2025 Pub. 16 Issue 4

PRESIDENT’S MESSAGE Enhancing Member Engagement WINTER 2025 Get Smart About the GENIUS Act


©2025 West Virginia Bankers Association (WVBA) | The newsLINK Group LLC. All rights reserved. West Virginia Banker is published four times per year by The newsLINK Group LLC for WVBA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of WVBA, its board of directors or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. West Virginia Banker is a collective work, and as such, some articles are submitted by authors who are independent of WVBA. While a first-print policy is encouraged, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at (855) 747-4003.

Contents

• PRESIDENT’S MESSAGE: Enhancing Member Engagement. By Mark Mangano, President & CEO, WVBankers
• Effective Advocacy is a Collective Effort. By Bryce Himelrick, Government Affairs Strategist, WVBankers
• Get Smart About the GENIUS Act. By Jordan Maddy, Attorney, and Ben Thomas, Partner, Bowles Rice LLP
• Your Board’s Cybersecurity Oversight Probably Isn’t Good Enough. By Steve Sanders, Chief Risk Officer and Chief Information Security Officer, CSI
• Have You Covered Fair Lending Considerations in the Debt Collection Process? By Tara Booth, Virtual Compliance Officer, Compliance Alliance
• Ian F. McDowell Named to Forbes Top 200 CPAs List
• How To Protect Your Financial Services Firm from Social Engineering Attacks. Courtesy of Travelers
• ACT Deposit Program: A Simple Solution for Improving Your Bank’s CRA Rating. By Diane Ellis, Senior Managing Director, IntraFi
• 2026 WVBankers Calendar of Events

PRESIDENT’S MESSAGE

Enhancing Member Engagement
By MARK MANGANO, President & CEO, WVBankers

The association’s primary focus for 2026 is to enhance member engagement. We believe that increased member engagement improves the association’s ability to understand and respond to member needs and provides greater opportunities for interested bank leaders to participate in guiding association priorities and advancing our industry.

There are two major components to member engagement. The first component relates to the association’s activities to communicate with its members. We currently reach our members through electronic channels, West Virginia Banker magazine, annual convention, banker legislative day, educational programming, banking school and personal outreach. The second component relates to creating meaningful and rewarding opportunities for interested bank leaders to participate in guiding association priorities and governance. Bank leaders currently participate by serving on the board of directors and board committees. In addition, bankers provide oversight for the West Virginia Bankers PAC, Banking School, Proserv and committees related to legislative strategy, investment and audit. We also periodically form workgroups to address specific industry issues.

The association’s member engagement activities are already robust. However, we recognize that improvement would benefit our members and the industry. Increasing in-person outreach and conversation will help us better understand and respond to changing member needs and ensure that members are informed on how to use association membership to their best advantage. Increasing association governance opportunities for interested bank leaders allows them greater opportunities to become better informed about industry trends, expand peer networks and serve the West Virginia banking community.

Enhancing membership engagement requires changing how the association is staffed and managed. We are fortunate to have talented professional staff committed to pursuing innovations to better serve our members. We began those innovations in 2025, and we will continue their development in 2026.

In 2025, the association engaged in four significant organizational improvements to increase efficiency and free resources to increase and enhance member engagement activities. First, the association substantially outsourced and automated many accounting and administration functions. Second, we added our political strategist, Bryce Himelrick. Third, we developed plans to better utilize the exceptional abilities of our education director, Amanda Cunningham, and our communications and convention director, Allison Boyd. Fourth, we began recruiting for a new staff member to support communication and event planning activities to free up Amanda, Allison and Bryce to focus more time on strategy, innovation and member engagement.

Amanda, Allison and Bryce will be assuming expanded responsibilities. Amanda will be responsible for all professional development activities. Allison will be responsible for membership development, including associate members and endorsed partners. Bryce will be responsible for political engagement activities that include PAC, legislative affairs and banker political participation.

This year, we will continue to reorganize our time and resources to increase personal outreach from Amanda, Allison, Bryce and me. We look forward to expanding and deepening our relationships with member bankers. We will also organize three new committees to provide oversight for Amanda, Allison and Bryce as they develop their areas of responsibility. We are committed to making service on the new oversight committees meaningful and rewarding.

We will be working hard to implement our member engagement enhancement strategies while continuing to provide excellent service on our existing services and programs. We will keep you informed as the changes develop. If you have an interest in serving on an association committee, please let me know. I would be delighted to explore opportunities for you to lend your expertise to improve our association and our industry.

Effective Advocacy is a Collective Effort
By BRYCE HIMELRICK, Government Affairs Strategist, WVBankers

Greek philosopher Epictetus said, “In life our first job is this, to divide and distinguish things into two categories: externals I cannot control, but the choices I make with regard to them I do.”

