Pub. 4 2023 Issue 2

ISSUE 2 2023 Official Publication of the Community Bankers Association of Kansas 6 USING IT GOVERNANCE TO ACHIEVE YOUR BANK’S BUSINESS GOALS 12EXPLORING BANKERS’ PRIORITIES AND PERSPECTIVES FOR 2023

CONTENTS Issue 2 | cbak.com © 2023 Community Bankers Association of Kansas | The newsLINK Group, LLC. All rights reserved. In Touch is published six times each year by The newsLINK Group, LLC for the Community Bankers Association of Kansas and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the Community Bankers Association of Kansas, its board of directors, or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. The Community Bankers Association of Kansas is a collective work, and as such, some articles are submitted by authors who are independent of the Community Bankers Association of Kansas. While In Touch encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at 855.747.4003. 4 FLOURISH By Rebeca Romero Rainey, President and CEO, ICBA 6 RESULTS TECH TALK: USING IT GOVERNANCE TO ACHIEVE YOUR BANK’S BUSINESS GOALS By Mike Gilmore, Chief Compliance Officer, RESULTS Technology 10 CFPB 1071 RULE: CHECKLIST FOR COMPLIANCE SUCCESS By Paula King, Abrigo 12 EXPLORING BANKERS’ PRIORITIES AND PERSPECTIVES FOR 2023 By Shane Ferrell, Vice President of Product Strategy, CSI 15 COLLATERAL ADVANTAGE: A VARIETY OF MBS POOLS CAN SPREAD YOUR RISK By Jim Reber, President and CEO, ICBA Securities 18 QUESTIONS FROM COMMUNITY BANKERS FOR COMPLIANCE PROGRAM (CBC) MEMBERS By Bill Showalter, CRCM, Senior Consultant, Young & Associates, Inc. 21 THE TRUST COMPANY OF KANSAS (TCK) IS PLEASED TO ANNOUNCE SEVERAL WELL- DESERVED PROMOTIONS IN EVERY ISSUE: 22 ANNIVERSARIES 23 BANK TRAINING WEBINARS 24 PRODUCTS AND SERVICES REFERENCE LIST 6 18 12 cbak.com 3

FLOURISH For community banks, marketing often points to finding ways to educate, support and grow the community, as well as customer knowledge and awareness. BY REBECA ROMERO RAINEY, PRESIDENT AND CEO, ICBA True relationships withstand the test of time, ebbing and flowing with the cycles of life, and such is the case with the community bank — customer connection. It’s not unusual to hear about a community bank having served a family or a business for generations, and that’s a testament to the strength of the relationship. As we consider marketing in this month’s issue, I took time to reflect on exactly what differentiates the community banker and how marketing can help in growing and retaining business. I kept coming back to the fact that, for community banks, marketing often points to finding ways to educate, support and grow the community, as well as customer knowledge and awareness. By extension, these promotional efforts assume a natural role in a community bank’s journey, just enhancing what are already mission-critical initiatives. For example, consider ICBA Chairman Brad Bolton’s Community Spirit Bank in Red Bay, Alabama, and its work to share tips for financial resolutions in the local paper. Offering that information to the community helps individuals strengthen their financial savvy and supports a broader story of community bank leadership. Or look to ICBA Past Chairman Bob Fisher’s bank, Tioga State Bank, in Spencer, New York, and how it teams up with local television stations to support cause-related activities, like the No Shave November Cure the Blue 5K. Not only does this event help raise funds for an important program, it also demonstrates the bank’s involvement with and commitment to its community. These examples offer only a snapshot of what community banks all over the country do to support their communities from a mission-based approach. In many cases, the added promotion these efforts deliver is a side benefit to serving the community. That’s precisely why these efforts are successful: they garner attention because they are the right things to do. These stories create a value proposition around why banking with a community bank is so vital, and the differentiation from megabanks and credit unions happens by leading with the community bank relationship model front and center. So, as you think about your bank’s planned storytelling this year, know that ICBA is standing by to help. In fact, stay tuned for a very exciting announcement that we’ll be making during ICBA LIVE, which will shine a light on what differentiates community banking. And our work won’t stop there. We invite to you join us in this next step of our journey as we continue to tell the community banking story. Because beyond promotion, what you do matters to the customers and communities you serve. You are and will remain a partner through your customers’ lives and financial journeys. From a marketing perspective, that’s an ideal place to be.  Connect with Rebeca on Twitter @romerorainey. 4 In Touch

