Pub. 11 2021-2022 Issue 4

Issue 4, 2021-2022
Colorado Banker
Cover feature: OVER A CENTURY: BUILDING BETTER BANKS — Helping Coloradans Realize Dreams
A Word from CBA President and CEO Jenifer Waller: With a Nod to the Past, CBA Is Poised for Continued Success (Page 2)

©2022 The Colorado Bankers Association is proud to present Colorado Banker as a benefit of membership in the association. No member dues were used in the publishing of this news magazine. All publishing costs were borne by advertising sales. Purchase of any products or services from paid advertisements within this magazine is the sole responsibility of the consumer. The statements and opinions expressed herein are those of the individual authors and do not necessarily represent the views of Colorado Banker or its publisher, The newsLINK Group, LLC. Any legal advice should be regarded as general information. It is strongly recommended that one contact an attorney for counsel regarding specific circumstances. Likewise, the appearance of advertisers does not constitute an endorsement of the products or services featured by The newsLINK Group, LLC.

January • February 2022

Jenifer Waller, President & CEO
Alison Morgan, Director of State Government Relations
Brandon Knudtson, Director of Membership
Lindsay Muniz, Director of Education
Rita Fish, Communications & Office Manager
Margie Mellenbruch, Bookkeeper*
Craig A. Umbaugh, Counsel*
Jim Cole, Lobbyist*
Melanie Layton, Lobbyist*
Garin Vorthmann, Lobbyist*
Andrew Wood, Lobbyist*
* Outsourced

140 East 19th Avenue, Suite 400, Denver, Colorado 80203
Office: 303.825.1575
Websites: coloradobankers.org, smallbizlending.org, financialinfo.org, colorado-banker.thenewslinkgroup.org

Contents
Over a Century: BUILDING BETTER BANKS — Helping Coloradans Realize Dreams
2 A Word from CBA President and CEO Jenifer Waller: With a Nod to the Past, CBA Is Poised for Continued Success
4 Looking Back on 2021: The Year of Cryptocurrency and DLTs
6 Why Your Bank’s ALCO Should Use Derivatives to Manage Rate
8 The AMLA and a Culture of Compliance – More Critical Than Ever
12 CFPB Data Point Quantifies Overdraft/NSF Fee “Reliance”
14 How to Create a Vendor Due Diligence Checklist
17 Violating the One-Per-12-Month Rollover Rule: A Case Study
20 Optimize Your Financial Institution’s Loan Review Process

A Word From CBA
With a Nod to the Past, CBA Is Poised for Continued Success
By Jenifer Waller, President and CEO, Colorado Bankers Association

As I begin serving you in my new role as Chief Executive Officer and President of the Colorado Bankers Association, I want first to express my sincere gratitude and appreciation to our member banks and bankers for placing their trust in me. I am truly honored to represent this industry and build upon the incredibly solid foundation Don Childears built for this organization over his 47 years with CBA. I am proud to have worked alongside him for more than 20 years. I thank Don for his leadership, mentorship and, most importantly, his friendship.

In the coming months, we will be concentrating on ensuring post (and current) pandemic public policy fosters a healthy economic environment and does not create barriers that hinder the industry’s ability to meet the needs of its communities and customers. CBA has a renewed vision of highlighting the positive work banks do for their communities. Banks have always been there for their customers, but the Paycheck Protection Program shone a strong spotlight on banks’ commitments. We want to ensure that light continues to shine bright. Public officials can have a short memory, so we will keep the good work you do at the top of their minds.

We have a long history of legislative success, promoting positive bills and defeating bills that would harm the industry and your customers, and we will maintain that track record. Over the years, we have seen an increase in the number and depth of bills that would negatively impact the economy, bank customers and the banking industry should they pass, and we will not let down our guard. CBA is here to shield your bank just as we always have. We expect to see significant changes in federal regulations prompted by new leadership at the regulatory agencies. Our eyes are laser-focused on their actions to minimize any potentially negative impact. Team CBA is a small but mighty one that takes each step with efficiency and efficacy in mind toward the benefit of Colorado’s banks.

We remain your one-stop shop dedicated to advocating for the banking industry, offering the continuing education you need and providing access to products and services that make your job easier. Don’t hesitate to contact me if there is anything CBA can do for you or your bank.