On Jan. 14, 2026, legislators will gather under the Capitol’s gold dome and gavel in for the 60-day Regular Session of the West Virginia Legislature. 2026 can either be a year where the Legislature, writ large, focuses on issues of economic development and pro-business reform, or it may be a year where populist, national issues are at the forefront. This is not within our control. However, echoing Epictetus, our response to it is.

Each day of the Session, regardless of its tone or tenor, the West Virginia Bankers Association team will be within the marbled walls of the Capitol advocating for our industry. Our focus will be on advancing legislation that allows banks to prosper, protect their customers, and support job creation and economic development. No matter the externalities (and there will be many), our message will be steadfast and consistent. We will communicate with legislators of every persuasion to advance our message and highlight banking’s centrality to West Virginia’s economic future.

Our path in 2026 will be bolstered by our success in 2025. Our team worked tirelessly, in an often-difficult environment, to achieve significant policy wins for you. These eliminated red tape, allowed banks to quickly and ably respond to market conditions, and empowered banks to most effectively serve West Virginia’s citizens, businesses and governments. In part, we achieved such success because we worked daily at the Capitol to advocate both for our agenda and against legislation that exposed banks and businesses to excessive government interference or litigation. This is often intense work, with tight deadlines and a quick pace. Our ability to succeed in this environment, however, would not be possible without you.

When a bill comes before the Legislature, lobbyists from every side will share their views and resources with legislators. That is the nature of the process. However, legislators often wish to understand policy from a localized perspective to understand impacts on their community, its economy, businesses and residents. And with a statewide membership of bankers who are trusted business leaders in West Virginia’s communities, we stand equipped to connect legislators with input from their own backyards. It gives our advocacy efforts a personal touch and enhances credibility when legislation is supported by bankers from legislators’ own districts.

Member engagement in 2025 was a decisive difference-maker in our ability to navigate close votes. We thank those who took the time to engage, speak to legislators and magnify the banking industry’s voice from every corner of the state. Our unified voice is our most effective response when the legislative climate is unpredictable.

In the coming months, we will share resources and information with you. This will range from inviting you to the WVBankers Legislative Day on Jan. 27, where you can learn from and talk to legislators and statewide officials, to sharing information about the session’s progress and our priorities. There will be calls to action, and your participation in these efforts will empower us in our daily work to advocate for a stronger banking and business climate in West Virginia. Our best defense against an uncertain legislative climate is to empower all of our members to be an extension of our advocacy team. We look forward to working with you.

Get Smart About the GENIUS Act
By JORDAN MADDY, Attorney, and BEN THOMAS, Partner, Bowles Rice LLP

On July 18, 2025, President Trump signed the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the GENIUS Act) into law. The GENIUS Act erects a new regulatory framework for payment stablecoins that will impact the financial services sector in a variety of ways. In this article, we outline the new regulatory framework and identify some initial policy risks for bankers to consider. Stablecoins are blockchain-based cryptocurrencies. Blockchain is digital ledger technology that allows for transactions to be recorded in an encrypted, shared ledger in accordance with established network policies. But unlike bitcoin and other untethered investment cryptocurrencies that use blockchain technology, stablecoins are asset-backed tokens intended to hold a stable dollar value on a 1:1 basis with maintained reserves of cash, short-term Treasuries and other permitted assets. The GENIUS Act governs payment stablecoins, which are stablecoins that are intended to be used for payment while maintaining a fixed value and a right to redemption. Stablecoins are intended to facilitate 24/7 transaction settlement, permitting parties to instantly move money anywhere in the world at any time for very little cost. They are used in connection with merchant payments, business-to-business payments and cross-border transfers. Time will tell how readily the consumer and business communities in our region will adopt these assets. The ramifications for the financial services sector could be transformational, with potentially significant downward pressures on income-deriving activities like extending credit. The following discusses the key rules set out in the GENIUS Act. 
First, payment stablecoin issuers must qualify as one of the following kinds of entities: (i) a non-bank licensee of the Office of the Comptroller of the Currency (the OCC) who is authorized to issue stablecoins; (ii) a subsidiary of an insured depository institution or insured credit union that is supervised by a primary federal regulator (i.e., the Federal Reserve, the FDIC and the OCC); or (iii) a state qualified issuer approved by a state payment stablecoin regulator that complies with federal requirements. Issuers must comply with the provisions of the Bank Secrecy Act, even if the issuer is a nonbank entity.

Second, all stablecoin issuers must maintain an asset reserve that equates to the value of the stablecoins issued. This is referred to as 1:1 reserve backing. The reserve assets may consist of U.S. dollars, federal reserve notes, funds held at certain insured or regulated depository institutions, certain short-term Treasuries and Treasury-backed reverse repurchase agreements, and money market funds. Each issuer must provide monthly public reporting on its website as to the composition of its reserve portfolios.

