Pub. 3 2022 Issue 6

ISSUE 6 2022
Official Publication of the Community Bankers Association of Kansas


CONTENTS
Issue 6 | cbak.com

HOLIDAY MESSAGE
By Shawn, Nikki and Yvonna, Community Bankers Association of Kansas

FLOURISH
By Rebeca Romero Rainey, President and CEO, ICBA

FOURTH QUARTER RALLY: SOME SUGGESTIONS ON HOW TO WRAP UP 2022
By Jim Reber, President and CEO of ICBA Securities

EXPANDING FAIR BANKING ENFORCEMENT
By William J. Showalter, CRCM, CRP, Senior Consultant, Young & Associates, Inc.

2022 CBA MEMBERSHIP APPRECIATION TAILGATE

THE 2023 COMMUNITY BANKERS FOR COMPLIANCE PROGRAM

WHAT BANKS NEED TO KNOW ABOUT CIS CONTROLS
By Mike Gilmore, Chief Compliance Officer, RESULTS Technology

IT’S NOT TOO LATE FOR CECL COMPLIANCE!
By Shawn O’Brien, President, QwickRate

REPAYING CORONAVIRUS-RELATED DISTRIBUTIONS (CRDS): HOW YOUR CLIENTS MAY CATCH UP
By Jodie Norquist, CIP, CHSP; Ascensus

IN EVERY ISSUE:
ANNIVERSARIES AND ANNOUNCEMENTS
BANK TRAINING WEBINARS
PRODUCTS AND SERVICES REFERENCE LIST

2022 CBA OFFICERS AND DIRECTORS
Irv Mitchell, Chairman, Wilson State Bank
Joe Rottinghaus, Chairman-Elect, Conway Bank
Tom Pruitt, Secretary/Treasurer, Peoples Bank & Trust Company
Michele C. (Mickey) Lundy, Immediate Past Chairman, Tampa State Bank

DIRECTORS
Josh Bailey, Security State Bank
Cheri Fahrbach, First National Bank of Hutchinson
Brandon Lee, Union State Bank
Jack Rowden, Citizens State Bank
Kent Culbertson, First National Bank and Trust
Melisa Sorenson, Legacy Bank
Margaret Nightengale, Grant County Bank
Jim Wayman, ESB Financial

STATE ICBA DIRECTORS
Tanner Johnson, Swedish-American Bank

CBA STAFF
Shawn Mitchell, President and CEO, shawn@cbak.com
Nikki Dohrman, Senior Vice President/Executive Director, nikki@cbak.com
Yvonna Hansen, Vice President of Member Services, yvonna@cbak.com
Stuart Little, Little Government Relations, LLC

© 2022 Community Bankers Association of Kansas | The newsLINK Group, LLC. All rights reserved. In Touch is published six times each year by The newsLINK Group, LLC for the Community Bankers Association of Kansas and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the Community Bankers Association of Kansas, its board of directors, or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. The Community Bankers Association of Kansas is a collective work, and as such, some articles are submitted by authors who are independent of the Community Bankers Association of Kansas. While In Touch encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at 855.747.4003.

Community Bankers Association of Kansas wants you to know how much we appreciate your valuable contribution in helping the association be a great success this year. We take this opportunity to thank you, and to wish you a Happy Holiday Season.

-Shawn, Nikki & Yvonna

FLOURISH
BY REBECA ROMERO RAINEY, PRESIDENT AND CEO, ICBA
Connect with Rebeca on Twitter @romerorainey.

Cyber and data security have long been areas of emphasis for community banks, but in today’s escalating digital environment, that focus has grown. In fact, our 2022 CEO Outlook Survey ranked data security as a top concern, and as the digital sphere continues to evolve, all signs point to that level of concentration increasing.

When I think about the work community banks are putting into heightening security protocols and protecting their customers, I’m struck by the fact that so much of cyber preparedness stems from navigating conceptual circumstances. Fraudsters continually evolve their techniques to find new ways to prey on consumers and small businesses, and as they do, we must remain vigilant in serving as the first line of defense. But the question remains: How do we stay on top of their tactics and safeguard against a hypothetical, moving target?

While there’s no cyber or data security silver bullet, by bringing the theoretical into a true banking environment, we can begin to establish action plans that speak to real-world attacks. For example, by participating in tabletop exercises, bankers can get a first-hand account of where their preparedness plans shine and where they fall short. By taking cyber and data security from the conceptual into the concrete, we are able to find the chinks in our armor and shore up our defenses before a hacker gains entry.

Because a good defense begins with a strong offense, ICBA has partnered with the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security, to offer tabletop exercises tailored specifically to community banks. These exercises enable you to bring all areas of your bank into the cyber and data security fold and, in the process, create a deeper understanding about what you are preparing for, how it will impact all facets of your bank, and how you can be ready to respond to what may come your way.

In addition, ICBA also has created a Cyber and Data Security Resource Center. Updated regularly with new tools and resources, this center offers insights, tips and even customer support tools for community banks. It helps you not only to prepare, but also execute your cyber plans and introduce new education, training and resources as needed.

In today’s environment, cyber and data security is about constant vigilance. This can feel like a daunting task, but by working in bite-sized pieces, you keep it top of mind on a standing basis and build a culture of cyber and data preparedness. That cyber and data security-first mentality will go a long way in helping to protect you and your customers from emerging threats.