Looking Back on 2021: The Year of Cryptocurrency and DLTs
By Larry Pruss, SRM (Strategic Resource Management)

Cryptocurrencies and Digital Ledger Technologies (DLT) have become topics nearly impossible to measure. Innovations come hourly, as do the challenges. Cryptocurrencies that were once derided as at best a fad, or at worst a scam or a way to launder money, have become a legitimate asset class, reaching three trillion dollars in 2021. A few highlights from 2021:
• Consumer adoption of crypto as an investment, somewhere between 25-30% of adults, represents 2.5% of the $120 trillion global equity market.
• Institutional investment in crypto has increased exponentially, with more than 50 U.S. companies holding crypto on their balance sheets and even more accepting crypto as a means of payment (including over 40 million PayPal merchants).
• Companies like Flexa have emerged that allow spending crypto at the point of sale, completely bypassing the traditional network rails – with potentially significant impacts on merchant fees and interchange.
• Venture capitalists have invested $30 billion into crypto startups this year – more funding than the sector has received in every other year combined (the previous high was $8 billion in 2018). “Investors are funding anything and everything” crypto-related, according to PitchBook analyst Rob Le.

• Regulatory guidance has been provided by the Office of the Comptroller (OCC) and the National Credit Union Administration (NCUA), clearly allowing financial institutions to move into digital asset technologies.
• We’ve seen credit unions announce, and several banks launch, crypto/DLT solutions. One bank observed a 25% increase in its customer base eight weeks after its crypto product launch. We’ve also observed several financial institutions mint and leverage stablecoins for instant settlement 24x7x365.
• Several major announcements have been made about Central Bank Digital Currencies as the world’s central banks scramble to keep up with China’s digital asset initiatives.

So What?
Cryptocurrency is here to stay, adoption is accelerating, and it offers opportunities for financial institutions willing to try something new. It certainly appears the largest risk facing financial institutions is not having a crypto/DLT strategy. Most financial institutions observe their deposits flowing out to the crypto exchanges, and most are unsure about what to do. Those under 35 are already active in cryptocurrency. Banks and their wealth advisor arms must be active this year or potentially lose this population segment.

We’ve observed new crypto solutions coming to market that promise a solution via a partnership between the crypto solution providers and popular mobile banking and processing partners. While these solutions promise to make offering crypto to clients easy and offer “white glove” service, how competitive they will be with the crypto exchanges, fintechs, or early bank competitors remains to be seen, since most of them offer only a buy/sell/hold option, and only for Bitcoin. Will these solutions really be competitive with the existing crypto exchanges, or might it be better to launch a more elegant solution?

The reality is that the crypto solutions you select today need to be competitive, scalable, and consider future solutions (like loans against those digital assets) your clients will ultimately request. Several potential crypto product solutions can be brought to market, but they will need to be considered in the broader context of your institution’s digital strategy and long-term roadmap. Some of these solutions include:
• Custody and trust
• Trading and investment alternative/advice
• Rewards and gifting
• Considering digital assets in credit decisions
• Lending against cryptocurrency and to crypto businesses
• Stablecoins
• Staking
• Decentralized Finance (DeFi)

Financial institutions must invest significant time in early 2022 to truly understand these new technologies against their competitive landscape. Key considerations include:
• Understanding the extent of your existing outflows to the exchanges
• Talking with your clients (especially the younger generation) to determine their current and potential future needs
• Ensuring your wealth and trust teams are fully involved
• Developing short- and long-term digital roadmaps that include cryptocurrencies and DLTs
• Developing a product strategy to complement your broader strategy
• Understanding the various vendors, solutions, and technical considerations
• Having a good set of partners: technical, business, compliance, marketing, etc.

Crypto is here to stay. It is growing. And your bank needs to have a solid plan.

About the Author
Larry Pruss is SVP of Project Management at SRM (Strategic Resource Management). He has nearly 25 years of expertise in payments, developing strategies and plans related to card optimization, revenue enhancement, loyalty marketing and portfolio acquisition, and he now leads the company’s cryptocurrency consulting offering for financial institutions.

Why Your Bank’s ALCO Should Use Derivatives to Manage Rate
By Ben Lewis, Chatham Financial

In a December 2021 poll of banking executives, we asked respondents two questions about their outlook and concerns for 2022. First, we asked what concerns their ALCO committee the most. It wasn’t inflation. Despite all the headlines and press that inflation is currently receiving, that wasn’t bankers’ primary concern. It was the combination of low yields and the resulting NIM pressure that concerned nearly 70% of the 100-plus bankers responding. Second, we asked what concerns their financial institution the most. Again, inflation, or rising rates to tame inflation, was not the primary concern. The main worry for 61% of respondents was rates staying low for an extended period, and particularly the long end of the yield curve staying low or even going lower.

