SPRING 2025
Debanking: Financial Services as a Public Utility?
Plan Sponsors’ Five Deadly Sins
Navigating the Future: Key Trends for CAEs to Watch in 2025
©2025 West Virginia Bankers Association (WVBA) | The newsLINK Group LLC. All rights reserved. West Virginia Banker is published four times per year by The newsLINK Group LLC for WVBA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of WVBA, its board of directors or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. West Virginia Banker is a collective work, and as such, some articles are submitted by authors who are independent of WVBA. While a first-print policy is encouraged, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at (855) 747-4003.

Contents

PRESIDENT’S MESSAGE: West Virginia School of Banking: Transformative Education Right Here at Home
By Mark Mangano, President & CEO, WVBankers

Debanking: Financial Services as a Public Utility?
By Drew A. Proudfoot, Partner, and Amy J. Tawney, Partner, Bowles Rice LLP

“Don’t Get Fooled Again!” Refinance Borrower Imposter Fraud
By Bob Wisman, Business Development Officer, West Virginia Bankers Title LLC

Preparing for the FFIEC CAT Phase-Out: Exploring New Cybersecurity Assessment Options for Financial Institutions
By Bryan Newlin, CPA, CISA, Risk Advisory Services Principal, YHB

Navigating the Future: Key Trends for CAEs to Watch in 2025
By Prashant Panavalli, Principal, Forvis Mazars

Top Challenges and Opportunities for Community Banks in 2025
By Allison Maddock, Senior Vice President and Chief Product Officer, CSI

Plan Sponsors’ Five Deadly Sins
By John Schafer, Vice President, National Leader, Financial Institutions Channel, Pentegra

WEST VIRGINIA BANKER
PRESIDENT’S MESSAGE
West Virginia School of Banking: Transformative Education Right Here at Home
By MARK MANGANO, President & CEO, WVBankers

Educating bankers is a key West Virginia Bankers Association value proposition. I was recently reminded that there is no more significant educational opportunity we provide than the West Virginia School of Banking. The banking school experience for our students is transformative. We accept students who have often displayed expertise and commitment to very focused banking aspects and introduce them to the vast and complex elements that must be coordinated to operate even the smallest bank. Our students invariably leave the school changed in their perspectives, appreciations and potential as bank leaders.

In January, I had the opportunity to facilitate a day-long strategic planning session with the banker-led board of trustees for the school. I was immediately struck by the trustees’ passion and commitment to providing students with the highest quality curriculum, faculty and experience. The results from the planning session are the topic for another article. I do want to share some very interesting details about the school that I learned as I prepared for the planning session. The most significant details relate to stability, participation and relevance.

The banking school board and staff have achieved remarkable stability against the backdrop of declining bank charters, pandemic-driven changes of in-person training patterns and increased competition. The school was not held in 2020 and was provided virtually in 2021 due to pandemic restrictions. Apart from the pandemic hiatus, since 2018 the school has maintained enrollment between 64 and 84 students, kept its expenses flat, recruited new faculty and refreshed its board with new leaders.

The school averages enrollment from 55% of state-chartered banks. Nearly all the banks that have sent a student since 2018 have sent multiple students. One-third of state-chartered banks send at least one new student each year. The banks that send students continue to see value in sending more students.

The key to attracting repeat banking customers is the commitment of the trustees and staff to ensuring that the education remains relevant. The school is constantly reevaluating curriculum, instructors, instructional methods, peer learning opportunities and overall experience. As the trustees and staff pursue priorities identified in the planning exercise, I am confident that the school will enhance its relevance to our rapidly changing industry and workforce.

I am gratified by our member banks’ support for our banker-led school. It is truly a center of excellence in the state. The trustees and staff are sensitive to the bank commitment required to send an important team member out of the bank. Their commitment is to ensure that graduating students return with skills, perspectives and relationships that will repay the lost productivity associated with attending the school. If you currently send students to the school, you know the value they return. If you have not sent a student in a while, I invite you to help one of your team members experience a transformative journey right here at home.
Debanking: Financial Services as a Public Utility?
By DREW A. PROUDFOOT, Partner, and AMY J. TAWNEY, Partner, Bowles Rice LLP

In recent years, “debanking” has emerged as a significant issue within the financial services industry. “Debanking” refers to the termination of or refusal to provide financial services to certain individuals, businesses or entire commercial sectors. As debanking becomes an increasingly public concern, federal and state governments are introducing new legislation and regulations to address the perceived problem of financial exclusion.