» Call Rick Gerber or Ryan Gerber at 1-866-282-3501 or email rickg@chippewavalleybank.com ryang@chippewavalleybank.com 1. Calling us is the first step. 2. You email us the appropriate documents of information. 3. CVB preparing the loan documents generally within 5 to 10 days. 4. Meeting the customer. We will come to you to sign loan documents. 5. CVB wires the funds. 6. Wow that was easy. IS YOUR BANK SUFFERING UNREALIZED SECURITY PORTFOLIO LOSSES? ARE YOU IN NEED OF A CAPITAL INJECTION? Bank Stock and Bank Holding Company Stock Loans up to $50 Million Done the Simple Way

Community Banks carry an ongoing burden of compliance for information technology (IT). Examiners expect the bank to undergo annual IT audits, penetration tests, policy reviews, and complete comprehensive technology plans, risk assessments and cybersecurity self-assessments all while trying to do the real work of banking in the community. Why do regulators expect this level of paperwork? What is the purpose of all those self-assessments and evaluations, and who, ultimately, is responsible for getting them done? The answer lies in the realm of IT Governance. In this article, we’ll explore: • What is IT Governance? • Why is it important? • Who is responsible? • How do you implement your own IT Governance Program? IT Governance: What it is – What it isn’t IT Governance is not about the day-to-day management, procurement, installation and running of IT systems. It’s not about keeping the lights on and the wheels turning. Instead, IT Governance can be defined as the processes that ensure the effective, efficient, and safe use of IT to enable an organization to achieve its goals. The key word here is “goals.” Not IT goals, but the business goals of the bank which IT is serving. What are the primary business goals of your community bank? At a high level, almost all have the same goals: to provide quality, competitive, profitable, timely, confidential, (add your own adjective here) banking services to businesses and individuals within your community. A bank’s business goal is not to provide technological services, but to provide banking services. IT’s role is to serve those goals through efficiency, innovation, cost reduction, competitive advantage, security and marketing, to name a few. BY MIKE GILMORE, CHIEF COMPLIANCE OFFICER, RESULTS TECHNOLOGY Using IT Governance to Achieve Your Bank’s Business Goals RESULTS TECH TALK Endorsed Partner 6 In Touch

The purpose of IT Governance is two-fold: 1. Ensure that IT generates business value for the bank; and 2. Ensure that controls are in place to best mitigate the risk posed by technology. Who is Responsible for IT Governance? The easy answer is “everybody”, but the best answer is “whoever sets the business goals for the bank.” Those who set the goals determine the course of governance in all aspects of the business. Ultimately, the Board of Directors has responsibility. The Board sets in place policies, procedures, values, and long-term planning to meet the mission of the organization and the requirements of all stakeholders. Senior Management implements the directives of the Board and makes sure that policies and procedures apply to everyone. Governance is very much a top-down implementation, but ultimately everyone in the organization has responsibilities to see it operate effectively. How to Implement an IT Governance Program The thought of implementing your own program may be overwhelming, but fortunately, you don’t have to start from scratch. There are a lot of thoughtful organizations who have put together IT Governance Frameworks. These are sets of tools, policies, standards and processes that can help in implementing a systematic approach to IT Governance. Common frameworks include COBIT, ITIL, COSO, CMMI and FAIR. These frameworks differ somewhat in emphasis and utility, but each offers guidelines for setting up and following an IT Governance program. Example: COBIT COBIT stands for Control Objectives for Information and Related Technologies and is published by ISACA (Information Systems Audit and Control Association). COBIT is based on five principles that define the scope of the framework, and four domains that define the cycle of processes for maintaining the framework. COBIT also includes tools for evaluating an organization’s maturity level in governance. COBIT’s Five Principles 1. Meeting Stakeholders Needs: Identify all stakeholders affected by IT and how IT provides business value and security. Include all internal as well as external stakeholders. 2. Covering the Enterprise End-to-End: The framework should be inclusive of everyone within the organization: top to bottom, all assets, no exceptions. 3. Applying a Single Integrated Framework: Set the rules and stick to them. 4. Enabling a Holistic Approach: This principle recognizes that there are a lot of interacting parts of an organization and this framework helps to manage that complexity. 5. Separating IT Governance from IT Management: • IT Governance: Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be Mike Gilmore is the Chief Compliance Officer of RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years of experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com. achieved; sets direction through prioritization and decision-making; and monitors performance and compliance against agreed-on direction and objectives. • IT Management: Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. COBIT’s Four Domains COBIT’s four domains are where the functional meat of your IT Governance program lies. The domains should be treated as a set of recurring, cyclical tasks that are continually revisited to ensure that IT is aligned with changing goals and ever more concerning security threats. 1. Align, Plan and Organize: The first step is to take a detailed look at your existing IT systems and infrastructure and make sure that they align with your business goals and risk threshold. 2. Build, Acquire and Implement: The implementation and maintenance of IT should be guided by the informed, intelligent review conducted in the first domain. 3. Deliver, Service and Support: Track IT support and delivery and gather data on the type, frequency and severity of support issues. 4. Monitor, Evaluate and Assess: Continually monitor the status of IT systems, evaluate in terms of business and security goals, assess risk, and adjust as needed. The full COBIT framework dives down to a very detailed level. It’s worth the effort to review the varied frameworks and adopt one that appears to best match your bank’s internal and regulatory requirements. What to Keep in Mind When Developing an IT Governance Program Whichever model you chose, or if you chose to design your own, remember these important points: • IT Governance is not IT Management. • IT Governance is the process that ensures the effective, efficient, and safe use of IT to enable an organization to achieve its goals. • IT Governance is top-down and is initiated by the Board and Senior Management – but everyone in the organization has some level of responsibility. • IT Governance Frameworks provide the guidance to implement your own governance program. • Governance is a cyclical process that requires ongoing evaluation, monitoring, and review.  cbak.com 7