What can a bank do to manage its balance sheet against a lower-for-longer rate scenario, especially when it’s flush with deposits?
• Make more long-term fixed-rate loans. In the current environment, with banks flush with liquidity and loan demand below historical norms, this is a challenging proposition. Even if loan demand is strong, it requires time and capital.
• Buy fixed-rate bonds. The CFO/treasurer can deploy liquidity through the bond portfolio. Credit risk is mitigated, but it is inefficient both in time (it can take months to find enough quality assets to buy) and in capital.
• Use a swap to bring forward interest income. An interest rate swap allows ALCO committees to instantaneously change the interest income on an asset or liability while using very little capital. Client requests, investment decisions, and funding choices can be optimized rather than driven by their associated interest rate risk profile.

Why do banks use derivatives to hedge their balance sheet?
• Efficiency. It’s efficient from both a timing and a capital perspective. In a late 2021 earnings call, when outlining their hedging strategy, financial institution CFO John Woods said, “We think it’s a bit more efficient to do that (manage interest rate risk) off-balance sheet with swaps.”
• Flexibility. It’s more flexible than changing loan and deposit availability and pricing.
• Cost. It’s often less expensive when compared to cash products.

Why are some banks hesitant to use swaps?
• Perception of riskiness. For a bank that hasn’t used derivatives, it is easy to fall into the fallacy that swaps are a “bet” on rates. In a sense, though, the bank’s entire balance sheet is a “bet” on rates. When layered into the bank’s ALCO conversations and tool kit, swaps are simply another tool to manage rate risk, not add to it.
• Accounting concerns. Banks frequently cite accounting concerns about derivatives. But recent changes from the Financial Accounting Standards Board have flipped this script – hedge accounting is no longer a foe but a friend to community banks.
• Fear of the unknown. Derivatives bring an added layer of complexity, but this is often overstated. It’s important to partner with an external service provider for education as well as the heavy lifting, both upfront and ongoing. The bank can then continue to focus on what it does best: thrilling customers and returning value to shareholders.
• Competing priorities. Competing priorities are a reality, and if something is working, why bother with it? But growth comes from driving change, especially in areas where the bank can make small incremental changes before driving significant change – banks can transact swaps as small as $1M or less.

For banks that have steered clear of swaps – thinking they are too risky or not worth the effort – an education session that identifies the actual risks while providing solutions to manage and minimize those risks can help separate facts from fears and support the best decision for their institution. Community banks should leverage hedging strategies to enhance yield, increase lending capacity, and manage excess liquidity.

The AMLA and a Culture of Compliance – More Critical Than Ever
By Terri Luttrell, CAMS-Audit, Compliance and Engagement Director

With the 2021 change in administration in Washington, D.C., the anti-money laundering (AML) regulatory climate has already seen significant impacts. On Jan. 1, 2021, the Senate voted into law the National Defense Authorization Act (NDAA). Within the NDAA, the Anti-Money Laundering Act of 2020 (AMLA) became law and amends the Bank Secrecy Act (BSA) for the first time in nearly two decades. The BSA, adopted in 1970, has not had a significant overhaul since the USA PATRIOT Act (commonly known as the Patriot Act) in 2001, passed in response to the September 11 terrorist attacks on the United States. AMLA is significant in U.S. anti-money laundering laws and priorities, and financial institutions must be prepared for the changes.

The Financial Crimes Enforcement Network (FinCEN) and other regulatory bodies have long understood the need to re-adjust and streamline AML priorities. The passing of AMLA signals that Congress is paying attention. AMLA encourages a strengthened partnership between law enforcement and financial institutions, effectively using scarce resources. The intention of the BSA has always been to detect and report criminal financial activity and deter criminals from flowing illicit gains through the U.S. financial system. One of AMLA’s primary objectives is for financial institutions to spend time doing what is truly necessary for detecting criminal activity and not spin their wheels with policies and procedures on tasks that bring no benefit to law enforcement. The AMLA is extensive, and there are many steps involved before FinCEN can implement the Act, such as conducting studies, writing regulations, and publishing guidance. One example is the published Anti-Money Laundering and Countering the Financing of Terrorism National Priorities.

One thing is clear: a financial institution’s culture of compliance is more critical now than ever, and bank executives must take note.

A strong culture of compliance is crucial
The culture of compliance within the BSA/AML framework is not new; it was first introduced by FinCEN in 2014 with advisory FIN-2014-A007. The advisory was prompted by widespread shortcomings in AML programs leading to many enforcement actions that might have been prevented. Former FinCEN Director Jennifer Shasky Calvery stated in a 2014 speech that “I can say without a doubt that a strong culture of compliance could have made all the difference.”