THE RISE OF DEBANKING

Debanking primarily impacts businesses and individuals in high-risk sectors such as cryptocurrency, money transfer operators and even politically affiliated enterprises. Financial institutions rely on the denial of financial services as a measure to mitigate financial crimes like money laundering, fraud or terrorist financing and protect against financial risk. Banks are required by regulators to conduct thorough customer due diligence, often leading them to close accounts they perceive as risky or non-compliant with regulatory requirements.
While these measures are intended to protect financial systems, public concern has begun to grow around the transparency and accountability related to “debanking” practices. Critics argue that debanking is often arbitrary and discriminatory, with businesses and individuals suffering from arbitrary decisions that hinder their ability to access essential financial services.

LEGISLATIVE RESPONSE: FLORIDA UNSAFE AND UNSOUND PRACTICES

As “debanking” practices become more widespread, legislators have introduced legislation to address public concern and protect access to financial services. One example is the Florida Unsafe and Unsound Practices Statute, effective July 1, 2023, which was designed to ensure that individuals and businesses are not unfairly excluded from the banking system. FLA. STAT. § 655.0323. This statute specifically addresses debanking in the state of Florida and aims to provide a legal framework for individuals and entities who believe they have been unfairly denied banking services.

Under Section 655.0323, financial institutions in Florida are prohibited from denying, canceling, suspending or terminating services to an individual or business or otherwise discriminating against a person in making such services available on the basis of (i) the person’s political opinions, speech or affiliations; (ii) the person’s religious beliefs, exercise or affiliations; (iii) any factor if it is not quantitative, impartial and a risk-based standard, including factors related to the person’s business sector; or (iv) the use of any rating, scoring, analysis, tabulation or action that considers a social credit score.

To provide accountability under the debanking statute, Florida financial institutions are subject to a complaint system, allowing customers to file complaints for alleged breaches of the anti-discrimination guidelines.
Unresolved violations of the law result in a breach of Florida’s Deceptive and Unfair Trade Practices Act, which can carry sanctions and fiscal penalties. In addition to responding to customer complaints, financial institutions are also required to annually attest, under penalty of perjury, whether the entity is acting in compliance with Section 655.0323.

ACCESS TO FINANCIAL SERVICES AS A PUBLIC UTILITY

Federal regulators are also taking steps to address “debanking” and are comparing financial services to public utilities. In a January 2025 speech, former Director of the Consumer Financial Protection Bureau (CFPB) Rohit Chopra contended that bank accounts are an essential service and should be regulated more like a public utility with a baseline expectation of universal access. The former director noted that bankers “should only have the ability to [close accounts] when there is some reasonable business justification or a very clear law or regulation that they are following.”

The former CFPB director suggested revisiting the 2020 fair access rule proposed by the Office of the Comptroller of the Currency (OCC), which requires large banks to provide support for denial of loans or other services to politically sensitive businesses with “objective, qualitative and individualized” risk assessments. Mr. Chopra noted that although the OCC’s fair access rule had some problems, it would be a good start in addressing “debanking.” He encouraged lawmakers to review common-carrier laws to see if these laws may apply to banking and payments. He also promoted requiring banks to provide adverse action notices to customers when closing an account, noting that the anti-fraud analytics and algorithms used to trigger account closure are opaque and require more transparency.
He advocated for “bright line” prohibitions on using characteristics like political or religious views to make account closing determinations, which would be similar to the Florida Unsafe and Unsound Practices Statute.

Although banks already comply with the Equal Credit Opportunity Act and the Fair Housing Act, financial services outside of credit transactions have not faced the same level of anti-discriminatory regulation. Treating financial services as a public utility and the broad implementation of legislation similar to Florida’s Unsafe and Unsound Practices Statute, however, could restrict financial institutions’ ability to manage risk while remaining profitable for shareholders. This new focus on transparency and accountability as it relates to the comprehensive scope of financial services may increase the administrative cost of providing such services.

President Donald Trump alleged that Bank of America and JPMorgan Chase have “debanked” conservative customers. “Debanking” will likely be a priority for the Trump Administration. The president also emphasized in a recent Executive Order that “protecting and promoting fair and open access to banking services for all law-abiding individual citizens and private-sector entities alike” is administration policy. Policy makers in West Virginia will most likely follow suit. The banking industry should continue to monitor any “debanking” legislation proposed in West Virginia and by any federal banking regulators.

Drew A. Proudfoot is a partner in the Morgantown office of the regional law firm Bowles Rice. He specializes in corporate and financial services transactions, including commercial lending, mergers and acquisitions, and business succession planning. Contact Drew at (304) 285-2566 or dproudfoot@bowlesrice.com.