Where I’ll be this month
I’ll be participating in our fall leadership meeting as we strategize for the coming year and consider ways to help community banks both manage risks and embrace new opportunities.


FOURTH QUARTER RALLY: SOME SUGGESTIONS ON HOW TO WRAP UP 2022
Endorsed Partner

The word “rally” can be used for a number of purposes and in different contexts. For instance, it could mean a long-distance auto race over varying surfaces involving stages and checkpoints. It could mean a gathering of supporters to generate enthusiasm and momentum for an individual or cause; we’ve seen plenty of these during this election cycle. It can also refer to a comeback from some type of challenge. It may be an improvement in one’s health. It could be a spurt of energy to enable the completion of a task. Finally, it might be an analogy for sports or other competitions in which a participant or team overcomes a deficit to snatch victory out of the grasp of defeat.

This final example is the general theme of this column. I hasten to say that the community banking industry, by most measures, is doing quite well. I’ve consistently heard from bankers across the country this year that “earnings are good.” So if there’s any catching up to do, it’s not in banking fundamentals. It has to do with – you guessed right – rising interest rates and the attendant drop in market values for your bonds. Here are a few ideas that may be worth considering as we approach year-end.

Funding Options
Suddenly, shockingly in some cases, community banks are having to consider using wholesale funds to manage their liquidity. This is an exercise that faded in relevance in 2019 as loan demand was beginning to wane, and has been in oblivion since. Not now: FHLBs issued more debt in the third quarter than they did in the first two quarters combined, most of which was used to finance new advances to community banks. And with a little effort, a bank can lock down attractive (which I admit is relative) terms on longer-duration borrowings. Even with 5%-plus yields available on shorter assets, low-4% costs can be secured for FHLB floating rate advances swapped to fixed for five or so years. If you’re not inclined to execute a rate swap, traditional three- to seven-year advances are generally less expensive than brokered CDs. This is, in part, compliments of the inverted yield curve.

“Income Deferral”
This subheading is shorthand for “sell assets at a loss in this fiscal year, reinvest into higher-yielding bonds, and make back the loss before your original bonds mature.” All accountants worth their salt (I think I’m one of them) understand that pushing income into the future is a wise move from a tax planning and cash flow standpoint. And, since all community banks own liquid assets at below-market rates (i.e., have unrealized losses) in a year in which they’re probably ahead of budget, the table is set for a classic holiday feast: tax swap.

What makes this strategy viable in many cases is the ability to book a net-of-tax loss since selling bonds is considered an ordinary event for a community bank. When the proceeds are reinvested into tax-free instruments, the net loss is often recouped in short order. Your brokers are capable of modeling a number of possible transactions to determine the best course of action. If you do go down this path, here are a couple of possible sales items that may work for you:
• Short bullet bonds or out-of-the-money callables
• Short (< five year) municipals (which are the domain of retail investors)
• Odd lot MBS with several years of seasoning
And for all you S corps, this strategy works even better as your higher marginal tax rates allow you to avoid more income tax liability.

Look Around You
If you’re inclined to sell out of some losing positions but need to limit the impact on this year’s earnings, remember there may be other pieces of your balance sheet that can be sold at a profit. Not the least of these are floating rate assets such as SBA 7(a) loans. The guaranteed portion of a 7(a) loan will likely adjust each quarter based on prime, which is 100% correlated with fed funds. They command large premia in the secondary market; it’s not uncommon to see a bid of over 110 cents on the dollar. Plus, the lender/seller is required to retain the unguaranteed portion of the loan and to service it as well. SBA lender service providers can guide a community bank through the secondary market process.

Far from making up lost ground, using some of these ideas can more correctly press your advantages into 2023 and beyond. In a year of positive earnings pictures and solid credit quality, the fourth quarter could be the ideal time to set the stage for robust future periods. This holiday season, community bankers may be donning their rally caps.

Jim Reber (jreber@icbasecurities.com) is president and CEO of ICBA Securities, ICBA’s institutional, fixed-income broker-dealer for community banks.

Quarterly Bank Industry Update
ICBA Securities’ exclusive broker Stifel presents its quarterly Bank Advisory and Strategic Services webinar on Dec. 8 at 10 a.m. Central. Bank profitability, industry risk and the M&A environment will be discussed. One hour of CPE is offered. Contact your Stifel rep for more information.

EXPANDING FAIR BANKING ENFORCEMENT
BY WILLIAM J. SHOWALTER, CRCM, CRP, SENIOR CONSULTANT; YOUNG & ASSOCIATES, INC.
Associate Member

In March 2022, the Consumer Financial Protection Bureau (CFPB) made a significant revision to its examination manual for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). The main intent of this action is, as the CFPB states in its press release, “to better protect families and communities from illegal discrimination, including in situations where fair lending laws may not apply.”

While this action is coming from the CFPB, which directly regulates large financial institutions, other federal supervisors can be expected to pay close attention to it. They may even follow the CFPB lead and adjust their supervisory approach in dealing with discrimination issues.

Background
In the late 1960s, the Fair Housing Act (FHA) was passed by Congress to prohibit discrimination in housing-related services, including lending, on the basis of specified bases. Less than a decade later, Congress enacted the Equal Credit Opportunity Act (ECOA) to take similar action regarding all types of credit, on the basis of a similar set of factors. These “prohibited bases” – including race, sex, and age (other than the legal capacity to enter into a binding contract) – are deemed to be irrelevant to a borrower’s creditworthiness.