The Federal Financial Institutions Examination Council (FFIEC) BSA Examination Manual states, “The board of directors plays an important role in establishing and maintaining an appropriate culture that places a priority on compliance, and a structure that provides oversight and holds senior management accountable for implementing the bank’s BSA/AML internal controls.” In addition, the FinCEN advisory emphasizes that, regardless of the size or business model of the financial institution, one with a poor compliance culture is likely to have systemic shortcomings in its BSA/AML program. It advises that a financial institution could strengthen its BSA/AML culture of compliance by:
• Having leadership that actively supports and understands compliance efforts
• Not allowing compliance to be compromised by revenue interests
• Making efforts to manage and mitigate BSA/AML deficiencies
• Ensuring relevant information from various departments within the organization is shared with BSA/AML staff
• Devoting adequate resources to its compliance function (both human and technological)
• Ensuring that the BSA/AML program is effective by conducting independent and competent testing
• Making sure leadership and staff understand the purpose of its BSA/AML efforts

This topic has continued to be emphasized by FinCEN throughout the years, as demonstrated by former FinCEN Deputy Director Jamal El-Hindi in a 2019 speech centered around national security concerns within U.S. financial institutions. He stated, “(Regulators) should talk to (banks) about the risks they run within their institutions and jurisdictions if an AML compliance culture is not fostered. Much is at stake when a business anywhere puts its reputation at risk.” This statement should be a driving force for executives to strive for a strong culture of compliance. As we surpassed the 20th anniversary of the 9/11 terrorist attacks and the uprising of the Taliban in Afghanistan, this cannot be emphasized enough.

In 2021 and forward, AMLA brings to the top of mind the importance of the culture of compliance. Key highlights of the act (the codification of risk-based AML/CFT programs, a beneficial ownership registry, suspicious activity report [SAR] and currency transaction report [CTR] reform, safe harbor for keeping suspicious accounts open, and increased FinCEN resources) are all critical for financial institutions to prepare for and understand. Other key components of the AMLA speak directly to a strong culture of compliance and should be addressed as soon as possible.

Key AMLA components for a strong culture of compliance

Penalty Enhancements
The AMLA has given federal law enforcement and financial regulators many new AML/CFT enforcement tools to take more aggressive enforcement action for egregious or systemic program issues, keeping in line with the new administration’s promises. These enhanced penalties confirm the continued importance of the FinCEN culture of compliance guidelines and should be stressed during your board of directors’ training. The language in the AMLA gives financial institutions a new directive to have adequate resources in technology and staff to appropriately address the FinCrime risk to the institution. This part of the AMLA is crucial to share now with your board and senior management to ensure they understand the consequences if it is not followed.

Penalties Around Politically Exposed Persons
Political corruption and kleptocracy are a growing concern globally and domestically alike. Politically Exposed Persons (PEPs) are high-profile individuals in a unique position to be entrusted with a prominent public function. PEPs pose a higher risk of money laundering or terror financing, using funds illicitly obtained through their position. The Financial Action Task Force (FATF) has issued extensive guidance in this area. Indeed, not all PEPs are criminals or kleptocrats, but financial institutions must perform ongoing monitoring on their higher-risk PEPs and understand the source of funds flowing through their financial institutions. The AMLA increases penalties around concealing a PEP’s source of funds, and the increased scrutiny is a direct indication that financial institutions should enhance policies and procedures around PEPs.

Whistleblower Program
Like the Dodd-Frank requirements, the AMLA establishes an enhanced whistleblower program strongly encouraging informants to step forward. This program also significantly expands rewards and safe harbor for those who step forward. Whistleblowers may be aware of fraud within an institution, corruption, systemic program deficiencies, or even a failure to strengthen programs as expected by regulators. A whistleblower could prevent severe regulatory penalties if issues are uncovered in time. What this will mean for an internal difference of opinion on SAR filing is yet to be seen. In any event, a whistleblower policy mirroring the AMLA should be part of an institution’s AML/BSA program in the future.

What Can Institutions Do to Prepare?
The FinCrime industry has hoped for BSA/AML reform to reduce the regulatory burden of BSA reporting. On the flip side, the enhanced penalties brought by AMLA make the culture of compliance even more critical. Institutions should modernize their BSA/AML programs with appropriate risk-based innovative solutions to streamline those processes and use resources efficiently and effectively. AML/BSA programs should align with new expectations and requirements as they roll out, with a strong emphasis on the culture of compliance. What can a financial institution do to prepare? Below are a few suggestions to get an institution started:
• Keep your board of directors and executive management apprised of the AMLA and subsequent regulations and guidance. No one likes surprises of a regulatory nature.
• Enhance your BSA/AML policy language, demonstrating a strong culture of compliance.
• Consider adding an accountability component for adhering to compliance procedures.
• Evaluate BSA/AML processes for innovative technology needed for streamlining.
• Use the AMLA to develop a business case that will pay for itself in time saved.
• Develop an AMLA action plan and update it as regulations and guidance are written.
• Update policies, procedures, and processes with what is currently known, such as adding whistleblower language to your BSA/AML program.
• Continue to be proactive and take the time to set up alerts and follow the AMLA’s progress.