Third, stablecoin issuers are required to offer redemption or repurchase of their issued stablecoins for a fixed amount of monetary value. Redemption policies must be publicly disclosed and provide clear procedures for the timely redemption of outstanding stablecoins. Any fees associated with purchasing or redeeming stablecoins must also be disclosed clearly. Furthermore, stablecoin issuers cannot pledge the reserved assets that underpin the payment stablecoins, unless the pledges are for the purpose of creating liquidity to satisfy reasonable redemption expectations. Pending regulations are expected to clarify further requirements for redemption.

Fourth, importantly for banks, stablecoin issuers are not permitted to pay any interest on the stablecoins they issue. But the GENIUS Act leaves open the possibility of an issuer partnering with third parties to offer other kinds of financial rewards or incentives to such issuer’s coinholders. We anticipate that the contemplated regulations will provide further guidance in this area. Recent comments from the OCC suggest that federal regulators may not feel compelled to implement restrictions on stablecoins that receive interest-like benefits. Bankers should keep apprised of developments in this area and work with advocacy groups to preserve the value of this statutory limitation.

Finally, stablecoin issuers may not commingle reserve assets backing stablecoins with other assets or use deceptive terms in marketing, such as representing that their stablecoins are backed by the full faith and credit of the U.S., guaranteed by the U.S. government or covered by federal deposit insurance. Misrepresentation is subject to civil penalties.

With these rules in mind, what impact could payment stablecoins have on a bank’s traditional deposit-taking and lending functions? Mainstream adoption of stablecoins could shift dollars out of bank deposits and into stablecoin wallets and Treasuries. This would likely reduce the available credit supply because dollars that would otherwise fund lending through bank deposits would migrate to cash or government securities that are not used for extending credit within a bank’s market. Additionally, mass redemptions of stablecoins that mirror traditional bank runs could result in reserves migrating quickly out of banks that are holding deposits for stablecoin issuers. Maintaining public confidence in stablecoins is critical to preventing runs on issuers.
Unlike a bitcoin valuation crash, a run on stablecoin issuers would have a significant market impact because it could cause either a mass sale of Treasuries, thereby depressing the market price of Treasuries, or a second-order run on banks to the extent that stablecoin reserves are stored with depository institutions.

Regardless of whether banks elect to issue stablecoins themselves, many will have customers who seek to use stablecoins for regular transactions, especially companies that regularly engage in international trade. Understanding these rules and the operational mechanics of payment stablecoins will be crucial for banks to serve such customers.

The GENIUS Act represents the federal government’s first significant foray into cryptocurrency regulation. Importantly, the primary federal regulators will issue regulations addressing several key components of the act in the months ahead. The GENIUS Act takes effect on the earlier of Jan. 18, 2027, or 120 days after the primary federal stablecoin regulators issue final regulations. These regulations must be issued by July 18, 2026.

Between now and then, bankers should stay informed about payment stablecoin developments and remain involved with their local banking associations. Bankers should continue to educate themselves on the potential impact of stablecoins on core banking functions. They should also advocate to hold the line on the prohibition of yield-bearing stablecoins. Among other things, this will mean seeking additional prohibitions on third-party alternatives (or workarounds) to the interest prohibition, such as rewards programs for the holders of certain stablecoins.

Jordan C. Maddy is an attorney in the Morgantown, West Virginia, office of Bowles Rice LLP. His practice involves a wide variety of transactional matters, including mergers and acquisitions and commercial finance. Email Jordan at jmaddy@bowlesrice.com.

Benjamin R. Thomas is a partner in the Charleston, West Virginia, office of Bowles Rice LLP. He focuses his practice in the areas of mergers and acquisitions and commercial and financial services. Email Ben at bthomas@bowlesrice.com.

Your Board’s Cybersecurity Oversight Probably Isn’t Good Enough
By STEVE SANDERS, Chief Risk Officer and Chief Information Security Officer, CSI

Most bank boards struggle with cybersecurity oversight because they don’t know what questions to ask, how to interpret the answers or whether their security measures are working. Directors may approve cybersecurity budgets without understanding if those investments actually reduce risk, or they may review incident reports without grasping whether response times meet industry standards. They can describe their cybersecurity framework, but often can’t explain what their institution does with the results.

The challenge is compounded further when cybersecurity is presented as a jargon-filled IT issue rather than the business-critical risk it represents, creating a dangerous gap between regulatory expectations and board-level understanding that leaves institutions vulnerable — not just to cyber threats, but also to regulatory scrutiny.

Whether you’re a director seeking to understand what your institution’s NIST Cybersecurity Framework (CSF) or ISO framework results really mean for your risk profile, or an executive preparing risk dashboards, security briefings and incident reports for your board, the ultimate risk assessment strategy is to provide practical approaches that close the cybersecurity literacy gap.

Board cybersecurity literacy doesn’t mean directors must become technical experts. However, it does require structured questioning, transparent reporting that translates technical risks into business impact and honest assessment of organizational maturity.

