COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR CONFERENCE

JULY 13 - 15, 2017, CHARLESTON, SC

Hosted by:




AGENDA

THURSDAY, JULY 13

Noon - 2:00 p.m. Registration

2:00 - 4:00 p.m. Supervisory Committee & Internal Auditor: Getting It Done Together! (Ed Templeton, Former CEO, SRP FCU and Former NAFCU Chairman)

4:00 p.m. - Until: Enjoy Charleston!

FRIDAY, JULY 14

8:00 - 8:45 a.m. Breakfast

9:00 - 10:15 a.m. Crucial Conversations: Situational Strategies for Supervisory Committee & Internal Auditors (Ancin Cooley, Principal, Synergy Credit Union Consulting)

9:45 a.m. - 1:45 p.m. Guest Tour Program

10:30 - 11:45 a.m. Breakout Sessions

• Supervisory Committee Session - Deep Dives: Mock Supervisory Committee Meeting (Ancin Cooley, Principal, Synergy Credit Union Consulting)

• Internal Auditor Session - How to Audit Incentive Plans (Lori Carmichael, Doeren Mayhew)

11:45 a.m. - 1:00 p.m. Lunch

1:15 - 2:30 p.m. Breakout Sessions

• Supervisory Committee Session - Top 10 Audit Findings (Lori Carmichael, Doeren Mayhew)

• Internal Auditor Session - CECL: Initial and Subsequent Measurement (Neekis Hammond, Sageworks)

2:45 - 4:00 p.m. Cybersecurity: Everything You Need to Know (Hugh Chakler, Doeren Mayhew)

6:00 - 7:00 p.m. Reception

7:00 - 9:30 p.m. Banquet & Entertainment (Charleston)

SATURDAY, JULY 15

7:30 - 8:15 a.m. Breakfast

8:15 - 9:30 a.m. Security Blunders: Show and Tell (Barry Thompson, Thompson Consulting Group, LLC)

9:40 - 10:40 a.m. Breakout Sessions

• Supervisory Committee Session - Internal Fraud for Boards & Supervisory Committees (Barry Thompson, Thompson Consulting Group, LLC)

• Internal Auditor Session - Enterprise Risk Management (Todd Sherpy, Sherpy & Jones, P.A.)

10:45 - 11:45 a.m. Conquering Emerging Fraud Trends (Barry Thompson, Thompson Consulting Group, LLC)

11:50 a.m. Adjourn



Attendee List



as of 6.28.2017


Section 1


Supervisory Committee & Internal Auditor: Getting It Done Together!

Ed Templeton, July 2017

Background

What in my career causes me to believe these things?

Roles of Supervisory Committee and Auditor

1. Work together with each other and the BOD
2. Represent the interest of members
3. Ensure proper accounting rules are followed
4. Ensure regulations are followed

Trust

• No hidden agenda
• No games
• Be honest and be real
• Give trust to earn trust
• Do not confuse trust with swallowing anything
• Asking good questions is a good thing
• Truly value and respect others; it is contagious

Respect

• Never think you are the smartest person in the room
• Give everyone their “say”
• Learn from others
• Have no place for rumors
• Understand that different perspectives exist
• Genuine feelings for mutually beneficial solutions are a win for everyone
• Require that everyone support all decisions made; remember it is a TEAM effort

Utilization

• Do not consume Credit Union time and resources asking for proof for everything
• Understand your role and that of staff
• Learn the whys and the wherefores
• Use your abilities to advance the Credit Union’s goals
• Success is where preparation meets opportunity
• Combine the strengths of people through positive teamwork to achieve goals
• There is no I in TEAM

Speak

• Create an atmosphere of caring and positive problem solving
• Speak to others as you would like to be spoken to
• Insist on respectful language in all dialogues
• Ensure others understand what is on your mind and why
• Encourage others to verbalize their positions

Macro

• Always look at and for the big picture
• Your role is policy
• Always ask “How does this affect the members?”
• Ask who, what, when and where
• Is it a values decision or a principles decision?
• Envision what you want the future to look like

Engagement

• Meet commitments
• Remember everyone has a job to do if the Credit Union is to be successful
• Work with staff to achieve the desired goals
• Education
• Check in at every meeting
• Do not wait to react; promote proactive thinking

Closing

• Learn, commit, do
• Questions and Discussion


Section 2


Section 3


How to Audit Incentive Plans

Insight. Oversight. Foresight.® Florida, Michigan, North Carolina, Texas

Summary

• Case Study – The Wells Fargo Cross-selling Scandal

• NCUA Regulations - Incentive Plans

• CFPB Compliance Bulletin 2016-03

• Incentive-Based Compensation Arrangements - Interagency Notice of Proposed Rulemaking

• Doeren Mayhew Audit Strategy

The Wells Fargo Cross-selling Scandal

Case Study

• Wells Fargo had a reputation for sound management and performance.

• Emerged from the financial crisis largely unscathed.

• Superior stock price performance.

• Known for vision and values: “Satisfy our consumer needs, and help them succeed financially.”

Incentive Plans Are Important

• A well-designed incentive and recognition program is necessary to maximize sales and service performance.

• Speeding analogy.

• Most employees can do a better job if they choose to.

• Negative reinforcement causes employees to focus on the lowest level of performance you will accept.

• Positive reinforcement for exceeding the sales and service goals will improve performance.

Case Study

• Cross selling is very important to financial institutions.

• Cross selling results in better service to a customer/member.

• Cross selling results in significantly more profits on a per-customer basis.

Case Study

• Incentives are effective, but can work against culture.

• Rewarding employees for achieving a metric may result in employees doing what they are paid to do, even if it goes against the culture.

• For meeting cross selling and customer service targets, branch employees received significant incentives:
  • MSR – up to 15-20% of salary;
  • Tellers – up to 3% of salary.

Case Study

• Branch employees were put under “excessive pressure” to meet daily sales targets.

• Issues came to light in 2013.

• Employees in Los Angeles were engaging in aggressive tactics to meet their daily cross-selling targets.

• Approximately 30 employees were fired for issuing debit/credit cards without customer knowledge, in some cases by forging signatures.

• Management refuted claims of an overbearing sales culture.

• A Wells Fargo spokesman stated, “we found a breakdown in a small number of our team members.”

• Tim Sloan, CEO at the time, was quoted saying “I’m not aware of any overbearing sales culture,” citing mitigating controls such as:
  • The company maintained an ethics program;
  • Whistleblower hotline;
  • Senior management incentives included:
    • Bonuses tied to instilling the company’s vision and culture;
    • Bonuses related to risk management;
    • Clawback triggers on bonuses (if later deemed inappropriately earned).

Case Study

• Approximately 3 years later, in 2016…

• Wells Fargo hired a CPA firm to review all account openings, 2011-2016, to identify potentially unauthorized accounts:
  • This resulted in 2.6 million refunded to consumers;
  • And 5,300 employees terminated over a five-year period.

• Wells Fargo admitted that employees had opened as many as 2 million accounts without customer authorization, including:
  • 1.5 million deposit accounts;
  • 500 thousand credit card applications.

• In September 2016 Wells Fargo paid 185 million to settle a lawsuit filed by regulators in the city/county of Los Angeles.
  • John Stumpf, CEO – Clawback $41 million
  • Carrie Tolstedt – Clawback $9 million

• The financial impact of the lawsuit and the impact on cross-selling ratios was trivial.

Case Study

• Reputation damage was significant.

Case Study

• Wells Fargo implemented the following significant changes:
  • Eliminated product sales goals;
  • Reconfigured branch-level incentives to emphasize customer service rather than cross-sell metrics;
  • Implemented new procedures for verifying account openings;
  • Introduced additional training and controls.

NCUA Regulations

• There are generally 3 NCUA rules that limit incentive compensation practices:
  • Section 701.21(c)(8) – Lending (origination)
  • Section 701.23(g) – Lending (sale or purchase)
  • Section 721.7 - Incidental powers

• Per 721.2, an incidental powers activity is one that is necessary or requisite to enable you to carry on effectively the business for which you are incorporated.

• Incidental powers = “Catch all”

NCUA Regulations - Summary

• Senior management cannot receive incentives, unless based on overall financial performance.
  • Example: bonuses

• Other employees can receive incentives, however:
  • Policies
  • Internal controls
  • Monitoring

• More specifically, “provided that the board of directors of the credit union establishes written policies and internal controls in connection with such incentive or bonus and monitors compliance with such policies and controls at least annually.”

CFPB Compliance Bulletin 2016-03

• The Consumer Financial Protection Bureau (CFPB) Bulletin:
  • Provides examples of problematic incentive plans;
  • Highlights examples whereby incentives contributed to substantial consumer harm;
  • Describes management steps to mitigate risks posed by incentives.

• Examples of problematic incentive plans include:
  • Sales goals or unrealistic quotas - encourage employees to open accounts or enroll customers in services without their knowledge or consent;
  • Paying more compensation for certain types of customer transactions - encourages that product when there may be a better option for the member;
  • Paying compensation based on the terms or conditions of transactions (such as interest rate) - encourages employees or service providers to overcharge consumers.

• Credit Card Add-On Matters
  • 12 cases - improper practices to market credit card add-on products, such as “credit protection” and “identity monitoring.”

• Overdraft Opt-In Matters
  • Consumers were deceived into opting in to overdraft services.

• Unfair and Abusive Sales Practices
  • Significant issue - opening unauthorized deposit and credit card accounts to satisfy sales goals.
  • Wells Fargo

• Some highlights from the CFPB Bulletin included:
  • No particular management system;
  • Vary based on size and complexity of an organization;
  • Should involve oversight of employees and service providers.

• The strictest controls are necessary for:
  • Products or services less likely to benefit consumers;
  • Products that have higher potential to lead to harm;
  • Reward outcomes that do not necessarily align with consumer interests;
  • Implicate a significant proportion of employee compensation.

• Effective management systems commonly have the following components:
  • Board of directors and management oversight;
  • Policies and procedures;
  • Training;
  • Monitoring and corrective action;
  • Consumer complaint management program;
  • Independent compliance audit.

Board of directors and management oversight:

• The positive effects and negative effects should be well understood.
• Address unintended outcomes.
• “Tone from the top” is important.
• Should empower all employees to report suspected incidents.
• Fostering a culture of strong customer service related to incentives.
  • For example, ensuring that consumers are only offered products likely to benefit their interests.

Policies and procedures:

• Quotas are transparent;
• Quotas are reasonably attainable;
• Incentives are easy to account for and monitor;
• Clear controls for managing the inherent risks;
• Identify potential conflicts of interest (segregation of duties);
• Fair and independent processes for investigating reported issues.

Monitoring:

• Track key metrics – and outliers – that may indicate weaknesses.
• Examples of possible monitoring metrics include, but are not limited to:
  • Overall product penetration rates by consumer and household;
  • Specific penetration rates for products and services (such as overdraft, add-on products, and online banking);

(Continued)

• Examples of monitoring metrics (continued):
  • Incentive payouts by employee and by incentive;
  • Employee turnover;
  • Employee satisfaction;
  • Member complaint rates;
  • Spikes and trends in sales (both completed and failed sales) by specific individuals and by units;
  • Account opening/product enrollment;
  • Account closure/product cancellation statistics.

Corrective action:

• Termination of employees, service providers, and managers;
• Changes to the structure of incentives;
• Training on these programs;
• Return of funds to all affected consumers;
• Ensure that the root causes of deficiencies are identified and resolved;
• Findings should be escalated.

Consumer complaint management program:

• Collecting and analyzing consumer complaints;
• Look for indications that incentives are leading to violations of law or harm to consumers.

Independent compliance audit:

• Scheduling audits to address incentives;
• Ensuring audits are conducted independent of:
  • The compliance program;
  • The business functions.

Interagency Proposed Rulemaking

• On April 26, 2016, the FDIC BOD approved a second joint Notice of Proposed Rulemaking (NPR)
  • Under Section 956 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

• The NPR seeks to strengthen the incentive-based compensation practices at covered institutions.

• The NPR affects institutions greater than 1 billion in total assets.

• Currently not final; when approved, it will likely not go into effect until 2018 or 2019.

• Prohibit types of incentive-based compensation arrangements that:
  • Encourage inappropriate risks;
  • Could lead to material financial loss.

• Three basic principles:
  • (1) a balance between risk and reward;
  • (2) effective risk management and controls; and
  • (3) effective governance.

• Summary of Proposal Requirements:
  • BOD (or committee) oversight;
  • Appropriate recordkeeping;
  • Disclosures to the appropriate agency;
  • Deferral of awards for senior executive officers and significant risk takers;
  • Prohibit certain inappropriate practices:
    • Prohibit payouts that encourage risk taking;
    • Basing compensation solely on comparison to peers and volume-driven incentives.

Doeren Mayhew Audit Strategy

• Oversight and Policies:
  • Review all policies and procedures for adequacy and reasonableness;
  • Verify that these are being approved by the BOD;
  • Review monitoring reports (consider BOD);
  • Review payroll reports or other HR-provided reports to verify all employees receiving incentive income;
  • (DM exclusive): Obtain and review any of the internal incentive audits performed by IA or management in the past two years.

• Monitoring Reports: Review monitoring reports related to incentive programs, including:
  • Trends in incentive income by employee for a period.
  • Trends in incentive income by incentive type.
  • Trends in complaint rates or turnover rates.
  • Overall product penetration rates by member and product type.
  • Spikes and trends in sales (both completed and failed sales) by specific individuals and by incentive type.
  • Other relevant monitoring controls per CFPB Compliance Bulletin 2016-03.
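The monitoring reports listed here repeat the CFPB metrics above (incentive payouts by employee, spikes in sales by individual, account opening and closure statistics). As an added example, not code from Doeren Mayhew or the CFPB, the Python below computes three of those metrics from an account-opening extract and flags the employees an auditor would want to interview; the record layout, the thresholds and the sample rows are assumptions constructed for illustration.

```python
"""
Incentive-program monitoring over an account-opening extract.

Added example; not code from Doeren Mayhew or the CFPB. The record layout, the
thresholds and the sample rows below are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

EARLY_CLOSE_DAYS = 90              # assumption: closure within 90 days of opening is churn
MIN_OPENINGS = 3                   # assumption: too few openings to judge a closure rate
ZSCORE_THRESHOLD = 2.0             # assumption: more than 2 sigma above peers is an outlier
EARLY_CLOSE_RATE_THRESHOLD = 0.5   # assumption: half or more of openings closed early


def make_rows(emp, n_opened, n_early_closed, incentive=20.0):
    """Constructed sample rows: (employee, account, opened, closed_or_None, incentive_paid)."""
    rows = []
    for i in range(n_opened):
        opened = date(2017, 1, 5) + timedelta(days=7 * i)
        closed = opened + timedelta(days=30) if i < n_early_closed else None
        rows.append((emp, f"{emp}-{i:03d}", opened, closed, incentive))
    return rows


# Five ordinary branch employees plus one whose numbers stand out (constructed data).
OPENINGS = (
    make_rows("E01", 4, 0) + make_rows("E02", 4, 1) + make_rows("E03", 4, 0)
    + make_rows("E04", 4, 0) + make_rows("E05", 4, 3) + make_rows("E06", 14, 9)
)


def summarize_by_employee(openings):
    """Per-employee totals: openings, early closures, incentive paid."""
    summary = defaultdict(lambda: {"opened": 0, "early_closed": 0, "incentive": 0.0})
    for emp, _acct, opened, closed, paid in openings:
        s = summary[emp]
        s["opened"] += 1
        s["incentive"] += paid
        if closed is not None and (closed - opened).days <= EARLY_CLOSE_DAYS:
            s["early_closed"] += 1
    return dict(summary)


def zscores(value_by_emp):
    """Each employee's value expressed in standard deviations from the peer mean."""
    values = list(value_by_emp.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:                       # everyone identical: nothing stands out
        return {emp: 0.0 for emp in value_by_emp}
    return {emp: (v - mu) / sigma for emp, v in value_by_emp.items()}


def flag_outliers(openings):
    """Map employee -> list of reasons, for employees that warrant follow-up."""
    summary = summarize_by_employee(openings)
    volume_z = zscores({e: s["opened"] for e, s in summary.items()})
    payout_z = zscores({e: s["incentive"] for e, s in summary.items()})
    flags = {}
    for emp, s in summary.items():
        reasons = []
        if volume_z[emp] > ZSCORE_THRESHOLD:
            reasons.append(f"opening volume z={volume_z[emp]:.1f}")
        if payout_z[emp] > ZSCORE_THRESHOLD:
            reasons.append(f"incentive payout z={payout_z[emp]:.1f}")
        if s["opened"] >= MIN_OPENINGS:
            rate = s["early_closed"] / s["opened"]
            if rate >= EARLY_CLOSE_RATE_THRESHOLD:
                reasons.append(f"early-closure rate {rate:.0%}")
        if reasons:
            flags[emp] = reasons
    return flags


if __name__ == "__main__":
    for emp, reasons in sorted(flag_outliers(OPENINGS).items()):
        print(emp, "; ".join(reasons))
```

The early-closure rate catches an employee with ordinary volume whose accounts do not stick, which a pure volume comparison would miss.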

• Interviews: Speak with a range of employees and ask key questions.
  • Including employees such as:
    • Management – manages plan and employees;
    • Compliance person – monitors/audits plan;
    • Employees – receiving incentives.
  • Including questions such as:
    • Awareness of incentives;
    • Pressures caused by incentives;
    • Understanding of risks imposed by incentives;
    • Training;
    • Monitoring controls.

Vouch Incentive Payouts

• We obtain a file of incentive disbursements for a period (for a particular incentive).

• We test a selected sample to verify:
  • Accuracy of calculations and disbursement amounts;
  • Agreement to supporting documentation;
  • Proper approval;
  • Compliance with policy.

Verification of Member Permission – Higher Risk

• Obtain a report of transactions that led to incentive payout for a period.
  • For example, a file of all accounts or services added to existing members for a period, whereby an incentive is paid.

• Select a sample of transactions and send positive verifications or perform alternate procedures, including:
  • Review of any recorded calls, via member phone request;
  • Review of account notes;
  • Review of supporting documentation of the member;
  • Other.

Common Comments

• No periodic QCR performed on incentive payments.
• No annual audits of incentive programs performed.
• Recommendation on beneficial monitoring reports.
• Information related to validating specific incentive payout amounts was not available for review.
• Policy updates are needed.
• Recommend reviewing certain incentives based on certain risk considerations.

Thank You!

Lori Carmichael, CPA, Shareholder
Phone: 704.341.0970

Stephen LaBarbera, Audit Manager
Phone: 704.341.0970


Section 4


Top 10 Audit Findings

Presented by: Lori Carmichael, CPA – Shareholder; Stephen LaBarbera – Audit Manager

Class Objectives

• Identify key audit areas subject to auditor scrutiny.
• Identify ways to avoid audit findings and potential control issues.
• Ask questions you have interest in and leave this conference more informed.

10. Prepaid and Other Assets: Prepaid Assets

• Issues:
  • Incorrect prepaid terms set up in the system.
  • Inappropriate capitalization of expenses.

• How to avoid:
  • Review invoice and perform recalculation for accuracy.
  • Establish a policy for capitalization thresholds.

10. Prepaid and Other Assets: Repossessed Collateral (Repos)

• Issues:
  • Measuring impairment on vehicles and classification.

• How to avoid:
  • Incorporate into the monthly financial closing process procedures to measure and reclassify repos at the lower of cost or market.

10. Prepaid and Other Assets: Other Real Estate Owned (OREO)

• Issues:
  • Initial recording of OREO and subsequent valuations.
  • Costs incurred subsequent to being reclassed to OREO.

• How to avoid:
  • Obtain an appraisal to properly record at fair value less costs to sell, and periodically obtain an updated appraisal.
  • Costs should be charged to expense unless the costs add value to the property.

9. Member Business Loans

• Issues:
  • Poor underwriting and loan monitoring.
  • Lack of management’s experience with member business loan programs.
  • Risk ratings conducted by credit union personnel are not done timely or are not accurate.

• How to avoid:
  • Ensure appropriate audit oversight of the MBL loan program exists.

8. Deferred Compensation Plans: Deferred Compensation Arrangements

• Issues:
  • CFOs are often not familiar with the details:
    • CEO may provide the account entries.
    • Investment(s) used to fund the deferred compensation arrangement(s) may be in violation of Section 701.19 of NCUA Regulations (direct benefit).

• How to avoid:
  • Obtain an understanding of the deferred compensation plan agreement and the accounting.
  • Review the balance of the investment account to avoid overfunding.

8. Deferred Compensation Plans: 457 Plans

• Issues:
  • Incorrect reporting of 457(b) plan balances.
  • Incorrect reporting of 457(f) accruals.

• How to avoid:
  • Report 457(b) plan balance consistent with the statement.
  • Obtain an understanding of the 457(f) plan agreement.

8. Deferred Compensation Plans: 401(k) Plan

• Issues:
  • Not using the correct definition of compensation.
  • Plan document does not reflect management’s intent.
  • Not following audit requirements.

• How to avoid:
  • Obtain a good understanding of the plan document.
  • Ensure a 401(k) plan audit is completed for plans with 100 or more eligible participants.

7. Indirect Lending

• Issues:
  • Significant growth in this loan segment may include a high volume of borrowers whose credit standing has been embellished by the auto dealer.
  • True delinquency and charge-off data regarding this loan segment may lag due to the high volume of new loans being approved on a monthly basis.

• How to avoid:
  • Establish policies and procedures which address dealer expectations, risk tolerance and monitoring procedures.

6. Internal Controls: Plastic Cards

• Issues:
  • Both plastic cards and PINs are returned to the employee creating cards.

• How to avoid:
  • Segregate the returned mail process from the employee creating cards.

6. Internal Controls: Dormant Accounts

• Issues:
  • Unauthorized (fraudulent) transactions posted against dormant accounts.

• How to avoid:
  • Set system parameters to require a supervisory override in order to perform transactions against dormant accounts.
  • Perform timely review of the dormant account transaction report.

6. Internal Controls: System Access

• Issues:
  • Computer system access beyond the related job function, which may allow for potential unauthorized transactions.

• How to avoid:
  • Restrict computer system access to match job function.
  • Review computer system access reports.

5. Information Technology

• Issues:
  • Weak back-up procedures:
    • Critical servers not backed up.
    • All back-ups not sent offsite.
  • Lack of appropriate physical access and environmental controls.
  • Weak change controls and segregation of duties.
  • Weak password security.

Page 40: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

6

Financial Institutions Group5. Information Technology

• How to avoid:• Ensure that appropriate audit oversight and testing of IT

controls exists.• Passwords should be complex (uppercase letters,

lowercase letter, numbers, special characters).

16

4. Cash on Hand – Tellers and Operations

• Issues:
  • Not performing surprise cash counts.
  • Dual control over vault and single custody of teller drawer.
  • Not establishing teller drawer limits.

• How to avoid:
  • Perform surprise cash counts.
  • Vault should be maintained under dual custody and tellers should maintain sole custody of their respective drawer.
  • Establish drawer limits (i.e., < $5,000).

3. Reconciliations

• Issues:
  • Not prepared or reviewed for all general ledger (GL) accounts.
  • Not supported with proper documentation.

• How to avoid:
  • Reconciliations should be maintained for all GL accounts and reviewed on a timely basis.
  • Establish a monthly reconciliation log to assist with monitoring and tracking reconciliations.

2. Controls – Loans (File Maintenance & Exception Reports)

• Issues:
  • No formal review over loan file maintenance reports:
    • Loan rate changes
    • Due date advances
    • Payment amount changes

• How to avoid:
  • Perform a review of these reports to determine the validity of the items appearing on them.

• Issues:
  • Not reviewing loan exception reports has contributed to the following findings:
    • Fraudulent loans
    • Loan input errors
    • Unauthorized advancement of payment due dates
    • Misapplication of principal and interest payments
    • Over-accrual of interest

• How to avoid:
  • Generate and review the following loan exception reports:
    • Unusual accrued interest (> $500, > scheduled payment, etc.)
    • Unusual rates (outside normal ranges)
    • Paid-ahead loans
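The three exception reports listed above are simple rules over the loan master file, and writing them as code makes the thresholds explicit and auditable. The following is an added example, not code from the Doeren Mayhew presentation: it applies the slide's accrued-interest tests (over $500, over the scheduled payment) together with a rate-range test and a paid-ahead test to a constructed sample portfolio and returns the reasons each loan appears. The per-product normal rate ranges, the 60-day paid-ahead window, the field names and the sample loans are assumptions for the example; a loan whose product has no defined range is reported rather than skipped.

```python
"""Loan exception report (added example, not from the presentation)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Thresholds named on the slide: accrued interest over $500 or over the
# scheduled payment. The normal rate ranges per product and the paid-ahead
# window are assumptions for this example.
ACCRUED_INTEREST_CAP = 500.00
NORMAL_RATE_RANGES: Dict[str, Tuple[float, float]] = {
    "auto": (0.02, 0.12),
    "signature": (0.06, 0.18),
    "mortgage": (0.03, 0.08),
}
PAID_AHEAD_DAYS = 60


@dataclass(frozen=True)
class Loan:
    loan_id: str
    loan_type: str
    rate: float               # annual rate as a fraction
    scheduled_payment: float
    accrued_interest: float
    next_due: date


def loan_exceptions(loans: List[Loan], as_of: date) -> Dict[str, List[str]]:
    """Return {loan_id: [reasons]} for loans that belong on the exception reports."""
    report: Dict[str, List[str]] = {}
    for ln in loans:
        reasons: List[str] = []
        if ln.accrued_interest > ACCRUED_INTEREST_CAP:
            reasons.append("accrued interest > $500")
        if ln.accrued_interest > ln.scheduled_payment:
            reasons.append("accrued interest > scheduled payment")
        bounds = NORMAL_RATE_RANGES.get(ln.loan_type)
        if bounds is None:
            # Unknown product: report it so the reviewer sees it, never skip it.
            reasons.append("no normal rate range defined for product")
        elif not bounds[0] <= ln.rate <= bounds[1]:
            reasons.append("rate outside normal range")
        if (ln.next_due - as_of).days > PAID_AHEAD_DAYS:
            reasons.append("paid ahead")
        if reasons:
            report[ln.loan_id] = reasons
    return report


# Constructed sample portfolio, reviewed as of the conference date.
AS_OF = date(2017, 7, 13)
SAMPLE_LOANS = [
    Loan("L-1001", "auto", 0.045, 350.00, 120.00, date(2017, 8, 1)),      # clean
    Loan("L-1002", "signature", 0.09, 200.00, 640.00, date(2017, 8, 1)),  # accrued interest too high
    Loan("L-1003", "auto", 0.0025, 410.00, 3.50, date(2017, 8, 15)),      # rate mis-keyed
    Loan("L-1004", "mortgage", 0.045, 900.00, 450.00, date(2018, 2, 1)),  # due date advanced
]


def run_exception_report() -> Dict[str, List[str]]:
    """Run the exception rules over the constructed sample."""
    return loan_exceptions(SAMPLE_LOANS, AS_OF)


if __name__ == "__main__":
    for loan_id, reasons in run_exception_report().items():
        print(f"{loan_id}: {'; '.join(reasons)}")
```

Each reason maps to one of the findings on the slide: an out-of-range rate is the signature of a loan input error or an unauthorized rate change, a paid-ahead loan with no matching payment history is how an advanced due date surfaces, and interest accruing past the scheduled payment is the over-accrual case.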

1. Allowance for Loan and Lease Losses (ALLL)

• Issues:
  • Analysis based on an unreasonable historical loss period.
  • Analysis not considering required Q&E components.
  • ALLL specific reserve not compliant with GAAP.
  • ALLL not including TDRs.

• How to avoid:
  • ALLL analysis should include a reasonable historical loss period, a Q&E component and specific reserves and/or TDR reserves (if applicable).

Section 5

Sageworksanalyst.com

July 13, 2017

Neekis Hammond, CPA, Principal, Advisory Services

CECL – Initial and Subsequent Measurement: A Practical Approach

• Risk management thought leader for institutions and examiners
• Regularly featured in national and trade media
• Loan portfolio and risk management solutions
• More than 1,000 financial institution clients
• Founded in 1998

ASU 2016-13 (Topic 326/CECL) Key Principles

• 326-20-30-6: Loss estimate must include expected credit losses over the contractual term of the financial asset(s)
• 326-20-30-6: Prepayment behavior must be explicitly or implicitly addressed
• 326-20-30-6: Extension and/or renewal assumptions are not allowed except for Troubled Debt Restructurings
• 326-20-30-2: Analyzing assets on a collective or pooled basis is required unless unique risk characteristics exist
• 326-20-50-6: Institutions (PBEs and SEC filers) must prepare a vintage disclosure by presenting the amortized cost basis within each credit quality indicator by year of origination (that is, vintage year)

ASU 2016-13 (Topic 326/CECL) Key Principles

• 326-20-30-7: Internal information, external information or a combination of both may be used for analyzing past events and current conditions, as well as in the creation of reasonable and supportable forecasts
• 326-20-30-9: Adjustments to historical loss information may be quantitative and/or qualitative in nature
• 326-20-30-9: Adjustments may be based on reasonable and supportable forecasts. For periods beyond a reasonable forecast, reverting to historical loss information immediately, on a straight-line basis, or using another rational and systematic basis is acceptable
• 326-20-30-11: A liability for credit losses on off-balance-sheet credit exposures over the contractual life must be recorded

ASU 2016-13 (Topic 326/CECL) Key Principles – SEC Filers

SAB No. 74 (Topic 11-M): Disclosure of the impact that recently issued accounting standards will have on the financial statements of the registrant when adopted in a future period.

• ASU 2014-9, Revenue from contracts with customers
• ASU 2016-2, Leases (Topic 842)
• ASU 2016-13, Measurement of credit losses on financial instruments (Topic 326/"CECL")

ASU 2016-13 (Topic 326/CECL) Key Principles – SEC Filers

SAB No. 74 (Topic 11-M): Disclosure of the impact that recently issued accounting standards will have on the financial statements of the registrant when adopted in a future period.

• A brief description of the new standard, the date that adoption is required and the date that the registrant plans to adopt, if earlier.
• A discussion of the methods of adoption allowed by the standard and the method expected to be utilized by the registrant, if determined.
• A discussion of the impact that adoption of the standard is expected to have on the financial statements of the registrant, unless not known or reasonably estimable. In that case, a statement to that effect may be made.
• Disclosure of the potential impact of other significant matters that the registrant believes might result from the adoption of the standard (such as technical violations of debt covenant agreements, planned or intended changes in business practices, etc.) is encouraged.

ASU 2016-13 (Topic 326/CECL)

Strategic Considerations

• Reasonable (Financial Considerations)
  • Costs: Initial, subsequent and recurring (build vs. buy)
  • Benefits: Variance, materiality and managerial insight
  • Risks: Modeling, volatility and sensitivity

• Supportable (Levers and Elections)
  • Segmentation: Structure, term and credit risk
  • Methodology: Alignment, strengths/weaknesses and data constraints
  • Forecast: Source, sensitivity and data constraints

• Applicable (Accuracy and Meaningfulness)
  • GAAP: Compliance and auditability
  • Regulatory: Adequate and transparent
  • Strategic: Cross application and managerial insight

ASU 2016-13 (Topic 326/CECL)

Tactical Considerations

• Data
  • Adequacy
  • Retention
  • Process

• Contractual Life/Prepayment
  • Calculation
  • Support

• Segmentation
  • Flexibility
  • Comparability
  • Support

• Methodologies
  • Flexibility
  • Comparability
  • Support

• Forecasting and Adjustments
  • Flexibility
  • Comparability
  • Support

• Documentation
  • Completeness
  • Auditability
  • Efficiency

Data – Adequacy: Interagency Guidance – December 19, 2016

"Specifically with regard to data, to implement CECL, an institution should collect and maintain relevant data to support its estimates of lifetime expected credit losses in a way that aligns with the method or methods it will use to estimate its allowances for credit losses. As such, the agencies encourage institutions to discuss the availability of historical loss data internally and with their core loan service providers because system changes related to the collection and retention of data may be warranted. Depending on the estimation method or methods selected, institutions may need to capture additional data and retain data longer than they have in the past on loans that have been paid off or charged off to implement CECL."

Data – Retention

(Chart not reproduced; labels: 2-year, 3-year, 4-year and 5-year retention horizons.)

Data – Process

(Chart not reproduced.)

Contractual Life (Attrition)

(Chart not reproduced: Average Life (years) by segment. Segments: Working Capital LOC, Equipment, Vehicle, Credit Card, Construction, SBA. Values shown: 1.25, 3.25, 3.75, 2.15, 1.75, 4.25.)

Contractual Life (Attrition) – slides 42 to 48 (charts not reproduced)

Application

• Cumulative/Static Pool Analysis
• Migration
• Probability of Default & Loss Given Default (PD&LGD)
• Roll Rate
• Markov Chain Monte Carlo (MCMC)

Prepayment (CPR/SMM)

(Chart not reproduced: Conditional Prepayment Rate (CPR) by segment. Segments: Equipment, Vehicle, Credit Card, Construction, SBA. Values shown: 20%, 25%, 30%, 20%, 15%.)

Prepayment (CPR/SMM) – slides 50 to 54 (charts not reproduced)

Application

• DCF (Discounted Cash Flow)

Segmentation

Cumulative Loss & Migration (charts not reproduced)

DCF Risk-Level (Top) & DCF Risk-Rating (Bottom) (charts not reproduced)

Methodologies

DCF Risk-Level / Migration Risk-Level / PD&LGD (charts not reproduced)

Cumulative Loss (chart not reproduced)

Life-of-Loan Loss Experience

(Chart not reproduced: Life-of-Loan Loss Experience by methodology. Methodologies: DCF Risk-Level, Migration Risk-Level, PD & LGD Risk-Level, Cumulative Loss. Values shown: 0.33%, 0.25%, 0.42%, 0.79%.)

Methodologies

"The allowance for credit losses may be determined using various methods. For example, an entity may use discounted cash flow methods, loss-rate methods, roll-rate methods, probability of default methods, or methods that utilize an aging schedule:"

• Loss-rate method: Net charge-offs / average balance is of little worth. Cumulative loss rates are appropriate. For more information: http://web.sageworks.com/CECL-Historical-Loss-Misconceptions/
• Roll-rate method: Net change in balances assumed to indicate migration through default to loss
• Vintage: Suitable for installment loans; not for revolving credits.
• Migration: Observed loss experience at the sub-segment level over n periods. Misalignment between the life of the asset and the migration/loss experience is a common error in logic.
• PD&LGD: Probability of defaulting over n periods. Misalignment between the life of the asset and the probability that a loan will default is a common error in logic.
• DCF: Inputs prior to executing amortization schedules require models as well; loss-rate or probability-of-default, prepayment, loss-given-default, recovery lag, etc.

Transition/Execution

As institutions search for solutions that are both cost-effective and accommodating, understanding critical capabilities will lead to a more successful investment.

Building peripheral spreadsheet-based models, purchasing data to derive and support material inputs and assumptions, limiting methodology options and manually compiling supporting documentation and/or disclosures can lead to dissatisfaction and can prove costly.

The following items must be understood/evaluated:

• Data fit/gap analysis and a clear understanding of data-driven limitations
• Data remediation assistance
• Adequate training, support, and advisory services
• Life-of-loan and prepayment calculations
• Rapid segmentation elections
• Multiple methodology options available at the pool level
• Forecast creation, support, and application capabilities
• Supporting documentation and disclosure preparation
• Clear developmental roadmap commitments and contractual obligations to remain compliant

CECL Summary

Strategic Considerations

• Reasonable (Financial Considerations)
  • Costs: Initial, subsequent and recurring (build vs. buy)
  • Benefits: Variance, materiality and managerial insight
  • Risks: Modeling, volatility and sensitivity

• Supportable (Levers and Elections)
  • Segmentation: Structure, term and credit risk
  • Methodology: Alignment, strengths/weaknesses and data constraints
  • Forecast: Source, sensitivity and data constraints

• Applicable (Accuracy and Meaningfulness)
  • GAAP: Compliance and auditability
  • Regulatory: Adequate and transparent
  • Strategic: Cross application and managerial insight

Section 6

Insight. Oversight. Foresight. ® (Florida, Michigan, North Carolina, Texas)

Cybersecurity: Everything You Need to Know

Presented by: Hugh S. Chakler, CPA, CISA, CITP, CFE

Today's Objectives

• Why are we talking about cybersecurity?
• Who is at risk and what are the threats?
• What is the goal of cybersecurity attacks?
• What are the strengths of the threats?
• FFIEC Cybersecurity Framework
• FFIEC Cybersecurity Assessment Tool
  • Inherent Risk Profile
  • Maturity Profile
• Cyber risk mitigation
• What should you do next?

Cyberattack – WannaCry

• Biggest cyberattack ever: 150 countries
• At least 200,000 computers according to Europol (European law enforcement agency)
• Locks down all files on an infected computer
• $300 ransom to release the files
• Microsoft Windows vulnerability
  • Patch was released in March
  • Failure to update your systems

Source: http://money.cnn.com/technology

Cyberattack – WannaCry

• Victims
  • FedEx
  • Nissan
  • United Kingdom's National Health Service
• Numbers of affected systems expected to rise as people return to work this week

Cyberattack – WannaCry

• How to protect yourself personally
  • Install any software updates immediately and make it a habit
  • Turn on the auto-updater (Microsoft)
  • Use anti-virus software that updates
  • Back up and regularly save copies of your files
  • Don't click on links from people you don't know personally
  • Watch for links that look somewhat familiar – but a little "off"

Data Breaches

• February 2015 – Anthem Blue Cross
  • 80 million victims, probably a Chinese cyber-espionage campaign
• Target breach settles for $10 million
  • Target has said its computer security systems alerted it to suspicious activity after hackers had infiltrated its networks, but it decided to ignore the alert, allowing what would become one of the largest data breaches recorded

Breaches vs. Incidents

• Incident: Security event compromising the integrity, confidentiality or availability of an information asset.
• Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

Breach Actors

(Chart not reproduced.) Source: Verizon DBIR 2017 Report

Breach Tactics

(Chart not reproduced.) Source: Verizon DBIR 2017 Report

Breach Victims

(Chart not reproduced.) Source: Verizon DBIR 2017 Report

Breach Similarities

(Chart not reproduced.) Source: Verizon DBIR 2017 Report

Compromise on Organizations

• In 60% of cases, attackers are able to compromise an organization within minutes

Source: Verizon 2015 Data Breach Investigations Report

Compromise on Organizations

• In 60% of cases, attackers are able to compromise an organization within minutes

(Chart not reproduced: percent of breaches where time to compromise / time to discovery was days or less.) Source: Verizon 2016 Data Breach Investigations Report

Who Are Cyber Attackers?

• Nation-states
  • China
  • Russia
• Terrorists
• Criminal enterprises
• Insiders

Confirmed Data Breaches

• 63% of confirmed data breaches involved weak, default or stolen passwords
• Top threat action varieties within incidents involving credentials (chart not reproduced)

Source: Verizon 2016 Data Breach Investigations Report

Rise in Misuse Breaches by External Actors Only

• This was solely associated with TGYFBFTDHRA
• THAT GUY YOU FIRED BUT FORGOT TO DISABLE HIS REMOTE ACCESS

Insider and Privilege Misuse

(Chart not reproduced.) Source: Verizon 2016 Data Breach Investigations Report

Insider and Privilege Misuse

• Mainly insider-only misuse, but outsiders (due to collusion) and partners (because they are granted privileges).
• Key findings:
  • They're behind your firewall.
  • They are often end users and they are comfortable exfiltrating data out in the open on the corporate LAN.
  • Insider incidents are the hardest (and take the longest) to detect.
  • Of all the incidents, these insider misuse cases are the most likely to take months or years to discover.

Who Are These Insiders?

• Leadership = 14% executive or other management
• Elevated access privilege jobs = 14%, such as system administrators or developers
• The moral of this story is to worry less about job titles and more about the level of access (and your ability to monitor)
• At the end of the day, keep up a healthy level of suspicion toward all employees.

Cyber Threats: Phishing

• 30% of phishing messages are opened
• 12% click the malicious attachment or link

Cyber Attackers: What is Their Motivation?

• Espionage (political and corporate)
• Fraud
• Disruption
• Destruction
• Social or political message
• "Shock and Awe"
• Recruitment

BUT MOSTLY

Page 75: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

8

Cyber Attackers: Strengths

• Technical expertise

• Financial sponsors

• International reach

• Weak legal reach

• Anonymity

Where Do We Start?

Risk Assessment

• Considered to be the first and most important strategy

• Fully understand how technology facilitates the achievement of its business objectives

• Determine your tolerance for technology-related loss

• Remember: IT IS NOT A MATTER OF “IF” IT WILL HAPPEN, BUT WHEN WILL IT HAPPEN

Page 76: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Risk Assessment: Allocation of Resources

• Need to understand the risks to properly allocate

• Management time

• Financial resources

• Know the threats and projected costs


Risk Assessment Quality

• Consider the issues identified in the assessments

• Discuss the contents of the risk assessment

• Consider:

• Reliance on technology

• Presence of member data

• Regulations

• Risk mitigation

FFIEC Cybersecurity Assessment Tool

Page 77: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Cybersecurity

• The ability to protect or defend the use of cyberspace from cyber attacks.

Source: CNSSI-4009 - NIST.IR.7298r2


Cybersecurity

Or, how about this?

• The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.


Cybersecurity Assessment Tool

• Objective:

• To help credit unions identify their risks and determine their cybersecurity maturity.

• The assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.

Released June 30, 2015

Page 78: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Strong Industry Foundation and Benchmark

(Diagram; labels: Public & Industry Guidance, Cybersecurity Assessment Tool, Effective Cyber Risk Management, FFIEC IT Handbooks, NIST Cybersecurity Framework)

Source: NCUA Cybersecurity Industry Webinar, 2015


General Observations

• During the summer of 2014, Federal Financial Institutions Examination Council (FFIEC) members piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks.

• The Cybersecurity Assessment found the level of cybersecurity inherent risk varies significantly across financial institutions.


Assessment Consists of Two Parts

• Inherent Risk Profile and Cybersecurity Maturity

• Inherent Risk Profile: identifies the institution’s inherent risk before implementing controls.

• Cybersecurity Maturity: includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.

Page 79: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Inherent Risk Profile

• Management first assesses the institution’s inherent risk profile based on five categories:

• Technologies and connection types

• Delivery channels

• Online/mobile products and technology services

• Organizational characteristics

• External threats


Cybersecurity Maturity

• Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

• Cyber risk management and oversight

• Threat intelligence and collaboration

• Cybersecurity controls

• External dependency management

• Cyber incident management and resilience

FFIEC Cybersecurity

Page 80: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

FFIEC Response Framework

• Every institution should maintain a framework

• Security

• Resilience

Identify Prevent Detect Respond Recover


Five Key “Domains” for Cybersecurity Preparedness

1. Cyber risk management & oversight

• Strong governance is essential

2. Threat intelligence & collaboration

• Strength in numbers

3. Cybersecurity controls

• More than one kind of control

4. External dependency management

• Your security starts with their security

5. Incident management & resilience

• Mitigation and recovery are a must


Cyber Risk Management and Oversight

• Policies and risk management strategies

• Commit sufficient resources, including expertise and training

For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing

Page 81: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Threat Intelligence and Collaboration

• Monitor timely threat information and intelligence to discover threats and identify attack methods.

• Leverage known intelligence sources to develop preventative and responsive strategies.

• Share crucial threat information and intelligence with partners and stakeholders to strengthen your security posture.

75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours)


Cybersecurity Controls

• Physical and environmental controls

• Logical access controls

• Cybersecurity controls to prevent, detect, and mitigate cyber attacks

• Preventative controls to minimize the impact and likelihood of successful attacks

• Detective controls to identify attacks in early stages

• Corrective controls to mitigate the impact


External Dependency Management: GLBA Vendor Management

• Identify your critical external dependencies.

• Establish rigorous vendor management controls, including ongoing due diligence and monitoring.

• Define third parties’ responsibilities and associated service level metrics.

• Evaluate vendors’ incident response and resilience.

Page 82: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

External Dependency Management: GLBA Vendor Management

Federal Appeals Court grants the Federal Trade Commission authority to litigate on behalf of cyber-security issues (Wyndham hotel case)


Wyndham Hotel Case

Wyndham allegedly:

• Allowed its hotels to store payment card information in clear, readable text.

• Allowed the use of easily guessed passwords to access the property management systems.

• Failed to use readily available security measures, such as firewalls, to limit access between the hotels’ property management systems, corporate network and the Internet.

• Did not ensure that its hotels implemented adequate information security policies and procedures.


Wyndham Hotel Case

Wyndham allegedly:

• Failed to restrict access of its network and servers from third-party vendors.

• Failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations.

• Did not follow proper incident response procedures.

• Wyndham did not monitor its network for malware used in the prior intrusions.

• As a result, the hackers in each of the three breaches used similar methods to gain access to credit card information.

Page 83: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Incident Management and Resilience

• Prepare incident management procedures

• Speed your ability to respond and recover

• Mitigate the loss of member confidence through timely and appropriate member notification.

• Develop policies and implement adequate incident response programs.

• Define capabilities and required resources to address threats and recovery.

• Use monitoring tools to capture events, and to identify anomalous behaviors and attacks.

• Escalate and report cyber incidents to the institution’s board of directors and senior management when warranted.

Maturity Levels

Maturity Levels: Defined

Baseline: Baseline maturity is characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.

Evolving: Evolving maturity is characterized by additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond protection of customer information to incorporate information assets and systems.

Intermediate: Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.

Advanced: Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across lines of business. The majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.

Innovative: Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.

Page 84: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

FFIEC Maturity

All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.
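A worked illustration of that rule, added here as an example rather than taken from the deck or from the FFIEC tool itself: given each declarative statement's level and whether it is attained, a domain's maturity is the highest level at which that level and every level below it are fully attained, so a single unmet Evolving statement caps the domain at Baseline even if every Intermediate statement is met. The statement lists are constructed placeholders, not the tool's actual declarative statements, and reporting an unmet Baseline as `None` is an assumption.

```python
"""Compute a domain's FFIEC Cybersecurity Assessment Tool maturity level.

Added example. Rule implemented (from the slide): a domain reaches a level
only when every declarative statement at that level AND at all lower levels
is attained. Statement texts are omitted; each statement is represented by
its level and an attained flag. The sample data is constructed.
"""
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


def domain_maturity(statements):
    """statements: iterable of (level_name, attained) pairs for one domain.

    Returns the highest level for which that level and every lower level have
    at least one statement and all of them are attained. Returns None when
    Baseline is not fully attained (assumption: reported as "not yet at
    Baseline" rather than as a level). Unknown level names raise ValueError.
    """
    attained_by_level = {lvl: [] for lvl in LEVELS}
    for level, attained in statements:
        if level not in attained_by_level:
            raise ValueError(f"unknown maturity level: {level!r}")
        attained_by_level[level].append(bool(attained))

    reached = None
    for level in LEVELS:  # walk upward; stop at the first level with a gap
        results = attained_by_level[level]
        if results and all(results):
            reached = level
        else:
            break
    return reached


def assess(domains):
    """Map each domain name to its computed maturity level."""
    return {name: domain_maturity(stmts) for name, stmts in domains.items()}


# Constructed sample: three of the five domains named on the slides.
SAMPLE_DOMAINS = {
    "Cyber risk management and oversight": [
        ("Baseline", True), ("Baseline", True),
        ("Evolving", True),
        ("Intermediate", False), ("Intermediate", True),
    ],
    # Intermediate statements are met, but one Evolving gap caps the domain.
    "Cybersecurity controls": [
        ("Baseline", True), ("Evolving", False), ("Intermediate", True),
    ],
    "Threat intelligence and collaboration": [
        ("Baseline", False), ("Evolving", True),
    ],
}

if __name__ == "__main__":
    for domain, level in assess(SAMPLE_DOMAINS).items():
        print(f"{domain}: {level or 'not yet at Baseline'}")
```

The "sustained" half of the rule is not something a point-in-time calculation can show; in practice the attained flags should come from the most recent review of each statement, and a statement whose evidence has lapsed should be recorded as not attained.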

Cyber-Risk Mitigation

• Change risk profile (streamline risk)

• Increase cybersecurity investment (staff, infrastructure, services)

• Increase capital (accept the risk)

• Alternative risk management approaches

• Cyber insurance (insure what you can’t control)

Page 85: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Cybersecurity and the Board

• Cyber security is not an IT issue

• It is a business issue that requires enterprise-wide buy-in to be managed successfully

• Cyber security has a history of being a low priority on the list of governing bodies

• This needs to change to a top priority

• A successful strategy used to gain buy-in from my board/executive team has been to align security initiatives with the organization’s strategic goals, illustrating how implementing controls early in a process can reduce the likelihood of future audit findings.


Cybersecurity and the Board

• Express risk in terms that matter to the board (i.e., losses in units produced, losses in loans, etc.), and not the number of threats blocked or vulnerabilities patched

• Leverage internal audit as an ally and collaborate to develop action plans to address risk. Cooperation fosters buy-in.


Center for Internet Security: Top 20 Critical Security Controls (CSCs), CIS CSC Version 6.1

• CSC-1 Inventory of Authorized and Unauthorized Devices

• CSC-2 Inventory of Authorized and Unauthorized Software

• CSC-3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

• CSC-4 Continuous Vulnerability Assessment and Remediation

• CSC-5 Controlled Use of Administrative Privileges

• CSC-6 Maintenance, Monitoring and Analysis of Audit Logs

• CSC-7 Email and Web Browser Protections

• CSC-8 Malware Defenses

• CSC-9 Limitation and Control of Network Ports, Protocols and Services

• CSC-10 Data Recovery Capability

Page 86: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Center for Internet Security: Top 20 Critical Security Controls (CSCs), CIS CSC Version 6.1 (continued)

• CSC-11 Secure Configurations for Network Devices such as Firewalls, Routers and Switches

• CSC-12 Boundary Defense

• CSC-13 Data Protection

• CSC-14 Controlled Access Based on the Need to Know

• CSC-15 Wireless Access Control

• CSC-16 Account Monitoring and Control

• CSC-17 Security Skills Assessment and Appropriate Training to Fill Gaps

• CSC-18 Application Software Security

• CSC-19 Incident Response and Management

• CSC-20 Penetration Tests and Red Team Exercises

Florida | Michigan | North Carolina | Texas

Thank You!

Hugh S. Chakler, CPA, CISA, CIST, CFE
Shareholder
Phone: [email protected]

Page 87: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Section 7

Page 88: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Security Blunders: Show and Tell
BARRY THOMPSON, CRCM

Have you ever thought of how you would rob your financial institution?

Human Equation
Monthly or Quarterly Branch Reports
People will do what is easiest for them!
Power of Burger King
Training

Page 89: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Political Situation
Don’t Believe Security Officer
Turf Wars
Tree Hugger
New Security Officer
Board Involvement
Law Suits

Law Enforcement: Suggested Best Practices

Closed-Circuit Television System
Lighting/Cameras
Bullet-resistant Bandit Barriers
Employees to Greet Customers
Dye Packs/Serialized Currency
GPS Packs
Direct Telephone Numbers to Police
Employee Training
Unobstructed Views
Signage
Alarm Systems UL Rated
Safes/Vaults UL Rated
Bank/Police Department Communications
Height Markers

Page 90: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Branch Location
Next to National Monuments
Malls
Rural Areas

If you build it, they will come!

“So will their lawyers!”

Financial Institution Exterior

Page 91: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Financial Institution Interior

Page 92: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Exterior Problems with Interior Implications

Night Inspections

Your Turn


Page 93: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

CPTED: Crime Prevention Through Environmental Design

Conclusions

Using outside consultants:
Send requested items to reviewer
Show all material requested
Handle reviewer’s suggestions exactly as you would a regulatory exam.

Questions?

Page 94: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

For More Information
Barry Thompson, CRCM
Thompson Consulting Group, LLC
315.342.5931
[email protected]

This presentation is designed to provide accurate and authoritative information with regard to the subject matter covered. It is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services.

If legal or other advice for your specific situation is needed, the services of a professional should be sought.


Page 95: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Section 8

Page 96: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Internal Fraud for Boards & Supervisory Committees
BARRY THOMPSON, CRCM

Association of Certified Fraud Examiners: Report to the Nation
• Cash is the targeted asset 90% of the time.
• The average scheme lasted 18 months before it was detected.
• CFE estimate that 5% of revenues will be lost as a result of occupational fraud and abuse.
• Organizations with fraud hotlines cut their fraud losses by approximately 50% per scheme.
• Internal audits, external audits, and background checks also significantly reduce fraud losses.

Management Must Be Ethical!
• Rules apply to everyone.
• Cost-cutting measures apply to everyone.

Page 97: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Framework of the Risk Management Committee
• Two Members of the Board
• The Security Officer
• Senior Officers – Human Resources, Facility Management

Action Plan Considers…
1. Suspending all suspects during an investigation.
2. Prosecuting identified thieves.
3. Terminating employees who violate procedures.
4. Protecting employees who report internal problems from future retaliation.

Who Will Investigate and How?
• Security Officer
• Human Resources Director
• Internal Audit

Page 98: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Communicate!
Ensure open lines of communication between staff and management.

Why People Fail to Report Fraud
• Fear of being wrong
• The person suspected is an immediate supervisor
• A belief management just isn’t interested

How to Increase Reporting
• Management should institute a Reporting System
• Identify two people as contacts: one male and one female
• Anonymous hotline-reporting system

Page 99: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Institute a Mandatory Fraud Training Program
The Program should:

1. Teach actual case scenarios showing what should be reported.
2. Stress a “no retaliation” policy.
3. Be mandatory for all new hires.
4. Be offered annually.
5. Include an ethics statement to be signed after training and before job promotions.
6. Name members of the Risk Management Committee and contact methods.

When an Incident Occurs
• Management must investigate
• Person reporting deserves follow-up, including detailed steps taken to resolve the situation

Internal Fraud Exposed
• Management should follow steps outlined in Ethics Policy and Action Plan.
• If policy is not followed, an explanation to staff is required.

Page 100: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

A Doomed Program
• A report is overlooked or buried
• Reporting person is identified to staff
• Anonymous reporter is identified
• Reporter later dismissed for any reason

Management Motivation of Staff
• Compensation
• Perks
• Intimidation

Questions?

Page 101: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

INTERNAL FRAUD INFORMATION SHEET

What Is Fraud? In the broadest sense, fraud can encompass any crime for gain that uses deception as its principal modus operandi. More specifically, fraud is defined by Black’s Law Dictionary as: “A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment”.

Internal Fraud: Internal fraud, also called occupational fraud, is defined by the Association of Certified Fraud Examiners as: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.” Simply stated, this type of fraud occurs when an employee, manager, or executive commits fraud against his or her employer.

Why Do People Steal? They might be in senior management, have worked for the organization for over 30 years, or be a teller working their first job. The first question that many people ask themselves is why is this person embezzling from the financial institution?

Sometimes the financial institution can point out how it went out of its way to help the individual gain an education, supported them through a family crisis, or accommodated the individual in some way. People working with the individual can feel violated, compromised, or just plain mad at the colleague.

Over the years we have witnessed many different scenarios of why people embezzle from financial institutions. The word “drag” really answers the question about 90% of the time as to why a person steals from a financial institution. What it stands for are the five main reasons we have found that people embezzle from the institutions that employ them.

• Drugs

• Relationships

• Alcohol

• Gambling and Greed

Drugs: The branch manager is well respected in the local community. He has been involved with all the civic groups the position requires to be successful in his field. His habit caused him to start embezzling from the institution. What's sad is we could name several different individuals who fit this story. Whether the individual is laundering money for drug dealers, has become addicted to illegal narcotics, or is trying to make money on the side, drugs lead inevitably to embezzlement.

Relationships: Relationships cover a wide range of human failings. This could be a marriage that is floundering because of financial strains, so the spouse decides to embezzle to make things better at home. It could be the spouse is trying to support the family and their new significant other at the same time. It might be as simple as a husband who can't afford all the things he feels the family deserves so he provides them anyway.

Thompson Consulting Group, LLC • P.O. Box 5303 • Oswego, New York 13126-5303 • (315) 342.5931 • [email protected] • www.tgrouponline.com

Page 102: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Medical conditions leading to expenses that the family cannot afford may result in someone absconding with funds to pay the debt. A college student needing to make tuition payments to stay in school may feel that “the financial institution can afford it”. No matter the situation, relationships where funds are needed can lead to embezzlement.

Alcohol: People reading the newspapers many times are amazed at who has been arrested for driving while their ability has been impaired (DWI) or under the influence (DUI). Alcohol impairs an individual's judgment to such an extent that embezzlement becomes an option. We need not go into any great depth about what alcohol can do to an individual, as nearly everyone knows someone who has been affected by it. Working in a financial institution is no different: when someone has a drinking problem, it will manifest itself in the workplace.

Gambling: Like alcohol, gambling is an addiction. People with a gambling addiction just cannot stop playing. “Owning Mahowny,” a movie released in 2003, is based on a true story of a banker from Canada who was addicted to gambling. This is a movie that anyone interested in how gambling can affect a banker should see. While most cases are not as extreme as the one portrayed, the results are almost always as devastating.

One individual had been a senior officer in the financial institution’s loan department. A gambling casino had opened near the financial institution. Shortly after it opened, examinations of the institution started to report problems with internal controls in the loan area. The CEO was unconcerned, as he trusted the senior loan officer, taking the warnings as something he did not need to be concerned about. When the internal embezzlement was discovered, the loan officer had stolen over $1 million, which had been gambled over the tables at the local casino. The financial institution became vulnerable and could not avoid being taken over by another financial institution.

Greed: Some people just can't be trusted; they enter the institution for the express purpose of walking away with the money. The Association of Certified Fraud Examiners continually updates a report entitled “Report to the Nation.” It regularly points out that the item most often stolen from businesses is cash. As the business of banking is cash, this is a field where people wanting to get rich quick find a wonderful place to work.

All of the people described above may operate below the radar of management! The reality is someone on the staff will have an inkling that something is wrong. People won't report it because they are afraid of accusing someone wrongly or finding that management will not take the report seriously.

The Possible Results of Committing Fraud: The possible ramifications of committing a fraudulent act could be very broad and devastating. Let’s take a look at some possible results and how they may affect the individual.


Page 103: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Possible Results of Such Action

• Incarceration

• Fines

• Retribution

• Banned from Future Employment in Financial Industry

• IRS Tax Liens

• Criminal Record

• Impact on Self/Reputation

• Impact on Family/Friends

• Future Employment Opportunities

• Reputation Impact on Organization

• Potential Failure of Organization

What is a Red Flag? A “Red Flag” is a set of circumstances that are unusual in nature or vary from normal activity. It’s a signal that something is out of the ordinary and may need to be investigated further. Remember that Red Flags do not indicate guilt or innocence, but merely provide possible warning signs of fraud.

Ways to Embezzle

• Use GL tickets to refund fees on personal account.

• Use Debit/Credit tickets to move money between accounts.

• Account Takeover: opening a new customer account and setting up online banking without the customer’s knowledge.

• Identity Theft: using or selling stolen customer identification to create bank accounts, generate loans, and open credit cards.

Red Flags

• Cash drawer frequently out of balance

• Unusual cash deposits in personal account

• Frequent “Cash Advance” activity

• Kiting activity

• General Ledger ticket activity in personal account

• Refusal to take vacations or sick leave

• Employee regularly works after hours

• Carrying unusual amounts of money

• Employee takes work home or works frequently on weekends

• Easily annoyed at reasonable questioning

• Providing unreasonable responses to questions

Advanced Warning Signs

• Individual regularly works after hours

• Refusal to accept promotions

• Poor communication

• Staff considers policies unimportant

• Employee will not allow anyone to balance accounts in their area of responsibility

• Employee has continual overdrafts on their personal account

• High turnover

• Weak internal controls cited during audit or regulatory review

• Creditors or collectors appearing at the financial institution

• Employee intimidates rest of staff

• Lack of segregation of duties in their assigned area

• Borrowing money from co-workers

• Absence of dual control

• Inattention to suspense accounts by not balancing them frequently
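Several of the red flags listed here are visible in transaction and staffing records, which is where internal audit can look for them systematically. The script below is an added example (not part of the Thompson Consulting Group handout) that runs over constructed journal entries, cash-drawer balancing results and leave records and reports, per employee, GL or debit/credit tickets posted to the employee's own accounts, twelve months without leave, and a cash drawer that is repeatedly out of balance. Record formats, the threshold and the sample data are assumptions; as the handout says, a flag is a prompt for follow-up, not a finding of guilt.

```python
"""Screen constructed employee, journal and drawer records for fraud red flags.

Added example. Three of the handout's red flags are implemented:
  1. GL / debit-credit ticket activity on the employee's own account,
  2. refusal to take vacation or sick leave (no leave in 12 months),
  3. cash drawer frequently out of balance.
All record layouts, thresholds and sample values are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed employee directory: deposit accounts each employee owns and
# leave days taken in the trailing twelve months.
EMPLOYEES = {
    "t101": {"name": "Teller A", "own_accounts": {"ACCT-5001"}, "leave_days_12m": 8},
    "t102": {"name": "Teller B", "own_accounts": {"ACCT-5002"}, "leave_days_12m": 0},
    "m201": {"name": "Branch Manager", "own_accounts": {"ACCT-5003"}, "leave_days_12m": 5},
}

# Constructed journal: (posting employee, ticket type, target account, amount).
JOURNAL = [
    ("t101", "GL", "ACCT-9001", 25.00),
    ("t102", "GL", "ACCT-5002", 35.00),          # fee refund to own account
    ("t102", "GL", "ACCT-5002", 35.00),
    ("m201", "DEBIT_CREDIT", "ACCT-5003", 1200.00),  # transfer into own account
    ("t101", "DEBIT_CREDIT", "ACCT-7002", 80.00),
]

# Constructed drawer balancing log: (employee, business date, out_of_balance).
DRAWER_BALANCING = [
    ("t101", date(2017, 6, 1), False),
    ("t101", date(2017, 6, 2), True),
    ("t102", date(2017, 6, 1), True),
    ("t102", date(2017, 6, 2), True),
    ("t102", date(2017, 6, 5), True),
    ("m201", date(2017, 6, 1), False),
]


def red_flags(employees, journal, drawer_results, out_of_balance_threshold=3):
    """Return {employee_id: [flag description, ...]} for employees with flags.

    Flags are prompts for review by the Risk Management Committee; they are
    not evidence of wrongdoing on their own.
    """
    flags = defaultdict(list)

    # 1. Tickets the employee posted to an account the employee owns,
    #    totalled per ticket type so the reviewer sees the amount at stake.
    self_postings = defaultdict(lambda: defaultdict(float))
    for emp, ticket_type, account, amount in journal:
        if account in employees[emp]["own_accounts"]:
            self_postings[emp][ticket_type] += amount
    for emp, by_type in self_postings.items():
        for ticket_type, total in by_type.items():
            flags[emp].append(f"{ticket_type} ticket activity on own account: {total:.2f}")

    # 2. No vacation or sick leave taken in the trailing twelve months.
    for emp, info in employees.items():
        if info["leave_days_12m"] == 0:
            flags[emp].append("no vacation or sick leave taken in 12 months")

    # 3. Cash drawer out of balance on at least `out_of_balance_threshold` days.
    oob_days = defaultdict(int)
    for emp, _day, out_of_balance in drawer_results:
        if out_of_balance:
            oob_days[emp] += 1
    for emp, n in oob_days.items():
        if n >= out_of_balance_threshold:
            flags[emp].append(f"cash drawer out of balance on {n} days")

    return dict(flags)


if __name__ == "__main__":
    for emp, items in red_flags(EMPLOYEES, JOURNAL, DRAWER_BALANCING).items():
        print(EMPLOYEES[emp]["name"], "->", "; ".join(items))
```

The own-account check is the one worth extending first: in a real core-banking export it should also cover accounts of immediate family members and any account where the employee is a joint owner, which is why the directory stores a set of accounts rather than a single number.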


Page 104: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

WARNING SIGNS OF INTERNAL FRAUD

Warning signs do not indicate guilt or innocence, but merely provide a signal of caution.

Warning Signs for Management

♦ Absence of background checks

♦ Background checks not being made when promoting people to management positions

♦ Budget cutbacks

♦ Failure to investigate or prosecute internal fraud to the fullest extent of the law

♦ High turnover

♦ Inattention to suspense accounts by not balancing them frequently

♦ Keeping problems a secret

♦ Manager or key employee continually downplays ethics training, internal controls, or company policies

♦ Weak internal controls cited during audit or regulatory reviews

Employee Red Flags

♦ Behavioral changes: these may be an indication of drugs, relationships, alcohol, gambling

♦ Borrowing money from co-workers

♦ Carrying unusual amounts of money

♦ Creditors or collectors appearing at the financial institution

♦ Easily annoyed at reasonable questioning

♦ Lack of segregation of duties in their assigned areas

♦ Lifestyle or behavioral changes

♦ Providing unreasonable responses to questions

♦ Recent changes in lifestyle

♦ Refusal to accept promotions

♦ Refusal to take vacations or sick leave

♦ Significant personal debt and credit problems

♦ Staff member is living beyond their means

♦ Staff member lifestyle changes: expensive cars, jewelry, homes, clothes

♦ Staff member will not allow anyone to balance accounts in their area of responsibility

♦ Staff member regularly waives or overrides internal controls because “they don't apply to me”

♦ Staff member regularly works after hours, takes work home, works frequently on weekends

♦ Staff member continually intimidates the rest of the staff

Page 105: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Section 9

Page 106: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

By: R. Todd Sherpy
Sherpy & Jones Law P.A.
Credit Union Resources & Educational Services, LLC
Post Office Box 2599
Lexington, SC 29071
Atlanta Phone 770-631-3527
SC Phone 803 [email protected]

Copyright: © CURES, LLC, 1994-2017 - all rights reserved.

Sherpy & Jones Enterprise Risk Management for

Credit Unions

First Notes – Today’s World & --- It Changes

If We do not Change --

Page 107: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Eagles and Ducks.

Thinking you know it all …


Thirty Years Later –

I know what a genius really is.

Page 108: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Then it hit me – why I chose to work with entities regulated by NCUA

Reality I

Reality II

Page 109: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

ERM is an overall Goal from my Perspective – Always has been.

ERM Allows a Return to TQM and an Integrated Approach

Accept what we do has many Inherent Risks

Page 110: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Expand Horizons and Risk Mitigation

To me – it harkens a return to an era of common sense …

What is ERM -- It is an Overall Concept … Global to the Credit Union

Page 111: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Let’s Start with What we Do Have

NCUA Supervisory Letter No.: 13-12

Page 1: “Natural Person Credit Unions are not required to implement a formal ERM framework.”

But See Page 5 … .

What do “Real” Regulators Say?

How do You Know Your Risks Until You Know Them?

Page 112: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


To Start With …

Build a Knowledge Base of Things You Really do know …

Knowledge Allows You to Create a Game Plan

ERM “The Opening of Eyes”

Page 113: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


ERM “The Opening of Eyes” II

ERM – How it Can Fail

ERM & Risk Identification

Page 114: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


ERM & Risk Identification II

ERM & Risk Identification III

ERM & Risk Identification IV

Page 115: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


ERM & Risk Identification V

Assessment Factors

Getting “Sideways” with the process … not focusing on the real world – Legal and Common Sense Perspectives.

Page 116: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Bylaws – Board -Volunteers

Reminder: Corporate culture starts at the top.

Culture of Compliance

Page 117: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Risk Management & Safety

Let’s Learn / Address Some Basic Considerations Known to All …

Remember who is in control and why?

Page 118: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Why you select the option, but the options you must know …

Recent History

Lessons for All FI’s from the Wells-Fargo and CFPB $185 Million Consent Order

Page 119: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

It takes a long time to build a reputation—and a short time to lose one.

Compensation and Incentives // Revisit Ethics Policies and Training

Just being dumb …

Page 120: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …


Navy Federal Credit Union’s

$28.5 Million CFPB Consent Order

Un-Social Media

By: R. Todd Sherpy
Sherpy & Jones Law P.A.
Credit Union Resources & Educational Services, LLC
Post Office Box 2599
Lexington, SC 29071
Atlanta Phone 770-631-3527
SC Phone 803 [email protected]

Credit Union Mythology

Page 121: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

More Practical Stuff:

Questions: Sherpy & Jones P.A.

POST OFFICE BOX 2599

LEXINGTON, SC 29071

CREDIT UNION RESOURCES AND

EDUCATIONAL SERVICES, LLC (“CURES”)

104 PENINSULA DRIVE

PEACHTREE CITY, GA 30269

770-631-3527

PHONE: (803) 3563327

[email protected]

Page 122: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Section 10

Page 123: COASTAL SUPERVISORY COMMITTEE & INTERNAL AUDITOR …

Copyright, 2017, Thompson Consulting Group, LLC.  All rights reserved. 1

Conquering Emerging Fraud Trends
Barry Thompson, CRCM

Top 5 Bank Frauds

• Debit Card
• Business Email Compromise
• Elder Fraud
• Checking Fraud
• Wire Fraud

2016 Survey conducted by Thompson Consulting Group, LLC

Generational Consideration

Five Generations Living

• The Greatest Generation – Pre-1944
• The Baby Boomers – 1945 – 1964
• Generation X – 1965 – 1984
• Millennials – 1985 – 2004
• “As Yet Unnamed” Generation – 2005 – Present

It is important to note that generational constructs are fluid. Generations have not been defined by the U.S. Census Bureau, with the exception of the Baby Boomers.


Information Needed to Steal Your Identity:

1. Name
2. Address
3. Social Security Number
4. Telephone Number
5. Birth Date
6. Mother’s Maiden Name
7. Employment

Effective For Social Engineering

8. Past Addresses
9. Financial Account Numbers
10. Children’s Names
11. Family Information

IRS Phone Scam

Scammers are calling under the guise of the IRS. They threaten people with arrest, deportation, and/or public humiliation for having unpaid taxes. They state you must immediately pay by going to a store, purchasing prepaid cards, and giving them the access numbers off the back of the card. This is a SCAM. Hang up and report the incident at ftc.gov.


Hostage Phone Scam

Scammers call saying a loved one was in an accident and is being held hostage until money is sent to pay for the accident. They state you must immediately pay by going to a store, purchasing prepaid cards, and giving them the access numbers off the back of the card.

Overpayment – Oops!

Scammers overpay for products or services offered online and then tell the victim to cash the check and keep a good portion for their troubles. The victim is then to send the remainder of the money to the scammer. The original check bounces and the victim is out all the money. Do not cash checks for others. Note: Banks make funds available in 1-2 days as a service for cashed/deposited checks. The actual check could take several weeks to be returned.

Lottery Winner!

Victims are contacted by phone, text, email, or mail and told they won millions of dollars and need to send money to pay for lawyers, taxes, and processing fees. A true lottery would deduct all such fees from the dollar amount won and send you the difference. Do not send any money to process a “winning,” or even reply. Replying will get you on a scammer’s mailing and phone list, and you will get constant communications and no money.


Work From Home Scam

Scammers solicit victims to assist with cashing checks and money orders and then wiring the money to a “boss” who is traveling overseas on business. This is how a scammer moves money from victims to avoid detection. Law enforcement follows the paper trail to the “Work from Home” assistant, and the scammer cuts ties, leaving the assistant to deal with the investigation.

Secret Shopper

The letter invites you to become a paid mystery shopper in your area, and the letterhead and check appear to come from a legitimate U.S. company. The letter instructs you to deposit the check into your checking account, wire an amount using a company like Western Union or MoneyGram, and keep some as pay. Shoppers are asked to purchase merchandise and complete a survey regarding their experience.

Craigslist Rental / Vacation Rental

The victim is convinced to pay a large cash/wired deposit to reserve a vacation rental property or an apartment. Many times they are asked to sign agreements and are given keys, which add to the perceived legitimacy. The scammers usually have the victim complete a rental agreement that requires name, date of birth, and social security number, which can also lead to identity theft.


Fake Relationships

Dating and romance scams take advantage of people looking for romantic partners and play on emotional triggers to get the victims to provide money, gifts, or personal information. Often, the scammer will pretend to need the money for some sort of personal emergency.

Hacked Email

Email is sent from a friend’s hacked email account requesting that money be sent immediately to help the friend out. Many different reasons are given.

• Do not click on any links.
• Do not open any attachments.
• Delete immediately.

Online Technical Assistance

Victims receive a warning and sign up for “technical support” to “repair” slowness or clean viruses. Once remote access is established, the scammer has full access to all of your computer files and applications.


Locked Debit Card

Victim receives messages through voice, text, and/or email claiming a debit card has been deactivated and to call immediately. Return calls will ask for the 16-digit card number, PIN, and CVC codes. Do not give it!

Can You Hear Me?

The scammer gets the victim to say “yes” to the question “Can you hear me?” The response is recorded and edited to use as voice authentication/authorization for unwanted charges.

Pay a Ticket

The New York State Department of Motor Vehicles (DMV) is cautioning consumers against an email “phishing” campaign that sends a notice stating the victim must pay a ticket within 48 hours or their license will be revoked. While the notice is made to appear as if it comes from the DMV, it is a hoax.


Credit/Debit Card Skimmers

Devices affixed to the reader of ATMs, gas pumps, etc. to record debit and credit card information.

• Do not use the machine.
• Do not touch the device.
• Call 911 immediately.

Protect Yourself

• Use different long and complex passwords.
• Guard your personal information.
• Check your credit reports.
• Monitor your statements.
• Use USPS drop boxes for outgoing mail.
• Shred documents with personal information.
• Don’t open suspicious emails.
• Verify callers before giving out any information.

Questions?


For More Information

Barry Thompson, CRCM
Thompson Consulting Group, LLC
315.342.5931

[email protected]

This presentation is designed to provide accurate and authoritative information with regard to the subject matter covered. It is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services.

If legal or other advice for your specific situation is needed, the services of a professional should be sought.