Amy J. Tawney is a partner in the Charleston office of Bowles Rice. She focuses her practice on banking law, mergers and acquisitions, securities law, and regulatory matters. Contact Amy at (304) 347-1123 or atawney@bowlesrice.com.
“Don’t Get Fooled Again!” Refinance Borrower Imposter Fraud
By BOB WISMAN, Business Development Officer, West Virginia Bankers Title LLC

Pete Townshend, the legendary guitarist, penned the song “Won’t Get Fooled Again,” and it was released by The Who in June of 1971. This song is universally regarded as one of the top 10 rock and roll songs of all time. Who knew that they could be talking fraud in a real estate transaction half a century later? (Yes, the pun is intended.) For anyone who has been the victim of wire fraud or seller imposter fraud and continued to work in this field, the following lyrics will really hit home:

“Just like yesterday, then I’ll get on my knees and pray, We don’t get fooled again! Don’t get fooled again, No! No!”
SELLER IMPOSTER FRAUD

Nobody wants to get fooled the first time, but we sure do not want to get fooled AGAIN. By now, almost everyone knows a colleague who has been fooled by a fraudster at least once. Recently, we have been screaming from the mountaintop about seller imposter fraud. If you have not heard about it, there are fraudsters pretending to be sellers and selling property that they do not own — victimizing real estate professionals and property owners alike. Please refer to our S.I.M.P.L.E. — Seller Identity Must Precede Literally Everything — and prior alerts for more information.

In this fraud, we have several elements and red flags:

1. Remote Seller: A remote seller is someone not personally known to the real estate agent and/or the settlement agent, and they will want the proceeds wired.
2. External Execution: Conveyance documents are:
   a. Prepared outside of your office and not known to the realtor or settlement agent; or
   b. Prepared in your office but executed and notarized outside of your office.
3. Unknown Notary: The notary is not personally known to the real estate agent and/or settlement agent.
4. Vacant or Non-Owner Occupied: Investment property, vacation property or other vacant property (including improved and unimproved) where a potential fraudulent sale would not draw the attention of the true property owner.
5. Entity Ownership: In many of these situations, the property is owned by a non-personal entity, such as a corporation, limited liability company or trust. In some cases, the entity was recently formed with the same name as a dissolved entity and purports to transfer the property of the dissolved entity.

The title examination reveals no issues, as the fraudster is pretending to be the actual owner. We need to enlarge our thinking to include a broader definition of the parties. The remote seller can also be a borrower in a cash-out refinance transaction.
Presumably, the bank has vetted the borrower with all sorts of requests, but one cannot rely upon that alone. Do not delegate the protection of your livelihood and your net worth to what “someone else should have done.” Standard procedure would dictate that your standard procedures be followed.

THE OLD FRAUD

The longer one continues to work in real estate, the longer one’s list of war stories of battle scars and near misses becomes. Most of these stories wind up with the storyteller being the hero of the story. Here is one of mine; however, the hero was not me — the hero was “standard procedure.”
Twenty years ago, a friend and colleague at a local bank had referred a client to me for a refinance. I had never met the couple before, which is not unusual. However, I had a comfort level with them because they were the customer of a good friend and referral source. He would never send me someone that was not on the up and up, right? Well, certainly not intentionally. Everything went according to standard procedure — title was good, payoffs were as expected, appraisal was strong, and the couple had worked with my friend on the purchase. They came into my office and sat at the conference table and signed the documents, laughed at my jokes and were looking for a six-figure cash out to fund “some renovations.”

As we concluded the signing, following standard procedure — the hero of our story remained in control — I asked them for their respective driver’s licenses. The husband quickly complied. The “wife” began to pat herself down nervously as if there was an insect crawling up her sleeve. She indicated that she had left the ID in the car. I told her that I would wait for her to retrieve it. She came back after about five minutes, returned to her seat at the conference table across from the “husband” and apologized for leaving her ID on her dresser at home. In our conversations, I had noted that she worked at an office less than half a mile from my office. I suggested to her that she could bring it tomorrow. After all, we still had a three-day rescission period before we could proceed.

The mood changed as she started to get agitated with me and, in a rather aggressive and disgusted tone, demanded to know, “Do you mean to say that if I do not give you my driver’s license, this deal is not going to happen?!” To which my response was, “No ma’am, I did not mean to say that. That is exactly what I am saying.” I guess she expected me and my faithful companion, “standard procedure,” to stand down because she screamed at her “husband” across the table, “YOU SAID I WOULDN’T GET IN TROUBLE!” (In her defense, it sounded like someone screaming at their husband.)

Her outburst and incriminating statements immediately stopped the closing. I informed them that I had just saved them from committing bank fraud. They did not seem very appreciative of me stopping them from going to jail. (The “husband” did not think he had done anything wrong because he signed his own name.) I informed them that if the actual wife was available, I could reprint the loan package; she could come into the office and sign; and we could proceed. It turns out that the co-conspirator “wife” was actually his sister. (Gladly) I never heard from either of them again. I told my banker friend that the wife was unavailable to sign. Standard procedure saved the day and kept this (probably soon-to-be divorced) “husband” from depleting all of the equity out of the marital home without the wife’s knowledge and going to jail in the process.

