000scholarshipuponcompletionoftheprogram.

TiffanyWagner,afinancemajorfromPocahontas,Iowaisthefirststudenttocompletetheprogram.Tiffany’sinternshipwasatIowaTrust&SavingsBank(ITSB)inEmmetsburg.MembersofthestaffrecommendedTiffanyafterlearningthatshewasinterestedininterningwithanIowabank.BeginninginMayandcompletingtheintershipinlateAugust,Tiffanyworkedineverydepartmentofthebankaspartoftheprogramcurriculumrequirements.SheshadowedbankstaffintheOperations,Drive-Up,Compliance,LoanSupport,NewAccounts,andLendingareas.

CBIinterviewedITSBExecutiveVicePresidentRickBrennanontheirsuccesseswiththeprogram.BrennanreportedthatTiffanywasinstrumentalinaprojectinvolvingabstracts,aswellasseveralotherprojectsintheMarketingandLendingdepartments.Tiffanyalsoworkedwiththebank’sCommercialLendingdepartmentandwasexposedtocallingprogramswithotherbanksthattheyworkwith.Thestaffconsideredhertobehardworking,intelligent,andwillingtoaskquestionsaboutwhytheyapproachvariousdepartmentprojectstheywaytheydo.

BrennanwentontosaythatTiffanywasanoutstandingintern,

helpfulintheaccomplishmentofseveralbankprojectsoverthesummer.WhenaskedabouttheusefulnessofCBI’sSummerInternprogram,hehadthistosay:

“It was a great opportunity to build a program to train interns, and it helped our bank to develop better methods to train new employees. Tiffany was great to work with--the staff enjoyed her approach and she was a hard worker. She is very deserving of the CBI Summer Intern Scholarship, and we’d be glad to do it again.”

TheCBIEducationFoundationisgovernedbytheCouncilofPresidents,formerpresidentsofCBI.AnIRS-approved501(c)(3)organization,contributionsmadebybothpersonalandcorporatedonorsaretaxdeductibletothefullestextentofthelaw.Contributionsofanysizeareacceptedandencouraged.Variouslevelsofrecognitionhavealsobeenestablishedtospotlightthosewhodemonstrateenhancedsupport.

FormoreinformationabouttheCBIEducationFoundationandtolearnhowyoucanparticipate,visitourwebsiteatcbiaonline.orgorcontactDonHoleat515.453.1495ordhole@cbiaonline.org.

Finance major Tiffany Wagner completed the CBI Summer

Intern Scholarship Program at Iowa Trust & Savings Bank in

Emmetsburg.


FollowingthepilotcybersecurityexamsconductedlastsummerbytheFederalFinancialInstitutionsExaminationCouncil(FFIEC),many

banksaren’tsurewhattoexpectattheirnextITexam—ifthat’sindeedwherecybersecuritywillbeaddressed—andfeartheworst.

But,ratherthanbeparalyzedbyfear,addressthekeyareasonwhichfederalregulatorsmostlikelywillfocusatexamtimebyfollowingthesefivesteps:

Step 1: Know Your Cybersecurity Risk Profile and Maturity LevelWhat to Expect:Regulatoryexaminerswillnowexpectbankstohaveamuchbetterunderstandingoftheircybersecurityriskprofileandmaturitylevel.

How to Prepare:ThekeytogainingthatunderstandingandprovingitatexamtimeistheFFIEC’srecentlypublishedCybersecurityAssessmentTool*.It’ssurprisinglywellorganized,easytouseandcomprehensive.So,usingeithertheFFIEC’sassessmentoracomparabletool,completethesetasks:

Determine Your Inherent Risk ProfileTheassessmenthelpsyourbankidentifyitsinherentrisksinthefollowingkeyareasandratethemaccordingly:•TechnologiesandConnectionTypes•DeliveryChannels•Online/MobileProductsandTechnologyServices•OrganizationalCharacteristics•ExternalThreats

Determine Your Cybersecurity MaturityThisportionoftheassessmentgaugeswhetheryourbank’sbehaviors,practicesandprocessesadequatelysupportyourcybersecuritypreparedness.Itcoversthefollowingdomains,towhichyourbankassignsamaturitylevelbasedonfindings:•CyberRiskManagementandOversight•ThreatIntelligenceandCollaboration•CybersecurityControls•ExternalDependencyManagement•CyberIncidentManagementandResilience

Step 2: Limit Your Exposure What to Expect:AfterStep1,youshouldhaveaclearsenseofwhereyourbankisexposed—andyoumustacttolimitthatexposure.

How to Prepare:Thisprocesscantaketwoforms,dependingontheareaofexposure:

Reduce the Level of Risk in Exposed AreasForexample,ifyourbankhastoomanyunnecessaryInternet-

facingservers,reducingthatnumbercansignificantlyloweritsriskofabreachthroughthoseservers.

Increase the Maturity Level in Exposed AreasReducingriskmaynotalwaysbefeasible.Forinstance,limitingcustomers’mobilechanneloptionsmayreducethebank’shackingrisk,butitalsowouldupsetcustomers,exchangingonerisk(breach)foranother(lostcustomers).So,increasethecybersecuritymaturitylevelinthatarea.

Step 3: Include Cybersecurity in Your BCP and Incident Response PlanWhat to Expect:FollowingthepublicationofAppendixJ**oftheFFIEC’sBusinessContinuityPlanningBooklet,regulatoryexaminerswillexpectBusinessContinuityPrograms(BCP),includingIncidentResponsePlans,tobeupdatedwithcybersecurityreferences.

AppendixJoutlinesspecificcyberriskstoconsider:1. Sophisticatedmalwarefocusedondatacorruptionand

unauthorizedfinancialtransactions2. Insiderthreatsfromdisgruntledemployeesormolesplanted

bycybercriminals3. Dataorsystemscorruptionduetoacyberattack4. Disruptionofcommunicationscapabilitiesandinfrastructure

duetoacyberattack5. Simultaneouscyberattacksonfinancialinstitutionsandtheir

TSPs

How to Prepare:Gothroughyourbank’sBCPdocumentationandensurecybersecurityisadequatelyaddressedandspecificallywrittenintotheprogram.

Step 4: Evaluate Your Vendors’ Cybersecurity Risk ProfilesWhat to Expect:AppendixJremindsbanksthattheyareultimatelyresponsibleforthesafetyandsoundnessofactivitiesoutsourcedtoTSPs,soconductathoroughexaminationofallvendors,particularlythoseinvolvedinthemostcriticaloperations.

How to Prepare:Startingwithyourmostcriticalvendors,assessthefollowingareasbasedonAppendixJ:

• Third-Party Management:Isthevendor’sriskfullyidentifiedandadequatelycontrolled?

• Third-Party Capacity:Isthevendorcapableofrestoringservicetoallclients?

• Third-Party Testing:Hasthevendor’sBCPbeenvalidatedthroughadequatetesting?

Step 5: Educate and Involve Senior Management and the BoardWhat to Expect:Bankexaminersexpecttoseeactiveinvolvement

(Passing Your Regulatory IT Exam continued on next page)

Written By: Steve SandersVP - Internal Audit, CSI Regulatory Compliance

5 Steps to Passing YourNext Regulatory IT Exam


(Passing Your Regulatory IT Exam continued from previous page)

byseniormanagementandtheboardofdirectorsinallmatters,includingcybersecurity.

How to Prepare:SeniorleadershipneedstodomorethanrubberstampIT,InformationSecurityandBCPprogramseachyear.Theirinvolvementneedstobefeltthroughouttheenterprise.Tobegin,takethesesteps:•Routinelypresentcybersecurityupdatesatboardmeetings.•Encourageseniorleadershiptoroutinelyexpresstheimportanceofcybersecurityresiliencetoemployees.

•Ensureboardmeetingminutesreflectallcybersecuritydiscussionsandactions,andkeeparecordtoshareatexams.