Passing AMLA is an essential first step in overhauling the BSA, and executive management should be apprised of upcoming changes. It is more important than ever that financial institutions stay informed on the latest progress and understand the implications. From the board and executive management down, a strong culture of compliance is critical to an AML/CTF program’s success and to avoiding regulatory scrutiny. It is going to be a busy few years ahead. Still, the hope is that the changes will ease some of the burdens on financial institutions and provide more value to law enforcement for what’s essential: detecting and deterring money laundering and the financing of terror.

CFPB Data Point Quantifies Overdraft/NSF Fee “Reliance”
By Cheryl Lawson, Executive Vice President, Compliance Review for JMFA

Analysis offers limited perspective on disclosed overdraft program value
On Dec. 1, 2021, the Consumer Financial Protection Bureau (CFPB) released the Data Point: Overdraft/NSF Fee Reliance Since 2015 report, which expands on its earlier Data Point: Checking Account Overdraft, published in 2014. Data reviewed by the CFPB comes from the Consolidated Reports of Condition and Income, or “Call Reports,” which are submitted to the regulatory agencies. The CFPB’s analysis includes those banks and credit unions under its supervision and those with assets over $1 billion.

Key points and observations
The report’s analysis indicates that aggregate overdraft/NSF fee revenues for the largest financial institutions in the U.S. gained a small, steady increase of 1.7% annually between 2015 and 2019. Account maintenance fees also grew, but at a lower rate of 0.6% annually during those years. ATM fees declined during the period. Additionally, all aggregate fees fell in 2020 due to consumer behavior changes associated with the COVID-19 pandemic. Overdraft/NSF fee revenues declined most sharply, at 26.2%.

The granularity of fee data used by this Data Point was possible beginning in 2015, when Call Reports required that each of the three types of fees (overdraft/NSF, account maintenance and ATM) be reported distinctly. A total of 425 banks were analyzed using their annual fee data from 2015 to 2019. A smaller group of 238 banks was used for quarterly analysis. The two groups represented 97.2% and 90.7% of all overdraft/NSF fees, respectively. There was a small increase in the growth of combined fee income from 65% to 66% between 2015 and 2018. It rose to 66.5% in 2019 and declined to 62.4% in 2020. The CFPB reports that the market is “stable and persistent,” especially before the COVID-19 pandemic of 2020.

While overdraft/NSF fee revenues declined in 2020, the report does not say whether the change in institutional policies and practices or consumer use patterns drove the decline. However, the report recognizes that consumer deposit balances and average checking account balances experienced a marked rise during the pandemic, in large part due to the stimulus payments received by consumers.

The report defines “reliance” as “the share of overdraft and NSF fees among the listed fees” at a given institution. Variance in “reliance” can occur because of several things, including:
• Different fee structures in use by various institutions
• The mix of consumers served
• The combination of consumer fees (primarily checking account) and non-transaction accounts (savings and money market deposits)

CFPB weighs in on Data Point results
When the Data Point was released, prepared remarks from the Director of the CFPB, Rohit Chopra, were critical of the report’s findings. “The reports show banks, including big banks, continue to rely on these fees as a major source of revenue. Rather than competing on transparent, upfront pricing, large financial institutions are still hooked on exploitative junk fees that can quickly drain a family’s bank account.” According to its leadership, the CFPB is planning to “take action against large financial institutions whose overdraft practices violate the law,” which is its purpose and function.

The CFPB report shows that consumers consistently use overdraft services and that usage is generally stable. Unfortunately, many CFPB-supervised financial institutions do not provide a disclosed overdraft solution with limits and transparent policies. The CFPB study does not include financial institutions that utilize JMFA’s fully disclosed solution. Instead, the CFPB refers to “exploitative junk fees” but does not give financial institutions direction, or support transparent, consumer-focused overdraft solutions.

Focus on consumer protection remains strong
A well-disclosed overdraft solution that complies with banking laws and regulations is an important banking strategy and highly valued by account holders. With the continued focus on transparency, it’s a responsible business practice to have simplified and effective communication with your account holders. Reviewing and evaluating your program’s communication impact is the best way to alleviate any confusion about how your program works and the fees associated with its use. And, with an experienced overdraft program provider, you’ll be able to navigate the complexities of the regulatory environment and mitigate any potential compliance issues. To learn more, please contact your local JMFA representative or call (800) 809-2307.

How to Create a Vendor Due Diligence Checklist
By Steve Sanders, CSI

Vendor due diligence – it’s a favorite topic of a few people, but in today’s risky environment, it’s one of the most important ways to protect your organization. Vendor due diligence is how an organization examines a current or potential vendor’s risk to its business operations. It is a key component of the vendor management required by the Federal Banking Agencies. However, knowing your vendors and understanding the risks they pose to your institution is far more than just a compliance requirement: it’s necessary for running a successful operation.