Federal banking supervisors and other federal agencies have used these tools over the years to try to reverse inequalities in credit markets. However, they have not had similar legal avenues for dealing with concerns over discrimination related to other financial services, though some have argued that general civil rights laws might apply.

“Unfairness” in UDAP/UDAAP
The Federal Trade Commission (FTC) has had jurisdiction over “unfair or deceptive acts or practices” (UDAP) since at least the 1970s.
The FTC spelled out three elements to the concept of “unfairness.” Those three elements are:
• The act or practice must cause or be likely to cause substantial injury to consumers.
• Consumers must not reasonably be able to avoid the injury.
• The injury must not be outweighed by countervailing benefits to consumers or competition.

The FTC issued interpretations and enforcement actions over the years that developed the scope of these concepts (as well as the “deceptive” concept). However, Congress determined after the financial crisis of 2008 that consumer protection policy and enforcement needed to be changed. As a result, the Dodd-Frank Wall Street Reform Act of 2010 moved much of the consumer protection rulemaking and interpretation responsibility from the individual financial regulators and placed it in a new federal agency – the Consumer Financial Protection Bureau (CFPB). This law also added another element to UDAP – the “abusive” concept, which has added a letter to the acronym giving us UDAAP (unfair, deceptive, or abusive acts or practices).

The CFPB is building on the UDAP structure that the FTC built. In fact, the Dodd-Frank Act ensconced much of the previous FTC policy concepts in federal law. The statutory elements of what constitutes “unfairness” are the same three (listed above) originally developed by the FTC.

Unfairness is Discrimination
Some have advocated for applying the “unfairness is discrimination” theory to fill what they see as important gaps in the existing patchwork of anti-discrimination laws, which currently leave large parts of the economy unregulated and unprotected from a variety of discriminatory practices, including those with a disparate impact.

Then-FTC Commissioner Rohit Chopra said at a conference in 2020, “Discriminatory practices often are three for three [under the unfairness elements], causing grievous harm that cannot be avoided.” Mr. Chopra is now Director of the CFPB.
CFPB UDAAP Exam Manual
This has led to the revisions announced in the spring to the CFPB UDAAP examination manual. By revising its examination manual rather than going through the formal rulemaking process, the CFPB did not have to put the changes out for comment beforehand. The revisions have just been announced as an accomplished fact, effective immediately (in March).

Now that the CFPB explicitly recognizes discriminatory practices as “consumer harm,” they are considered as “unfair,” and the product scope covered by standards in fair lending laws has expanded beyond just credit to include any financial product or service.

The UDAAP examination procedures provide general guidance on:
• The principles of unfairness, deception, and abuse in the context of offering and providing consumer financial products and services;
• Assessing the risk that an institution’s practices may be unfair, deceptive, or abusive;
• Identifying unfair, deceptive or abusive acts or practices (including by providing examples of potentially unfair or deceptive acts and practices); and
• Understanding the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection and antidiscrimination statutes.

The exam procedures deal with the three elements of unfairness, much of which is not new. The first prong, substantial injury, usually involves monetary harm. Monetary harm includes, for example, costs or fees paid by consumers as a result of an unfair practice. An act or practice that causes a small amount of harm to a large number of people may be deemed to cause substantial injury. Foregone monetary benefits or denial of access to products or services, like that which may result from discriminatory behavior, may also cause substantial injury.

The CFPB notes that actual injury is not required in every case. A significant risk of concrete harm is also sufficient. Trivial or merely speculative harms are typically not sufficient for a finding of substantial injury. Similarly, emotional impact and other more subjective types of harm also will not ordinarily amount to substantial injury. However, in certain circumstances, such as unreasonable debt collection harassment or discriminatory conduct, emotional impacts or dignitary harms may amount to or contribute to substantial injury.

The exam procedures then deal with the second element of “unfairness,” whether the consumer may reasonably avoid the injury. An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury if the act or practice interferes with their ability to effectively make decisions or to take action to avoid injury.

A key question, according to the CFPB, is not whether a consumer could have made a better choice. Rather, the question is whether an act or practice hinders a consumer’s decisionmaking. For example, not having access to important information could prevent consumers from comparing available alternatives, choosing those most desirable to them, and avoiding those that are inadequate or unsatisfactory.

For an injury to be reasonably avoidable, consumers must have practical means to avoid it, and the actions that a consumer is expected to take to avoid injury must be reasonable. There are many instances where consumers simply have no mechanism to avoid injury. For example, consumers typically cannot avoid the harms of discrimination.

Regarding the third element – injury outweighed by consumer or competitive benefits – to be unfair, the act or practice must be injurious in its net effects. That means the injury must not outweigh any offsetting consumer or competitive benefits produced by the act or practice. Offsetting consumer or competitive benefits of an act or practice may include lower prices to the consumer or a wider availability of products and services resulting from competition.

A discriminatory act or practice is not shielded from the possibility of being unfair, deceptive or abusive even when fair lending laws do not apply to the conduct. For example, not allowing African-American consumers to open deposit accounts, or subjecting African-American consumers to different requirements to open deposit accounts, may be an unfair practice even when ECOA does not apply to this type of transaction.

Conclusion
Financial institutions directly supervised by the CFPB should treat this exam manual update as a regulation change. They should update their risk assessments, policies, procedures, processes, internal controls, audit processes, staff training, and so forth to incorporate the new application of anti-discrimination standards to areas other than credit.