THE UNCOMFORTABLE TRUTH ABOUT BOARD CYBERSECURITY LITERACY

Here’s what I’ve observed after years of working with bank boards: Most of them generally don’t meet expectations when it comes to cybersecurity oversight. That’s not an indictment of their dedication or intelligence; it’s simply recognition that cybersecurity has evolved faster than board education.

Many directors can tell you which framework their institution uses — whether it’s the NIST CSF, ISO standards or something else. But when you dig deeper and ask what they’re doing with that framework, you often get blank stares. Completing an assessment means nothing if you can’t articulate what you learned from it and what you’re doing to improve. The critical question isn’t “Did we complete our assessment?” Instead, it’s “What have we done with the results?”

THE FRAMEWORK TRANSITION CHALLENGE

The Aug. 31, 2025, sunset of the FFIEC Cybersecurity Assessment Tool (CAT) has forced smaller institutions to adopt more complex frameworks. The leap isn’t incremental — it’s substantial.
But the transition is long overdue; many mature organizations should have already moved beyond the CAT’s simplified approach to adopt more comprehensive frameworks.

The CAT provided a simple rating system that scored your cybersecurity maturity from one to five across different domains, including cyber risk management, controls and threat intelligence. The NIST CSF requires significantly more work, including comprehensive risk assessments across five core functions, detailed control documentation and ongoing measurement of outcomes rather than simple numerical ratings. That makes it less user-friendly for small banks, but risk assessment should never be contingent on how easy it is to complete.

Community banks also face a severe shortage of qualified cybersecurity professionals. This isn’t just an inconvenience; it’s a fundamental challenge that boards must address strategically. Smaller organizations may need to invest in external expertise to complete assessments. That’s not a sign of weakness. It’s recognition that resource constraints make professional oversight frameworks even more critical.

Knowledge gaps among bank boards are prominent. A director once told me their institution scored well on their cybersecurity assessment, but when I asked what specific improvements resulted from those findings, they couldn’t answer. That disconnect between completing an exercise and achieving real security maturity represents exactly what needs to be addressed to develop real cybersecurity preparedness.

FIVE ESSENTIAL BOARD RESPONSIBILITIES

Directors don’t need to understand the technical details of firewalls or encryption. However, they do need to fulfill five essential oversight responsibilities:

1. Understand Your Security Posture

Board members should ask management to explain the cybersecurity framework in plain language, request summaries of their security posture — including both strengths and weaknesses — and understand their top five security improvement priorities for the coming year, along with specific, measurable goals.

For executives preparing these briefings, present framework results as a narrative, not a checklist. Translate technical findings into business risks with a clear improvement roadmap. Your directors can’t provide effective oversight if they don’t understand what you’re telling them.

2. Ask The Right Questions

The questions directors ask matter more than whether they understand every technical answer. Focus on the following questions: How do we compare to peer institutions? What is the business impact associated with our three highest-rated risks? How do we validate that our controls are actually working? That last question is particularly important. Many institutions assume that because they have implemented a control, it must be working.

Executives should be prepared with peer benchmarking data. Quantify risk in dollars and customer impact, not technical metrics. Include validation results, not just implementation status.

3. Set Clear Expectations

Directors need to define the institution’s acceptable risk tolerance for different types of threats, as well as establish a reporting cadence and format that enable informed decisions and require explanations in business terms, rather than technical jargon. If you can’t understand what you’re being told, you can’t provide effective oversight.

Executives should request that the board define its risk appetite explicitly. Propose a reporting rhythm that strikes a balance between staying informed and not overwhelming directors. Test materials on non-technical colleagues first.

4. Evaluate Resource Allocation

The board should review whether the cybersecurity budget matches the institution’s stated risk appetite. You can’t credibly tell regulators and customers that security is a priority while underinvesting in it. When spending doesn’t match stated priorities, it’s only a matter of time before that gap is exploited.

Executives should show budget trends and compare spending to peer institutions and industry benchmarks. Be transparent about skill gaps. If bringing in outside expertise for assessments, explain why that’s a strength. Present how security investment connects the dollars spent to the risks mitigated.

5. Assess True Security Maturity

Directors shouldn’t accept “we completed the assessment” as proof of security. Ask what management has done with the framework results to strengthen security. Most importantly, evaluate whether security is treated as a strategic advantage or just a compliance checkbox.

For executives, lead with outcomes, not activities. Show how framework findings drove specific improvements. Demonstrate measurable progress year over year. Make the strategic case for security as a competitive differentiator, not just a regulatory obligation.

PUTTING IT INTO PRACTICE

Consider developing a one-page dashboard that answers the questions boards really need to know: What are our top three risks? What are we doing about them? How do we compare to peers?

This kind of clear, focused reporting enables both effective oversight and productive board conversations — without overwhelming directors with technical details or requiring executives to explain the same concepts repeatedly.