The third-party risk management guidelines – issued by the OCC and the FFIEC – are still causing ripples in the financial services community, and many organizations are still feeling the pressure. With increased reliance on third parties for these services, as well as increased scrutiny from examiners, auditors and even leadership teams and boards of directors, this pressure is more significant than it’s ever been.

Five Steps to Creating a Vendor Due Diligence Checklist
Whether vendor management is an outsourced service or still performed in-house, it’s time to rethink and mature your vendor due diligence process, starting with these five tips:

1. Prioritize Vendors by Risk
Due diligence should be performed on all vendors, but not to the same degree. Far too many organizations perform the same amount of due diligence on every vendor, likely resulting in inadequate due diligence on higher-risk vendors and excessive due diligence on lower-risk vendors. That’s a lose-lose proposition of inefficiency and inadequacy.

Using a risk-based vendor due diligence approach solves this problem. It focuses your effort where it’s most beneficial, which happens to coincide with the areas emphasized by regulatory guidance. Here are the four key steps to a risk-based vendor due diligence checklist:
1. Pull the most recent list of all your vendors.
2. Classify them by definitive “risk-based” categories: general vendors, confidential/sensitive data vendors and strategic vendors.
3. Perform the appropriate level of due diligence, as described below, for those risk categories.
4. Repeat the due diligence at appropriate intervals (for strategic vendors, no less than annually).

2. General Vendor Due Diligence: Quick and Painless
Any time you contract with an outside vendor, investigate the following factors and ensure all corresponding documentation is stored in a safe place, like a dedicated vendor management repository:
• Business Impact Analysis: Ask yourself what happens to your organization if something happens to this vendor, i.e., they go out of business or lose a key subcontractor.
• Business Type and Status: Determine if the vendor is a legal entity and its type: corporation, LLC or sole proprietorship.
• Insurance: Confirm the vendor has general liability insurance, and whether any specialty insurance is needed.
• Contract: Develop a written, enforceable agreement.
• Service Level Agreements: Ensure that both parties have agreed on how performance will be measured.
• Relationship Owner: Identify the employee who will own this relationship and monitor performance.
• Confidentiality Statements: These are typically needed when proprietary information will be shared with the vendor, i.e., details about an upcoming product launch shared with a graphic designer or freelance writer.
This level of due diligence is sufficient for vendors in the General category, which likely make up most of your vendor list.

3. Confidential/Sensitive Data Vendor Due Diligence: Extra Cautious
Vendors that have access to your confidential or sensitive data should be placed in the Confidential/Sensitive Data category. In addition to completing the tasks for General vendors, you must conduct enough additional due diligence on these vendors to understand whether they can protect your data to the level required by the Gramm-Leach-Bliley Act, including:
• Third-party Audit
• Additional Insurance
• Bonding
• Specific Contract Language
• Confidentiality Agreements
• Information Security
• Business Continuity and Disaster Recovery
• Employee Background Checks
• Additional Questions
• Vendor’s Due Diligence
While these additional tasks will require more time, remember that this level of vendor due diligence is only needed for a finite group.

4. Strategic Vendor Due Diligence: Ensure Your Business Viability and Continuity
These vendors are those without whom your institution could not operate. They perform a critical product, channel, operational or technological function. The strategic category usually consists of the fewest vendors, providing an inverse relationship: the fewest vendors require the most due diligence. In addition to the Confidential/Sensitive Data and General information collected above, you should collect the following:
• Financial Soundness
• Ownership of the Company
• Contract Protections
• Continuous Relationship Monitoring
• Capacity
• Legal and Compliance Issues
• Mergers or Acquisitions
• Corporate Image, News and Social Media
• Alternative Vendor on Deck
That’s a lot of work, but for most organizations, this only needs to be completed on one or two vendors, and rarely more than five.

5. Don’t Go Overboard with Vendor Due Diligence Policies
One of the most common mistakes in vendor management is making the program unmanageable. This often stems from a misunderstanding about what is expected, resulting in unrealistic, unsustainable expectations that reduce the effectiveness of a vendor management program. Understand the “why” behind every document requested and every question asked. Rather than using cookie-cutter lists of hundreds of questions, only ask those relevant to your due diligence procedures.

Comprehensive Vendor Management is Achievable – and Necessary
While time-consuming, it’s in your institution’s best interest to ensure that General vendors have been appropriately vetted, that Confidential/Sensitive Data vendors can protect your sensitive data, and that Strategic vendors can perform their critical functions. Otherwise, the penalty could come in the form of both lost business and compliance violations – a double whammy no business wants to face.

Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs and information security training.
With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain command of cyber-risk oversight. coloradobankers.org 16

Violating the One-Per-12-Month Rollover Rule: A Case Study
By Jonathan Yahn, JD, CPC, Ascensus

Years ago, IRA owners could take multiple distributions and roll them over in the same year – as long as they rolled over only one distribution per IRA. Some individuals took this opportunity to an extreme by opening multiple IRAs in order to take advantage of this rule. For example, a business owner with a cash flow problem might use multiple IRA distributions to meet payroll. By maintaining 12 separate IRAs, the owner could take a distribution to meet expenses and roll over that distribution within 60 days – assuming, of course, that the owner had the assets to complete the rollover. But if not, another distribution from a different IRA could replace the funds taken from the first IRA. This “robbing Peter to pay Paul” potentially could go on all year.

But this scheme came to a screeching halt in 2014. A U.S. Tax Court decision (Bobrow v. Commissioner) radically revised the one-per-12-month rollover rule, restricting rollovers to individuals rather than to IRAs. The IRS provided further guidance in Announcement 2014-32, clarifying that individuals can roll over only one distribution per 12-month period, irrespective of the number of IRAs they have. This restriction includes Traditional, Roth, SEP, and SIMPLE IRAs.

Case Study: What if someone violates the one-per-12-month rollover rule?

Consider a scenario that we recently encountered on our consulting lines. (Some details have been changed.) A financial adviser’s client wanted to move various IRAs to the adviser’s firm. Rather than simply transfer the assets, the client had taken two distributions from two separate IRAs: one for about $40,000 and another for about $90,000. The client had already rolled over the smaller distribution and was about to roll over the larger one when the adviser discovered the potential problem. Both distributions had been taken within the same week, and both were still within the 60-day rollover window.

Relief is available only for violations of the 60-day rollover rule

The financial adviser thought that there might be some way that the IRS would allow multiple rollovers within 12 months if there were a good reason. Unfortunately, the provision he was thinking of limits relief to those who have failed to roll over a distribution within 60 days of the distribution; it does not apply to the one-per-12-month requirement.

Internal Revenue Code Section 402(c)(3)(B) allows the IRS to waive the 60-day requirement in certain cases. The IRS may waive the 60-day requirement “where the failure to waive such requirement would be against equity or good conscience.” IRS Revenue Procedure (Rev. Proc.) 2016-47 provides guidance for obtaining such a waiver. This Rev. Proc. includes details of how individuals may “self-certify” that they are eligible for a waiver, including a model letter they can complete. Valid reasons for a 60-day rule waiver include financial organization errors, death (or serious illness) of a family member, or depositing a distribution into an account while mistakenly believing it was an IRA.

Congress has not extended IRS relief to violations of the one-per-12-month rule. And while it may seem that an overly strict enforcement policy might violate “equity or good conscience,” so far the IRS simply has had no statutory authority to waive the one-per-12-month requirement.

Options are limited for violations of the one-per-12-month rule

Even when an individual is not at fault, good options are scarce. For example, if a financial organization employee provides inaccurate information about the rule, the individual may still have limited recourse. Here are some approaches to consider:

If multiple distributions occur within the 60-day window, the individual may limit the tax liability by rolling over the largest one. In our case study, the client could have rolled over a total of $90,000. At least this would have made the problem – not being able to roll over the additional $40,000 – a bit less severe.

If the distributing financial organization is at fault (e.g., giving bad advice, not following instructions), the individual may succeed at having the organization agree to void the transaction and redo it as (for example) a transfer. As with any situation like this, the financial organization may have to make a business decision based on possible risks – and may ask for specific written instructions from the client. Some might also insist on a hold harmless agreement.

If the financial organization is at fault to any extent, it may decide to offer the client a way to avoid some of the consequences of a failed rollover. In our case study, assume both distributions had been rolled over: the $90,000 one first and the $40,000 second. Here, the second rollover would be disallowed, and the IRA owner would have to treat $40,000 as a regular contribution. If the IRA owner was ineligible to make a regular contribution for the year, he would have to remove the entire $40,000 (plus the net income attributable) as an excess contribution. Further, because this contribution could not be treated as a rollover, it would be taxable to the client in the year it was distributed. Let’s assume that the client would have to pay around 25% in federal and state taxes on $40,000, or $10,000. (If the client were under age 59½, an additional 10% tax would also likely apply.) The financial organization probably would not offer to pay the additional tax, as this would seem to create a bit of a windfall for the client. But it might help start a discussion about how the financial organization could somehow put the client in an acceptable tax position.