Financial institutions supervised by other federal agencies would be well advised to at least begin to look at this issue since the regulators tend to generally move in the same direction.

William J. Showalter, CRCM, CRP, is a Senior Consultant with Young & Associates, Inc. (www.younginc.com), with over 35 years of experience in compliance consulting, advising and assisting financial institutions on consumer compliance and compliance management issues. He also develops and conducts compliance training programs for individual banks and their trade associations and has authored or co-authored numerous compliance publications and articles. Bill can be reached at (330) 678-0524 or wshowalter@younginc.com.

2022 CBA MEMBERSHIP APPRECIATION TAILGATE

On Saturday, September 17, CBA members, friends and family enjoyed the CBA annual tailgate event in Manhattan. It was an exciting fall day with plenty of food, conversation and camaraderie. On behalf of the team and leadership of CBA, we extend our thank you to all who participated or attended – and we truly look forward to hosting events throughout the year to celebrate our shared commitment to Kansas community banking!

A big “Thank You” to this year’s sponsors: Allen, Gibbs & Houlik, LC, Bankers’ Bank of Kansas, Bank Compensation Consulting, First National Bank of Hutchinson, RESULTS Technology, Security 1st Title and Varney & Associates, CPAs, LLC.




THE 2023 COMMUNITY BANKERS FOR COMPLIANCE PROGRAM
There’s Never Been a Better Time to Solve Compliance Challenges. Your Solution for Compliance Challenges is Here.

Already a CBA of Kansas member? You’ll save nearly 60% off the cost of your enrollment in Community Bankers for Compliance! Instead of paying the full price of $3,974.25, you’ll receive a subsidy set aside only for CBA of Kansas members. This means you’ll pay only $998.00 for one designated banker and a second registrant.

Are you a Member of ICBA, and hold the Community Banker University Compliance Certification? Receive CPE credits for your participation in live events.

Webinars-Regulatory Update:
February 23, 2023
May 11, 2023
September 7, 2023
November 9, 2023

Live Regulatory Seminars:
April 18, 2023, Salina, KS
October 17, 2023, Salina, KS

CBC Program Membership includes the following:

2 Live Seminars
The live seminar topics are selected based on the most recent industry and regulatory developments, which may have an impact on community banks. Each person attending the program will receive a detailed manual, written in full narrative, that they can take back to the bank as a reference and training tool.

Quarterly Regulatory Update Webinars
Each webinar will discuss current news and regulatory changes that may have an impact on community banks.

Monthly Newsletter
The Compliance Update newsletter is sent to program members each month. It provides an update of compliance issues in easy to understand articles. Each issue includes a compliance calendar looking out several months at what is looming ahead that community banks need to be preparing for.

Compliance Hotline
Members of the program may call the Young & Associates’ toll-free number or visit their Web site with compliance questions that arise on a daily basis. Young & Associates has many qualified compliance professionals available to answer your questions. This service ensures that your bank is just a phone call or email away from the information you need in order to answer your compliance questions.

CBC Members-Only Web Page
This web page is reserved for banks that are registered members of the CBC Program. In it, you will find timely information and tools provided by Young & Associates, Inc., that can be used to enhance the regulatory compliance function at your bank.

CBA of Kansas members receive 60% off the enrollment fee!
CBA Member Rate:
$3,974.25 Annual Program Fee
($2,976.25) Less CBA Member Subsidy
$998.00 Total CBC Program Fee

“As a CBC Member, I use the 800-number Compliance Hotline and the team is professional while providing quick answers. This is a very practical and useful feature of the CBC program.”
Margaret Nightengale, Senior Vice President, Grant County Bank, Ulysses, Kan.

“Most of us expect regulation measures to be tighter in the future, and we have to be ready. Using the CBC program helps our bank handle and control our compliance processes efficiently and more cost effectively.”
Tim Matlack, President, FNB Washington, Washington, Kan.

For additional information, please contact:
Yvonna Hansen, Vice President of Member Services
Phone: (785) 271-1404
E-mail: yvonna@cbak.com
cbak.com

WHAT BANKS NEED TO KNOW ABOUT CIS CONTROLS
BY MIKE GILMORE, CHIEF COMPLIANCE OFFICER, RESULTS TECHNOLOGY
Endorsed Partner

In just the first half of 2021, the banking industry experienced a 1,318% increase in ransomware attacks. Banks have become prime targets for cybercriminals due to the large amounts of sensitive customer data they hold. To protect this data, as well as maintain compliance with strict regulations, banks must have a strong cybersecurity strategy.

This strategy should consider the unique needs of financial services cybersecurity. There need to be stronger controls, better knowledge of banking networks, better reaction time to threats, and a better ability to recover from incidents. A great way to achieve these goals is by implementing the CIS Critical Security Controls (CSC).

What Is CIS?
The Center for Internet Security (CIS) is a nonprofit organization providing guidance and best practices for improving cybersecurity for financial services. CIS is a parent of MS-ISAC, which serves as the information sharing and analysis center for state, local, tribal, and territorial governments. They offer a framework of critical security controls that effectively protect against the most common attacks.

Why Should Banks Use CIS Controls?
Banks are increasingly targeted by cybercriminals, and the stakes are high. These controls are put in place to manage identified risks. They can be physical barriers (e.g., locks and walls), electronic barriers like firewalls, and software like antivirus, as well as policies, procedures, and training.