Expect a Better Outcome at Exam Time by Preparing for It Examinerexpectationsregardingcybersecurityaregrowing,butcompletingtheabovestepswillprepareyourbankandensureitisspeakingthesamecybersecuritylanguageasexaminers,whichishalfthebattle.

Steve Sanders, CSI’s vice president of Internal Audit, oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. For more information about CBI Endorsed Member Computer Services, Inc., visit csiweb.com.

*Get FFIEC’s Cybersecurity Assessment Tool atwww.ffiec.gov/cyberassessmenttool.htm

**Read Appendix J at www.ffiec.gov/press/pr020615.htm

IowaTIB Ad1/2 pg.April 2015


CommunitybankerscanmakeadifferenceintheirassociationandtheirindustrybyparticipatinginaCBIcommittee.CommunityBankersofIowacommitteesallowmemberstheopportunitytoguidethedirectionofCBIonlegislativeaffairs,education,theconvention,andmore.CBIcommitteeswillalsoprovideyouwithinformationandeducationonthelatestindustryissues;includingcompliance,lending,andeconomicdevelopment.Considervolunteeringforone(ormultiple)ofthefollowingcommitteesandmakearealdifferenceinYOURassociation:

Annual Management Conference CommitteeAnnually,theCommunityBankersofIowa’sManagementConferenceattractshundredsofbankersandthoseaffiliatedwiththeindustryfromacrossIowaandthenation;jointheAnnualManagementConferenceCommitteeandbeapartoftheteamcoordinatingtheassociation’slargestevent.MembersoftheAnnualManagementandConferenceCommitteeselectgeneralsessionspeakers,breakoutsessiontopics,assistinplanningalleventactivities,andareintegralindevelopingeachConference.

TheAnnualManagementConferenceCommitteemeetsquarterlyandviateleconferenceonanasneededbasis.CBI’sstaffliaisonfortheAnnualManagementConferenceCommitteeisDonHole.Ifyouareinterestedinjoiningorwantadditionalinformation,[email protected].

Economic Development CommitteeThiscommitteediscussestheneedsandissuesrelatingtoeconomicdevelopmentformainstreetIowa.Committeememberswilldevelopastructureofresourcestohelpcommunitybanksimproveandsupporteconomicdevelopmentintheircommunities.Legislationinvolvingeconomicdevelopmentonthestateandfederallevelswillalsobeaddressedbythiscommittee.

TheEconomicDevelopmentCommitteewillmeetinpersontwiceayearandviateleconferenceonanasneededbasis.CBI’sstaffliaisonsforthiscommitteeareDonHoleandJackieHaley.Ifyouareinterestedinjoiningorwantadditionalinformation,[email protected]@cbiaonline.org.

Education and Compliance CommitteeAsamemberofthiscommitteeyouwilldirectandapprovetheeducationalofferingsoftheassociationthatwillmeettheneedsofcommunitybankers.Committeememberswillalsodetermineseminartopicsandassistwithselectingspeakers.Complianceproductsandprogramswillalsobereviewedbythiscommittee.

TheEducationandComplianceCommitteewillmeetquarterly.CBI’sstaffliaisonforthiscommitteeisPrettyPatel.IfyouareinterestedinjoiningorwantadditionalinformationontheEducationandComplianceCommittee,[email protected].

Legislative CommitteeThroughastrategicplanningprocesswithCBI’slobbyist,theLegislativeCommitteewillguideanddeterminetheassociation’slegislativeagenda.ReviewandapprovePACcontributions.Committeemembersalsoprovidelobbyingsupportwhenneededduringthelegislativesession,andtheyarevitaltoCBI’sgrassrootsadvocacyefforts.

TheLegislativeCommitteemeetstwiceayearandasneededduringthelegislativesession.CBI’sstaffliaisonisDonHole.Ifyouareinterestedinjoiningthiscommitteeorwantadditionalinformation,[email protected].

Membership and Marketing CommitteeTheMembershipandMarketingCommitteereviewsproductsandservicesthatCBSIisconsideringforendorsement.Committeemembersalsorecommendproducts,companies,andservices.DiscussthestrengthsandweaknessesofCBImembership,identifytheneedsofmembers,andhelpestablishthenecessarybenefits.Membersareadvocatesfortheassociation,andhelpcreateastrongerandunifiedvoicefortheCommunityBankersofIowa.

TheMembershipandMarketingCommitteehastwomeetingsperyear.Twoconferencecallsarealsoscheduledthroughouttheyear.CBI’sstaffliaisontotheMembershipandMarketingCommitteeisJackieHaley.Ifyouareinterestedinjoiningthecommitteeorwantadditionalinformation,[email protected].

Networking and Events CommitteeMembersoftheNetworkingandEventsCommitteeguidetheimplementationofallCBIevents–golfoutings,StateFairConference,andSummits.Reviewcurrentofferingsanddetermineifnewopportunitiesneedtobecreatedand/oreventsneedtoberestructured.

Committeememberswillmeetquarterly.CBI’sstaffliaisonfortheNetworkingandEventsCommitteeisJackieHaley.Ifyouareinterestedinjoiningthecommitteeorwantadditionalinformation,[email protected].

CBIcommitteesareopentoallmembers.CommitteesareanopportunitytonetworkwithyourpeerswhilemakinganimpactinYOURassociation.Ifyouhavequestionsaboutaspecificcommittee,pleasecontactthestaffliaisonorcalltheofficeat515.453.1495.

Make a Difference in YOUR AssociationVolunteer for a Community Bankers of Iowa Committee

JOIN NOW ONLINE!Get more information and sign up to joinCBI Committees by visiting our website at

www.cbiaonline.org/committees.html


AlthoughbankM&Adealsareessentiallyflatversuslastyear,iftherewereametricthatmeasuredtheamountofM&Achatterinthemarket,itwouldlikelybeatanall-timehigh.Ourclientsarelookingatmoredealsatamorerapidpacethaneverbefore,andthat

trendwillonlyincreaseasthebusinesscyclechanges.

Butthenwhyaren’tmoredealsgettingdone?Theshortanswerisbecausetoolargeaspreadstillexistsbetweenthe“bid”andthe“ask.”

Onthe“ask”front,manyinvestmentbankersarecreatingunreasonableexpectationsintheboardroomwithrespecttothepricingandvaluationasellingbankcouldfetchinthemarket.Asfarasthe“bid”sidegoes,buyersareperhapsoverlyfocusedondilutiontotangiblebookvalueandthecorrespondingpaybackperiod.Buyersareessentiallystrugglingwithweighingtheboosttoearningsfromadealagainstthedilutiontotangiblebookvalueandhowlongittakestorecoupthedilution.Communitybankstendtoshyawayfromadealifthepaybackperiodislongerthanfouryears.

However,thebetterwaytothinkaboutM&Aisfromarisk/rewardperspective.Theanalysesthatbuyersshouldfocusonshouldbeguidedbythefollowingquestions:

•Howmuchcapitalarewedeployingbasedontheriskprofileofthetargetandthestructureofthetransaction?

•Whatisthereturnoncapitalwearegettingasmeasuredbyincreasedearnings?

•HowdoesthatROIcomparetootherviablealternativessuchasorganicgrowth?

•Whatisthetimevalueofmoneyrelativetoorganicgrowth,whichisamuchslowerandfranklymoreuncertainprocess?

Banksarmedwiththenecessaryarrayofanalyticaltoolsshouldbeabletoquantifytheanswerstothesequestionsveryquicklywhenassessingagivendeal.Absentachangeineconomicconditionsandthelowinterestrateenvironment,M&Abecomesaveryattractivewaytodeploycapital,perhapsbydefault.Thisisbecausetherisk/rewardcharacteristicofmakingnewloansinthisenvironmentcontinuestorapidlyerode.Banksthatanalyzeagivendealinavacuumandareunabletoquantifythereturnoncapitalofpursuingorganicgrowthorotherstrategicactions(includingreturningcapitaltoshareholders)willfallintothetrapofoverlyfocusingonTBVdilutionanditscorrespondingpaybackperiod.