Steve Sanders serves as CSI’s chief risk officer and chief information security officer. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.

Have You Covered Fair Lending Considerations in the Debt Collection Process?
By TARA BOOTH, Virtual Compliance Officer, Compliance Alliance

Financial institutions like to keep their losses to a minimum when it comes to delinquent loans, but has your institution considered its Fair Lending risks associated with the process of collecting debt?

As we delve into this question, let’s consider how a compliance officer or collections officer would know what examiners expect to see in place for the debt collection process. Do you start by reading the Fair Lending regulations? How boring! Let’s cut to the chase and go straight to the source. I always look to the Fair Lending Exam Manual or the Interagency Fair Lending Examination Procedures to gain insight.

As we walk through the debt collection process, let’s keep in mind the prohibited bases found in the Equal Credit Opportunity Act (ECOA): race, color, religion, national origin, sex, age, marital status or receipt of public assistance. Similarly, under the Fair Housing Act, the prohibited bases include race, color, national origin, religion, sex (including gender, gender identity, sexual orientation and sexual harassment), familial status and disability. These prohibited bases also apply to debt collections.

A potential Fair Lending issue could arise if, during the debt collection process, the collections department fails to provide a borrower with information or services regarding any aspect of the lending process, including debt collection.

Examples:
• The bank tends to work more with married couples, assuming they have two incomes and are more likely to repay the debt if the bank refinances the loan. Single borrowers are not offered a refinance as quickly, based on the assumption that their repayment ability may not be as strong.
• A loan officer who performs their own collections tends to work more closely with male borrowers, giving them multiple workout options to avoid foreclosure, while similar options are not offered to female borrowers.

To help avoid these situations, the institution can conduct its own analysis of collection procedures with Fair Lending in mind, using available collection data. This process can highlight potential concerns or disparities.

MITIGATING FAIR LENDING RISK IN COLLECTIONS

What can financial institutions do to avoid any perception of Fair Lending issues in the debt collection process? A good starting point is to centralize the collection process and prohibit lenders from collecting their own debts. Ensure the bank has written collection procedures that include the loss mitigation options offered by the institution. Promote consistency in procedures so that the same options are offered to all borrowers.
Procedures should instruct collection staff on how to use the various means of communication — including text messages, email, social media and phone calls — to effectively and fairly reach borrowers. Consider how the institution is represented in these communications. Avoid using third-party debt collectors unless you are very familiar with their practices and compliance with the Fair Debt Collection Practices Act (FDCPA). Address any incentives paid by the bank to ensure compensation structures do not promote unfair treatment or result in discriminatory outcomes. FAIR LENDING AND OTHER REAL ESTATE OWNED (OREO) If the worst-case scenario occurs and the institution must manage Other Real Estate Owned (OREO), are Fair Lending concerns over? Wrong! Examination manuals clearly instruct examiners to look for potential Fair Lending concerns within OREO practices by reviewing statistics on foreclosures and deeds in lieu of foreclosure. They also direct examiners to assess any disparities between groups of individuals in the maintenance, marketing and disposition of OREO properties. For example, do disparities appear in property maintenance tied to the race or ethnicity of the neighborhood? If so, this could constitute a Fair Housing violation. Collection procedures should also describe how OREO properties will be maintained and marketed. Be specific about the type of maintenance, repairs or renovations to be performed, and identify who is responsible for making those decisions. To avoid Fair Lending issues, ensure all OREO properties are maintained equally, regardless of the demographic characteristics of the neighborhood. Examples of potential disparities: • OREO lawns in non-Hispanic neighborhoods are mowed regularly, while those in Hispanic neighborhoods are neglected. • Debris removal or utility maintenance is performed consistently in some areas but not others. Such inconsistencies may suggest discriminatory practices. 
INTEGRATING FAIR LENDING INTO THE COLLECTION FRAMEWORK

If the institution hasn’t already documented its collection and OREO processes within its Fair Lending Risk Assessment or collection procedures, now is the time to enhance those documents and provide greater clarity. In the end, ensure your financial institution can demonstrate that its procedures support Fair Lending compliance throughout the entire lending process — including debt collection and the management and disposition of property taken in the collection of debt.

Ian F. McDowell Named to Forbes Top 200 CPAs List

S.R. Snodgrass, P.C., a full-service accounting and consulting firm known for its forward-thinking work with financial institutions, nonprofits and other businesses, is pleased to announce that Audit and Assurance Principal Ian F. McDowell, CPA has been named by Forbes magazine as one of America’s top 200 CPAs.

Firm President Chuck Marston said, “Over his years with our firm, Ian has been an excellent role model for our younger associates and a proven leader, respected both by clients and co-workers alike, and I’m confident that will continue. We congratulate him on this well-deserved honor!”