Abiding by these controls helps examiners know you’ve identified your risk for IT incidents and put appropriate controls in place to manage them. For a better financial services cybersecurity strategy, you need to know how your network works and be aware of any changes that might invalidate the controls you have put in place.

The Top 7 CIS Controls
Here are the top seven controls adopted by the FFIEC for InTREx Exams:

1. Inventory & Control of Enterprise Assets
Your bank needs to keep track of your assets and where they are located. This is important because it helps you to know what needs to be protected and how best to protect it. It’s important to regularly review your inventory or use tools that generate alerts on any asset changes.

Be especially aware of the “internet of things” (IoT). This is the growing trend of interconnected devices, such as security cameras, thermostats, IP phones, HVAC systems, and even coffee makers. These devices are often unsecured and can provide a way for attackers to gain access to your network. It’s so easy to plug devices into your network that can act as an entry point.

2. Inventory & Control of Software Assets
This control helps your bank ensure that your assets are properly configured and secure. This includes ensuring that only authorized users have access to sensitive data and that all data is properly backed up.

In many cases, software vulnerabilities are the root cause of attacks. Attackers will exploit these vulnerabilities to gain access to your network. You can help mitigate these risks by keeping your software up to date, regularly reviewing and removing unauthorized software, and preventing the installation of unauthorized software (i.e., limiting local permission, blocking internet download capabilities, etc.). 3. Data Protection This control helps you protect your data from unauthorized access and loss. It includes ensuring that sensitive data is encrypted at rest and in transit. It is also understanding where data is stored and how it travels. Data breaches are becoming more common and more costly. One way to help mitigate the risk of a data breach is by using Data Leak Protection. This makes it hard to copy and move sensitive data and will make it much more difficult for attackers to access your data if they are able to breach your network. 4. Secure Configuration of Enterprise Assets & Software It is crucial to implement a solid program for software, and operating system patching, establish written policies for “hardening” new servers, workstations, and network devices, and regularly review policies to ensure they are enabled on all devices. This control boosts your financial services cybersecurity and keeps your assets and software secure. The first step in this process is to create a secure baseline configuration for all enterprise assets, including hardware, software, and firmware. Once the baseline has been established, it is important to deploy security hardening techniques to further secure systems and reduce their attack surface. This can be accomplished by disabling unnecessary features and services, using strong passwords, and reducing privileges where possible. It is also important to regularly patch software and operating systems to mitigate known vulnerabilities. 
Patches should be deployed as soon as they are released or on a schedule appropriate for the organization’s risk tolerance. Be sure to test patches before deploying them to production systems.

5. Account Management

For added cybersecurity, ensure that only authorized users can access your data and systems. This is not just for Windows login – it includes logins to core systems, email, and any hosted or internet-based accounts that potentially house confidential data.

One of the most important things you can do to protect your data is to control who has access to it. This can be accomplished by requiring strong passwords, using two-factor authentication, and regularly reviewing permissions to ensure that only authorized users have access to sensitive data and systems.

It’s also good to establish separate admin accounts for admin tasks. This way, if an attacker does gain access to an admin account, they will not have direct access to data.

6. Access Control Management

This control helps your bank manage and monitor user access to data and systems. This includes ensuring that only authorized users have access to sensitive data, that all access is logged, and that privileged users are properly supervised.

One way to help ensure that only authorized users have access to sensitive data is to implement least privilege principles. This means that users should only have the permissions they need to do their job, and no more. It is also important to log all access to data and systems. This can help you track down unauthorized access and identify potential insider threats.

7. Continuous Vulnerability Management

This control helps you identify and remediate vulnerabilities in your systems and software. This includes patching software and operating systems, using security scanning tools, and conducting regular penetration tests.

One way to help identify vulnerabilities in your systems is to use security scanning tools at least quarterly.
These tools can be used to scan for known vulnerabilities, as well as to look for general weaknesses that could be exploited. Be sure to scan all systems, including web servers, application servers, and database servers.

How to Incorporate CIS Controls

To help your bank incorporate these Controls, look for an IT company that specializes in IT security and compliance for banks and that is also able to manage and automate many of the tasks associated with each of the CIS controls.

More information about the Center for Internet Security can be found at https://www.cisecurity.org/controls.

About the Author: Mike Gilmore is the Chief Compliance Officer at RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years of experience in the banking industry. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.

IT’S NOT TOO LATE FOR CECL COMPLIANCE!
BY SHAWN O’BRIEN, PRESIDENT, QWICKRATE
Endorsed Partner

As we head into the final months of 2022, the CECL deadline seems to be coming faster and faster. If your bank hasn’t already adopted or finalized your CECL process, we can provide support that’s equally quick – whether you simply need answers to help you over some hurdles or the compliance efficiency that comes with our CECLSolver™ solution.

Please feel free to contact us for a brief consultation. We talk and work with bankers every day to address and help alleviate their CECL concerns. In the meantime, here are some common questions we receive about our CECLSolver™ tool, its methodology, and what we’re hearing from regulators, accountants and other bankers.

Questions & Answers: What banks are asking about CECLSolver™.

Is it too late to get started with CECLSolver to meet the 2023 Q1 compliance date?