These people were sitting in my office. Imagine how much easier it would be if it were a mail-away and all that I had were copies of the IDs and no opportunity to compare them to the actual individual’s face or signature.

MEET THE NEW FRAUD, SAME AS THE OLD FRAUD

Recently, we have seen a new twist to the seller imposter fraud — refinance owner imposter fraud, which is essentially just like what I encountered 20 years ago. However, it is easier to do because they can send in copies of IDs via fax or email, and most people would take them. After all, the bank only required that the settlement agent “get copies” of the proof of identification. Imagine someone saying, “The bank did not require that I look at them.” In fact, the bank requires that the actual borrowers sign the documents. For that matter, so does the law and common sense.

This refinance fraud happened last month. A bank referred a settlement agent to a refinance closing, which involved a cash back to the borrower of over a half million dollars. This was a mail-away — a nonsensical term for a transaction involving someone’s home, someone’s career and over $500,000. We are not talking about sending away box tops to get an Annie Oakley decoder ring. We are talking about life- and career-altering consequences.

The settlement agent received copies of the IDs from the fraudster. Forget the fact that there was no verification or validation of the IDs. Forget that the fraudster/borrower sent them by facially anonymous means. Anyone who has seen NBC’s “To Catch a Predator” knows that anyone on the other side of the internet connection can pretend to be anyone. Reality is merely an arbitrary inconvenience to a cyber-criminal.

The settlement agent received the refinance documents back from the borrower refinance imposter and disbursed the wire. After all, the agent had IDs, and the documents were notarized by someone who may be dead or alive; may or may not have a commission; may or may not have ever met the borrower to acknowledge the documents; or may or may not even know that the transaction took place. See where we are going here? There are many bank robbers that have shot people over $10,000 or less. Does anyone really believe that a criminal is going to draw the moral line at forging a notary’s signature?

MAIL-AWAYS — KILL THEM BEFORE THEY KILL YOU

When a nuclear weapon goes missing, they call it a “broken arrow.” This leaves us to wonder which is more disturbing: 1) the fact that a nuclear weapon is missing or 2) the fact that it is so common that we have a term for it. Mail-aways are a similar term. Is it more disturbing that: 1) people are transacting this type of business transaction without ever validating the people in the transaction or 2) that it is so common that we have a term for it, and everybody seems to do it?

If you are handling a mail-away transaction, what protections do you have in place? Did the documents go to the property address or the tax address? Did you select or are you otherwise in control of the notary? If the borrower (whether real or fraudulent) controls the notary, then you have an open door to get compromised. Do you merely request copies of the IDs, or do you compare them to the individual in real time? If you just get copies and pass them along, then you have an open window as well. Do you know whether the actual borrower executed the documents or not? If you allow the borrower (whether real or fraudulent) to control these vital and fundamental pieces of the transaction, you are playing with a broken arrow that can blow up your entire world.

WHO ARE YOU?

To borrow another phrase from The Who and Pete Townshend, just ask, “Who are you? Who, who, who, who?” He really wanted to know and so should you. The Who used the word “who” in this classic tune 150 times. If you are closing a mail-away and not even asking this question in earnest once, you need to take a step back and ask this question over and over again.

“So, I still have to do mail-away closings. What do I do to protect myself?” If you find yourself in this situation, first, you can control the notary. Do a little research, arrange for a notary in their town and require the use of that notary. For example, hire an attorney or title agent to handle the acknowledgment. This will cost the borrower a little money, but it’s probably cheaper than time off from work and a plane ticket to your office. You could even find a bank in their neighborhood that probably has a notary with the confidence that they were vetted upon hiring.
You might not know any of these notaries, but one thing is for certain — the borrower does not either. It is more important that the borrower does not know the notary than it is that you know the notary. Of course, you will want to go over the documents with the signers in real time. Have the notary present while you have the borrowers on screen or on the phone. If you are in a state where Remote Online Notarization (RON) is permissible, then use RON to conduct the closing. Each of these solutions takes a little more thought and planning but is well worth the time for a little peace of mind that you know “who, who, who, who” is signing the documents.

Some things never change. You need to know your customer — your client. Meet the new boss — same as the old boss!

