Community Banking A D V I S O R Winter 2013

When a leadership change is in order, be a resource

Risky businessOCC report analyzes threats faced by banks

Bank Wire

Inadequate IT procedures expose banks to liability for online fraud

www.elliottdavis.com

2

In today’s cyberworld, where would-be thieves are finding ever more clever ways to commit fraud and

theft, it’s critical that banks offering online banking implement effective, risk-based security procedures. Not only is it good business in terms of customer satisfaction, but it can also help protect a bank against liability for online fraud. In a recent case, one bank learned this lesson the hard way.

Technology was underusedIn Patco Construction Co. v. People’s United Bank, the U.S. Court of Appeals for the First Circuit found that a bank was potentially liable for over $345,000 in fraudulent withdrawals from a customer’s account.

The customer, Patco, used online banking primarily to make weekly payroll payments. These payments were always made on Fridays, were always initiated from a computer at Patco’s offices, and always originated from a single static IP address. The largest payment Patco ever made was just under $37,000.

In 2007, the bank implemented a sophisticated security system that involved user IDs and passwords, “invisible” device authentication and risk profiling. The system monitored all log-in attempts and transactions and assigned each a risk score based on IP address, device

ID, the customer’s “normal” transaction profile, and other factors. Risk scores that exceeded a specified threshold triggered additional authentication procedures — in this case, answering three pre-established challenge questions.

Challenge questions also were triggered if the transac-tion amount exceeded $100,000. Transactions were immediately blocked if the user’s IP address appeared on a fraud watchlist.

In 2008, the bank reduced the dollar threshold from $100,000 to $1. The following year, a fraudster with access to a Patco employee’s ID and password — as well as the challenge question answers — initiated six withdrawals over a seven-day period totaling nearly $589,000. The withdrawal amounts ranged from around $56,000 to more than $115,000.

Despite the unusual nature of these transac-tions, which yielded unprecedentedly high risk scores, the bank processed them as usual and did nothing to alert Patco. Fortunately, some of the transfers were rejected because of bad account numbers, and the bank blocked some transfers after Patco notified it of the fraud. Nonetheless, Patco was left with a $345,000 loss.

System was compromisedUnder Article 4A of the Uniform Commercial Code, banks generally bear the risk of losses

Inadequate IT procedures expose banks to liability for online fraud

Banks can shift the risk of loss to customers by having them agree to commercially reasonable security procedures for verifying transactions.

3

Lenders often form long-term, and even close, rela-tionships with their business loan customers. So

when a customer needs to turn over the management reins to a replacement, it may be hard for them to say good-bye to the old and hello to the new. But the well-being of your customer’s business may depend on it. Consider the following example.

a customer’s tough decisionSix years ago, Jason Jones (not a real name) told his lender, Chris Cash, that he had been diagnosed with chronic heart disease and intended to turn over Jones Industries to his twins, Jack and Jill.

Chris was understandably concerned — not only for Jason’s health, but also because he knew firsthand the failure rate for second-generation owners. To make matters worse, Jack (a social worker) and Jill (a nutri-tionist) lacked the manufacturing experience, technical know-how and fiscal discipline that had made Jones Industries a model borrower for the last 17 years.

Chris had a frank discussion with Jason about the future of Jones Industries. Although Jason wanted to see his children take over the reins, he wondered if they were truly qualified for the job and willing to dig in. Did Jason want Jones Industries to survive him?

When Jason admitted that Jack and Jill weren’t optimal successors, he gifted stock to the twins instead, which

when a leadership change is in order, be a resource

caused by unauthorized transfers. But they can shift the risk of loss to customers by having them agree to commercially reasonable security procedures for veri-fying transactions.

In this case, the bank’s procedures weren’t commer-cially reasonable. By reducing the dollar threshold to $1, the bank essentially crippled its risk-scoring sys-tem, since users had to answer the challenge questions for every transaction. This made the answers more vulnerable to interception by keyloggers (programs that record everything a user types) or other malware, increasing the risk of fraud.

In light of these weaknesses, and the bank’s knowledge of fraud incidents involving keylogging malware, the bank’s

failure to implement additional security measures — such as manual reviews or additional authentication procedures for transactions with high risk scores — was unreasonable.

Do your homeworkTo avoid liability for online fraud, review your security procedures to ensure that they’re designed to require a higher level of security for riskier transactions or customers and that the procedures are effective. The FFIEC’s paper, “Authentication in an Internet Bank-ing Environment,” provides guidance on the “layered” security measures needed to combat fraud in the cur-rent environment. s

provided them with a passive income stream and seats on the company’s board of directors. In a unique deci-sion, Jason’s accountant filled in as interim CEO and assembled a professional management team to handle day-to-day operations.

Chris advised Jason to seek an accounting firm that offers outsourced CFO and accounting services. He also suggested that he check with other firms that might be able to assist short term while facilitating the assembly of a new management team.

Although Jason didn’t survive his heart problems, his legacy lives on through Jones Industries. The new management team has taken the company to the next level, and it’s considering a public offering this year.