Insummary,buyerstendtofocustoomuchonTBVdilutionandthepay-backperiodforthedilution.Instead,theemphasisshouldbeonreturnoncapital.However,inordertomeasurecapitalandthereturnoncapitalproperly,forward-lookinganalyticaltoolsarerequired.

Managementteamswillneedtobeabletoeducatetheirboardsandshareholdersonthiscriticaldistinction.ThosewhoareabletodosowillfindthemselveswithamassivecompetitiveedgeintheM&Amarket.

Adam Mustafa is Co-Founder and Managing Partner at Invictus Consulting Group. For more information on CBI Affiliate Member Invictus Consulting, visit invictusgrp.com.

Navigating the Trade-off betweenEPS Accretion and TBV Dilution

M&A Economics:

Written By: Adam MustafaManaging Partner & Co-Founder - Invictus Consulting Group

Certified Community Banking

Security Professional™

Onsite Training

The onsite CCBSP™ is a management-level cyber security program designed to:

n Enhance your skill set and knowledge base in cyber security n Provide a framework for an entire information security program n Demonstrate how to manage each component of the information security program to ensure successful implementation

Who should attend? ISO, Auditor, IT Manager, Compliance Officer, Security Officer, Operations Officer

Date: November 17-18Location: Prairie Meadows - Altoona, IARegister: http://iowa.protectmybank.com


Unauthorizedelectronicpaymentsfrombusinessbankaccountsareagrowingconcernforbanks,businesses,andthegeneralpublic.Criminalsareusingavarietyoftechniques,suchasphishinge-mailsandmalware,totakecontrolofbusinessaccountstoinitiatepaymentstoanaccompliceoraforeignaccount.Accordingtothe2015surveyoftheAssociationforFinancialProfessionals,27percentofrespondentorganizationswereaffectedbywiretransferfraud(anearly100percentincreasefromthe2014survey),and10percentwereaffectedbyautomatedclearinghouse(ACH)creditfraud(fraudinvolvinganACHpaymentorderinitiatedbythepersonsendingthepayment).1

Forexample,inJune2012,alawfirmwitharealestateescrowaccounthaditscomputersystemcompromisedanditsbankingcredentialsstolen,whichresultedin$1.66millioninunauthorizedwiretransfers.2Similarly,in2009,aMichigancorporationwassubjecttoaphishingschemethatresultedin$560,000inunauthorizedwiretransfersfromitsbankaccount.3AndinApril2011,theFederalBureauofInvestigation(FBI)issuedanalertaboutthegrowingnumberofunauthorizedwiretransferstoChina,inwhichsmallandmedium-sizedbusinessessufferedtotallossesof$11millionin20separateincidents.4ThisproblemisalsoreflectedintheincreasednumberofSuspiciousActivityReportsfiledbyfinancialinstitutionsfor“accounttakeovers,”inwhichanunauthorizedpersontakescontrolofacustomer’saccount.5

Theseheadlinesunderminethepublic’sconfidenceinthepaymentsystem.Theyalsoraiseacriticalquestionforbanksandtheirbusiness6customers:Whenfundsarestolenfromabankaccountofabusinesscustomerthroughanunauthorizedpaymentorder,whobearstheloss?ForunauthorizedwiretransfersandACHcredittransfers,Article4AoftheUniformCommercialCode(UCC)providesthelegalframeworkfordeterminingwhoisresponsibleforanyresultinglosses.7ThisarticleexaminestherelevantprovisionsofArticle4A,reviewstworecentfederalappealscourtdecisionsinterpretingtheseprovisionsinthecontextoffundsstolenthroughunauthorizedwiretransfersandACHcredittransfers,anddiscussessoundpracticestomitigatethisriskinlightoftheUCC’srequirementsandthesecourtcases.

Impact on Community BanksAccounttakeoversareanimportantissueforcommunitybanksbecausecriminalsareincreasinglytargetingsmallandmid-sizedcompanies,whicharebelievedtohaveless-sophisticatedsecuritysystemsthanlargercompanies.8Thesecompanies,inturn,oftenbankwithcommunitybanks.9AccordingtoSymantec,thesoftwaresecurityfirm,50percentofall“spear-phishing”attacks(inwhichthecriminalsendsane-mailwithamalwareattachmentormaliciouslinksthatappearstobefromanindividualorbusinessknowntotherecipient)targetedbusinesseswith2,500orfeweremployeesin2011,andby2013,thisnumberhadincreasedto61percentofallattacks.10Byinfiltratingabusiness’scomputersystem,thecriminalcanobtainthelog-incredentialstothebusinessbankaccountsandinitiateunauthorizedpaymentorders.

Thus,itisimportantforcommunitybankstounderstandtherequirementsofArticle4AoftheUCCthatcomeintoplaywhenadisputearisesbetweenabankanditsbusinesscustomersbecauseofunauthorizedwiretransfersorACHcredittransfers,aswellaswaystoaddresstherisksarisingfromunauthorizedtransfers.

UCC Article 4ABydefault,Section4A-204(a)providesthatabankisresponsibleforanyunauthorizedelectronicpaymentordersonanon-consumeraccount.However,Section4A-202(b)permitsabanktoshifttheriskoflosstoitscustomersifitfollowstheseprocedures:

•Thebankanditscustomeragreethatthebankwillauthenticateanypaymentordersontheaccountunderanagreed-uponsecurityprocedure.

•Thesecurityprocedureis“commerciallyreasonable.”•Thebankcompliedwiththeprocedure,actedingoodfaith,andimplementedthecustomer’swritteninstructions(ifany)restrictingpayment.

Becausetheserequirementsfocusheavilyonabank’suseofa“commerciallyreasonable”securityprocedure,thedefinitionofthistermiscritical.Article4Aprovidestwowaysforabanktoestablishthatitssecurityprocedureiscommerciallyreasonable.First,underSection4A–202(c),abankcanshowthatitsproceduretookintoaccount:

•thewishesofthecustomerexpressedtothebank;•thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank;

•alternativesecurityproceduresofferedtothecustomer;and•theproceduresingeneralusebycustomersandreceivingbankssimilarlysituated.11

TheUCCincludesOfficialCommentsforclarification.AccordingtoComment4forSection4A–202(c),whichisreferencedinSection4A-203,themeaningof“commerciallyreasonable”isflexibleanddependsontheparticularcircumstancesofthebankanditscustomer.Forexample,acustomertransmittingalargenumber ofhigh-dollarpaymentordersmayreasonablyexpectstate-of-the-artsecurityprocedures,whileacustomerwithasmallnumberoftransactionsorlow-dollaramounttransactionsmayhavedifferentexpectations.Similarly,“itisreasonabletorequirelargemoneycenterbankstomakeavailablestate-of-the-artsecurityprocedures.Ontheotherhand,thesamerequirementmaynotbereasonableforasmallcountrybank.”12Thecommentalsonotesthatthe“standardisnotwhetherthesecurityprocedureisthebestavailable.Ratheritiswhethertheprocedureisreasonablefortheparticularcustomerandtheparticularbank,whichisalowerstandard.Ontheotherhand,asecurityprocedurethatfailstomeetprevailingstandardsofgoodbankingpracticeapplicable

LegalDisclaimer:TheanalysesandconclusionssetforthinthispublicationarethoseoftheauthorsanddonotnecessarilyindicateconcurrencebytheBoardofGovernors,theFederalReserveBanks,orthemembersoftheirstaffs.Althoughwestrivetomaketheinformationinthispublicationasaccurateaspossible,itismadeavailableforeducationalandinformationalpurposesonly.Accordingly,forpurposesofdeterminingcompliancewithanylegalrequirement,thestatementsandviewsexpressedinthispublicationdonotconstituteaninterpretationofanylaw,rule,orregulationbytheBoardorbytheofficialsoremployeesoftheFederalReserveSystem.

Reprinted with permission of Community Banking Connections®. Copyright 2015 Federal Reserve System.