Absolutely not. Every week we consult with banks who are just now starting on CECL compliance – and assure them there’s no need to panic. CECLSolver is easy to use and was built on regulatory guidance to make compliance as painless and efficient as possible for banks. And QwickRate’s excellent customer service will guide and support you along the way.

What methodology does CECLSolver use?

CECLSolver mainly uses a Weighted Average Remaining Maturity (WARM) methodology, with elements of Open Pool/Snapshot – one of the more straightforward methodologies vetted and discussed by FASB and regulators for meeting CECL compliance. The tool automatically displays historical losses (by segment) and calculates lifetime loss rates over WARM periods. There’s no need to compile past information, and analysis of different loss scenarios is quick and easy. CECLSolver also aggregates long-term peer loss data for standard or customized peer groups. Experts are standing by to help with WARM calculations created by your team or ours.

Will regulators be receptive to this methodology?

Regulators continue to emphasize that “... for smaller, less complex community banks, complex modeling techniques are not required, and simple practical methods should work.”* We’re sensing an even greater acceptance of portfolio-based solutions and the WARM methodology, which is becoming the preferred choice of community banks. Regulators frequently note that bankers are constrained by the data they can access, making overly complex CECL methodologies a nonstarter for many institutions. This is why a portfolio-based solution continues to be appropriate for helping more banks accomplish what their regulators look for – with very little work on their part.

What can a bank expect when they first log in to the tool?

Banks immediately see actionable results the first time they sign in to CECLSolver. We preload their historical call report data and the entire universe of historical data for peers at the segment level. It’s a huge time saver when you can pull up a tool and instantaneously have an entire picture of your loss history, by segment, before you even change anything. Not only yours but also your peers’. From there, you can edit the template, peer groups, Q factor adjustments and individually assessed loans, etc., as needed.

What advice do you have regarding the amount of detail auditors/regulators expect?

Auditors and regulators will definitely ask for the bank’s model and the model results. They also ask for documentation of your thought process and justifications for your assumptions. This is a huge best practice banks should be aware of: document, document, document: your rationale for each assumption, any changes from your last run, etc. Multiple places throughout the tool allow you to add notes about your assumptions – all efficiently organized by loan segment – to build that narrative. Whenever you print or export the tool for auditors/examiners, those notes will be attached, walking them (and you) through your thought processes, which is really what they’re looking for. An audit trail of this kind will be critical, especially the first year.

What can a customer expect in the future for CECLSolver?

As we help customers and meet with examiners and auditors, we identify enhancements to continually incorporate into the tool. A great example would be adding the Federal Reserve’s SCALE tool as a second model or gut check. We also have a monthly Q&A Coffee Talk Session with customers and take their suggestions and requests back to our team. We will continue these efforts: listening and partnering with users, regulators and auditors; investing in the CECLSolver tool; and working hard to make CECL compliance a worry-free experience.

Request a demo with your data. Find out why hundreds of community banks are already using CECLSolver to address CECL compliance. Schedule at www.qwickrate.com or email info@qwickrate.com.

*From CECL Webinar for Bankers: Practical Examples of How Smaller, Less Complex Community Banks Can Implement CECL (by FDIC, FRB with the CSBS, the FASB, and SEC) February 27, 2018.

Shawn O’Brien is president of QwickRate, providing practical and affordable solutions for community banks for more than 30 years. An ICBA Preferred Service Provider.

CBA EDUCATIONAL Getaway 13 NIGHT GREEK ISLES & ITALY CRUISE August 14 to 27, 2023 Greek Isles & Italy Cruise This is our version of “All-Inclusive at Sea” WHO SHOULD ATTEND? Community Bankers, Directors, Employees, Associate Members, Family and Friends Book Early. Space will sell out quickly! https://www.cbak.com/wp-content/uploads/2022/08/2023-Greek-Isles-Cruise.pdf Visit the QR code for the full brochure

REPAYING CORONAVIRUS-RELATED DISTRIBUTIONS (CRDS): HOW YOUR CLIENTS MAY CATCH UP
BY JODIE NORQUIST, CIP, CHSP; ASCENSUS

On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law as the largest relief package in U.S. history. The legislation included multiple provisions that affected retirement and health savings arrangements to help millions of Americans affected by COVID-19.

The CARES Act allowed individuals to withdraw up to $100,000 in aggregate from eligible retirement plans and IRAs without paying the 10 percent early distribution penalty tax. The distribution had to have been made on or after Jan. 1, 2020, and before Dec. 31, 2020, by a qualified individual, defined in the CARES Act and expanded in definition by Notice 2020-50, as someone who was diagnosed with or otherwise adversely affected by COVID-19.

If your clients took coronavirus-related distributions (CRDs) in 2020, they still have time to make repayments to their qualified retirement plan or eligible IRA. Because a relatively small number of qualified individuals took CRDs in 2020, you may handle few CRD repayments, but their proper reporting is no less important for their infrequency.

Based on a study of retirement plans with 500 employees or less in 2020, Ascensus reported that the percentage of eligible individuals who took CRDs from their retirement plans was low. Other financial services firms also reported to the Congressional Research Office modest usage of CRDs by their clients in 2020. Ascensus reported that 16.6% of employers adopted CRDs, and 4.9% of eligible individuals (i.e., individuals covered by plans that adopted CARES Act provisions) took CRDs. Only 3.2% of those who took CRDs withdrew the maximum allowable amount of $100,000; most CRDs averaged $14,300 in total withdrawals at the end of 2020, according to Ascensus.