Your take on the situationAt some point every business outgrows its first-generation entrepreneurs. Perhaps the founder — like Jason — faces health issues. Or perhaps the company reaches a critical mass that exceeds the founder’s abilities, or

partner disagreements reach insurmountable propor-tions. When current management is struggling to stay afloat, the owner faces tough choices: Should it bring in a family member, hire more experienced outsiders, or sell to a larger organization? In order to recognize when it’s time to upgrade management, lenders should visit the borrower’s premises to get acquainted with the people behind the numbers.

When talking to owners and managers, consider their ages, health and retirement goals. Use your knowledge and experience to help evaluate whether the owners are buried in administrative chores and spend less time in activities such as brainstorming ideas and landing new accounts.

Ask to see the organizational chart and job descrip-tions. Every business should have a tiered structure and a viable succession plan. Such planning minimizes the risk of relying too heavily on key people. Also evaluate the qualifications of up-and-coming managers — do they have what it takes to run the show? If not, training and mentoring are in order.

an assist from youIf a borrower is in the same or similar situation as Jason, it’s time to encourage a management change or upgrade. Higher-than-average unemployment rates make it an

employer’s market. And many skilled but out-of-work managers will likely be eager to jump aboard your borrower’s ship.

Lenders and accountants can introduce borrow-ers to their networks of business contacts, which include, for example, potential CFO, CIO and CEO candidates, business appraisers and brokers, and executive recruiters.

Proactive stepsA business can get a new lease on life with a change in leadership. The right top manager can breathe vitality into a business with a future that’s on hold. But if your customer waits too long to ini-tiate change, the business is likely to get off track. Be the expert resource you can be, and encourage your customer to take proactive steps now. s

4

When talking to owners and managers, consider their ages, health and retirement goals.

5

risky businessOCC report analyzes threats faced by banks

The Office of the Comptroller of the Currency (OCC) recently unveiled its Semiannual Risk

Perspective report. According to the OCC, community banks continue to face significant risks in the wake of the recession, including commercial real estate (CRE) risk, new product risk and interest rate risk.

The report outlines the primary risks banks face, present-ing data in four areas: the operating environment; the condition and performance of the banking system; fund-ing, liquidity, and interest rate risk; and regulatory actions.

Analyzing year end 2011 data, the report notes that, although bank profitability increased in 2011, the pri-mary driver of improved earnings was lower provisioning expenses (such as allowances for bad loans and other valuation reserves) rather than higher gross revenues.

Major risk concernsThe report focuses on three key concerns. First, the aftereffects of the recession created significant risks, as banks continued to face severely delinquent residential mortgages. Although small banks didn’t experience the same degree of delinquencies and loss rates as did larger banks, they were improving at a slower pace. CRE per-formance showed improvement, but high vacancy rates and problem asset levels continued to be a concern.

Revenue growth in a slow economy is the second concern. Loan growth — other than commercial and industrial (C&I) lending — remained sluggish; the low-interest-rate environment continued to squeeze margins and spur growth in nonmaturity deposits,

which are vulnerable to runoff; and noninterest income faced increasing regulatory pressure.

The third concern is that banks, in an effort to improve profitability, will likely take on inappropriate levels of risk. For example:

n As banks compete for “higher earning assets,” they’re under pressure to relax underwriting standards.

n Financial institutions that enter new or less familiar markets may create new product risk.

n Banks that economize on systems and processes — particularly by using third-party providers — may increase operational risks.

n Financial institutions that add to investment portfolio positions and increase duration to obtain higher yields may be vulnerable to rate shocks if interest rates rise.

The report also notes that “the unprecedented volume and scope in the domestic and international regulatory environment challenges business models and revenues.”

Challenges for community banksThe OCC report highlights several risks for commu-nity and midsize banks:

CRE risk. Although CRE losses have been lower than expected, these loans have benefited from

One concern is that banks, in an effort to improve profitability, will likely take on inappropriate levels of risk.

6

low interest rates. If net operating income doesn’t improve, or if interest rates rise, bank performance will be affected adversely.

New product risk. Some banks are attempting to improve asset growth by expanding or creating prod-uct lines “for which they may lack the appropriate control process and expertise,” such as C&I, indirect auto lending, and oil and gas lending.

Interest rate risk. Deposit growth and weak loan demand have put pressure on margins, creating an incentive for banks to increase the duration of their investment portfolios and purchase more complex, structured products, such as asset-backed securities or collateralized debt obligations.

Risk managementAccording to the OCC, the main challenge for commu-nity banks is developing strategies that allow them to “thrive in the face of lingering credit stress, historically low margins, competitive pressures from larger banks and uncertainty about future regulatory changes.”

The first step is to assess your bank’s risks and to implement strategies for managing those risks and allocating resources in a prudent fashion. If you have a high concentration of CRE loans, for example, conduct a sensitivity analysis of your portfolio and develop a workout strategy for distressed CRE loans that minimizes the financial impact on your bank.

Also, if you’re entering unfamiliar markets, evaluate any new products or C&I loan portfolios to ensure that your underwriting and risk management stan-dards and practices are adequate. Finally, evaluate your bank’s interest rate risk and take steps to manage it. (See “Managing interest rate risk” at left.)