Written By: Kenneth Benton, Senior Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

Manage The Risk of Unauthorized PaymentsFrom Business Bank Accounts


totheparticularbankshouldnotbeheldtobecommerciallyreasonable.”

Thesecondwaytoestablishthataprocedureiscommerciallyreasonableapplieswhenacustomerdeclinesasecurityprocedureofferedbyabankbecausethecustomerwantstouseitsownsecurityprocedure.Ifthecustomeragreesinwritingtobeboundbyanypaymentorder,whetherornotauthorized,thatisissuedinitsnameandacceptedbythebankthatcomplieswiththecustomer’schosensecurityprocedure,theprocedureisdeemedcommerciallyreasonable,providedthattheprocedureofferedbythebankthatthecustomerdeclinedsatisfiedthecommerciallyreasonablerequirementssetforthpreviously.13

Recent Court Cases Interpreting Commercially Reasonable Security ProceduresTworecentfederalappellatecourtdecisionsexamineddifferentaspectsofArticle4A’srequirementsandhelptoclarifythestepsfinancialinstitutionsmustundertaketoavoidresponsibilityforlossesincurredbytheircustomers.14

Case One: Bank’s Security Procedure Is Not Commercially ReasonableInPatco Construction Co. v. People’s United Bank,15unauthorizedACHcredittransferstotaling$588,851weretakenfromPATCOConstructionCompany’saccountwithOceanBank,amid-sizedbanklateracquiredbyPeople’sUnitedBank.PATCOwasabletorecover$243,406,leavinganetlossof$345,444.PATCOsuedthebanktorecoveritsloss.Thecrucialissueonappealwaswhetherthebank’ssecuritysystemwascommerciallyreasonableasdefinedintheUCC.

Thecourtfoundflawsinthewaythebankimplementeditssecuritysystem.First,ifatransactionexceededaspecifiedthreshold,thecustomerhadtoanswerchallengeresponsequestions(forexample,“Whatisyourmother’smaidenname?”).Thebanksetthethresholdatonedollarormoreforallofitscustomers.Thecourtfoundtheone-dollarthresholdmeantthateverytransferwouldtriggerchallengeresponsequestions.Ifacustomer’scomputerswereinfectedwithkey-loggingmalware,whichrecordsacomputeruser’skeystrokesandtransmitstheinformationovertheInternet,theriskofmalwarerecordingtheanswerstothechallengequestionsincreasedsubstantiallybecauseeverytransaction—whichforPATCOincludedallpayrolltransfers—triggeredachallengeresponse.

Second,thebankfailedtomonitorthewarningsfromitssecuritysoftware.ThesoftwaregeneratedascoreforeveryACHtransactionbasedoncertainriskfactors.Thesecuritysystemflaggedtheunauthorizedtransactionsasveryhighrisk.However,becausethebankdidnotmonitortheriskscores,itdidnotnotify

PATCOortrytostopthetransactionspendingverification.

Finally,thecourtnotedthatkey-loggingmalwarewasanindustryconcernwhenthetransactionsoccurredandthatmanyInternetbankingsecuritysystemswereusinghardwaretokensasanadditionalsecuritymeasure,whichtheFederalFinancialInstitutionsExaminationCouncil(FFIEC)hadrecommendedasausefulpartofamultifactorauthenticationscheme.16Otherbanksperformedmanualreviewsorcustomerverificationforhigh-risktransactions.OceanBankdidnotuseanyofthesesecuritymeasuresandthuswasnotcomplyingwiththeUCCrequirementtoconsiderthesecurityproceduresusedbycustomersandatsimilarlysituatedbanks.

Inlightoftheseproblems,theFirstCircuitconcludedthatOceanBank’ssecurityprocedureswerenotcommerciallyreasonable.However,thecourtnotedthatPATCOalsohadresponsibilitiesforimplementingsecurityprocedures,sothecourtsentthecasebacktothetrialjudgetodetermineifPATCOboreanyresponsibilityfortheunauthorizedtransactions.ButaftertheFirstCircuitissueditsopinion,thebanksettledthecasefortheamountoftheloss($345,444)plusinterest.17

Case Two: Bank’s Security Procedure Is Commercially ReasonableThesecondcase,Choice Escrow & Land Title, LLC v. BancorpSouth Bank,18concernedtheresponsibilitybetweenBancorpSouthBankanditsbusinesscustomer,ChoiceEscrow&LandTitle,for$440,000inunauthorizedACHtransactions.AnemployeeatChoiceclickedonalinkinaphishinge-mailthatallowedmalwaretobeinstalledonanetworkcomputer.Asaresult,hackerswereabletoissueafraudulentpaymentorderfor$440,000thatwassenttoaforeigncountry.Choicesuedthebanktorecoverthe$440,000.

Thebank’ssecuritysystemofferedfoursecurityfeatures:(1)userIDandpasswordrequirement;(2)registrationofanauthorizeduser’sInternetprotocol(IP)addressandcomputerinformationwhentheuserfirstregistered;(3)thecustomer’sabilitytoplacedollarlimitsontransactions;and(4)dualcontrol,whichrequiredthateverypaymentorderrequestbyanauthorizeduserbeapprovedbyasecondauthorizeduser.Ifacustomerdeclinedthedual-controlfeature,thebankhadthecustomersignawaiveracknowledgingitunderstoodtherisksofasingle-controlsecuritysystem.

Choicedeclinedthedollarlimitontransactionsandthedual-controlfeatureandsignedthewaiver.Thus,thesecurityprocedureforChoice’sACHtransactionsconsistedofauserIDandpasswordandverificationofIPaddressandcomputerinformation.ChoicehadalsoaskedthebankwhetheritssystemhadthecapabilitytolimitACHtransferstoforeignbanksbecauseofaconcernaboutphishingscams.Thebankrespondedthatitwasnotpossible,butthatChoicecouldmitigatetheriskofunauthorizedACHtransactionsifitimplementeddualcontrol,whichChoicedeclined.Thecourtreviewedthebank’ssecurityprocedureanddetermineditwascommerciallyreasonable.Fortherequirementthatasecurityproceduremustbeoneingeneralusebysimilarlysituatedcustomerandbanks,thecourtfocusedontheFFIEC’s2005guidance.Theguidancestatesthatmostmodernauthenticationismultifactorandthat“single-factorauthentication,astheonlycontrolmechanism,[is]inadequateforhigh-risktransactionsinvolvingaccesstocustomerinformationorthemovementoffundstootherparties.”19

ThecourtalsonotedthattheFFIECguidancestatesthatthreatsUnauthorized Payments continued on next page)


(Unauthorized Payments continued from previous page)

changeovertimeandthatbanksmust“[a]djust,asappropriate,theirinformationsecurityprogram[s]inlightofanyrelevantchangesintechnology,thesensitivityofitscustomerinformation,andinternalorexternalthreatstoinformation.”Thecourtnotedthebankofferedthedual-controloptioninresponsetoincreasedsecuritythreats,whichthecourtsaidwasareasonableresponsetothethreatofphishingscamsandthuswasconsistentwiththeFFIECguidance.

Thecourtnextconsideredtherequirementthatabank’ssecurityproceduresmustbesuitableforthecustomerinlightof“thewishesofthecustomerexpressedtothebank”and“thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank.”20

Choicearguedthatthedual-controloptionfailedtotakeintoaccountChoice’scircumstancesbecausedual-controlverificationofeverywiretransferwasnotfeasibleforChoicebecauseofitssmallstaff.ButthecourtfoundthatdualcontrolwasfeasibleforChoice:Choice’sACHtransfersusuallydidnotrequireimmediateprocessing,soifanACHrequestwasreceivedonadaywhenthedual-controlemployeewasunavailable,thatemployeecouldapproveitthenextdaywithoutadverseconsequence.WhenChoicedeclinedthedual-controloption,thecourtnotedthatitassumedtherisksofthisdecisionundertheUCC,whichstatesthatwhen“aninformedcustomerrefusesasecurityprocedurethatiscommerciallyreasonableandsuitableforthatcustomerandinsistsonusingahigher-riskprocedurebecauseitismoreconvenientorcheaper,”thecustomerassumes“theriskoffailureoftheprocedureandcannotshiftthelosstothebank.”21

Thecourtconcludedthatthebank’ssecurityproceduresofpasswordprotection,dailytransferlimits,deviceauthentication,anddualcontrolwerecommerciallyreasonableforthebank’scustomer.

