TRANSCRIPT
JULY 13 - 15, 2017 CHARLESTON, SC
COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR CONFERENCE
Hosted by:
THURSDAY, JULY 13
Noon - 2:00 p.m. Registration
2:00 - 4:00 p.m. Supervisory Committee & Internal Auditor Getting It Done Together! Ed Templeton, Former CEO, SRP FCU and Former NAFCU Chairman
4:00 p.m. - Until Enjoy Charleston!
FRIDAY, JULY 14
8:00 - 8:45 a.m. Breakfast
9:00 - 10:15 a.m. Crucial Conversations: Situational Strategies for Supervisory Committee & Internal Auditors, Ancin Cooley, Principal, Synergy Credit Union Consulting
9:45 a.m. - 1:45 p.m. Guest Tour Program
10:30 - 11:45 a.m. Breakout Sessions
• Supervisory Committee Session - Deep Dives: Mock Supervisory Committee Meeting, Ancin Cooley, Principal, Synergy Credit Union Consulting
• Internal Auditor Session - How to Audit Incentive Plans, Lori Carmichael, Doeren Mayhew
11:45 a.m. - 1:00 p.m. Lunch
1:15 - 2:30 p.m. Breakout Sessions
• Supervisory Committee Session - Top 10 Audit Findings, Lori Carmichael, Doeren Mayhew
• Internal Auditor Session - CECL: Initial and Subsequent Measurement, Neekis Hammond, Sageworks
2:45 - 4:00 p.m. Cybersecurity: Everything You Need to Know, Hugh Chakler, Doeren Mayhew
6:00 - 7:00 p.m. Reception
7:00 - 9:30 p.m. Banquet & Entertainment (Charleston)
SATURDAY, JULY 15
7:30 - 8:15 a.m. Breakfast
8:15 - 9:30 a.m. Security Blunders: Show and Tell, Barry Thompson, Thompson Consulting Group, LLC
9:40 - 10:40 a.m. Breakout Sessions
• Supervisory Committee Session - Internal Fraud for Boards & Supervisory Committees, Barry Thompson, Thompson Consulting Group, LLC
• Internal Auditor Session - Enterprise Risk Management, Todd Sherpy, Sherpy & Jones, P.A.
10:45 - 11:45 a.m. Conquering Emerging Fraud Trends, Barry Thompson, Thompson Consulting Group, LLC
11:50 a.m. Adjourn
AGENDA
Attendee List
as of 6.28.2017
Section1
Supervisory Committee & Internal Auditor Getting It Done Together!
Ed Templeton July, 2017
Background
What in my career causes me to believe these things?
Roles of Supervisory Committee and Auditor
1. Work together with each other and the BOD
2. Represent the interest of the member
3. Ensure proper accounting rules are followed
4. Ensure regulations are followed
Trust
No hidden agenda
No games
Be honest and be real
Give Trust to earn Trust
Do not confuse trust with swallowing anything
Asking good questions is a good thing
Truly value and respect others and it is contagious
Respect
Never think you are the smartest person in the room
Give everyone their “say”
Learn from others
Have no place for rumors
Understand that different perspectives exist
Genuine feelings for mutually beneficial solutions are a win for everyone
Require that everyone support all decisions made; remember it is a TEAM effort
Utilization
Do not consume Credit Union time and resources asking for proof of everything
Understand your role and that of staff
Learn the whys and the wherefores
Use your abilities to advance the Credit Union's goals
Success is where preparation meets opportunity
Combine the strengths of people through positive teamwork to achieve goals
There is no I in TEAM
Speak
Create an atmosphere of caring and positive problem solving
Speak to others as you would like to be spoken to
Insist on respectful language in all dialogues
Ensure others understand what is on your mind and why
Encourage others to verbalize their positions
Macro
Always look at and for the Big Picture
Your role is Policy
Always ask “How does this affect the members?”
Ask who, what, when and where
Is it a values decision or a principles decision?
Envision what you want the future to look like
Engagement
Meet commitments
Remember everyone has a job to do if the Credit Union is to be successful
Work with staff to achieve goals desired
Education
Check in at every meeting
Do not wait to react—promote proactive thinking
Closing
Learn, commit, do
Questions and Discussion
Section2
Section3
Insight. Oversight. Foresight.® Florida Michigan North Carolina Texas
How to Audit Incentive Plans
Summary
Financial Institutions Group
• Case Study – The Wells Fargo Cross-selling Scandal
• NCUA regulations - Incentive Plans
• CFPB Compliance Bulletin - 2016-03
• Incentive-Based Compensation Arrangements - Interagency Notice of Proposed Rulemaking
• Doeren Mayhew Audit Strategy
The Wells Fargo Cross-selling Scandal
Case Study
• Wells Fargo had a reputation for sound management and performance.
• Emerged from the financial crisis largely unscathed.
• Superior stock price performance.
• Known for vision and values: “Satisfy our consumer needs, and help them succeed financially.”
Incentive Plans Are Important
• A well‐designed incentive and recognition program is necessary to maximize sales and service performance.
• Speeding analogy.
• Most employees can do a better job if they choose to.
• Negative reinforcement causes employees to focus on the lowest level of performance you will accept.
• Positive reinforcement for exceeding the sales and service goals will improve performance.
Case Study
• Cross selling is very important to financial institutions.
• Cross selling results in better service to a customer/member.
• Cross selling results in significantly more profits on a per customer basis.
Case Study
• Incentives are effective, but can work against culture.
• Rewarding employees for achieving a metric may result in employees doing what they are paid to do, even if it goes against the culture.
• For meeting cross selling and customer service targets, branch employees received significant incentives:
  • MSR – up to 15‐20% of salary;
  • Tellers – up to 3% of salary.
Case Study
• Branch employees were put under “excessive pressure” to meet daily sales targets.
Case Study
• Issues came to light in 2013.
• Employees in Los Angeles were engaging in aggressive tactics to meet their daily cross‐selling targets.
• Approximately 30 employees were fired for issuing debit/credit cards without customer knowledge
  • In some cases by forging signatures.
• Management refuted claims of an overbearing sales culture.
• A Wells Fargo spokesman stated, “we found a breakdown in a small number of our team members.”
Case Study
• Tim Sloan, CEO at the time, was quoted saying “I’m not aware of any overbearing sales culture,” citing mitigating controls such as:
  • The company maintained an ethics program;
  • Whistleblower hotline;
  • Senior management incentives included:
    • Bonuses tied to instilling the company’s vision and culture;
    • Bonuses related to risk management;
    • Clawback triggers on bonuses (if later deemed inappropriately earned).
Case Study
• Approximately 3 years later in 2016…
Case Study
• Wells Fargo hired a CPA firm to review all account openings, 2011‐2016, to identify potentially unauthorized accounts:
  • This resulted in 2.6 million refunded to consumers;
  • And 5,300 employees terminated over a five‐year period.
• Wells Fargo admitted that employees had opened as many as 2 million accounts without customer authorization, including:
  • 1.5 million deposit accounts;
  • 500 thousand credit card applications.
Case Study
• In September 2016 Wells Fargo paid 185 million to settle a lawsuit filed by regulators in the city/county of Los Angeles.
  • John Stumpf, CEO – Clawback $41 million
  • Carrie Tolstedt – Clawback $9 million
• The financial impact of the lawsuit and the impact on cross‐selling ratios was trivial.
Case Study
• Reputation damage was significant.
Case Study
• Wells Fargo implemented the following significant changes:
  • Eliminated product sales goals;
  • Reconfigured branch‐level incentives to emphasize customer service rather than cross‐sell metrics;
  • Implemented new procedures for verifying account openings;
  • Introduced additional training and controls.
NCUA Regulations
NCUA Regulations
• There are generally 3 NCUA rules that limit incentive compensation practices:
  • Section 701.21(c)(8) – Lending (origination)
  • Section 701.23(g) – Lending (sale or purchase)
  • Section 721.7 ‐ Incidental powers
• Per 721.2 ‐ An incidental powers activity is one that is necessary or requisite to enable you to carry on effectively the business for which you are incorporated.
• Incidental powers = “Catch all”
NCUA Regulations ‐ Summary
• Senior management cannot receive incentives unless based on overall financial performance.
  • Example: bonuses
• Other employees can receive incentives, however:
  • Policies
  • Internal controls
  • Monitoring
• More specifically, “provided that the board of directors of the credit union establishes written policies and internal controls in connection with such incentive or bonus and monitors compliance with such policies and controls at least annually.”
CFPB Compliance Bulletin 2016-03
CFPB Compliance Bulletin 2016‐03
• The Consumer Financial Protection Bureau (CFPB) Bulletin:
  • Provides examples of problematic incentive plans;
  • Highlights examples whereby incentives contributed to substantial consumer harm;
  • Describes management steps to mitigate risks posed by incentives.
CFPB Compliance Bulletin 2016‐03
• Examples of problematic incentive plans include:
  • Sales goals or unrealistic quotas ‐ Encourage employees to open accounts or enroll customers in services without their knowledge or consent;
  • Paying more compensation for certain types of customer transactions ‐ Encourage that product when there may be a better option for the member;
  • Paying compensation based on the terms or conditions of transactions (such as interest rate) ‐ Encourage employees or service providers to overcharge consumers.
CFPB Compliance Bulletin 2016‐03
• Credit Card Add‐On Matters
  • 12 Cases ‐ Improper practices to market credit card add‐on products, such as “credit protection” and “identity monitoring.”
• Overdraft Opt‐in Matters
  • Consumers were deceived into opting in to overdraft services.
• Unfair and Abusive Sales Practices
  • Significant issue ‐ Opening unauthorized deposit and credit card accounts to satisfy sales goals.
  • Wells Fargo
CFPB Compliance Bulletin 2016‐03
• Some highlights from the CFPB Bulletin included:
  • No particular management system;
  • Vary based on size and complexity of an organization;
  • Should involve oversight of employees and service providers.
• The strictest controls are necessary for:
  • Products or services less likely to benefit consumers;
  • Products that have higher potential to lead to harm;
  • Reward outcomes that do not necessarily align with consumer interests;
  • Implicate a significant proportion of employee compensation.
CFPB Compliance Bulletin 2016‐03
• Effective management systems commonly have the following components:
• Board of directors and management oversight;
• Policies and procedures;
• Training;
• Monitoring and corrective action;
• Consumer complaint management program;
• Independent compliance audit.
CFPB Compliance Bulletin 2016‐03
Board of directors and management oversight:
• The positive effects and negative effects should be well understood.
• Address unintended outcomes.
• “Tone from the top” is important.
• Should empower all employees to report suspected incidents.
• Fostering a culture of strong customer service related to incentives.
  • For example, ensuring that consumers are only offered products likely to benefit their interests.
CFPB Compliance Bulletin 2016‐03
• Policies and procedures:
  • Quotas are transparent;
  • Quotas are reasonably attainable;
  • Incentives are easy to account for and monitor;
  • Clear controls for managing the inherent risks;
  • Identify potential conflicts of interest (segregation of duties);
  • Fair and independent processes for investigating reported issues.
CFPB Compliance Bulletin 2016‐03
• Monitoring:
  • Track key metrics – and outliers – that may indicate weaknesses.
  • Examples of possible monitoring metrics include, but are not limited to:
    • Overall product penetration rates by consumer and household;
    • Specific penetration rates for products and services (such as overdraft, add‐on products, and online banking);
CFPB Compliance Bulletin 2016‐03 (continued)
• Examples of monitoring metrics (continued).
• Incentive payouts by employee and by incentive;
• Employee turnover;
• Employee satisfaction;
• Member complaint rates;
• Spikes and trends in sales (both completed and failed sales) by specific individuals and by units;
• Account opening/product enrollment;
• Account closure/product cancellation statistics.
CFPB Compliance Bulletin 2016‐03
• Corrective Action:
  • Termination of employees, service providers, and managers;
  • Changes to the structure of incentives;
  • Training on these programs;
  • Return of funds to all affected consumers;
  • Ensure that the root causes of deficiencies are identified and resolved;
  • Findings should be escalated.
CFPB Compliance Bulletin 2016‐03
• Consumer complaint management program:
  • Collecting and analyzing consumer complaints;
  • Look for indications that incentives are leading to violations of law or harm to consumers.
• Independent compliance audit:
  • Scheduling audits to address incentives;
  • Ensuring audits are conducted independent of:
    • The compliance program;
    • The business functions.
Interagency Proposed Rulemaking
Interagency Proposed Rulemaking
• On April 26, 2016, the FDIC BOD approved the second joint Notice of Proposed Rulemaking (NPR)
  • Under Section 956 of the Dodd‐Frank Wall Street Reform and Consumer Protection Act (Dodd‐Frank Act).
• The NPR seeks to strengthen the incentive‐based compensation practices at covered institutions.
• The NPR affects institutions with greater than 1 billion in total assets.
• Currently not final; when approved, it will likely not go into effect until 2018 or 2019.
Interagency Proposed Rulemaking
• Prohibit types of incentive‐based compensation arrangements that
  • Encourage inappropriate risks
  • Could lead to material financial loss
• Three basic principles:
  • (1) a balance between risk and reward;
  • (2) effective risk management and controls; and
  • (3) effective governance.
Interagency Proposed Rulemaking
• Summary of Proposal Requirements:
  • BOD (or committee) oversight;
  • Appropriate recordkeeping;
  • Disclosures to the appropriate agency;
  • Deferral of awards for senior executive officers and significant risk takers;
  • Prohibit certain inappropriate practices:
    • Prohibit payouts that encourage risk taking;
    • Basing compensation solely on comparison to peers and volume‐driven incentives.
Doeren Mayhew Audit Strategy
Doeren Mayhew Audit Strategy
• Oversight and Policies:
  • Review all policies and procedures for adequacy and reasonableness;
  • Verify that these are being approved by the BOD;
  • Review monitoring reports (consider BOD);
  • Review payroll reports or other HR-provided reports to verify all employees receiving incentive income;
  • (DM exclusive): Obtain and review any of the internal incentive audits performed by IA or management in the past two years.
Doeren Mayhew Audit Strategy
• Monitoring Reports: Review monitoring reports related to incentive programs including:
  • Trends in incentive income by employee for a period.
  • Trends in incentive income by incentive type.
  • Trends in complaint rates or turnover rates.
  • Overall product penetration rates by member and product type.
  • Spikes and trends in sales (both completed and failed sales) by specific individuals and by incentive type.
  • Other relevant monitoring controls per CFPB Compliance Bulletin 2016‐03.
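The monitoring reports above, and the CFPB monitoring metrics listed earlier in the deck, can be produced from payroll and core-system extracts. The following Python is an added example, not Doeren Mayhew's or the CFPB's code: it runs three of those checks (incentive income trend by employee, early closure of incentive-bearing accounts, and per-product sales spikes by individual) over constructed sample data, with hypothetical thresholds (`ratio`, `window_days`, `factor`) that an auditor would tune to the credit union's own history.

```python
"""Incentive-program monitoring checks over constructed sample payouts and
account openings (not real credit-union data)."""
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample: (employee_id, "YYYY-MM", incentive_paid)
PAYOUTS = [
    ("E1", "2017-01", 300.0), ("E1", "2017-02", 320.0),
    ("E1", "2017-03", 310.0), ("E1", "2017-04", 1200.0),
    ("E2", "2017-01", 280.0), ("E2", "2017-02", 290.0),
    ("E2", "2017-03", 300.0), ("E2", "2017-04", 310.0),
    ("E3", "2017-01", 150.0), ("E3", "2017-02", 160.0),
    ("E3", "2017-03", 170.0), ("E3", "2017-04", 155.0),
]
# Constructed sample: (account_id, employee_id, product, opened, closed or None)
ACCOUNTS = [
    ("A1", "E1", "debit_card", date(2017, 4, 3), date(2017, 4, 20)),
    ("A2", "E1", "debit_card", date(2017, 4, 5), date(2017, 4, 28)),
    ("A3", "E1", "debit_card", date(2017, 4, 7), date(2017, 5, 1)),
    ("A4", "E1", "debit_card", date(2017, 4, 9), None),
    ("A5", "E1", "savings", date(2017, 4, 11), None),
    ("A6", "E2", "debit_card", date(2017, 4, 6), None),
    ("A7", "E2", "savings", date(2017, 4, 12), date(2017, 9, 30)),
    ("A8", "E3", "debit_card", date(2017, 4, 13), None),
    ("A9", "E3", "savings", date(2017, 4, 18), None),
]


def payout_spikes(payouts, ratio=2.0):
    """Trend in incentive income by employee: flag a month whose payout exceeds
    `ratio` x the mean of that employee's earlier months (hypothetical threshold)."""
    history = defaultdict(list)
    for emp, month, amount in sorted(payouts):
        history[emp].append((month, amount))
    flags = []
    for emp, rows in history.items():
        for i in range(1, len(rows)):
            baseline = mean(amount for _, amount in rows[:i])
            month, amount = rows[i]
            if amount > ratio * baseline:
                flags.append((emp, month, amount, round(baseline, 2)))
    return flags


def early_closures(accounts, window_days=30, min_accounts=3, max_rate=0.5):
    """Account closure statistics by employee: share of an employee's
    incentive-bearing openings closed within `window_days`. Accounts opened and
    closed shortly afterwards are a warning sign for openings the member never
    asked for, so employees at or above `max_rate` are returned."""
    opened = defaultdict(int)
    closed_fast = defaultdict(int)
    for _, emp, _, opened_on, closed_on in accounts:
        opened[emp] += 1
        if closed_on is not None and (closed_on - opened_on).days <= window_days:
            closed_fast[emp] += 1
    return {emp: round(closed_fast[emp] / n, 2)
            for emp, n in opened.items()
            if n >= min_accounts and closed_fast[emp] / n >= max_rate}


def product_volume_outliers(accounts, factor=2.0):
    """Spikes in sales by individual and product: flag an employee whose opening
    count for a product exceeds `factor` x the median count across the
    employees who opened that product."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, emp, product, _, _ in accounts:
        counts[product][emp] += 1
    flags = {}
    for product, per_emp in counts.items():
        med = median(per_emp.values())
        for emp, n in per_emp.items():
            if n > factor * med:
                flags[(product, emp)] = n
    return flags


def monitoring_report(payouts=PAYOUTS, accounts=ACCOUNTS):
    """Bundle the three checks into one report for the supervisory committee."""
    return {
        "payout_spikes": payout_spikes(payouts),
        "early_closures": early_closures(accounts),
        "volume_outliers": product_volume_outliers(accounts),
    }


if __name__ == "__main__":
    for name, finding in monitoring_report().items():
        print(f"{name}: {finding}")
```

On the sample data all three checks point at the same employee, which is the kind of convergence that justifies pulling that employee's openings into the member-permission verification step described later in the deck.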
Doeren Mayhew Audit Strategy
• Interviews: Speak with a range of employees and ask key questions.
  • Including employees, such as:
    • Management – Manages plan and employees;
    • Compliance person – Monitors/audits plan;
    • Employees – Receiving incentives.
  • Including questions, such as:
    • Awareness of incentives;
    • Pressures caused by incentives;
    • Understanding of risks imposed by incentives;
    • Training;
    • Monitoring controls.
Doeren Mayhew Audit Strategy
Vouch Incentive Payouts
• We obtain a file of incentive disbursements for a period (for a particular incentive).
• We test a selected sample to verify:
  • Accuracy of calculations and disbursement amounts;
  • Agreement to supporting documentation;
  • Proper approval;
  • Compliance with policy.
Doeren Mayhew Audit Strategy
Verification of Member Permission – Higher Risk
• Obtain a report of transactions that led to incentive payout for a period.
  • For example, a file of all added accounts or services to existing members for a period, whereby an incentive is paid.
• Select a sample of transactions and send positive verifications or perform alternate procedures, including:
  • Review of any recorded calls, via member phone request;
  • Review of account notes;
  • Review of supporting documentation of the member;
  • Other.
Doeren Mayhew Audit Strategy
Common Comments
• No periodic QCR performed on incentive payments.
• No annual audits of incentive programs performed.
• Recommendation on beneficial monitoring reports.
• Information related to validating specific incentive payout amounts was not available for review.
• Policy updates are needed.
• Recommend reviewing certain incentives based on certain risk considerations.
Thank You!
Lori Carmichael, CPA
Shareholder
Phone: 704.341.0970
Stephen LaBarbera
Audit Manager
Phone: 704.341.0970
Section4
Top 10 Audit Findings
Presented By: Lori Carmichael, CPA – Shareholder; Stephen LaBarbera – Audit Manager
Class Objectives
• Identify key audit areas subject to auditor scrutiny.
• Identify ways to avoid audit findings and potential control issues.
• Ask questions you have interest in and leave this conference more informed.
10. Prepaid and Other Assets – Prepaid Assets
• Issues:
  • Incorrect prepaid terms set up in the system.
  • Inappropriate capitalization of expenses.
• How to avoid:
  • Review the invoice and perform a recalculation for accuracy.
  • Establish a policy for capitalization thresholds.
10. Prepaid and Other Assets – Other Assets: Repossessed Collateral (Repos)
• Issues:
  • Measuring impairment on vehicles and classification.
• How to avoid:
  • Incorporate into the monthly financial closing process procedures to measure and reclassify repos at the lower of cost or market.
10. Prepaid and Other Assets – Other Assets: Other Real Estate Owned (OREO)
• Issues:
  • Initial recording of OREO and subsequent valuations.
  • Costs incurred subsequent to being re-classed to OREO.
• How to avoid:
  • Obtain an appraisal to properly record at fair value less costs to sell and periodically obtain an updated appraisal.
  • Costs should be charged to expense unless the costs add value to the property.
9. Member Business Loans
• Issues:
  • Poor underwriting and loan monitoring.
  • Lack of management’s experience with member business loan programs.
  • Risk ratings conducted by credit union personnel are not done timely or are not accurate.
• How to avoid:
  • Ensure appropriate audit oversight of the MBL loan program exists.
8. Deferred Compensation Plans – Deferred Compensation Arrangements
• Issues:
  • CFOs are often not familiar with the details:
    • CEO may provide the account entries.
    • Investment(s) used to fund the deferred compensation arrangement(s) may be in violation of Section 701.19 of NCUA Regulations (direct benefit).
• How to avoid:
  • Obtain an understanding of the deferred compensation plan agreement and the accounting.
  • Review the balance of the investment account to avoid over-funding.
8. Deferred Compensation Plans – 457 Plans
• Issues:
  • Incorrect reporting of 457(b) plan balances.
  • Incorrect reporting of 457(f) accruals.
• How to avoid:
  • Report 457(b) plan balance consistent with the statement.
  • Obtain an understanding of the 457(f) plan agreement.
8. Deferred Compensation Plans – 401(k) Plan
• Issues:
  • Not using the correct definition of compensation.
  • Plan document does not reflect management’s intent.
  • Not following audit requirements.
• How to avoid:
  • Obtain a good understanding of the plan document.
  • Ensure a 401(k) plan audit is completed for plans with 100 or more eligible participants.
7. Indirect Lending
• Issues:
  • Significant growth in this loan segment may include a high volume of borrowers whose credit standing has been embellished by the auto dealer.
  • True delinquency and charge-off data regarding this loan segment may lag due to the high volume of new loans being approved on a monthly basis.
• How to avoid:
  • Establish policies and procedures which address dealer expectations, risk tolerance and monitoring procedures.
6. Internal Controls – Plastic Cards
• Issues:
  • Both plastic cards and PINs are returned to the employee creating cards.
• How to avoid:
  • Segregate the returned mail process from the employee creating cards.
6. Internal Controls – Dormant Accounts
• Issues:
  • Unauthorized (fraudulent) transactions posted against dormant accounts.
• How to avoid:
  • Set system parameters to require a supervisory override in order to perform transactions against dormant accounts.
  • Perform timely review of the dormant account transaction report.
6. Internal Controls – System Access
• Issues:
  • Computer system access beyond related job function, which may allow for potential unauthorized transactions.
• How to avoid:
  • Restrict computer system access to match job function.
  • Review computer system access reports.
5. Information Technology
• Issues:
  • Weak back-up procedures
    • Critical servers not backed up
    • All back-ups not sent offsite
  • Lack of appropriate physical access and environmental controls.
  • Weak change controls and segregation of duties.
  • Weak password security.
5. Information Technology (continued)
• How to avoid:
  • Ensure that appropriate audit oversight and testing of IT controls exists.
  • Passwords should be complex (uppercase letters, lowercase letters, numbers, special characters).
4. Cash on Hand – Tellers and Operations
• Issues:
  • Not performing surprise cash counts.
  • Dual control over vault and single custody of teller drawer.
  • Not establishing teller drawer limits.
• How to avoid:
  • Perform surprise cash counts.
  • Vault should be maintained under dual custody and tellers should maintain sole custody of their respective drawer.
  • Establish drawer limits (i.e., < $5,000).
3. Reconciliations
• Issues:
  • Not prepared or reviewed for all general ledger (GL) accounts.
  • Not supported with proper documentation.
• How to avoid:
  • Reconciliations should be maintained for all GL accounts and reviewed on a timely basis.
  • Establish a monthly reconciliation log to assist with monitoring and tracking reconciliations.
2. Controls – Loans (File Maintenance & Exception Reports)
• Issues:
  • No formal review over loan file maintenance reports:
    • Loan rate changes
    • Due date advances
    • Payment amount changes
• How to avoid:
  • Perform a review of these reports to determine the validity of the items appearing on them.
2. Controls – Loans (File Maintenance & Exception Reports) (continued)
• Issues:
  • Not reviewing loan exception reports has contributed to the following findings:
    • Fraudulent loans
    • Loan input errors
    • Unauthorized advancement of payment due dates
    • Misapplication of principal and interest payments
    • Over accrual of interest
• How to avoid:
  • Generate and review the following loan exception reports:
    • Unusual accrued interest (> $500, > scheduled payment, etc.)
    • Unusual rates (outside normal ranges)
    • Paid ahead loans
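As an added example (not Doeren Mayhew's own tooling), the following Python generates the three loan exception reports listed above and adds a review of the file maintenance report from the previous slide (rate changes, due date advances and payment amount changes that lack an independent approval). The loan records, the maintenance log, the rate ranges and the thresholds are all constructed or hypothetical; a credit union would substitute its core-system extract and its own policy values.

```python
"""Loan exception and file-maintenance report checks over constructed sample
loan records and a constructed maintenance log (not real data)."""
from datetime import date

# Constructed sample loans: rate in %, amounts in dollars.
LOANS = [
    {"id": "L1", "type": "auto", "rate": 4.25, "accrued_interest": 120.0,
     "scheduled_payment": 350.0, "next_due": date(2017, 8, 1)},
    {"id": "L2", "type": "auto", "rate": 0.50, "accrued_interest": 40.0,
     "scheduled_payment": 300.0, "next_due": date(2017, 8, 1)},
    {"id": "L3", "type": "mortgage", "rate": 4.00, "accrued_interest": 820.0,
     "scheduled_payment": 1100.0, "next_due": date(2017, 8, 1)},
    {"id": "L4", "type": "signature", "rate": 11.00, "accrued_interest": 260.0,
     "scheduled_payment": 200.0, "next_due": date(2017, 8, 1)},
    {"id": "L5", "type": "auto", "rate": 3.90, "accrued_interest": 0.0,
     "scheduled_payment": 400.0, "next_due": date(2018, 6, 1)},
    {"id": "L6", "type": "signature", "rate": 29.00, "accrued_interest": 50.0,
     "scheduled_payment": 150.0, "next_due": date(2017, 8, 1)},
]
# Hypothetical "normal" rate ranges per loan type, in % (policy values).
RATE_RANGES = {"auto": (2.0, 18.0), "mortgage": (3.0, 8.0), "signature": (6.0, 18.0)}
# Constructed file-maintenance log:
# (loan_id, field, old_value, new_value, changed_by, approved_by or None)
MAINTENANCE = [
    ("L2", "scheduled_payment", 300.0, 280.0, "u2", "sup1"),
    ("L4", "next_due", date(2017, 7, 1), date(2017, 9, 1), "u2", None),
    ("L3", "scheduled_payment", 1100.0, 900.0, "u1", "sup1"),
    ("L1", "rate", 4.25, 2.25, "u1", "u1"),
]
REVIEWED_FIELDS = {"rate", "next_due", "scheduled_payment"}


def unusual_accrued_interest(loans, dollar_limit=500.0):
    """Accrued interest above the dollar limit or above one scheduled payment."""
    return [l["id"] for l in loans
            if l["accrued_interest"] > dollar_limit
            or l["accrued_interest"] > l["scheduled_payment"]]


def unusual_rates(loans, ranges=RATE_RANGES):
    """Rates outside the normal range for the loan type; an unknown type is
    flagged as well, since it cannot be checked against any range."""
    flagged = []
    for l in loans:
        low, high = ranges.get(l["type"], (None, None))
        if low is None or not low <= l["rate"] <= high:
            flagged.append(l["id"])
    return flagged


def months_between(start, end):
    """Whole calendar months from `start` to `end` (negative if `end` is earlier)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def paid_ahead(loans, as_of, max_months_ahead=3):
    """Loans whose next due date is more than `max_months_ahead` months out."""
    return [l["id"] for l in loans
            if months_between(as_of, l["next_due"]) > max_months_ahead]


def maintenance_exceptions(log, fields=REVIEWED_FIELDS):
    """File-maintenance entries on reviewed fields that changed a value without
    an independent approval: no approver recorded, or approver == changer."""
    out = []
    for loan_id, field, old, new, changed_by, approved_by in log:
        if field not in fields or old == new:
            continue
        if approved_by is None:
            out.append((loan_id, field, "no approval"))
        elif approved_by == changed_by:
            out.append((loan_id, field, "self-approved"))
    return out


def exception_reports(loans=LOANS, log=MAINTENANCE, as_of=date(2017, 7, 13)):
    """All four reports keyed by name, ready for the monthly review sign-off."""
    return {
        "unusual_accrued_interest": unusual_accrued_interest(loans),
        "unusual_rates": unusual_rates(loans),
        "paid_ahead": paid_ahead(loans, as_of),
        "maintenance_exceptions": maintenance_exceptions(log),
    }


if __name__ == "__main__":
    for name, rows in exception_reports().items():
        print(f"{name}: {rows}")
```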
1. Allowance for Loan and Lease Losses (ALLL)
• Issues:
  • Analysis based on an unreasonable historical loss period.
  • Analysis not considering required Q&E components.
  • ALLL specific reserve not compliant with GAAP.
  • ALLL not including TDRs.
• How to avoid:
  • ALLL analysis should include a reasonable historical loss period, a Q&E component and specific reserves and/or TDR reserves (if applicable).
Section5
Sageworksanalyst.com
July 13, 2017
Neekis Hammond, CPA, Principal ‐ Advisory Services
CECL – Initial and Subsequent Measurement: A Practical Approach
• Risk management thought leader for institutions and examiners
• Regularly featured in national and trade media
• Loan portfolio and risk management solutions
• More than 1,000 financial institution clients
• Founded in 1998
ASU 2016-13 (Topic 326/CECL) Key Principles
• 326‐20‐30‐6: Loss estimate must include expected credit losses over the contractual term of the financial asset(s)
• 326‐20‐30‐6: Prepayment behavior must be explicitly or implicitly addressed
• 326‐20‐30‐6: Extension and/or renewal assumptions are not allowed except for Troubled Debt Restructurings
• 326‐20‐30‐2: Analyzing assets on a collective or pooled basis is required unless unique risk characteristics exist
• 326‐20‐50‐6: Institutions (PBEs and SEC filers) must prepare a vintage disclosure by presenting the amortized cost basis within each credit quality indicator by year of origination (that is, vintage year)
Sageworksanalyst.com
ASU 2016-13 (Topic 326/CECL)KeyPrinciples
• 326‐20‐30‐7: Internalinformation,externalinformationoracombinationofbothmaybeusedforanalyzingpasteventsandcurrentconditions,aswellasinthecreationofreasonableandsupportableforecasts
8
Sageworksanalyst.com
ASU 2016-13 (Topic 326/CECL)KeyPrinciples
• 326‐20‐30‐7: Internalinformation,externalinformationoracombinationofbothmaybeusedforanalyzingpasteventsandcurrentconditions,aswellasinthecreationofreasonableandsupportableforecasts
• 326‐20‐30‐9: Adjustmentstohistoricallossinformationmaybequantitativeand/orqualitativeinnature
9
4
Sageworksanalyst.com
ASU 2016-13 (Topic 326/CECL)KeyPrinciples
• 326‐20‐30‐7: Internalinformation,externalinformationoracombinationofbothmaybeusedforanalyzingpasteventsandcurrentconditions,aswellasinthecreationofreasonableandsupportableforecasts
• 326‐20‐30‐9: Adjustmentstohistoricallossinformationmaybequantitativeand/orqualitativeinnature
• 326‐20‐30‐9: Adjustmentsmaybebasedonreasonableandsupportableforecasts.Forperiodsbeyondareasonableforecast,revertingtohistoricallossinformationimmediately,onastraight‐linebasis,orusinganotherrationalandsystematicbasisisacceptable
10
Sageworksanalyst.com
ASU 2016-13 (Topic 326/CECL)KeyPrinciples
• 326‐20‐30‐7: Internalinformation,externalinformationoracombinationofbothmaybeusedforanalyzingpasteventsandcurrentconditions,aswellasinthecreationofreasonableandsupportableforecasts
• 326‐20‐30‐9: Adjustmentstohistoricallossinformationmaybequantitativeand/orqualitativeinnature
• 326‐20‐30‐9: Adjustmentsmaybebasedonreasonableandsupportableforecasts.Forperiodsbeyondareasonableforecast,revertingtohistoricallossinformationimmediately,onastraight‐linebasis,orusinganotherrationalandsystematicbasisisacceptable
• 326‐20‐30‐11: Aliabilityforcreditlossesonoff‐balance‐sheetcreditexposuresoverthecontractuallifemustberecorded
11
ASU 2016-13 (Topic 326/CECL) Key Principles – SEC Filers
SAB No. 74 (Topic 11-M): Disclosure of the impact that recently issued accounting standards will have on the financial statements of the registrant when adopted in a future period.
• ASU 2014-9, Revenue from contracts with customers
• ASU 2016-2, Leases (Topic 842)
• ASU 2016-13, Measurement of credit losses on financial instruments (Topic 326/"CECL")

SAB No. 74 (Topic 11-M) disclosure consists of:
• A brief description of the new standard, the date that adoption is required and the date that the registrant plans to adopt, if earlier.
• A discussion of the methods of adoption allowed by the standard and the method expected to be utilized by the registrant, if determined.
• A discussion of the impact that adoption of the standard is expected to have on the financial statements of the registrant, unless not known or reasonably estimable. In that case, a statement to that effect may be made.
• Disclosure of the potential impact of other significant matters that the registrant believes might result from the adoption of the standard (such as technical violations of debt covenant agreements, planned or intended changes in business practices, etc.) is encouraged.
ASU 2016-13 (Topic 326/CECL)
Strategic Considerations
• Reasonable (Financial Considerations)
  • Costs: Initial, subsequent and recurring (build vs. buy)
  • Benefits: Variance, materiality and managerial insight
  • Risks: Modeling, volatility and sensitivity
• Supportable (Levers and Elections)
  • Segmentation: Structure, term and credit risk
  • Methodology: Alignment, strengths/weaknesses and data constraints
  • Forecast: Source, sensitivity and data constraints
• Applicable (Accuracy and Meaningfulness)
  • GAAP: Compliance and auditability
  • Regulatory: Adequate and transparent
  • Strategic: Cross application and managerial insight
ASU 2016-13 (Topic 326/CECL)
Tactical Considerations
• Data
  • Adequacy
  • Retention
  • Process
• Contractual Life/Prepayment
  • Calculation
  • Support
• Segmentation
  • Flexibility
  • Comparability
  • Support
• Methodologies
  • Flexibility
  • Comparability
  • Support
• Forecasting and Adjustments
  • Flexibility
  • Comparability
  • Support
• Documentation
  • Completeness
  • Auditability
  • Efficiency
Data - Adequacy: Interagency Guidance – December 19, 2016
"Specifically with regard to data, to implement CECL, an institution should collect and maintain relevant data to support its estimates of lifetime expected credit losses in a way that aligns with the method or methods it will use to estimate its allowances for credit losses. As such, the agencies encourage institutions to discuss the availability of historical loss data internally and with their core loan service providers because system changes related to the collection and retention of data may be warranted. Depending on the estimation method or methods selected, institutions may need to capture additional data and retain data longer than they have in the past on loans that have been paid off or charged off to implement CECL."
Data - Retention
[Chart: data retention look-back windows of 2-year, 3-year, 4-year and 5-year periods]
Data - Process
[Diagram]
Contractual Life (Attrition)
[Chart: Average Life (years) by loan type (Working Capital LOC, Equipment, Vehicle, Credit Card, Construction, SBA); bar values shown: 1.25, 3.25, 3.75, 2.15, 1.75, 4.25]
Application
• Cumulative/Static Pool Analysis
• Migration
• Probability of Default & Loss Given Default (PD & LGD)
• Roll Rate
• Markov Chain Monte Carlo (MCMC)
Prepayment (CPR/SMM)
[Chart: Conditional Prepayment Rate (CPR) by loan type (Equipment, Vehicle, Credit Card, Construction, SBA); bar values shown: 20%, 25%, 30%, 20%, 15%]
Prepayment (CPR/SMM)
Application
• DCF (Discounted Cash Flow)
Segmentation
[Charts: Cumulative Loss & Migration]
[Charts: DCF Risk-Level (top) & DCF Risk-Rating (bottom)]
Methodologies
[Charts: DCF Risk-Level; Migration Risk-Level; PD & LGD; Cumulative Loss]
[Chart: Life-of-Loan Loss Experience by methodology (DCF Risk-Level, Migration Risk-Level, PD & LGD Risk-Level, Cumulative Loss); values shown: 0.33%, 0.25%, 0.42%, 0.79%]
Methodologies
"The allowance for credit losses may be determined using various methods. For example, an entity may use discounted cash flow methods, loss-rate methods, roll-rate methods, probability of default methods, or methods that utilize an aging schedule:"
• Loss-rate method: Net charge-offs/average balance is of little worth. Cumulative loss rates are appropriate. For more information: http://web.sageworks.com/CECL‐Historical‐Loss‐Misconceptions/
• Roll-rate method: Net change in balances assumed to indicate migration through default to loss
• Vintage: Suitable for installment loans; not for revolving credits.
• Migration: Observed loss experience at the sub-segment level over n periods. Misalignment between the life of the asset and the migration/loss experience is a common error in logic.
• PD & LGD: Probability of defaulting over n periods. Misalignment between the life of the asset and the probability that a loan will default is a common error in logic.
• DCF: Inputs prior to executing amortization schedules require models as well: loss-rate or probability-of-default, prepayment, loss-given-default, recovery lag, etc.
Transition/Execution
As institutions search for solutions that are both cost-effective and accommodating, understanding critical capabilities will lead to a more successful investment.
Building peripheral spreadsheet-based models, purchasing data to derive and support material inputs and assumptions, limiting methodology options and manually compiling supporting documentation and/or disclosures can lead to dissatisfaction and can prove costly.
The following items must be understood/evaluated:
• Data fit/gap analysis and a clear understanding of data-driven limitations
• Data remediation assistance
• Adequate training, support, and advisory services
• Life-of-loan and prepayment calculations
• Rapid segmentation elections
• Multiple methodology options available at the pool level
• Forecast creation, support, and application capabilities
• Supporting documentation and disclosure preparation
• Clear developmental roadmap commitments and contractual obligations to remain compliant
CECL Summary
Strategic Considerations
• Reasonable (Financial Considerations)
  • Costs: Initial, subsequent and recurring (build vs. buy)
  • Benefits: Variance, materiality and managerial insight
  • Risks: Modeling, volatility and sensitivity
• Supportable (Levers and Elections)
  • Segmentation: Structure, term and credit risk
  • Methodology: Alignment, strengths/weaknesses and data constraints
  • Forecast: Source, sensitivity and data constraints
• Applicable (Accuracy and Meaningfulness)
  • GAAP: Compliance and auditability
  • Regulatory: Adequate and transparent
  • Strategic: Cross application and managerial insight
Section 6
Insight. Oversight. Foresight. ® Florida Michigan North Carolina Texas
Cybersecurity: Everything You Need to Know
Presented by: Hugh S. Chakler, CPA, CISA, CITP, CFE
Financial Institutions Group
Today's Objectives
• Why are we talking about cybersecurity?
• Who is at risk and what are the threats?
• What is the goal of cybersecurity attacks?
• What are the strengths of the threats?
• FFIEC Cybersecurity Framework
• FFIEC Cybersecurity Assessment Tool
  • Inherent Risk Profile
  • Maturity Profile
• Cyber risk mitigation
• What should you do next?
Cyberattack – WannaCry
• Biggest cyberattack ever: 150 countries
• At least 200,000 computers according to Europol (European law enforcement agency)
• Locks down all files on an infected computer
• $300 ransom to release the files
• Microsoft Windows vulnerability
  • Patch was released in March
  • Failure to update your systems
http://money.cnn.com/technology
Cyberattack – WannaCry
• Victims
  • FedEx
  • Nissan
  • United Kingdom's National Health Service
• Numbers of affected systems expected to rise as people return to work this week
Cyberattack – WannaCry
• How to protect yourself personally
  • Install any software updates immediately and make it a habit
  • Turn on the auto-updater (Microsoft)
  • Use anti-virus software that updates
  • Backup and regularly save copies of your files
  • Don't click on links from people you don't know personally
  • Watch for links that look somewhat familiar – but a little "off"
Data Breaches
• February 2015 – Anthem Blue Cross
  • 80 million victims, probably a Chinese cyber-espionage campaign
• Target breach settles for $10 million
  • Target has said its computer security systems alerted it to suspicious activity after hackers had infiltrated its networks, but it decided to ignore the alert, allowing what would become one of the largest data breaches recorded
Breaches vs. Incident
• Incident: Security event compromising the integrity, confidentiality or availability of an information asset.
• Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party
Breach Actors
[Chart. Source: Verizon DBIR 2017 Report]
Breach Tactics
[Chart. Source: Verizon DBIR 2017 Report]
Breach Victims
[Chart. Source: Verizon DBIR 2017 Report]
Breach Similarities
[Chart. Source: Verizon DBIR 2017 Report]
Compromise on Organizations
• In 60% of cases, attackers are able to compromise an organization within minutes
Source: Verizon 2015 Data Breach Investigations Report
[Chart: Percent of breaches where time to compromise / time to discovery was days or less. Source: Verizon 2016 Data Breach Investigations Report]
Who Are Cyber Attackers?
• Nation-states
  • China
  • Russia
• Terrorists
• Criminal enterprises
• Insiders
Confirmed Data Breaches
• 63% of confirmed data breaches involved weak, default or stolen passwords
• Top threat action varieties within incidents involving credentials (chart below)
[Chart. Source: Verizon 2016 Data Breach Investigations Report]
Rise in Misuse Breaches by External Actors Only
• This was solely associated with TGYFBFTDHRA
• THAT GUY YOU FIRED BUT FORGOT TO DISABLE HIS REMOTE ACCESS
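The control that closes this gap is a periodic reconciliation of HR terminations against the account directory and the remote-access groups, so that a missed offboarding step is caught before the former employee uses it. The following is an added example, not code from the presentation or from Doeren Mayhew: it reconciles a constructed HR terminations export against a constructed account inventory. Field names and the group names in REMOTE_ACCESS_GROUPS are assumptions; a real run would read the same two lists from the HR system and the directory or VPN concentrator.

```python
"""Offboarding reconciliation: terminated staff whose remote access survived.

Added example, not from the presentation.  The inputs are constructed stand-ins
for an HR terminations export and a directory/VPN account inventory; field
names and the group names in REMOTE_ACCESS_GROUPS are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Termination:
    username: str
    terminated_on: date


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset[str]
    last_logon: Optional[date]   # None if the account has never logged on


# Group memberships that grant access from outside the network (assumed names).
REMOTE_ACCESS_GROUPS = frozenset({"VPN-Users", "RemoteDesktop-Users"})


def reconcile(terminations: list[Termination],
              accounts: list[Account]) -> dict[str, list[str]]:
    """Return username -> findings for each terminated user who still has an account."""
    by_user = {a.username: a for a in accounts}
    findings: dict[str, list[str]] = {}
    for term in terminations:
        acct = by_user.get(term.username)
        if acct is None:
            continue  # account already deleted: nothing left to check
        issues: list[str] = []
        if acct.enabled:
            issues.append("ACCOUNT_STILL_ENABLED")
        # Group membership is flagged even on a disabled account: re-enabling
        # it (by mistake or through collusion) would restore remote access.
        remote = acct.groups & REMOTE_ACCESS_GROUPS
        if remote:
            issues.append("REMOTE_ACCESS_GROUP:" + ",".join(sorted(remote)))
        # A logon after the termination date is the signal that matters most.
        if acct.last_logon is not None and acct.last_logon > term.terminated_on:
            issues.append("LOGON_AFTER_TERMINATION")
        if issues:
            findings[term.username] = issues
    return findings


# Constructed sample data (not real people or accounts).
SAMPLE_TERMINATIONS = [
    Termination("jdoe", date(2017, 6, 30)),
    Termination("asmith", date(2017, 5, 15)),
    Termination("bjones", date(2017, 7, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, frozenset({"Staff", "VPN-Users"}), date(2017, 7, 5)),
    Account("asmith", False, frozenset({"Staff"}), date(2017, 5, 14)),
    Account("bjones", False, frozenset({"VPN-Users"}), None),
    Account("cchen", True, frozenset({"Staff", "VPN-Users"}), date(2017, 7, 12)),
]


def sample_findings() -> dict[str, list[str]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, issues in sample_findings().items():
        print(user, "->", "; ".join(issues))
```

In the sample, jdoe is the case the slide describes: terminated on June 30, still enabled, still in the VPN group, and seen logging on five days later. asmith was offboarded correctly and produces no finding. bjones is disabled but still carries the VPN group, which is worth cleaning up because a disabled account only has to be re-enabled to regain remote access. A current employee such as cchen is never examined, since the check is driven from the terminations list.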
Insider and Privilege Misuse
[Chart. Source: Verizon 2016 Data Breach Investigations Report]
Insider and Privilege Misuse
• Mainly insider-only misuse, but outsiders (due to collusion) and partners (because they are granted privileges).
• Key findings:
  • They're behind your firewall.
  • They are often end users and they are comfortable exfiltrating data out in the open on the corporate LAN.
  • Insider incidents are the hardest (and take the longest) to detect.
  • Of all the incidents, these insider misuse cases are the most likely to take months or years to discover.
Who Are These Insiders?
• Leadership = 14% executive or other management
• Elevated access privilege jobs = 14%, such as system administrators or developers
• The moral of this story is to worry less about job titles and more about the level of access (and your ability to monitor)
• At the end of the day, keep up a healthy level of suspicion toward all employees.
Cyber Threats: Phishing
• 30% of phishing messages are opened
• 12% click the malicious attachment or link
Cyber Attackers: What is Their Motivation?
• Espionage (political and corporate)
• Fraud
• Disruption
• Destruction
• Social or political message
• "Shock and Awe"
• Recruitment
BUT MOSTLY
Cyber Attackers: Strengths
• Technical expertise
• Financial sponsors
• International reach
• Weak legal reach
• Anonymity
Where Do We Start?
Risk Assessment
• Considered to be the first and most important strategy
• Fully understand how technology facilitates the achievement of its business objectives
• Determine your tolerance for technology-related loss
• Remember: IT IS NOT A MATTER OF "IF" IT WILL HAPPEN, BUT WHEN WILL IT HAPPEN
Risk Assessment: Allocation of Resources
• Need to understand the risks to properly allocate
  • Management time
  • Financial resources
• Know the threats and projected costs
Risk Assessment Quality
• Consider the issues identified in the assessments
• Discuss the contents of the risk assessment
• Consider
  • Reliance on technology
  • Presence of member data
  • Regulations
  • Risk mitigation
FFIEC Cybersecurity Assessment Tool
Cybersecurity
• The ability to protect or defend the use of cyberspace from cyber attacks.
Source: CNSSI-4009 - NIST.IR.7298r2
Or, how about this?
• The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
Cybersecurity Assessment Tool
• Objective:
  • To help credit unions identify their risks and determine their cybersecurity maturity.
  • The assessment provides institutions with a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.
June 30, 2015
Strong Industry Foundation and Benchmark
[Diagram: Public & Industry Guidance; Cybersecurity Assessment Tool; Effective Cyber Risk Management; FFIEC IT Handbooks; NIST Cybersecurity Framework. Source: NCUA Cybersecurity Industry Webinar, 2015]
General Observations
• During the summer of 2014, Federal Financial Institutions Examination Council (FFIEC) members piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks.
• The Cybersecurity Assessment found the level of cybersecurity inherent risk varies significantly across financial institutions.
Assessment Consists of Two Parts
• Inherent Risk Profile and Cybersecurity Maturity
  • Inherent Risk Profile: identifies the institution's inherent risk before implementing controls.
  • Cybersecurity Maturity: includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.
Inherent Risk Profile
• Management first assesses the institution's inherent risk profile based on five categories:
  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats
Cybersecurity Maturity
• Management then evaluates the institution's Cybersecurity Maturity level for each of five domains:
  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber incident management and resilience
FFIEC Cybersecurity
FFIEC Response Framework
• Every institution should maintain a framework
  • Security
  • Resilience
Identify → Prevent → Detect → Respond → Recover
Five Key "Domains" for Cybersecurity Preparedness
1. Cyber risk management & oversight
  • Strong governance is essential
2. Threat intelligence & collaboration
  • Strength in numbers
3. Cybersecurity controls
  • More than one kind of control
4. External dependency management
  • Your security starts with their security
5. Incident management & resilience
  • Mitigation and recovery are a must
Cyber Risk Management and Oversight
• Policies and risk management strategies
• Commit sufficient resources, including expertise and training
For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing
Threat Intelligence and Collaboration
• Monitor timely threat information and intelligence to discover threats and identify attack methods.
• Leverage known intelligence sources to develop preventative and responsive strategies.
• Share crucial threat information and intelligence with partners and stakeholders to strengthen your security posture.
75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours)
Cybersecurity Controls
• Physical and environmental controls
• Logical access controls
• Cybersecurity controls to prevent, detect, and mitigate cyber attacks
  • Preventative controls to minimize the impact and likelihood of successful attacks
  • Detective controls to identify attacks in early stages
  • Corrective controls to mitigate the impact
External Dependency Management: GLBA Vendor Management
• Identify your critical external dependencies.
• Establish rigorous vendor management controls, including ongoing due diligence and monitoring.
• Define third parties' responsibilities and associated service level metrics.
• Evaluate vendors' incident response and resilience.
Federal Appeals Court grants the Federal Trade Commission authority to litigate on behalf of cyber-security issues (Wyndham hotel case)
Wyndham Hotel Case
Wyndham allegedly:
• Allowed its hotels to store payment card information in clear, readable text.
• Allowed the use of easily guessed passwords to access the property management systems.
• Failed to use readily available security measures, such as firewalls, to limit access between the hotels’ property management systems, corporate network and the Internet.
• Did not ensure that its hotels implemented adequate information security policies and procedures.
Wyndham Hotel Case
Wyndham allegedly:
• Failed to restrict access to its network and servers from third-party vendors.
• Failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations.
• Did not follow proper incident response procedures.
• Did not monitor its network for malware used in the prior intrusions.
• As a result, the hackers in each of the three breaches used similar methods to gain access to credit card information.
Incident Management and Resilience
• Prepare incident management procedures
• Speed your ability to respond and recover
• Mitigate the loss of member confidence through timely and appropriate member notification.
• Develop policies and implement adequate incident response programs.
• Define capabilities and required resources to address threats and recovery.
• Use monitoring tools to capture events, and to identify anomalous behaviors and attacks.
• Escalate and report cyber incidents to the institution’s board of directors and senior management when warranted.
Maturity Levels: Defined
Baseline: Baseline maturity is characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.
Evolving: Evolving maturity is characterized by additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond protection of customer information to incorporate information assets and systems.
Intermediate: Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.
Advanced: Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across lines of business. The majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.
Innovative: Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.
FFIEC Maturity
All declarative statements in each maturity level, and in every previous level, must be attained and sustained to achieve that domain’s maturity level.
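The cumulative rule above has a consequence auditors sometimes miss: a domain with every Intermediate statement answered "Yes" is still only Baseline if a single Evolving statement is unmet. The following Python function, an added worked example that is not part of the presentation or of any FFIEC tool, derives a domain's level from declarative-statement results. Level names follow the FFIEC Cybersecurity Assessment Tool; the sample answers and the "Not Baseline" label are assumptions for illustration.

```python
# Added example: deriving a domain's FFIEC CAT maturity level from
# declarative-statement answers. Illustrative code written for this page;
# the sample answers and the "Not Baseline" label are assumptions.
from typing import Dict, List, Tuple

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


def domain_maturity(answers: Dict[str, List[bool]]) -> str:
    """Return the highest level whose statements, and every lower level's
    statements, are all attained.  Walks the levels in order and stops at
    the first level with an unmet (or missing) statement, so a gap at
    Evolving caps the domain at Baseline even if Intermediate is complete."""
    achieved = "Not Baseline"  # assumed label for "Baseline not yet met"
    for level in LEVELS:
        statements = answers.get(level, [])
        # A level with no recorded statements cannot be claimed either.
        if not statements or not all(statements):
            break
        achieved = level
    return achieved


def gaps(answers: Dict[str, List[bool]]) -> List[Tuple[str, int]]:
    """List (level, statement index) of every unmet statement in level order,
    so the earliest blocker is first in the list."""
    return [
        (level, i)
        for level in LEVELS
        for i, ok in enumerate(answers.get(level, []))
        if not ok
    ]


# Constructed sample: Intermediate is fully met, but Evolving statement 1 is
# not, so the domain is credited only at Baseline.
SAMPLE = {
    "Baseline": [True, True, True],
    "Evolving": [True, False, True],
    "Intermediate": [True, True],
    "Advanced": [False, True],
    "Innovative": [False],
}

if __name__ == "__main__":
    print("Domain maturity:", domain_maturity(SAMPLE))  # Baseline
    print("Unmet statements:", gaps(SAMPLE))
```

Running `gaps` alongside `domain_maturity` is the useful part in practice: it tells the committee which single statement is holding the domain down, which is usually cheaper to close than the higher-level work already done.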
Cyber-Risk Mitigation
• Change risk profile (streamline risk)
• Increase cybersecurity investment (staff, infrastructure, services)
• Increase capital (accept the risk)
• Alternative risk management approaches
• Cyber insurance (insure what you can’t control)
Cybersecurity and the Board
• Cyber security is not an IT issue
• It is a business issue that requires enterprise-wide buy-in to be managed successfully
• Cyber security has a history of being a low priority on the list of governing bodies
• This needs to change to a top priority
• A successful strategy used to gain buy-in from my board/executive team has been to align security initiatives with the organization’s strategic goals, illustrating how implementing controls early in a process can reduce the likelihood of future audit findings.
Cybersecurity and the Board
• Express risk in terms that matter to the board (e.g., losses in units produced, losses in loans), and not the number of threats blocked or vulnerabilities patched
• Leverage internal audit as an ally and collaborate to develop action plans to address risk. Cooperation fosters buy-in.
Center for Internet Security
Top 20 Critical Security Controls (CSCs), CIS CSC Version 6.1
• CSC-1 Inventory of Authorized and Unauthorized Devices
• CSC-2 Inventory of Authorized and Unauthorized Software
• CSC-3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• CSC-4 Continuous Vulnerability Assessment and Remediation
• CSC-5 Controlled Use of Administrative Privileges
• CSC-6 Maintenance, Monitoring and Analysis of Audit Logs
• CSC-7 Email and Web Browser Protections
• CSC-8 Malware Defenses
• CSC-9 Limitation and Control of Network Ports, Protocols and Services
• CSC-10 Data Recovery Capability
Center for Internet Security
Top 20 Critical Security Controls (CSCs), CIS CSC Version 6.1 (continued)
• CSC-11 Secure Configurations for Network Devices such as Firewalls, Routers and Switches
• CSC-12 Boundary Defense
• CSC-13 Data Protection
• CSC-14 Controlled Access Based on the Need to Know
• CSC-15 Wireless Access Control
• CSC-16 Account Monitoring and Control
• CSC-17 Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC-18 Application Software Security
• CSC-19 Incident Response and Management
• CSC-20 Penetration Tests and Red Team Exercises
Insight. Oversight. Foresight. ®
Florida | Michigan | North Carolina | Texas
Thank You!
Hugh S. Chakler, CPA, CISA, CIST, CFE, Shareholder
Phone: [email protected]
Section 7
Security Blunders: Show and Tell
Barry Thompson, CRCM
Have you ever thought of how you would rob your financial institution?
Human Equation
• Monthly or Quarterly Branch Reports
• People will do what is easiest for them!
• Power of Burger King
• Training
Political Situation
• Don’t Believe Security Officer
• Turf Wars
• Tree Hugger
• New Security Officer
• Board Involvement
• Lawsuits
Law Enforcement: Suggested Best Practices
• Closed-Circuit Television System
• Lighting/Cameras
• Bullet-resistant Bandit Barriers
• Employees to Greet Customers
• Dye Packs/Serialized Currency
• GPS Packs
• Direct Telephone Numbers to Police
• Employee Training
• Unobstructed Views
• Signage
• Alarm Systems, UL Rated
• Safes/Vaults, UL Rated
• Bank/Police Department Communications
• Height Markers
Branch Location
• Next to National Monuments
• Malls
• Rural Areas
If you build it, they will come!
“So will their lawyers!"
Financial Institution Exterior (photos)
Financial Institution Interior (photos)
Exterior Problems with Interior Implications
Night Inspections
Your Turn
CPTED: Crime Prevention Through Environmental Design
Conclusions
Using outside consultants:
• Send requested items to reviewer
• Show all material requested
• Handle reviewer’s suggestions exactly as you would a regulatory exam.
Questions?
For More Information
Barry Thompson, CRCM
Thompson Consulting Group, LLC
315.342.5931
This presentation is designed to provide accurate and authoritative information with regard to the subject matter covered. It is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services.
If legal or other advice for your specific situation is needed, the services of a professional should be sought.
Section 8
Internal Fraud for Boards & Supervisory Committees
Barry Thompson, CRCM
Association of Certified Fraud Examiners: Report to the Nations
• Cash is the targeted asset 90% of the time.
• The average scheme lasted 18 months before it was detected.
• CFEs estimate that 5% of revenues will be lost as a result of occupational fraud and abuse.
• Organizations with fraud hotlines cut their fraud losses by approximately 50% per scheme.
• Internal audits, external audits, and background checks also significantly reduce fraud losses.
Management Must Be Ethical!
• Rules apply to everyone.
• Cost-cutting measures apply to everyone.
Framework of the Risk Management Committee
• Two Members of the Board
• The Security Officer
• Senior Officers: Human Resources, Facility Management
Action Plan Considers…
1. Suspending all suspects during an investigation.
2. Prosecuting identified thieves.
3. Terminating employees who violate procedures.
4. Protecting employees who report internal problems from future retaliation.
Who Will Investigate and How?
• Security Officer
• Human Resources Director
• Internal Audit
Communicate! Ensure open lines of communication between staff and management.
Why People Fail to Report Fraud
• Fear of being wrong
• The person suspected is an immediate supervisor
• A belief management just isn’t interested
How to Increase Reporting
• Management should institute a Reporting System
• Identify two people as contacts: one male and one female
• Anonymous hotline-reporting system
Institute a Mandatory Fraud Training Program
The Program should:
1. Teach actual case scenarios showing what should be reported.
2. Stress a “no retaliation” policy.
3. Be mandatory for all new hires.
4. Be offered annually.
5. Include an ethics statement to be signed after training and before job promotions.
6. Name members of the Risk Management Committee and contact methods.
When an Incident Occurs
• Management must investigate
• Person reporting deserves follow-up, including detailed steps taken to resolve the situation
Internal Fraud Exposed
• Management should follow steps outlined in the Ethics Policy and Action Plan.
• If policy is not followed, an explanation to staff is required.
A Doomed Program
• A report is overlooked or buried
• Reporting person is identified to staff
• Anonymous reporter is identified
• Reporter later dismissed for any reason
Management Motivation of Staff
• Compensation
• Perks
• Intimidation
Questions?
INTERNAL FRAUD INFORMATION SHEET
What Is Fraud? In the broadest sense, fraud can encompass any crime for gain that uses deception as its principal modus operandi. More specifically, fraud is defined by Black’s Law Dictionary as: “A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment”.
Internal Fraud Internal fraud, also called occupational fraud, is defined by the Association of Certified Fraud Examiners as: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.” Simply stated, this type of fraud occurs when an employee, manager, or executive commits fraud against his or her employer.
Why Do People Steal? They might be in senior management, have worked for the organization for over 30 years, or be a teller working their first job. The first question that many people ask themselves is why is this person embezzling from the financial institution?
Sometimes the financial institution can point out how it went out of its way to help the individual gain an education, supported them through a family crisis, or accommodated the individual in some way. People working with the individual can feel violated, compromised, or just plain mad at the colleague.
Over the years we have witnessed many different scenarios of why people embezzle from financial institutions. The word “DRAG” really answers the question about 90% of the time as to why a person steals from a financial institution. What it stands for are the five main reasons we have found that people embezzle from the institutions that employ them.
• Drugs
• Relationships
• Alcohol
• Gambling and Greed
Drugs The branch manager is well respected in the local community. He has been involved with all the civic groups the position requires to be successful in his field. His habit caused him to start embezzling from the institution. What's sad is we could name several different individuals who fit this story. Whether the individual is laundering money for drug dealers, has become addicted to illegal narcotics, or is trying to make money on the side, drugs lead inevitably to embezzlement.
Relationships Relationships cover a wide range of human failings. This could be a marriage that is floundering because of financial strains, so the spouse decides to embezzle to make things better at home. It could be the spouse is trying to support the family and their new significant other at the same time. It might be as simple as a husband who can't afford all the things he feels the family deserves so he provides them anyway.
Thompson Consulting Group, LLC • P.O. Box 5303 • Oswego, New York 13126-5303 • (315) 342.5931 • [email protected] • www.tgrouponline.com
Medical conditions leading to expenses that the family cannot afford may result in someone absconding with funds to pay the debt. A college student needing to make tuition payments to stay in school may feel that “the financial institution can afford it”. No matter the situation, relationships where funds are needed can lead to embezzlement.
Alcohol People reading the newspapers many times are amazed at who has been arrested for driving while their ability has been impaired (DWI) or under the influence (DUI). Alcohol impairs an individual's judgment to such an extent that embezzlement becomes an option. We need not go into any great depth about what alcohol can do to an individual as nearly everyone knows someone who has been affected by it. Working in a financial institution is no different: when someone has a drinking problem, it will manifest itself in the workplace.
Gambling Like alcohol, gambling is an addiction. To people with a gambling addiction, they just cannot stop playing. “Owning Mahowny,” a movie released in 2003, is based on a true story of a banker from Canada who was addicted to gambling. This is a movie that anyone interested in how gambling can affect a banker should see. While most cases are not as extreme as the one portrayed, the results are almost always as devastating.
One individual had been a senior officer in the financial institution’s loan department. A gambling casino had opened near the financial institution. Shortly after it opened, examinations of the institution started to report problems with internal controls in the loan area. The CEO was unconcerned as he trusted the senior loan officer, taking the warnings as something he did not need to be concerned about. When the internal embezzlement was discovered, the loan officer had stolen over $1 million which had been gambled over the tables at the local casino. The financial institution became vulnerable and could not avoid being taken over by another financial institution.
Greed Some people just can't be trusted; they enter the institution for the express purpose of walking away with the money. The Association of Certified Fraud Examiners continually updates a report entitled “Report to the Nations.” It regularly points out that the item most often stolen from businesses is cash. As the business of banking is cash, this is a field where people wanting to get rich quick find a wonderful place to work.
All of the people described above may operate below the radar of management! The reality is someone on the staff will have an inkling that something is wrong. People won't report it because they are afraid of accusing someone wrongly or finding that management will not take the report seriously.
The Possible Results of Committing Fraud The possible ramifications of committing a fraudulent act could be very broad and devastating. Let’s take a look at some possible results and how they may affect the individual.
Possible Results of Such Action
• Incarceration
• Fines
• Retribution
• Banned from Future Employment in Financial Industry
• IRS Tax Liens
• Criminal Record
• Impact on Self/Reputation
• Impact on Family/Friends
• Future Employment Opportunities
• Reputation Impact on Organization
• Potential Failure of Organization
What is a Red Flag? A “Red Flag” is a set of circumstances that are unusual in nature or vary from normal activity. It’s a signal that something is out of the ordinary and may need to be investigated further. Remember that Red Flags do not indicate guilt or innocence, but merely provide possible warning signs of fraud.
Red Flags
• Cash drawer frequently out of balance
• Unusual cash deposits in personal account
• Frequent “Cash Advance” activity
• Kiting activity
• General Ledger ticket activity in personal account
• Refusal to take vacations or sick leave
• Employee regularly works after hours
• Carrying unusual amounts of money
• Employee takes work home or works frequently on weekends
• Easily annoyed at reasonable questioning
• Providing unreasonable responses to questions
Advanced Warning Signs
• Individual regularly works after hours
• Refusal to accept promotions
• Poor communication
• Staff considers policies unimportant
• Employee will not allow anyone to balance accounts in their area of responsibility
• Employee has continual overdrafts on their personal account
• High turnover
• Weak internal controls cited during audit or regulatory review
• Creditors or collectors appearing at the financial institution
• Employee intimidates rest of staff
• Lack of segregation of duties in their assigned area
• Borrowing money from co-workers
• Absence of dual control
• Inattention to suspense accounts by not balancing them frequently
Ways to Embezzle
• Use GL tickets to refund fees on personal account.
• Use Debit/Credit tickets to move money between accounts.
• Account Takeover: opening a new customer account and setting up online banking without the customer’s knowledge.
• Identity Theft: using or selling stolen customer identification to create bank accounts, generate loans, and open credit cards.
WARNING SIGNS OF INTERNAL FRAUD
Warning signs do not indicate guilt or innocence, but merely provide a signal of caution.
Warning Signs for Management
♦ Absence of background checks
♦ Background checks not being made when promoting people to management positions
♦ Budget cutbacks
♦ Failure to investigate or prosecute internal fraud to the fullest extent of the law
♦ High turnover
♦ Inattention to suspense accounts by not balancing them frequently
♦ Keeping problems a secret
♦ Manager or key employee continually downplays ethics training, internal controls, or company policies
♦ Weak internal controls cited during audit or regulatory reviews
Employee Red Flags
♦ Behavioral changes: these may be an indication of drugs, relationships, alcohol, gambling
♦ Borrowing money from co-workers
♦ Carrying unusual amounts of money
♦ Creditors or collectors appearing at the financial institution
♦ Easily annoyed at reasonable questioning
♦ Lack of segregation of duties in their assigned areas
♦ Lifestyle or behavioral changes
♦ Providing unreasonable responses to questions
♦ Recent changes in lifestyle
♦ Refusal to accept promotions
♦ Refusal to take vacations or sick leave
♦ Significant personal debt and credit problems
♦ Staff member is living beyond their means
♦ Staff member lifestyle changes: expensive cars, jewelry, homes, clothes
♦ Staff member will not allow anyone to balance accounts in their area of responsibility
♦ Staff member regularly waives or overrides internal controls because “they don't apply to me”
♦ Staff member regularly works after hours, takes work home, works frequently on weekends
♦ Staff member continually intimidates the rest of the staff
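Several of the red flags in the information sheet and in the employee list above are visible in data the institution already holds, which makes them candidates for a recurring detective control rather than something that waits for a colleague to speak up. The following Python script is an added example, not part of Thompson Consulting Group’s material: it scans constructed teller activity, drawer balancing counts and leave records for four of those flags (general ledger tickets an employee posts to their own account, frequent cash advance activity, a cash drawer repeatedly out of balance, and no vacation taken in over a year). The record layout, field names, employee identifiers and thresholds are assumptions for illustration.

```python
# Added example: a detective control over constructed teller records for
# four of the internal-fraud red flags listed on this page.  Record layout,
# field names, identifiers and thresholds are assumptions, not a real feed.
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample teller transactions: one dict per posting.
# "employee" is the teller who posted it; "account_owner" is whose account
# it hit.  A GL ticket where the two match is the "GL ticket activity in
# personal account" flag.
TRANSACTIONS = [
    {"date": "2017-03-01", "employee": "E100", "type": "GL_TICKET", "account_owner": "E100", "amount": 35.00},
    {"date": "2017-03-02", "employee": "E100", "type": "GL_TICKET", "account_owner": "E100", "amount": 35.00},
    {"date": "2017-03-03", "employee": "E100", "type": "CASH_ADVANCE", "account_owner": "M221", "amount": 500.00},
    {"date": "2017-03-04", "employee": "E100", "type": "CASH_ADVANCE", "account_owner": "M222", "amount": 500.00},
    {"date": "2017-03-05", "employee": "E100", "type": "CASH_ADVANCE", "account_owner": "M223", "amount": 500.00},
    {"date": "2017-03-05", "employee": "E200", "type": "GL_TICKET", "account_owner": "M300", "amount": 12.50},
    {"date": "2017-03-06", "employee": "E200", "type": "DEPOSIT", "account_owner": "M301", "amount": 100.00},
]

# Constructed drawer balancing results (out-of-balance days in the period)
# and HR leave data (last day of vacation taken).
DRAWER_OUT_OF_BALANCE = {"E100": 5, "E200": 1}
LAST_VACATION = {"E100": date(2015, 11, 2), "E200": date(2017, 1, 16)}
AS_OF = date(2017, 7, 13)

# Thresholds are assumptions; set them from the institution's own baseline.
MAX_CASH_ADVANCES = 2
MAX_OUT_OF_BALANCE = 3
MAX_DAYS_WITHOUT_VACATION = 365


def scan_red_flags(transactions: List[dict],
                   out_of_balance: Dict[str, int],
                   last_vacation: Dict[str, date],
                   as_of: date) -> Dict[str, List[str]]:
    """Return {employee: [reason, ...]} for every employee that trips at
    least one flag.  Employees with no flags are absent from the result."""
    flags: Dict[str, List[str]] = defaultdict(list)
    advances: Dict[str, int] = defaultdict(int)

    for t in transactions:
        emp = t["employee"]
        # Flag 1: GL ticket posted by an employee to the employee's own account.
        if t["type"] == "GL_TICKET" and t["account_owner"] == emp:
            flags[emp].append(
                f"GL ticket to own account on {t['date']} ({t['amount']:.2f})")
        # Count cash advances per teller for flag 2.
        if t["type"] == "CASH_ADVANCE":
            advances[emp] += 1

    # Flag 2: frequent cash advance activity.
    for emp, n in advances.items():
        if n > MAX_CASH_ADVANCES:
            flags[emp].append(f"{n} cash advances in period")

    # Flag 3: cash drawer repeatedly out of balance.
    for emp, n in out_of_balance.items():
        if n > MAX_OUT_OF_BALANCE:
            flags[emp].append(f"drawer out of balance {n} times")

    # Flag 4: refusal to take vacation (no leave taken in over a year).
    for emp, last in last_vacation.items():
        days = (as_of - last).days
        if days > MAX_DAYS_WITHOUT_VACATION:
            flags[emp].append(f"no vacation taken in {days} days")

    return dict(flags)


if __name__ == "__main__":
    hits = scan_red_flags(TRANSACTIONS, DRAWER_OUT_OF_BALANCE, LAST_VACATION, AS_OF)
    for emp, reasons in sorted(hits.items()):
        print(emp)
        for reason in reasons:
            print("  -", reason)
```

The output is a worklist for the Security Officer or Internal Audit to follow up under the Action Plan, not a finding: as the sheet says, red flags indicate neither guilt nor innocence, and a teller with three cash advances in a week may simply staff the busiest window. In a live deployment the transaction feed and leave data come from the core system and HR, the thresholds are tuned to the branch’s history, and the report itself is restricted, since the same list would tell a dishonest employee exactly which behaviours are being watched.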
Section 9
By: R. Todd Sherpy
Sherpy & Jones Law P.A.
Credit Union Resources & Educational Services, LLC
Post Office Box 2599, Lexington, SC 29071
Atlanta Phone 770-631-3527
SC Phone 803 [email protected]
Copyright: © CURES, LLC, 1994-2017 - all rights reserved.
Sherpy & Jones Enterprise Risk Management for Credit Unions
First Notes – Today’s World & --- It Changes
If We do not Change --
Eagles and Ducks.
Thinking you know it all …
Thirty Years Later –
I know what a genius really is.
Then it hit me – why I chose to work with entities regulated by NCUA
Reality I
Reality II
ERM is an overall Goal from my Perspective – Always has been.
ERM Allows a Return to TQM and an Integrated Approach
Accept what we do has many Inherent Risks
Expand Horizons and Risk Mitigation
To me – it harkens a return to an era of common sense …
What is ERM -- It is an Overall Concept … Global to the Credit Union
Let’s Start with What we Do Have
NCUA Supervisory Letter No.: 13-12
Page 1: “Natural Person Credit Unions are not required to implement a formal ERM framework.”
But See Page 5 … .
What do “Real” Regulators Say?
How do You Know Your Risks Until You Know Them?
To Start With …
Build a Knowledge Base of Things You Really do know …
Knowledge Allows You to Create a Game Plan
ERM “The Opening of Eyes”
ERM “The Opening of Eyes” II
ERM – How it Can Fail
ERM & Risk Identification
ERM & Risk Identification II
ERM & Risk Identification III
ERM & Risk Identification IV
ERM & Risk Identification V
Assessment Factors
Getting “Sideways” with the process … not focusing on the real world – Legal and Common Sense Perspectives.
Bylaws – Board -Volunteers
Reminder: Corporate culture starts at the top.
Culture of Compliance
Risk Management & Safety
Let’s Learn / Address Some Basic Considerations Known to All …
Remember who is in control and why?
Why you select the option, but the options you must know …
Recent History
Lessons for All FIs from the Wells Fargo and CFPB $185 Million Consent Order
It takes a long time to build a reputation—and a short time to lose one.
Compensation and Incentives // Revisit Ethics Policies and Training
Just being dumb …
Navy Federal Credit Union’s $28.5 Million CFPB Consent Order
Un-Social Media
Credit Union Mythology
More Practical Stuff:
Questions: Sherpy & Jones P.A.
Post Office Box 2599, Lexington, SC 29071
Phone: (803) 356-3327
Credit Union Resources and Educational Services, LLC (“CURES”)
104 Peninsula Drive, Peachtree City, GA 30269
770-631-3527
Section 10
Copyright, 2017, Thompson Consulting Group, LLC. All rights reserved.
Conquering Emerging Fraud Trends
Barry Thompson, CRCM
Top 5 Bank Frauds
• Debit Card
• Business Email Compromise
• Elder Fraud
• Checking Fraud
• Wire Fraud
2016 Survey conducted by Thompson Consulting Group, LLC
Generational Consideration: Five Generations Living
• The Greatest Generation – Pre-1944
• The Baby Boomers – 1945-1964
• Generation X – 1965-1984
• Millennials – 1985-2004
• “As Yet Unnamed” Generation – 2005-Present
It is important to note that generational constructs are fluid. Generations have not been defined by the U.S. Census Bureau, with the exception of the Baby Boomers.
Information Needed to Steal Your Identity:
1. Name
2. Address
3. Social Security Number
4. Telephone Number
5. Birth Date
6. Mother’s Maiden Name
7. Employment
Effective for Social Engineering:
8. Past Addresses
9. Financial Account Numbers
10. Children’s Names
11. Family Information
IRS Phone ScamScammers are calling under the guise of the IRS. They are threatening people with arrest, deportation, and/or public humiliation for having unpaid taxes. They state you must immediately pay by going to a store, purchase prepaid cards, and give them the access numbers off the back of the card. This is a SCAM. Hang up and report incident at ftc.gov.
Hostage Phone ScamScammers are calling saying a loved one was in an accident and are being held hostage until money is sent to pay for the accident. They state you must immediately pay by going to a store, purchase prepaid cards, and give them the access numbers off the back of the card.
Overpayment – Oops!Scammers overpay for products or services offered online and then tell the victim to cash the check and keep a good portion for their troubles. They are then to send the remainder of the money to the scammer. The original check bounces and victim is out all the money. Do not cash checks for others. Note: Banks offer funds available in 1-2 days as a service for cashed/deposited checks. The actual check could take several weeks to be returned.
Lottery Winner!Victims are contacted by phone, text, email, or mail and told they won millions of dollars and need to send money to pay for lawyers, taxes, and processing fees. A true lottery would remove all such fees from the dollar amount won and send you the difference. Do not send any money to process a “winning” or even reply. This will get you on a scammer’s mailing and phone list and you will get constant communications and no money.
Work From Home ScamScammers solicit victims to assist with cashing checks and money orders and then wiring money to “boss” who is traveling overseas on business. This is how a scammer moves money from victims to avoid detection. Law enforcement follows the paper trail to the “Work from Home” assistant and scammer cuts ties, leaving assistant to deal with investigation.
Secret ShopperThe letter invites you to become a paid mystery shopper in your area and the letterhead and check appear to come from a legitimate U.S. company. The letter instructs you to deposit the check into your checking account, wire an amount using a company like Western Union or Money Gram, and keep some as pay. Shoppers are asked to purchase merchandise and complete a survey regarding their experience.
Craig’s List Rental / Vacation RentalThe victim is convinced to pay a large cash/wired deposit to reserve a vacation rental property or an apartment. Many times they are asked to sign agreements and are given keys, which add to the perceived legitimacy. They usually have the victim complete a rental agreement that requires name, date of birth, and social security number, which can also lead to identity theft.
Fake RelationshipsDating and romance scams take advantage of people looking for romantic partners and play on emotional triggers to get the victims to provide money, gifts, or personal information. Often, the scammer will pretend to need the money for some sort of personal emergency.
Hacked Email An email is sent from a friend’s hacked email account requesting money to be sent immediately to help the friend out. Many different reasons are given.
• Do not click on any links.
• Do not click on any attachments.
• Delete immediately.
Online Technical AssistanceVictims receive a warning and sign up for “technical support” to “repair” slowness or clean viruses. Once the remote access is established, scammer has full access to all of your computer files and applications.
Locked Debit CardVictim receives messages through voice, text, and/or email claiming a debit card has been deactivated and to call immediately. Return calls will ask for the 16 digit card number, PIN, and CVC codes.Do not give it!
Can You Hear Me? The scammer gets the victim to say “yes” to the statement “Can you hear me?” The response is recorded and edited to use as voice authentication/authorization for unwanted charges.
Pay a TicketThe New York State Department of Motor Vehicles (DMV) is cautioning consumers against an email “phishing” campaign that sends a notice stating the victim must pay a ticket within 48 hours or their license will be revoked. While the notice is made to appear as if it comes from the DMV, it is a hoax.
Credit/Debit Card Skimmers Devices affixed to the reader of ATMs, gas pumps, etc. to record debit and credit card information.
• Do not use the machine.
• Do not touch the device.
• Call 911 immediately.
Protect Yourself
• Use different long and complex passwords.
• Guard your personal information.
• Check your credit reports.
• Monitor your statements.
• Use USPS drop boxes for outgoing mail.
• Shred documents with personal information.
• Don’t open suspicious emails.
• Verify callers before giving out any information.
Questions?
For More Information
Barry Thompson, CRCM
Thompson Consulting Group, LLC
315.342.5931
This presentation is designed to provide accurate and authoritative information with regard to the subject matter covered. It is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services.
If legal or other advice for your specific situation is needed, the services of a professional should be sought.