Ian F. McDowell, CPA, Principal, Audit and Assurance Group

How To Protect Your Financial Services Firm from Social Engineering Attacks
Courtesy of TRAVELERS

Social engineering presents a significant threat to the financial services sector. The Internet Crime Complaint Center reports that 21,832 business email compromise (BEC) complaints were filed in 2022, leading to more than $2.7 billion in losses.[1] BEC scams are a type of social engineering that occurs when a criminal sends an email message that appears to be a legitimate request for funds from a trusted source.

“We all have to work as hard as the fraudsters do,” said Tracey Santor, a bond product manager specializing in financial institutions at Travelers. If there is money to be made, thieves will look for new ways to break through security processes and systems. With this level of malicious activity, it is important to understand both existing and emerging social engineering threats, as well as steps you can take to help protect your firm.

WHAT IS SOCIAL ENGINEERING FRAUD AND WHY SHOULD I CARE?

Social engineering fraud is a type of cybercrime that uses behavioral techniques to trick people into sending money or divulging confidential information. Scammers may try to obtain passwords, bank data and other personal, protected or proprietary material. When directed toward business entities, often the goal is to fool employees into sending money, diverting a payment or transferring funds to the fraudster.

These types of schemes are often successful because they exploit the norms of honorable social interaction, such as building trust, being polite and appealing to goodwill. This tactic manipulates employees into breaking established security measures and best practices.

Methods can be as simple as infiltrating an email exchange. Scammers might send an email that appears to be from a colleague asking for urgent and immediate financial help, which dupes the recipient into clicking on a phishing link. Phishing is when the threat actor sends general spam emails using pressure levers like fear, authority and urgency to get the recipient to click a link or reveal information.

Schemes can also be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific personalized information to gain their victim’s confidence and better execute their crime.

Regardless of the form of attack or its level of complexity, it is important to see these threats and the perpetrators as sophisticated, intelligent, skilled and relentless adversaries. Then, prepare accordingly.

“These are sophisticated operations. It’s a job to them,” said Santor. “Downplaying the threat or putting off response planning can have serious consequences.”

SOCIAL ENGINEERING: KNOW THE THREATS

Most social engineering attacks derive from a few basic techniques. While the tactics may differ, the goal is the same.
Fraudsters want to induce an entity or a person within it to provide access to protected data or money by revealing information, exposing a network to malware or sending money directly to the attackers. So, it helps to be able to recognize the most common techniques used by criminal social engineers.

THE BASICS OF SOCIAL ENGINEERING [2]

• Baiting: Loading a device such as a USB flash drive with malware and leaving it in an obvious place for someone to find and plug into a computer.
• Phishing: Sending general spam emails using pressure levers like fear, authority and urgency to get the recipient to click on a link or reveal information.
• Email hacking and contact spamming: Gaining control of an email account and sending emails to the contact list with malware links or information-gathering ploys.
• Pretexting: Creating a false identity and an invented scenario using individualized research to trick the target into revealing sensitive information or wiring money.
• Smishing: Sending text messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.
• Spear phishing: Targeting specific individuals with a campaign of personally relevant emails to get them to divulge information or download malware.
• Vishing: Calling a target posing as a trusted colleague and requesting confidential information needed to manage a fabricated problem.

FRAUDULENT INSTRUCTION: A CONSTANT THREAT

“Fraudsters continue to innovate, so it is vital that your firm stays on top of new threats,” noted Santor. “One claim trend that we are seeing more often is a form of social engineering referred to as fraudulent instruction.”

In this type of fraud, the goal is to convince an employee to send a customer’s money somewhere. A fraudster will use stolen or compromised personal and professional information to impersonate a customer and contact your firm, asking that some amount of their money be transferred elsewhere.
Often, an urgent scenario or change of plans will precede the request, and it could even suggest the need to bypass
or alter callback protocols. While not new, this type of fraud can be more difficult to identify now that fraudsters can obtain confidential information more easily through social media and other unsecure internet sources.

SOCIAL ENGINEERING: YOUR PEOPLE ARE YOUR BEST DEFENSE

Hardware and software solutions are essential to information security, but for social engineering threats, the first and most effective line of defense is your people. Here are some ways to help protect your firm from fraudulent instruction schemes as well as other social engineering threats:

• Train your staff regularly. The best way to help prevent losses from social engineering attacks is to have well-trained staff members who follow procedures, use predetermined callback numbers to verify customer instructions, question what doesn’t seem right and don’t take shortcuts. Institute recurring, up-to-date staff security training that discusses new threat trends, highlights suspicious activity and thwarted attacks, and reviews procedures and why they are important.
• Require customers to prove who they are. Keeping customer property secure is a business imperative. Coach your staff to ask customers to provide their information instead of offering the information up-front for them to confirm. For example, instead of saying, “Is 555-1234 still the best number to reach you?” staff should ask customers to verify the contact number on file. If you are concerned about customer reaction, explain your procedures and their purpose at the beginning of your relationship or before there is an issue. That way, your customers will know your staff is acting in their best interest when following identity authentication procedures.
• Know your customers. Pay attention to and note your customers’ patterns and behaviors. Then, when something out of the ordinary arises, you will be more likely to notice it.
Empower staff members to investigate further if they receive a customer request that does not match prior behavior. If a customer asks that you call them on a number different than the one on file, call the one on file anyway. If poor grammar, awkward sentences, unexpected urgency and other unusual signs show up in an email or written request, take further measures to identify the source.
• Escalate suspicion. Communication is paramount. Train employees to immediately notify other members of the team when they get a suspicious call or email. Just because one staff member stops a fraudulent transaction doesn’t mean another attempt will not be made using the same script. Fraudsters are relentless. They will keep trying until they get caught or there’s no more money to steal.
• Celebrate success. If an employee prevents a fraudulent transaction, share the successful handling with your staff. By doing so, you emphasize your expectations of your staff and the vital role they play in maintaining security. Share the instructions that raised suspicion, discuss the red flags and post examples of fraudulent instructions. This helps the frontline team remember that attempts at fraudulent transactions are real and constant.

HOW TO PROTECT YOUR BUSINESS AGAINST SOCIAL ENGINEERING FRAUD

Even with the best security practices in place, your business may still fall victim to social engineering fraud. You need to be ready before it happens. Travelers has deep expertise in social engineering and fraudulent instruction schemes and can offer solutions to help protect asset management firms and other industries.

Fraudsters continue to demonstrate their tenacity in developing new tactics. You need to be equally tenacious in your efforts to protect your business and your clients. The right insurance solutions can help shield your business from the costs associated with threats like claims of negligence in the provision of professional services.

Sources
1. Federal Bureau of Investigation Internet Crime Report 2022 https://www.hsdl.org/c/federal-bureau-of-investigation-internet-crimereport-2022/
2. A-Z Glossary of Information Security and Social Engineering Terms https://www.itsecurityawareness.ie/a-z-glossary-of-informationsecurity-and-social-engineering-terms

ACT Deposit Program
A Simple Solution for Improving Your Bank’s CRA Rating
By DIANE ELLIS, Senior Managing Director, IntraFi

For many bank executives, meeting the Community Reinvestment Act requirements can feel like solving an intricate puzzle. But a new initiative offers a safe, straightforward solution to one key aspect of CRA compliance.

Launched this past year by the Community Development Bankers Association (CDBA) and the National Bankers Association (NBA), the Advancing Communities Together (ACT) Deposit Program provides banks with a secure and efficient way to fulfill their CRA obligations. By placing deposits into Community Development Financial Institutions (CDFIs) or Minority Depository Institutions (MDIs), your bank can earn credit toward the CRA’s community development and investment tests.

“The ACT Deposit Program is a promising new tool for community and regional banks to earn CRA credit,” says Brian Blake, CDBA’s chief public policy officer and a former bank CRA officer. “ACT excels at meeting both the spirit and the letter of the CRA, and I believe it is very competitive compared with more complex, costly or time-consuming alternatives.”

HOW DOES THE ACT DEPOSIT PROGRAM WORK?

The ACT Deposit Program uses IntraFi’s ICS®, or IntraFi Cash Service®, so your bank’s deposit is eligible for millions of dollars in aggregate FDIC insurance at network banks. The minimum deposit under the program is $1 million for banks with $10 billion or less in assets and $5 million for larger banks. And the deposits earn interest.

Note: IntraFi is not an FDIC-insured bank, and deposit insurance covers the failure of an insured bank. A list identifying IntraFi network banks can be found at intrafi.com/network-banks. Certain conditions must be satisfied for “pass-through” FDIC deposit insurance coverage to apply.

Regulators define CRA “qualified investments” to include bank deposits with a primary purpose of community development.
Under this definition, and subject to considerations such as the asset size and assessment area of the bank seeking CRA credit, deposits placed at CDFI and MDI banks qualify for CRA consideration. While CRA guidelines require CDFIs to be located within a bank’s assessment area to qualify for the credit, deposits into any MDI bank qualify regardless of geographic location.

Currently there are 34 MDIs and 64 CDFIs[1] operating in 31 states participating in the ACT Deposit Program. You can see a full list of participating CDFIs and MDIs by scanning the QR code (https://www.intrafi.com/act-deposit-program#find-a-bank).

Brian notes that these deposits will help CDFIs and MDIs do even more to help underserved communities. “ACT program deposits put capital to work in communities that need it most,” he says. “Because CDFI and MDI banks operate in low-income or low-wealth communities, their funding options are limited — but they excel at financing affordable housing and small businesses, creating jobs and expanding neighborhood facilities in low-income communities.”