Section4A-202(b)(ii)imposesonefinalrequirementfortransferringliabilitytothecustomer:Thebankmusthave“acceptedthepaymentorderingoodfaithandincompliancewiththesecurityprocedureandanywrittenagreementorinstructionofthecustomerrestrictingacceptanceofpaymentordersissuedinthenameofthecustomer.”Thecourtdistilledthistomean

that“thebankmustabidebyits[security]proceduresinawaythatreflectstheparties’reasonableexpectationsastohowthoseprocedureswilloperate.”

ThecourtnotedthatChoicewasawarethatwhenapaymentorderwasapprovedthroughtheagreed-uponsecurityprocedure,thebankemployee’srolewasnottolookforirregularitiesbuttosendthepayment.Thebankprovidedtestimonythatthiswascommonpracticeintheindustry.Thebankthussatisfiedthefinalrequirement.

Afterconsideringthiswholeanalysis,theEighthCircuitupheldthelowercourtrulingthatthebank’ssecurityprocedurewascommerciallyreasonable,andthebankwas,therefore,notresponsiblefortheunauthorizedtransactions.

Sound Practices in Light of Patco and ChoiceThesetwocaseshelpclarifythemeaningofacommerciallyreasonablesecurityprocedureundertheUCCforpurposesofdeterminingwhetherabankoritscommercialcustomerbearstheriskoflossforunauthorizedwiretransfersandACHcredittransfers.Severalthemesthatarerelevantforcommunitybanksemergefromtheseopinions:

• Understand and compare security procedures offered by different vendors and document the rationale for the procedure selected.TheUCCrequiresthatacommerciallyreasonablesecurityprocedurebe“ingeneralusebycustomersandreceivingbankssimilarlysituated.”Thecommentaryalsostatesthat“asecurityprocedurethatfailstomeetprevailingstandardsofgoodbankingpracticeapplicabletotheparticularbankshouldnotbeheldtobecommerciallyreasonable.”Therefore,itisimportantforbankstodiscusswithsecurityvendorstheproceduresothersimilarlysituatedbanksareusingforcomparablecustomersituations.InPATCO,thecourtnotedthatOceanBank’speerswereusingtokensandone-timepasswords,butOceanBankhadnotimplementedeither.

• Use security procedures that meet the FFIEC guidelines. BoththePATCOandChoicecasesestablishthatcompliancewiththeFFIECguidelines,includingsupplements,iscrucialbecausetheseguidelinesareviewedbythecourtsaspartoftheindustrysecuritystandard.TheFFIECguidelinesstatethat“financialinstitutionsshouldperformperiodicriskassessmentsconsideringnewandevolvingthreatstoonlineaccountsandadjusttheircustomerauthentication,layeredsecurityandothercontrolsasappropriateinresponsetoidentifiedattacks.”Asacorollary,abankisexpectedtomonitorchangestotheFFIECguidanceandrespondaccordingly.Forexample,the2011guidancestatesthatfinancialinstitutionsshouldadopt“layeredsecurityprograms”thatdetectandrespondtosuspiciousactivityandincludeenhancedcontrolsforsystemadministrators,whohaveauthoritytochangecomputersystemconfigurations.

•Have staff monitor and respond to security software notifications.Itisnotenoughtohavesecuritysoftwarethatidentifiesrisks;itisimportantthatstaffcontinuouslymonitorsecurityalertsfromthesoftwareandrespondappropriately.InPATCO,thesoftwareidentifiedhigh-risktransactions,butthebankwasnotmonitoringthisinformationwhenthesecuritybreachesoccurred.TheUCCcommentaryforSection4A-203confirmstheimportanceofthisbystating:“Ifthefraudwasnotdetectedbecausethebank’semployeedidnotperformtheactsrequiredbythesecurityprocedure,thebankhasnotcomplied[withthesecurityprocedure].”


•Be aware that security should not be “one-size-fits-all.” Thesecurityprocedureshouldtakeintoaccount“thecircumstancesofthecustomerknowntothebank,includingthesize,type,andfrequencyofpaymentordersnormallyissuedbythecustomertothebank.”Acustomerwhomakesfivewiretransfersoflessthan$5,000peryear,forexample,requiresadifferentsecurityprocedurethanacustomermakingthousandsofwiretransferseveryyear,inlargeamounts,andtomanyforeigncountries.

• Proactively discuss security issues and best practices with customers.Manyunauthorizedtransactioncasesoccurwhenabankcustomer’semployeereceivesaphishingormalwaree-mailthatenablescriminalstoobtainlog-incredentialstoperformunauthorizedtransactions.Inparticular,spearphishinge-mailsoftentargetkeyemployeeswhohaveaccesstoaccounts.Banksshouldbeproactivewiththeircustomerstodiscusswaystomitigatethisrisk.Forexample,abankcouldrecommendthatthecustomerallowonlyelectronictransferstobeperformedonadedicatedcomputerthatcannotaccesse-mailortheInternet,toreducetheriskofexposuretophishing,malwaree-mails,andwebpageswithmalware.22Bankscouldalsoencouragecustomerstoconductregularcybersecuritytrainingtoreducetheriskofanemployeefallingvictimtoaphishingormalwaree-mailattack.Banksshouldalsoencouragetheircustomerstouseanti-phishingsoftwaretohelpdetectandprotectagainstphishinge-mails.

ConclusionCybersecuritybreachesareontherise,andlawsuitsseekingreimbursementfortheresultinglossesarerising,too.IntheeventofalegaldisputeoverresponsibilityforunauthorizedwiretransfersandACHcredittransfersforabusinessbankaccount,courtswilllooktoArticle4AoftheUCCtodeterminewhobearsthelossbasedprimarilyonwhetherabankhasimplementedacommerciallyreasonablesecurityprocedure.ThestandardundertheUCCisnotwhetherthesecurityprocedureisthebestavailable;ratheritiswhethertheprocedureisreasonablefortheparticularcustomerandtheparticularbank.

Ofcourse,nobankwantstobeinlitigationwithitscustomers.Thus,banksshouldproactivelydiscusswiththeirbusinesscustomerswaystoappropriatelyidentify,measure,monitor,andcontrolcybersecurityrisks,takingintoaccounttheparticularrisksandcircumstancesofthecustomer’soperations.Thiswillhelpbankstopreventunauthorizedpaymentsfromoccurring,reducelosses,retainsatisfiedcustomers,andincreasepublicconfidenceinpaymentsystems.

NOTES1.AssociationforFinancialProfessionals,2015 AFP Payments Fraud and Control Survey: Report of Survey Results, 2015.Bethesda,MD:AssociationforFinancialProfessionals,availableathttp://ow.ly/MIraf.

2.SeeBrianKrebs,“$1.66MinLimboAfterFBISeizesFundsfromCyberheist,”Krebs on Security,September14,2014,availableathttp://krebsonsecurity.com/tag/luna-luna-llp/.Actually,$1.75millionintransfersweremade,andthebankwasabletorecover$89,651,leavinganetlossof$1.66million.Thebankiscurrentlyinlitigationwiththelawfirmoverresponsibilityforthelosses.Texas Brand Bank v. Luna & Luna, LLP(CaseNo.3:14-1134,N.D.Tex.2014),availableathttp://ow.ly/NTVqy.

3.SeeExperi-Metal, Inc. v. Comerica Bank,2011WL2433383(E.D.Mich.2011),availableathttp://ow.ly/MRdsC.Theinitialamountofunauthorizedwiretransferswas$1,901,269,butthebankwasabletoreversesomeofthetransfers.