Important Takeaways

Why even discuss a rollover scenario for such limited and unsatisfactory responses? At least three reasons come to mind:

1. Know the rules. This may seem obvious. But from our experience, many workers struggle with the complex rules that govern our retirement plan industry. The rules aren’t necessarily intuitive. In fact, sometimes they seem – as in this case – to defy common sense. If you don’t know the rules that a client wonders about, don’t fake it. Admit that you would “like to look into that” for your client, and then follow up with the correct information. Most clients will respect an authentic “may I get back to you on that” along with a prompt and accurate response.

2. Don’t give “advice.” There may be a fine line at times between reciting the rules and giving advice. And you may find yourself reciting this phrase repeatedly to your clients over the years: “I can’t give tax, legal, or accounting advice, but here’s the rule as I understand it.” You may also want to verify with your compliance or legal area precisely what they would prefer you to say. So while you certainly want to help your clients, knowing the limits of your understanding – and your proper role with your clients – will help keep you and your financial organization from the predicament in our case study.

3. Learn how to protect your organization while helping your clients. You may make mistakes. And you may have to deal with clients with valid complaints based on some interaction with you or a colleague. So it makes sense to have a response plan in place before you actually need it. For example, conferring with your legal/compliance team about when and how to refer problems to them may facilitate a broader discussion about various roles in your organization. You may, for example, come up with tools, such as checklists and decision trees, that will help front-line workers refer challenging situations to the right colleagues.

The real-life case study above may sound familiar to you. The rollover rules changed without prior warning, catching some financial organizations off guard. But even for those who consistently stay abreast of new developments, it’s easy to miss something. So whether it’s the one-per-12-month rollover rule – or some other provision – you or someone you serve will likely get tripped up at some point. Knowing how to respond may lessen the impact and may even help you keep a client.

Optimize Your Financial Institution’s Loan Review Process
By Mary Ellen Biery, Senior Strategist & Content Manager, Abrigo

Loan review or credit risk review is a significant risk management function. According to the 2020 regulatory guidance on credit risk review, it is integral to every insured depository institution’s safe and sound operation.

To be sure to get the most out of the loan review function, financial institutions should have a charter in place. They should structure loan review so that it reports up through the audit function, according to Ancin Cooley, CIA, CISA, Principal and Founder of Synergy Bank Consulting and Synergy Credit Union Consulting.

Cooley says one way to make sure that your financial institution optimizes its loan review or credit review function is to start with a charter, a document outlining its purpose and other important matters. “Why? Because it outlines the rules of engagement between the loan review function and the loan production function,” he says.

Outlining the “rules of engagement” is important to ensure the loan or credit risk review is independent and objective. The charter also outlines the budget for the loan review function, including a budget for loan review employees and their training, Cooley says. “It outlines the organizational structure and the reporting structure, as well as it outlines what meetings and what scope loan review will be responsible for.”

Such guard rails are important for loan review to ensure such decisions don’t come down to “My opinion versus somebody else’s opinion,” Cooley says. He adds that loan review charters should be reviewed and approved by the financial institution’s board of directors.

A second way to make sure your financial institution optimizes its loan review or credit review function is to have it report up through the audit area of the bank or credit union. “As a best practice, loan review should report up through the audit function,” Cooley says. “I’ve had the pleasure of teaching loan review courses for the last nine years, and so I’ve had a lot of conversations with loan review and credit risk professionals. One of the things I hear sometimes is that they can’t be independent when they’re reporting up to the CEO.”

What can happen if the loan review function does not report to auditing? One possibility is that the loan reviewer won’t downgrade a loan that they perhaps should downgrade “because they either report to the CEO, the Chief Credit Officer, or the Chief Risk Officer, who all report back up to the CEO,” Cooley says.

“If you want to create a culture where you can go fast, and you want to be certain that the health of your portfolio is accurate and is what it reflects in your loan review reports, your loan review function should report up through audit,” he adds. “Some of you will say, ‘My outsourced loan review function reports to the Chief Credit Officer; isn’t that individual independent?’ Well, who does that Chief Credit Officer report to?”

Cooley suggests considering the function of loan review, how that ties in with the reporting structure, and how the reporting structure could influence the content of the loan reviews. For example, a loan reviewer reporting to the Chief Credit Officer might find it difficult or awkward to disparage other areas under that executive’s management. “How am I going to criticize the credit analysis, the appraisal management function, the appraisal review function, or maybe how we’re monitoring things at a portfolio level?” he asks.

The first line of defense for mitigating credit risk is loan production, and the second line of defense is credit administration and loan administration. Audit and review make up the third line of defense, Cooley adds.

“So, in closing, if you want to hear the truth from loan review, make sure that they have a functional dotted line to audit and report administratively to someone in management,” Cooley says.