Review your plansIn light of the many risks your bank faces, now is a good time to review your organization’s policies, practices, procedures and strategic plans. A solid plan for measuring, monitoring and managing risk will help your bank survive — and prosper — as the economy improves. s

It’s critical for you to evaluate the potential impact of interest rate changes on your bank’s earnings or capital. This interest rate risk includes variations. for example, repricing risk can result when assets and liabilities mature or “reprice” at different times. suppose you fund a five-year fixed-rate loan at 5% with a one-year cd at 2%. If the cd rate increases to 4% in year two, net interest income drops from 3% to 1%.

another example is option risk, which can result when customers have the option to prepay loans or withdraw deposits early with little or no penalty. If interest rates go up, customers may move their deposits into higher-yielding investments. If rates go down, borrowers may refinance their loans at a lower rate.

To manage these risks, use financial modeling or other techniques to assess your risk and, if appropriate, take steps to reduce your exposure, such as:

n using asset-liability management to ensure the right blend of rates and maturities,

n reducing option risk by controlling the terms of loans and deposits, and

n Implementing hedging strategies, such as derivatives or interest rate swaps.

Managing in teres t rate r isk

GeT ready for new capITal requIremenTsUnder joint proposals by the Federal Reserve, FDIC and OCC, banks will soon be subject to new regulatory capital requirements. Originally, the proposed rules were intended to take effect as of January 2013, but on Nov. 9, 2012, the agencies issued a joint statement advising bankers that the effective date would likely be delayed. This will give banks and thrifts more time to integrate the new requirements.

The proposals generally follow the Basel III Interna-tional Accord, which established global regulatory standards for capital adequacy and liquidity. Although they were designed for “internationally active” banks, many of the proposed requirements apply to all banks, including community banks.

The proposed rules are complex and may be revised before they’re finalized. In general, however, they’ll increase the quality and minimum quantity of capital for most banks, and include a requirement that more capital be held in the form of common stock or other common equity.

According to the Federal Reserve, most community bank holding companies that meet current regulatory capital requirements would also meet the new require-ments. And for those that don’t, the proposed rules include a transition period that would phase in the new requirements over six years.

For community banks that want to get a sense of the potential impact, federal regulators have created a Basel III “calculator,” available at fdic.gov. Although banks can’t rely on the calculator as an indicator of their actual regulatory capital ratios, it will give them a general idea of what to plan for. s

GuIdance on hard-To-value asseTsRecently, the OCC published a handbook on manag-ing unique and hard-to-value assets held in fiduciary or custody accounts. These assets may include real estate, closely held businesses, mineral interests, loans and notes, life insurance, tangible assets and collectibles. They can increase a bank’s risk because they often require special management expertise, present valuation challenges and are subject to special ownership rules.

The handbook reviews the various operational, com-pliance, strategic and reputation risks associated with these assets, and describes techniques banks can use to mitigate these risks. You can find it at occ.gov. Click on “Publications / Comptroller’s Handbook” and, under “Asset Management Booklets,” select “Unique and Hard-To-Value Assets.” s

reGulaTory calendar avaIlableTo help community banks keep abreast of changes in federal banking laws, regulations and supervi-sory guidance, the FDIC has developed a regulatory calendar. It includes notices of proposed, interim and final rulemakings, along with key dates, such as com-ment periods for proposed rules and effective dates for final rules. You can view the calendar by searching for “FDIC regulatory calendar.” s

This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting or other professional advice or opinions on specific facts or matters, and, accordingly, assume no liability whatsoever in connection with its use. ©2013 CBAwi13

B A n k

Wire

P.O. Box 6286 • Greenville, SC 29606 - 6286

The banking industry is complex and rapidly evolving. You deserve the right team with the right leadership to serve you. More than 100 banks in the Southeast, large and small, depend on Elliott Davis’ Financial Services Practice for personal attention, industry experience and services including external and internal audit, SEC reporting, taxation, external loan reviews and compliance. With a 60-year reputation and a team of 90 professionals serving financial institutions, we help banks operate stronger, wiser, better.

Contact: Jason Caskey, CPA – Financial Services Practice Chair Phone: 888.816.0826 Email: jcaskey@elliottdavis.com

Founded in 1925, Elliott Davis LLC/PLLC is one of the largest accounting, tax and consulting services firms in the Southeast and ranks among the top 50 CPA firms in the U.S. For more information about Elliott Davis and its services, visit http://www.elliottdavis.com.

SOLUTIONS

Assurance• Audit services• Financial statement preparation

Non-Audit Services• Bank Secrecy Act compliance reviews• Information system audits• Independent loan reviews• Outsourced internal audit• SSAE No. 16 reports• ALLL validation

Tax• Income tax preparation and planning• State and local tax services• Tax estimates• Evaluation of deferred tax asset

SEC Related Services• Preparation of 10-Qs and 10-Ks• SEC registration and compliance• SOX 404 documentation and testing

Consulting• ALCO model testing• Business valuation services• Cost segregation studies• Director training• Loan and deposit compliance• Management and regulatory services• Mergers and acquisitions• Strategic planning• Stock compensation calculations• Compliance with enforcement actions