4.FBI,FinancialServicesInformationSharingandAnalysisCenter,and

InternetCrimeComplaintCenter,“FraudAlertInvolvingUnauthorizedWireTransferstoChina,”April26,2011,availableatwww.ic3.gov/media/2011/chinawiretransferfraudalert.pdf.5.SuspiciousActivityReportsforaccounttakeoversarediscussedintheU.S.DepartmentoftheTreasury,FinancialCrimesEnforcementNetwork,“AccountTakeoverActivity,”AdvisoryFIN-2011-A016,December19,2011,availableathttp://ow.ly/MIyUU.AdditionalinformationontheincidenceofpaymentfraudisavailableonthewebsiteoftheAssociationforFinancialProfessionals,whichpublishesanannualsurveyofitsmembers,atwww.afponline.org/fraud/.

6.Forconsumerbankaccounts,theElectronicFundTransferAct(EFTA),asimplementedbyRegulationE,determineswhoisresponsibleforunauthorizedtransactions.See15U.S.C.1693g,availableathttp://ow.ly/MQDXX,and12CFR1005.6,availableathttp://ow.ly/MQE9N.

7.Article4AdoesnotapplytoanACHdebittransfer,whichisinitiatedbythepersonreceivingthetransferinsteadofthepersonsendingit.SeeOfficialComment4toUCCsection4A-104,availableathttp://ow.ly/MQG4s.ACHdebittransfersaregovernedbytherulesoftheNationalAutomatedClearingHouseAssociation.Keppler v. RBS Citizens N.A.,2014WL2892352(D.Mass.2014)(discussingdifferentrulesthatapplytoACHcredittransfersanddebittransfers).

8.GeoffreyFowlerandBenWorthen,“HackersShiftAttackstoSmallFirms,”Wall Street Journal,July21,2011.

9.AllenN.Berger,WilliamGoulding,andTaraRice,“DoSmallBusinessesStillPreferCommunityBanks?”BoardofGovernorsoftheFederalReserveSystem,InternationalFinanceDiscussionPapers1096,December2013,availableatwww.federalreserve.gov/pubs/ifdp/2013/1096/ifdp1096.pdf.

10.SymantecCorporation,Internet Security Threat Report 2014,vol.19,April2014,availableathttp://ow.ly/MRfQO.

11.TheserequirementsappearinUCCSection4A–202(c).

12.OfficialComment4toUCCSection4A-203.

13.UCCSection4A–202(c).

14.Decisionsoffederalappealscourtsarebindingonthefederalcourtsintheirjurisdiction.TheFirstCircuitencompassesMassachusetts,Maine,NewHampshire,RhodeIsland,andPuertoRico,whereastheEighthCircuitencompassesArkansas,Iowa,Minnesota,Missouri,Nebraska,NorthDakota,andSouthDakota.Forbanksoperatinginotherstates,thesedecisionsarepersuasivebutnotbindingauthority.

15.Patco Construction Co. v. People’s United Bank,684F.3d197(1stCir.2012),availableathttp://ow.ly/MQNCG.

16.FFIEC,“AuthenticationinanInternetBankingEnvironment,”2005,availableathttp://www.ffiec.gov/pdf/authentication_guidance.pdf.In2011,theFFIECpublishedsupplementalauthenticationguidancetoupdatethememberagencies’expectations“regardingcustomerauthentication,layeredsecurity,orothercontrolsintheincreasinglyhostileonlineenvironment.”

17.TracyKitten,“PATCOSettlement:WhatItMeans,”Bank Info Security,December24,2012,availableathttp://ow.ly/MQQ9U.

18.Choice Escrow & Land Title, LLC v. BancorpSouth Bank,754F.3d611(8thCir.2014).

19.FFIECguidance,p.4.

20.Section4A-202(c).

21.Section4A-203,Comment4.

22.Forotherexamplesofwaystomitigatecybersecurityrisk,seetheMarch12,2010,CyberSecurityAdvisory,“InformationandRecommendationsRegardingUnauthorizedWireTransfersRelatingtoCompromisedCyberNetworks,”oftheNationalCouncilofInformationSharingandAnalysisCentersathttp://ow.ly/NTVK8.Inaddition,theTexasBankersElectronicCrimesTaskForce,workingwithotheragencies,published“BestPractices:ReducingtheRisksofCorporateAccountTakeovers”in2011,whichisavailableathttp://ow.ly/NTVMw.


September Survey Results at a Glance:• TheRuralMainstreetIndexsinksbelowgrowthneutralfor

September.• Farmlandpricesdeclineforthe22ndstraightmonth.• Farmequipmentsalesremainnearrecordlows.• BankCEOssupportremovingtheFarmCredit’staxexempt

statusanditsquasi-governmentpositiontolevelthefinancialplayingfieldforRuralMainstreetloans.

OMAHA,Neb.–TheCreightonUniversityHeiderCollegeofBusinessRuralMainstreetIndexforSeptemberfellfromAugust’sweakreading,accordingtothemonthlysurveyofbankCEOsinruralareasofa10-stateregiondependentonagricultureand/orenergy.

Overall:TheRuralMainstreetIndex(RMI),whichrangesbetween0and100,sankto49.0fromAugust’sgrowthneutral50.0.

“Thisisthesecondstraightmonththeoverallindexhasdeclinedreflectingweaknessstemmingfromloweragriculturalandenergycommodityprices,”saidErnieGoss,JackA.MacAllisterChairinRegionalEconomicsatCreightonUniversity’sHeiderCollegeofBusiness.

Farming and Ranching:ThefarmlandandranchlandpriceindexforSeptemberincreasedto35.5from32.7inAugust.“Thisisthe22ndstraightmonththeindexhasmovedbelowgrowthneutral.But,asinpreviousmonths,thereisagreatdealofvariationacrosstheregioninthedirectionandmagnitudeoffarmlandprices.Onanannualizedbasisfarmlandpricesaredecliningby6percentto7percent,”saidGoss.

TheSeptemberfarmequipment-salesindexwasunchangedfromAugust’sanemic14.2.“The2014and2015downturnsinfarmincomecontinuetoreducesalesandproductionofagricultureequipmentdealersandproducersacrosstheregion.BankersremainpessimisticabouttheshortandintermediateprospectsforagricultureequipmentdealersandproducersonRuralMainstreet,”saidGoss.

Banking:TheSeptemberloan-volumeindexdippedto72.0fromlastmonth’s73.0.Thechecking-depositindexdeclinedto54.2fromAugust’s55.0,whiletheindexforcertificatesofdepositandothersavingsinstrumentsadvancedto41.7from34.0inAugust.

“InprevioussurveysbankCEOshaveidentifiedFarmCreditastheirmajorfinancialcompetitor.Thismonthweaskedhowthiscompetitionwasmanifested.BankerssingledoutFarmCredit’s

quasi-governmentstatusandtheirtaxexemptstatusasthemostimportantcompetitiveissues,”saidGoss.

AccordingtoJeffreyGerhart,chairmanofBankofNewmanGrove,Nebraska,andformerchairmanoftheIndependentCommunityBankersofAmerica,“FarmCredithasbeenathorninoursidefordecades.Lowercostoffunds,lowercreditstandards,andquasi-governmentstatusgivethemanunfairadvantageoverthecommunitybank.”

Almosttwo-thirds,or65percent,ofbankersreportedthatFarmCredit’stax-exemptstatusproducedunfaircompetitionforagricultureloans.Another84percentindicatedthatFarmCredit’squasi-governmentstatusallowedthemtoborrowincreditmarketsatmuchlowerratesthancommercialbanks.

JimEckert,presidentofAnchorStateBankinAnchor,Illinois,said,“TheFarmCreditSystemhasgrownbeyonditsoriginalpurpose.It’stimefortheirtaxexemptstatustochange.Theyshouldpaytaxesjustlikecommunitybanksdo.”