Reporting CRD Distributions

CRDs would have been reported to the IRS for the 2020 tax year by financial organizations in different ways. Like all retirement plan and IRA distributions, CRDs were reported on IRS Form 1099-R, Distributions From Pensions, Annuities, Retirement or Profit Sharing Plans, IRAs, Insurance Contracts, etc.

Employers were not required to offer CRDs to plan participants. But if an employer had adopted provisions allowing CRDs, participants who were otherwise subject to the 10% early distribution penalty tax (other than beneficiaries) would have had their distributions reported on Form 1099-R as a code 2, Early distribution, exception applies, or code 1, Early distribution, no known exception. A qualified individual would have claimed the penalty tax exception on his individual tax return, regardless of how the Form 1099-R was coded. Inherited IRA owners were also eligible to take CRDs in 2020, and could have used code 4, Death, another penalty tax exemption; however, a CRD repayment cannot be made to an inherited IRA.

The taxpayer would have reported the CRD and any repayments, if made, on Form 8915-E, Qualified 2020 Disaster Retirement Plan Distributions and Repayments. A taxpayer could have claimed CRD status even if the distribution was taken from a retirement plan whose sponsoring employer did not elect to add CRDs as a distributable event.

A CRD was not considered a modification of a series of substantially equal periodic payments as an exemption from the 10 percent early distribution penalty tax, so no retroactive penalty would have been applied to previous payments received.

Reporting CRD Repayments

You may have account owners requesting to make a CRD repayment through 2023. Qualified individuals who took CRDs in 2020 have three years, beginning on the day following the date they received the CRD, to repay the distribution to their eligible retirement plan (such as a 401(k) plan, a 403(b) plan, a governmental 457(b) plan, or an eligible IRA). These CRD amounts are taxed ratably over the three-year period unless the taxpayer elected otherwise.

At the time of this writing, the IRS has not officially released repayment reporting requirements. Unofficially, the IRS has indicated to Ascensus that financial organizations should enter the repayment amount in Box 14a, Repayments, with code “DD” (disaster distribution) in Box 14b, Code, of IRS Form 5498, IRA Contribution Information. Retirement plan participants and IRA owners report these CRD repayments on the Form 8915 series. This is how other qualified disaster distribution repayments are also reported.

2021 IRS Publication 590-B, Distributions from Individual Retirement Arrangements (IRAs), provides some CRD repayment information for taxpayers, including how to include CRDs in their taxable income each year over a three-year period, along with an example. The amount repaid reduces the amount included in income for the year of the distribution. Taxpayers may repay more than is otherwise includible income for a year. The excess amount may be carried forward to a future year or applied to a previous year in order to reduce the amount included in income for the year (if applied to a previous year, the account owner may need to file an amended return).

If you are uncertain whether your client is eligible to make a CRD repayment, remember that it is up to the client to self-certify to the IRS that he is eligible for repayment, and to you if your organization is going to report amounts as repayments on Form 5498. It’s always a good idea to recommend that your client seek competent tax advice first.

Jodie Norquist is a Consultant with the Ascensus ERISA Compliance Department. As a Consultant, she assists financial organizations with technical compliance matters through Ascensus’ 800 Consulting Service. In addition to consulting, Norquist is responsible for writing and editing Ascensus’ technical and marketing materials. She has received the designations of Certified IRA Professional (CIP) and Certified Health Savings Professional (CHSP). She holds a Bachelor of Science in Mass Communications from Bemidji State University and a Master of Science Degree in Mass Communications from St. Cloud State University.

MARCH 12-16 | HAWAII | HILTON HAWAIIAN VILLAGE | REGISTRATION IS OPEN

ICBA LIVE is your destination for the latest in community bank education and innovation. Network with fellow community bankers, hear from inspiring speakers, and soak up the latest industry insights and fintech solutions.

REGISTER TODAY: ICBA.ORG/LIVE

ANNIVERSARIES

1884, 138 Years: First National Bank & Trust, Phillipsburg
1913, 109 Years: Johnson State Bank, Johnson
1886, 136 Years: Conway Bank, Conway Springs
1961, 61 Years: Security State Bank, Scott City

December

1889, 133 Years: Kansas State Bank, Overbrook
1909, 113 Years: Farmers State Bank, Phillipsburg
1934, 88 Years: First State Bank & Trust, Tonganoxie

ANNOUNCEMENTS

Citizens Bank of Kansas

Citizens Bank of Kansas is pleased to announce that Jessica Fuller has joined the CBK Team to lead the branch at Derby High School. Shanda Swinehart now leads the Medicine Lodge branch. Chris Davis is the new Branch Manager in Augusta. Regina Gregory joins the West Wichita Branch (13th & Tyler).

There’s something new at the El Dorado Branch of Citizens Bank of Kansas! With the capable assistance of Steve Joyce and several eager Dexter High School students, CBK has a barn quilt above the entrance!

Brightly colored barn quilts are appearing across the scenic countryside in Kansas. The “Barn Quilt Movement” started in Ohio with a daughter honoring her mother with a painted quilt on her barn in Adams County, Ohio. This simple idea has spread to over 48 states and Canada, with over 7,000 quilts participating in the organized American Quilt Trail, which includes the Kansas Flint Hills Quilt Trail. This trail was formed to celebrate agricultural heritage, promote rural pride, and attract visitors to the area.