Robert “Bob” Wisman is a life-long West Virginia resident. He has been married for over 30 years and has three children. Bob graduated from West Virginia University with mechanical engineering and business administration degrees. He brings a breadth of experience in financial services, real estate, project management and marketing with over 25 years of proficiency. He resides in Morgantown and enjoys WVU sports, the outdoors and spending time with his family.
Preparing for the FFIEC CAT Phase-Out Exploring New Cybersecurity Assessment Options for Financial Institutions By BRYAN NEWLIN, CPA, CISA, Risk Advisory Services Principal, YHB The FFIEC Cybersecurity Assessment Tool (CAT) has been a critical resource for financial institutions to assess their cybersecurity preparedness. However, with the upcoming phase-out of the CAT on Aug. 31, 2025, financial institutions must prepare to adopt a new framework to maintain effective cybersecurity risk management. In this article, we’ll review the intentions of the CAT, key dates to be aware of, and explore viable alternatives for future assessments. The FFIEC CAT was first introduced to help financial institutions benchmark their cybersecurity posture, create a path for continuous cybersecurity improvement, and provide evidence for audits and examinations. Despite these benefits, the CAT presented several challenges, particularly for smaller institutions. With 494 declarative statements, scaling it for all sizes of financial institutions proved difficult, leading to the decision to phase it out. EXPLORING VIABLE ALTERNATIVES The announcement from the FFIEC on Aug. 29, 2024, provided examples of several frameworks and tools that are available to replace the CAT. Each option offers unique benefits, depending on the size and complexity of the institution. It will be important for financial institutions to select a cybersecurity risk management framework that aligns with its size and complexity and achieves the benefits required from its cybersecurity goals. Here, we briefly discuss the frameworks to give financial institutions a starting point for selecting the appropriate one: 1. NIST Cybersecurity Framework 2.0: The NIST Cybersecurity Framework 2.0 includes six core functions (Govern, Identify, Protect, Detect, Respond and Recover), making it a comprehensive option for managing cybersecurity risks. 
It’s widely recognized as the gold standard in risk management and is adaptable to financial institutions of various sizes. NIST CSF 2.0 can be used as a maturity model using a four-tiered system, providing a path to improving cyber maturity over time. The framework, however, is large and could prove laborious for a community bank to execute, given the myriad responsibilities that tend to fall to IT and Operations teams in smaller settings. 2. CISA Cyber Performance Goals: Designed specifically for small- and medium-sized businesses, the CISA Cyber Performance Goals are practical, threat-informed goals that align with NIST but exclude the Govern function. The goals themselves declare that they are not a framework. However, they offer actionable steps for improving both IT and operational technology (OT) cybersecurity. The CISA Cyber Performance goals could be considered a minimum set of cybersecurity standards, so if financial institutions choose to adopt this model, they may need to migrate to another, more sophisticated model after achieving the stated goals. 3. Cyber Risk Institute (CRI) Cyber Profile: Focused on financial institutions, the CRI Cyber Profile is a streamlined tool that helps financial institutions assess cyber risk based on the significance of its (the FI’s) impact on the financial systems. The Cyber Risk Institute (CRI) is a nonprofit coalition of financial institutions and trade associations that lends industry knowledge to the CRI Cyber Profile. Most community banks will likely fall into the Tier 4 category, which contains 208 diagnostic statements, significantly fewer than the FFIEC CAT’s 494 declarative statements. It’s self-contained within an Excel format and allows FIs to complete only the applicable tier, making it ideal for community financial institutions. If this sounds similar to the CAT, it is. Of all the frameworks evaluated here, the CRI Cyber Profile will look and feel most like the FFIEC CAT. 4. 
CIS Top 18 Controls: The CIS Top 18 Controls provide a set of best practices categorized into three implementation groups (IGs) based on a company’s size and cybersecurity resources. But just because 16 WEST VIRGINIA BANKER
the title is the Top 18 Controls, the CIS controls are really grouped into 18 different control families. Each control family includes a series of safeguards with understandable definitions and control suggestions. The CIS controls are industry-agnostic, so don’t expect to find financial institution-specific controls. The controls provided, however, are sound and will provide financial institutions with a valuable roadmap to improve their cybersecurity posture. 5. AICPA SOC for Cybersecurity: You have probably seen SOC 1 and SOC 2 reports as part of your vendor management and due diligence process. A lesser‑known but equally valuable report is the SOC for Cybersecurity Examination, which offers an attestation report and opinion from an independent CPA firm on the cybersecurity risk management program of any entity, not just third-party service providers. It evaluates management’s description of its cybersecurity risk management program and the operating effectiveness of controls supporting its cybersecurity objectives. Often, the cybersecurity controls are defined using the AICPA’s Trust Services Criteria for security, availability and confidentiality, similar to a SOC 2 report. A unique characteristic of the SOC for Cybersecurity report is its designation as a general use report, which means distribution of the report is not limited and can, therefore, be shared with shareholders, customers, prospective customers, vendors and any other stakeholder. With the CAT’s removal on the horizon, financial institutions should begin planning their transition to an alternative framework. For more detailed guidance on preparing for the CAT phase-out, watch a previously recorded webinar presented by YHB’s Risk Advisory Services expert, Bryan Newlin, CPA, CISA, on YHB’s Engagement Hub by scanning the QR code. 
https://gateway.on24.com/wcc/eh/4362613/lp/4782607/preparing-for-the-ffiec-cat-phase-out-exploring-newcybersecurity-assessment-options-for-financial-institutions