Hiring:Despiteweakercroppricesandpullbacksfrombusinesseswithclosetiestoagricultureandenergy,RuralMainstreetbusinessescontinuetoaddworkerstotheirpayrolls.TheSeptemberhiringindexfelltoastillsolid54.3from63.3inAugust.“RuralMainstreetbusinessescontinuetohireadditionalworkers,butataslowerpace.Fromlastyearatthistime,annualizedjobgrowthwasdroppedfrom1.2percentto0.2percent,”saidGoss.

Confidence:Theconfidenceindex,whichreflectsexpectationsfortheeconomysixmonthsout,roseto43.8from42.0inAugust.“Declinesforagriculturalcommodityandenergypricespushedbankers’economicoutlookbelowgrowthneutralforthemonth,”saidGoss.

Home and Retail Sales:TheSeptemberhome-salesindexdeclinedtoa56.4from70.4inAugust.TheSeptemberretail-salesindexdecreasedto49.0from50.0lastmonth.“HomesalesonRuralMainstreethavebeenveryhealthyoverthelastseveralmonths.Ontheotherhand,Creighton’smonthlysurveyhasyettomeasureanyupturninretailsalesresultingfromthedownturninfuelprices,”saidGoss.Eachmonth,communitybankpresidentsandCEOsinnonurbanagriculturallyandenergy-dependentportionsofa10-statearea

(Rural Mainstreet continued on next page)

Main Street Economic Survey

C r e i g h t o nU N I V E R S I T Y

Rural Mainstreet Index Falls Below Growth Neutral for September:Agricultural Equipment Sales Near Record Low

Ernie Goss


(Rural Mainstreet continued from previous page)

aresurveyedregardingcurrenteconomicconditionsintheircommunitiesandtheirprojectedeconomicoutlookssixmonthsdowntheroad.BankersfromColorado,Illinois,Iowa,Kansas,Minnesota,Missouri,Nebraska,NorthDakota,SouthDakotaandWyomingareincluded.ThesurveyissupportedbyagrantfromSecurityStateBankinAnsley,Neb.

Thissurveyrepresentsanearlysnapshotoftheeconomyofruralagriculturallyandenergy-dependentportionsofthenation.TheRuralMainstreetIndex(RMI)isauniqueindexcovering10regionalstates,focusingonapproximately200ruralcommunitieswithanaveragepopulationof1,300.Itgivesthemostcurrentreal-timeanalysisoftheruraleconomy.GossandBillMcQuillan,formerchairmanoftheIndependentCommunityBanksofAmerica,createdthemonthlyeconomicsurveyin2005.

Colorado:Colorado’sRuralMainstreetIndex(RMI)dippedto48.8from51.5inAugust.Thefarmlandandranchlandpriceindexexpandedto47.4fromAugust’s38.4.Colorado’shiringindexforSeptemberdeclinedtoastillhealthy60.1fromAugust’s65.5.

Illinois:TheSeptemberRMIforIllinoisdeclinedto49.0from50.0inAugust.Thefarmland-priceindexdroppedto28.8fromAugust’s29.5.Thestate’snew-hiringindexsankto53.3fromlastmonth’s62.0.

Iowa:TheSeptemberRMIforIowaimprovedto54.2fromAugust’s53.4.Iowa’sfarmland-priceindexforSeptemberroseto47.2fromAugust’s44.0.Iowa’snew-hiringindexforSeptemberdecreasedto60.0from67.8inAugust.

Kansas:TheKansasRMIforSeptemberslidto48.6fromAugust’s49.8.Thestate’sfarmland-priceindexforSeptemberslipped

to27.0fromAugust’s27.8.Thenew-hiringindexforthestatedeclinedto51.9from61.3inAugust.

Minnesota:TheSeptemberRMIforMinnesotaexpandedto49.2fromAugust’s48.4.Minnesota’sfarmland-priceindexslippedto33.0from33.7inAugust.Thenew-hiringindexforthestatedeclinedto54.6fromlastmonth’shealthy58.2.

Missouri:TheSeptemberRMIforMissouriimprovedto47.4from43.2inAugust.Thefarmland-priceindexgrewto30.9fromAugust’s29.5.Missouri’snew-hiringindexdecreasedto44.0fromAugust’s51.3.Nebraska:TheNebraskaRMIforSeptemberslumpedto47.3from48.4inAugust.Thestate’sfarmland-priceindexfellto18.7fromAugust’s19.6.Nebraska’snew-hiringindexslumpedto48.6from58.0inAugust.

North Dakota:TheNorthDakotaRMIforSeptemberdecreasedto40.8fromAugust’s47.1Thefarmland-priceindexfellto17.8from24.8inAugust.NorthDakota’snew-hiringindexdeclinedto44.2fromAugust’s60.1.

South Dakota:TheSeptemberRMIforSouthDakotaslippedto54.4fromAugust’s55.1.Thefarmland-priceindexroseto53.3from47.2inAugust.SouthDakota’snew-hiringindexfelltoastillstrong62.4from69.1inAugust.

Wyoming:TheSeptemberRMIforWyomingclimbedto50.4fromAugust’s49.2.TheSeptemberfarmlandandranchland-priceindexsankto30.8from47.2inAugust.Wyoming’snew-hiringindexdeclinedto53.4fromAugust’s60.9.

Table 1 summarizes survey findingsNext month’s survey results will be released on the third Thursday of the month, October 15.

NOTE: THERE IS NO RURAL MAINSTREET ECONOMY SURVEYPOLL FOR THE MONTH OF SEPTEMBER, 2015

Table 1: Rural Mainstreet Economy One Year Ago and Last Two Months: (index > 50 indicates expansion)

September 2014

August2015

September 2015

Area economic index 48.2 50.0 49.0

Loan volume 75.9 73.0 72.0Checking deposits 56.4 55.0 54.2

Certificates of deposit and savings instruments 42.8 34.0 41.7Farmland prices 33.7 32.7 35.5Farm equipment sales 17.6 14.2 14.2Home sales 57.3 70.4 56.4Hiring 56.5 63.3 54.3Retail business 49.9 50.0 49.0Confidence index (area economy six months out) 33.4 42.0 43.8

Follow Ernie Goss on Twitter: www.twitter.com/erniegossFor historical data and forecasts, visit: www2.creighton.edu/business/economicoutlook


Weallknowitwillhappen,therealquestioniswhen?AstheFederalReservemonitorsunemploymentinflationandglobalmarketsclosely,

itiswidelyexpectedthatthefederal-fundsratewillbeincreasedinthelastquarterof2015.IthasbeenalmosttenyearssincetheFedraisedrates!TheFeddroppedratesfrom2006to2008andhasheldthemsteadyeversince.Anincreaseinthefederal-fundsratewouldsignaladramaticchangeandshouldcauseallfinancialinstitutionstoconsidertheimpactofarisingrateenvironmentontheirportfolio.Thiswilllikelycauseclientstoreassesstheirproducts,services,andrateswiththeirexistingFI.

Now is the time to:1. Quantifytheimpactofrisingratesonyourearnings–thruthe

useofanAssetLiabilityManagement(ALM)toolorservice.2. Devisecustomerfacingstrategiestoprotectprofitableclients

andprovidepricingguidance.

TodayI’llfocusonthecustomerfacingstrategies.

Background-Asratesrise,wewillfeelpressuretopayhigherratestodepositorsandseektogainhigherratesfromloanclients.Ourexistingportfoliooffixedrateinstruments(fixedrateloans,CDsandvariablerateloanswith“inthemoney”floors)willnotimmediatelychange.TheserisingrateswilllikelycauseanFI’sinterestexpensetorisemorequicklythantheirinterestincome,therebycausingsomemargincompression.Sincemarginhashistoricallyrepresented60-65%ofanFI’srevenue,thismargincompressionshouldbeofparamountconcern.(See below)

Inlookingatmargintrendsthisreturntowardmorenormalloantodepositspreadsshouldn’tbeasurprise.