Blake adds that ACT deposits offer banks qualitative benefits when it comes to CRA ratings, since the deposits meet standards of being responsive, flexible and innovative. He concludes that “when leveraged by CDFI and MDI banks, ACT deposits go to very good use.”

LEARN MORE ABOUT ACT

If your bank is looking for a secure, effective way to meet CRA’s community development or investment tests, learn more by emailing Diane Ellis at dellis@intrafi.com or scanning the QR code (https://www.intrafi.com/act-deposit-program). You’ll be doing something smart for your bank while also supplying a CDFI or MDI with much-needed deposits to lend in their markets.

[1] Fifteen ACT Deposit Program banks are both CDFIs and MDIs.

Deposit placement in the ACT Deposit Program within ICS (“Program”) is subject to the terms, conditions, and disclosures in applicable agreements, including the ACT Addendum to the ICS Deposit Placement Agreement.
A portion of a deposit placed in the Program may be allocated to IntraFi network banks that are not CDFIs or MDIs. The interest rate earned on Program deposits will likely be lower than the interest rate available on deposits outside of the Program. IntraFi and ICS are registered service marks, and ACT is a service mark, of IntraFi LLC.

Diane Ellis is the senior managing director at IntraFi. She leads the Advancing Communities Together℠, or ACT℠, Deposit Program for IntraFi. Previously, she was the director of the Division of Insurance and Research at the Federal Deposit Insurance Corporation (FDIC), where she led efforts to maintain the adequacy of the Deposit Insurance Fund and an effective and fair risk-based premium system, assess economic and financial sector risks to the banking industry, conduct policy-oriented research and analysis for rulemakings, and collect and publish bank financial information and statistics, including the Quarterly Banking Profile. She has extensive executive-level experience in deposit insurance pricing and fund management and was elected twice to serve as an Executive Council member for the International Association of Deposit Insurers. Earlier, she was a senior financial analyst and bank examiner with the FDIC.

2026 WVBankers Calendar of Events

JANUARY

2026 WVBANKERS LEGISLATIVE DAY
Jan. 27
Charleston Marriott Town Center, Charleston

2026 BANKING SCHOOL RETREAT
Jan. 28
Charleston Marriott Town Center, Charleston
Closed retreat for the Board of Trustees of the WV School of Banking and Fellows.

FEBRUARY

RETAIL BANKING LEADERSHIP SERIES I & II (FKA BRANCH MANAGEMENT SCHOOL)
Feb. 10-11
The Four Points by Sheraton, Charleston
Presented by Josh Collins, Drexler Consulting LLC

COMPLIANCE 101
Feb. 12-13
The Four Points by Sheraton, Charleston
Presented by Kristin Vaughan, Performance Solutions Inc.

INDIVIDUAL RETIREMENT ACCOUNT (IRA): BASICS
Feb. 24-25
The Four Points by Sheraton, Charleston

MARCH

EMERGING LEADERS: COMMUNICATION
March 12
The Four Points by Sheraton, Charleston
Presented by Chuck Stump, The Performance Group Inc.

APRIL

ADVANCED COMPLIANCE SCHOOL
April 21-23
Stonewall Resort, Roanoke
Presented by Kristin Harville, Performance Solutions Inc.

MAY

BANK SECURITY SCHOOL
May 6-7
Stonewall Resort, Roanoke
Presented by Barry Thompson, Thompson Consulting Group LLC

WV SCHOOL OF BANKING
May 17-22
University of Charleston

ASSET/LIABILITY MANAGEMENT
TBD
Charleston
Presented by The Baker Group

JULY

2026 WVBANKERS ANNUAL CONVENTION
July 26-28
Greenbrier Resort, White Sulphur Springs

AUGUST

RETAIL BANKING LEADERSHIP SERIES III & IV (FKA BRANCH MANAGEMENT SCHOOL)
Aug. 4-5
Stonewall Resort, Roanoke
Presented by Josh Collins, Drexler Consulting LLC

EMERGING LEADERS: CONFLICT MANAGEMENT
Aug. 6
Stonewall Resort, Roanoke
Presented by Mark Isabella, Isabella & Associates

SEPTEMBER

INDIVIDUAL RETIREMENT ACCOUNT (IRA) SCHOOL
Sept. 16-18
Stonewall Resort, Roanoke
Presented by Matt Dickinson, Training Resources Consulting LLC

OCTOBER

NEW ACCOUNTS
Oct. 6-7
The Four Points by Sheraton, Charleston
Presented by Matt Dickinson, Training Resources Consulting LLC

BSA SCHOOL
Oct. 6-9
Stonewall Resort, Roanoke
Presented by Kristin Harville, Performance Solutions Inc.
NOVEMBER

CONSUMER LENDING SCHOOL
Nov. 3-5
The Four Points by Sheraton, Charleston
Presented by David Kemp, Bankers Management Inc.

For more information about WVBankers professional development opportunities or to register for an event, visit us at www.wvbankers.org.