Bryan began his career with YHB in 2005 and has been a key leader in YHB’s respected Risk Advisory Services practice since 2007. Focusing attention on two of the most well-known technology internal control frameworks — the AICPA’s Trust Services Categories and ISACA’s COBIT® framework — Bryan works across industries to help clients identify and mitigate information and technology risk.
Navigating the Future: Key Trends for CAEs to Watch in 2025

By PRASHANT PANAVALLI, Principal, Forvis Mazars

As they navigate the choppy waters of a constantly evolving banking environment, chief audit executives (CAEs) within large financial institutions find themselves at the helm of unique challenges and intricate risks. Simple proficiency in risk management is no longer sufficient. Understanding the key risks, emerging trends and transformative technologies that continue to shape the internal audit shoreline going forward into 2025 remains a critical mandate for many financial institutions. CAEs need to know how to stay ahead of these changing trends as they continue to reverberate throughout the broader banking ecosystem.

EMERGING TECHNOLOGIES

In recent years, the banking industry has been transformed by the swift pace of technological advancements. While these innovations offer opportunities for efficiency and growth, they also present significant risks and challenges. The following are four technology trends impacting financial institutions:

• Cloud Services: Banks continue to expand their cloud computing services. CAEs must assess the security, privacy, data and operational needs of the cloud, including establishing cloud services policies, roles, responsibilities and processes. Internal audit also should assess the cloud’s design and architecture, including its scalability, redundancy and performance. In addition, the cloud’s security measures should be evaluated to assess encryption protocols, access controls, vulnerability management and incident response capabilities.

• Artificial Intelligence (AI): CAEs must establish appropriate guardrails to manage AI, including governance, policies, monitoring and risk mitigation. AI can be used to automate routine and manual internal audit functions such as reconciliations, compliance checks and data extraction and provide greater agility to internal audit teams. However, organizations should take action to have an AI model development policy in place to help avoid potential risks.

• Endpoint Security: With the hybrid workplace introducing new and extended cybersecurity risks, CAEs need to perform endpoint security audits to assess vulnerabilities and help ensure appropriate security measures. Internal audit teams should review access controls, user permissions and encryption settings, as well as perform continuous monitoring.

• Intrusion Detection/Incident Response: As cyberattacks increase in frequency and sophistication, it is critical for internal audit departments to help ensure the effectiveness of the organization’s intrusion detection and incident response. This can be done by assessing the effectiveness of intrusion detection systems, log analysis and threat intelligence feeds.

DATA MANAGEMENT

Effective data management is crucial for CAEs to understand and help organizations enhance the value of their data assets, mitigate risks and achieve business objectives. There are three key focus areas that CAEs should consider:

• Data Governance and Policies: CAEs should continue to manage the availability, usability, integrity and security of data. Proper data governance will help identify and assess data-related risks such as data breaches, compliance violations and inconsistent data management.

• Data Quality and Controls: CAEs should enforce data entry standards and validation rules and perform data quality audits. Conducting data quality audits helps organizations detect errors, gain deeper insights and utilize data to mitigate risks. Data controls also must be put in place so that data meets predefined quality standards.

• Data Operations and Analytics: CAEs must make sure that data is collected, stored and processed properly. Through identifying patterns and anomalies, predictive analysis, improving benchmarking, and continuous auditing, data analytics can help provide real-time insights into risks.

PRIVACY PROTECTIONS

Financial institutions manage large volumes of sensitive information, and security remains the bedrock of data privacy compliance. CAEs must understand the intricacies of different privacy regulations across numerous countries. An accountability framework can help banks design an effective compliance program to protect customer privacy. In addition, this framework will establish risk-based, appropriate, and enforceable actions and controls for teams to implement. Internal audit teams should also consider how to validate that data privacy policies and procedures are designed and operating effectively within the organization.
KEY RISK CONSIDERATIONS

Banks operate in a complex environment filled with risks and challenges that significantly influence their operations and strategic decisions. These risks, ranging from economic conditions to regulatory compliance, have a profound impact on banks and the CAEs managing the internal audit function. The following are four key risks that CAEs must consider:

• Liquidity Risk: CAEs should make sure their organization has strategies, policies and practices to manage liquidity risk in accordance with the organization’s risk profile and help ensure liquidity. CAEs must install procedures to test liquidity ratios and make sure there is sufficient stress testing. In addition, CAEs can utilize contingency funding plans to assess the completeness, feasibility and effectiveness of liquidity stress tests.

• Strategic Risk: The connection between bank strategies and long-term market trends and investor expectations is drawing greater attention. CAEs must orchestrate strategic planning and rigorous risk assessment processes to help with compliance assurance, proactive risk management, and organizational and strategic readiness.