In2007,ourloantodepositspreadwas265bp(7.07%-4.42%).ItthengrewdramaticallyduringthefinancialdownturnasdepositsmovedtoFIsandthefedpushedrateslower.Theresultwasahealthyloantodepositmarginof420–480bpfrom2009to2015.Thisadditional200bpofspreadforthebankingindustryhasbeenworthover$300millioninadditionalmarginannually,butitislikelytodeclineasratesrise.

Asweseerisinginterestrates,thekeyclientfacingquestionsbecome:

1. Howdowe“protect”ourmostprofitablerelationships?2. Howdowepricetransactionscompetitivelyand

aggressivelytowinprofitablebusiness?

How do we “protect” our most profitable relationships?Toprotecttheserelationshipsthefirstthingwemustdoisunderstandwhotheseclientsare.InmostFIs,weseethattheprofitablerelationshipsareconcentratedinthetop20%ofclients.Asillustratedbelow,thetop10%ofclientsdeliveranaverageprofitof$4,623!These“protect”clientstendtohavelargerbalances,payhigherfees,andhavehigherspreadsthanotherclients.

Wemustidentifytheseclientsandbuildstrategiestomakesuretheyneverleave.Severaltacticsaroundprotectingtheseclientsinclude:•Segmenttheseclientsintovariousprofittiers(orranks)•Buildaseriesof“benefits”associatedwitheachrank•FeedtheseranksintoyourcoreandCRMsolutions•Trainyouremployeesonhowtoextendthesebenefitstokeyclients

How do we price transactions competitively and aggressively to win profitable business?Whenpricingnewbusinesswemustfocusontheproposedtransactionandensurethatwearecompetitiveenoughtowinthebusinesswhilealsomaintaininganadequatereturn.

Competitionistightbutwemustavoid“blindlymatchingourcompetitors”oneverytransaction.Thiswouldcreatea“racetothebottom”withtheclientsbenefittingattheFIscost.

Wemustestablishtargetedreturnsandprovidethelenderstoolsandeducationtoeffectivelycompete.Alendermusthaveatoolthatallowsthemtoquicklyenterinparametersofthetransactionandgeneratevariousalternativescenarioswithcomparablereturns.

(Maintaining Net Interest Margin continued on page 18)

Written By: Brad DahlmanProduct Manager - ProfitStars

[email protected]

Maintaining Net Interest Margin InA Rising Interest Rate Environment

Source:FDIC

REVENUE SOURCES

Source:FDIC

DEPOSIT TO LOAN SPREADS


NewsfromCBIAffiliate&AssociateMembers

TheCommunityBankersofIowa’sLeadersofTomorrow(LOT)programisholdingtheirQuarterlyMeetingonNovember19attheHiltonGardenInninJohnston.Markyourcalendarstodayandplanonsendingtheup-and-comingleadersin

yourbanktothiseducational,networkingevent.

GuestspeakersincludeIowaSenatorMattMcCoywhowillupdateLOTmembersondevelopmentsonIowa’sCapitolHill.AlsoappearingtodiscusstheirrecentissueswithbankfraudarePresidentKrisAusbornandExecutiveVicePresidentRickBrennanfromIowaTrust&SavingsBankinEmmetsburg.

Visitcbiaonline.org/lot-quarterly-meetings.htmltofinddetailsonNovember’sQuarterlyMeeting.IfyouareinterestedinbecomingaLOTmemberandformoreinformation,contactusat515.453.1495orvisitourwebsiteatcbiaonline.org.

TheLeadersofTomorrowisaprogramcreatedbyCBItoenhancethegrowth,leadership,andnetworkingskillsoffuturebankingleaders.LOTestablishesanetworkofleaderswhoserveandstrengthentheircommunitiesandadvocateforthecommunitybankingindustry.

The Leaders of Tomorrow Group’s Next Quarterly Meeting Is Nov. 19

CBIEndorsedmemberICBASecurities/ViningSparksisholdingtheirBondAcademyNov.8-10atThePeabodyHotelinMemphis,TN.TheICBABondAcademyisdesignedtoprovidecommunitybankerswiththeknowledgeneededtoplanandmanageeffectivecommunitybankportfolios.Theupdatedcurriculumhasbeenspecificallydesignedtoequipaportfoliomanagertodealwithcurrentportfoliomanagementissues.

Who Should AttendCommunitybankCEOs,CFOs,investmentofficers,andheirsapparent/risingsuccessorsICBABondAcademyalumniwillfindthistobenewinformation.

Visithttp://icbasecurities.sitewrench.com/2015bondacademyformoreinformationandtoregister,orcontact(800)422-6442withquestions.

Iowa Land RecordsElectronic Filing Seminar Series

CBIAffiliateMemberIowaLandRecordsisholdingaseriesofin-personseminarsthatcoverhowtoelectronicallyfiledocumentsthroughtheIowaLandRecordssystem.Theone-hourprogramsincludebasicelectronicfilingskillsandwillexplainhowtosubmitelectronicdocumentstoIowaCountyRecorders.

Thesequick-pacedseminarswillshowyouhowtoelectronicallyfiledocumentsstepbystep,includinghowto:AccesstheSecureIowaLandRecordsE-SubmissionWebSite,CreateDocumentGroups,Scan,AttachandSubmitDocumentImagestoCountyRecorders,TrackStatusofSubmittedDocuments,CorrectSubmissionErrors,PayRecordingFeesElectronically,andmore.

Thereisnocosttoattend!RSVPbycalling888.790.2246orsendane-mailtosupport@clris.com.

Upcoming Seminar Dates:

October 15 • 10am - Johnston, IowaPublicLibrary–LargeMeetingRoom(6700MerleHayRoad)

October 21 • 10am - Mason City, IowaCerroGordoCountyCourthouse(220NorthWashington)

October 22 • 10am - Eldora, IowaHardinCountyEngineersOffice(70816thSt.)

October 27 • 10am - Ames, IowaPublicLibrary-Auditorium(515DouglasAve.)

November 4 • 10am - Sioux City, IowaPublicLibrary-GlessonRoom(529PierceSt.)

November 5 • 10am - Council Bluffs, IowaPublicLibrary-RoomA(400WillowAve.)

ICBA Securities/Vining SparksBond Academy Nov. 8-10

CBIAssociateMemberUnitedBankers’Bankiscelebratingtheir40thyearwithaGrandEvent,October22nd&23rdattheWestin

HotelinEdina,Minnesota.FeaturedspeakersincludeGeneralBarryMcCaffrey,USA(Ret.)andMikeAbrashof.

FormoreinformationcontactUBB’sMarketingCoordinatorCaitieWeldingatCaitie.Welding@ubb.comor952-886-9588.

UBB Holding 40th Anniversary“Grand Event” Celebration


Data BusinessEquipment

Welcome NewCBI Member!

The Community Bankers of Iowawould like to welcome the following

company to the association, and thank them for their support:

(Maintaining Net Interest Margin continued from page 16)

FIsthatoffertheirclients’optionswinmorebusiness.Clientslikechoices:fixed,variable,adjustable,lowerrates/highfees,floors,etc.Theoptionsputtheclientinthedriver’sseatbutalsoensuretheFIsreturnsareadequate.

Pricingisverycomplexwithbalance,creditrisk,terms,floors/ceilings,andcompensatingbalanceallplayingafactorintohowatransactionshouldbepriced.

Conclusion:Withratesrisingandriskofmargincompressionsquarelyinfrontofus,wemustmakesureourfront-linestaffhasthetoolsnecessarytoidentifyandprotectprofitablerelationshipsandeffectivelypricenewtransactions.

Call SHAZAM today.

Delivering Unlimited Possibilities

855-314-1212 | shazam.net | @SHAZAMNetwork

We believe community financial institutions must stay in control of their

future. Since 1976, we’ve been providing community financial institutions

with choice and innovation to compete in the market. From debit cards

to core processing to marketing services and more, we deliver.

SHAZAM is a financial services company offering you choice and flexibility to use the products and services that meet YOUR needs.

MET