Courtesy photos: (1) CBK El Dorado new barn quilt (2) The CBK barn quilt artists deliver the barn quilt to CBK. L-R DHS students Brieley Minnie, Luis Grandy, and teacher/artist Steve Joyce.


Products and Services Reference List

The following CBA Associate Members are ready to serve you when you need them. Please keep this list handy, and the next time you’re looking for a specific service, you’ll know where to look first! Remember, this is just a sampling of what each company provides.

Each asterisk (*) represents an agreement for a specific endorsed product with that company. Not all products that these companies offer are endorsed by CBA. To see a detailed list and explanation of endorsements, visit CBA online at cbak.com. Keep in mind that the services provided by each company on this list may only be a sampling of the many services they offer. By their CBA Associate Membership, these companies have shown their commitment to serving community banks. Please look to these companies first, whenever possible, to meet your banking needs.

ABSTRACTING
Security 1st Title; Wichita, KS; 316-267-8371

ACCOUNTING/TAX RETURNS
Allen, Gibbs & Houlik, LC; Wichita, KS; 316-267-7231
The Fullinwider Firm, LLC; Liberty, MO; 816-781-6939
Varney & Associates, CPAs, LLC; Manhattan, KS; 785-537-2202

ACH
*SHAZAM; Johnston, IA; 515-288-2828

ADVERTISING SPECIALTIES
*Works24; Brian, Edmond, OK; 800-460-4653

ALARMS & SECURITY PRODUCTS
Federal Protection; Springfield, MO; 800-299-5400
Oppliger Banking Systems, Inc.; Lenexa, KS; 800-487-7875

ASSET LIABILITY MANAGEMENT
*Financial Management Services, Inc. (FMSI); Chuck, Overland Park, KS; 913-955-3355
QwickRate; Marietta, GA; 800-285-8626

ATM EQUIPMENT (NEW/USED)
Federal Protection; Springfield, MO; 800-299-5400
Oppliger Banking Systems, Inc.; Lenexa, KS; 800-487-7875

AUCTION
Purple Wave; Manhattan, KS; 785-537-7653

BACK ROOM SERVICE
Modern Banking Systems; Ralston, NE; 800-592-7500

BALANCE SHEET CONSULTING
*Financial Management Services, Inc. (FMSI); Chuck, Overland Park, KS; 913-955-3355

BANK OPERATIONS
The Baker Group; Oklahoma City, OK; 800-937-2257
QwickRate; Marietta, GA; 800-285-8626

BANK/PEER PERFORMANCE
QwickRate; Marietta, GA; 800-285-8626

BANKRUPTCY
Hinkle Law Firm; Wichita, KS; 316-267-2000
Spencer Fane, LLP; Overland Park, KS; 800-526-6529

BANK STOCK LOANS & LOAN OVERLINES
Commerce Bank; Kansas City, MO; 800-821-2182
*S&P Global; Stacy, Charlottesville, VA; 434-951-4419

BOND ACCOUNTING
First Bankers Banc Securities; Overland Park, KS; 913-469-5400
*ICBA Securities Corporation; Jim, Memphis, TN; 800-422-6442

COMPLIANCE ASSISTANCE/REVIEWS
*Advanced Business Solutions (ABS); Sandy, Olathe, KS; 913-731-6007
Allen, Gibbs & Houlik, LC; Wichita, KS; 316-267-7231
*BHG Bank Group; Tom, Syracuse, NY; 315-372-4510
*MPA Systems; David, Fort Worth, TX; 888-233-1584
Purple Wave; Manhattan, KS; 785-313-2094
Varney & Associates, CPAs, LLC; Manhattan, KS; 785-537-2202
Young & Associates, Inc.; Kent, OH; 800-525-9775

CONSULTING
Abrigo; Raleigh, NC; 919-851-7474
*Bank Compensation Consulting (BCC); Rich, Plano, TX; 303-482-1844
Young & Associates, Inc.; Kent, OH; 800-525-9775

CORRESPONDENT SERVICES
Commerce Bank; Kansas City, MO; 800-821-2182
First National Bank of Hutchinson; Hutchinson, KS; 800-293-0683

CORE SERVICES
Data Center Inc. (DCI); Hutchinson, KS; 620-694-6800
Modern Banking Systems; Ralston, NE; 800-592-7500
*SHAZAM; Bill M. Johnston, IA; 515-306-8012

CREDIT AND PORTFOLIO RISK MANAGEMENT
Abrigo; Raleigh, NC; 919-851-7474
Young & Associates, Inc.; Kent, OH; 800-525-9775

CREDIT CARD PROGRAM
*ICBA Bancard & TCM Bank; Heather, Washington, DC; 800-242-4770

CREDIT SUPPORT
*Advanced Business Solutions (ABS); Sandy, Olathe, KS; 913-731-6007

DATA PROCESSING
Data Center Inc. (DCI); Hutchinson, KS; 620-694-6800
Modern Banking Systems; Ralston, NE; 800-592-7500

DEBIT/ATM CARD SERVICES
*ICBA Bancard/TCM Bank; Heather, Washington, DC; 800-242-4770
*SHAZAM; Matt M. Johnston, IA; 515-480-5767

DEBT COLLECTION
Hinkle Law Firm; Wichita, KS; 316-267-2000

DIGITAL LENDING
*BHG Bank Group; Tom, Syracuse, NY; 315-372-4510