• Regulatory and Compliance Risk: The introduction of Fundamental Review of the Trading Book regulations imposing stringent capital requirements and risk management standards will require CAEs to adapt their operations to meet these new regulatory demands and avert potential compliance issues. As such, CAEs must stay agile to adapt to the fast-paced regulatory environment and have structured and sustainable approaches to help document regulatory requirements, understand risks and improve decision-making.

• Credit/Counterparty Risk: CAEs should develop a comprehensive assessment of the organization’s credit and counterparty risk, which encompasses financial metrics as well as qualitative aspects such as operational resilience, legal implications and risk models. Risk models should utilize credit ratings, exposure limits, collateral and market conditions to evaluate risks. CAEs also should consider the organization’s risk profile by evaluating a counterparty’s creditworthiness and potential vulnerabilities.

A CAE’S ROAD MAP FOR SUCCESS

Addressing the key risk areas requires a holistic internal audit approach that integrates proactive risk assessment, compliance and strategic planning. Developing robust policies that effectively identify and manage these risk issues early can help provide enduring best practices over the long term. Embracing these trends and emerging technologies, while fostering a culture of adaptability and innovation, can help CAEs adeptly navigate an evolving banking horizon with confidence and steer their organizations toward sustainable and responsible growth.

Prashant is a principal with extensive experience in risk, regulatory compliance, accounting and IT application. He leads the development and growth of the Insurance Practice, for the second and third lines of defense, focused on internal audit and risk management. His areas of expertise include internal audit, SOX, ERM, project and team management, process transformation, and enterprise risk management. His experience encompasses evaluation and build-out of internal audit assurance analytics programs (vision, mission, tools and technologies, structure and staffing, best fit future state recommendations, including KPI and metrics) and process transformation build-out focused on integrating risk management and financial reporting functions to be more efficient and effective. He has also led the build-out of the internal audit and SOX functions; developed ERM programs across various risk verticals, such as operational risk, model risk, credit risk, etc.; and assisted with the execution of internal audits of complex areas such as liquidity, model risk and investments. Prashant is a graduate of Pace University, New York, New York, with a B.S. in accounting.
Top Challenges and Opportunities for Community Banks in 2025

By ALLISON MADDOCK, Senior Vice President and Chief Product Officer, CSI

Continued adoption of open banking, enhanced cybersecurity and evolving regulatory concerns shape what financial institutions must consider when developing their strategies. However, these areas also represent a tremendous opportunity for those who adapt. CSI’s Banking Priorities Survey — which asked a cross-section of community bankers nationwide about their strategies and priorities for 2025 — explored both, taking the industry’s pulse and plans for the year.

2025’S FOREMOST CHALLENGE: CYBERSECURITY/DATA PRIVACY

Although we’ve made advances in cybersecurity monitoring technology, cyberattacks continue making headlines and concern institutions of all sizes. The average cost of a data breach rose from $5.9 million in 2023 to $6.08 million in 2024. A successful cyberattack can also expose an institution to reputational and legal consequences. For all these reasons, paired with regulatory scrutiny, 28% listed cybersecurity/data privacy as the most pressing issue, surpassing all other concerns.

To stay ahead of cyber threats, institutions need around-the-clock monitoring and response. A managed cybersecurity monitoring platform helps institutions identify anomalies and send alerts for investigation to ensure the threat doesn’t spread. Solutions like data loss prevention (DLP) help institutions protect their data and control how it’s shared. Implementing cyber hygiene is another effective strategy to improve security and keep employees and consumers safe.

2025’S SECOND MOST SIGNIFICANT CHALLENGE: INTEREST RATES

Interest rates surged in 2022 and 2023 due to the Federal Reserve’s efforts to curb inflation, creating a challenging environment for community banks.
Bankers’ concern for interest rates has lowered since 2023, potentially due to stabilizing rates and anticipated future rate changes from the Fed. Nevertheless, it ranked second highest on their list of concerns. This economic uncertainty is prompting a prioritization of digital account opening and related technologies, emphasizing gaining new accounts and low-interest deposits. Institutions should also evaluate opportunities within their existing market and portfolio. Diversifying portfolios through resources like lending marketplaces is another avenue institutions are exploring to weather the effect of high interest rates.

BANKERS’ TOP TECHNOLOGY INVESTMENTS

Financial institutions are doubling down on digital-first technology investments to meet the evolving needs of a convenience-driven, tech-savvy clientele.

2025’s Leading Investment: Efficiency Drivers like Automation or AI

At the forefront of technology investments lies efficiency drivers like automation or AI, with 43% of bankers acknowledging its importance. Most banks are seeking efficiencies in back-office processes, with some beginning to utilize AI and automation to remove manual steps and add new functionality. The rise of generative AI tools, which the following discusses, offers the potential for heightened efficiency in the banking sector. Automation enables banks to streamline processes, improve customer interactions and strengthen fraud detection.

2025’s Second Highest Ranking Investment: Data Analytics and Reporting

Garnering 42% of the vote, data analytics and reporting are transforming banking and customer experience. Data analytics and reporting provide banks with insight to understand customer behavior and identify areas to better serve them, including customizing offerings and promoting them via the digital experience. Using data analytics and reporting to personalize the digital experience is the core of digital engagement.
To improve digital engagement, banks should strive to provide unique solutions to best serve customers and increase the adoption of those services. The more personalization banks build into their products and experiences, the more they will drive engagement, adoption and loyalty.

BANKERS’ TOP OPPORTUNITIES FOR 2025

Bankers are strategically engaging with consumers and embracing transformative trends that promise to redefine banking operations and customer service in the years to come.

2025’s Greatest Opportunity: Harnessing the Power of AI

33% of bankers surveyed named AI as 2025’s top technology trend. Generative AI applications, for example, promise hyper-personalized, around-the-clock service. If deployed well, this could enable community banks to level the playing field. From virtual assistants to content creation tools, the applications of generative AI are vast, offering banks newfound agility and efficiency in meeting customer needs. By embracing these deep learning technologies, institutions can position themselves as leaders in innovation and customer-centricity, driving sustained growth and profitability in an ever-evolving landscape. However, time will tell how regulations and successful use cases permeate the industry.

2025’s Second-Greatest Opportunity: Real-Time Fraud Detection

As fraud continues to skyrocket, 17% of bankers selected real-time fraud detection as the top technology trend poised to affect the industry in 2025. FTC data showed consumers reported fraud losses totaling more than $10 billion in 2023, particularly in areas like check fraud. Real-time fraud detection presents a valuable opportunity for community banks in 2025. From synthetic identity fraud to check fraud, AI-powered solutions that analyze copious amounts of data stand to help institutions fight these evolving threats. Institutions should inform customers about these evolving fraud tactics.
NAVIGATING THE ROAD AHEAD FOR COMMUNITY BANKING

From digital banking to AI and open banking, bankers are strategically engaging consumers and capitalizing on emerging trends, demonstrating measured confidence in navigating the ever-changing financial landscape. This article only scratches the surface of their planned investments. See a more complete picture in the 2025 Banking Priorities Executive Report by scanning the QR code.

https://info.csiweb.com/csi-banking-priorities-2025

Allison Maddock serves as senior vice president and chief product officer, a role in which she leads CSI’s product management team to deliver solutions aligned with CSI’s vision and strategy. As a member of the executive leadership team, she uses her product management, strategy, operations and technology expertise to advance CSI’s products and services.
Plan Sponsors’ Five Deadly Sins

By JOHN SCHAFER, Vice President, National Leader, Financial Institutions Channel, Pentegra

Despite all the 401(k) media attention and national plan fiduciary discussion, plan sponsors continue to make very common mistakes year after year that are relatively easy to identify, fix and avoid with the right help. Mistakes can be opportunities to improve existing retirement plans for the better, but they can also be costly.

And it’s costing plan sponsors a bundle. The Employee Benefits Security Administration (EBSA) unit restored over $1.4 billion to employee benefit plans, participants and beneficiaries in FY 2023.¹ A vast majority of the Voluntary Fiduciary Correction Program (VFCP) submissions were from oversights and omissions from unknowing plan sponsors. At the core of the problem is the assumption by many that plan sponsors understand their role as plan fiduciaries when, in fact, many are very uninformed.

As retirement plan advisors, you are in a unique position to offer some non-fiduciary value-added educational services to help ensure an insignificant plan administration error does not grow into something more complicated and expensive. The fact that the same errors occur every year means there’s an opportunity to strengthen your value proposition and differentiate yourself from your competition by helping create risk-avoidance strategies. You can help clients and prospects save time and money by educating them on fiduciary exposure and how it can be reduced.

Fortunately, both the Internal Revenue Service (IRS) and the DOL have established programs that allow self-correction of these types of mistakes. Under the IRS self-correction programs, most errors can be fixed without notifying the agency or paying a fee. Like the IRS, the DOL’s programs are simple and relatively inexpensive.
Get started by focusing on the top five mistakes and make an impact on your clients’ bottom line by helping them identify, fix and avoid these costly errors:

1. Failure To Update Plan Documents: By far, the most common mistake plan sponsors make is failing to update their plan documents to reflect recent changes in the law in a timely manner. The IRS urges plan sponsors to review their plan documents annually and maintain regular contact with their plan provider. They also suggest a “reminder” system to automatically notify plan sponsors when changes must be completed.