IT COMPLIANCE & SECURITY FOR COMMUNITY BANKS Watch our video! www.resultstechnology.com/bank-solutions/ Managed IT Cybersecurity Backup & Business Continuity Audit & Exam Support IT Planning & Budgeting Security Awareness Training RESULTS Technology is a family-owned, award-winning provider of managed IT compliance, infrastructure & cybersecurity services for banks. We have been helping banks reduce risks and achieve operational efficiency for more than 20 years. RESULTS Technology | 12022 Blue Valley Parkway, # 524, Overland Park, Kansas 913.928.8300 | info@resultstechnology.com www.resultstechnology

IS YOUR COMMUNITY BANK BOND PORTFOLIO PERFORMING? Meet Jim. Jim meets with community bankers across the U.S. to discuss ICBA Securities’ investment products, services, and education through our exclusively endorsed broker, Stifel. Investing through ICBA Securities is a direct investment back into the community banking industry. When Jim is on the road, he always takes time to enjoy local restaurants and share on social media. As an ICBA member, you’ve got Jim’s help investing. Learn more at icba.org/securities cbak.com 9

BY PAULA KING, ABRIGO ONE TWO THREE Executive Summary Commonly known as the CFPB 1071 Rule, upcoming requirements to be finalized in 2023 by the Consumer Financial Protection Bureau (CFPB) will represent the most significant effort of data collection and reporting for financial institutions in nearly 50 years. The checklist provides lenders with seven steps to prepare for compliance with this new rule. Introduction Section 1071 of the Dodd-Frank Act amended Regulation B — Equal Credit Opportunity Act (ECOA). On Sept. 1, 2021, the CFPB issued a proposed rule to require financial institutions and others to compile, maintain, and submit to the CFPB certain data points on applications for credit for small businesses, including those owned by women and minorities. While officially titled “Small Business Lending Data Collection Under the Equal Credit Opportunity Act (Regulation B),” the proposed rule is often known as the CFPB’s 1071 Rule. The primary purposes of reporting this information are to: • Provide tracking of small business credits to enforce fair lending laws • Enable creditors to identify and support the business needs of women and other minority-owned small businesses within the community CFPB 1071 Deadline Ahead The final rule is expected by March 31, 2023, with compliance required 18 months after the publication of the final rule. While 18 months may seem like a long lead time, don’t let that timeframe lull you into inaction. This is a major effort of small business data collection and reporting not experienced since the Home Mortgage Disclosure Act (HMDA) requirements of 1975. As community financial institutions have become more commercially focused, the data collection requirements of the 1071 rule may surpass those of HMDA. The following seven steps are a checklist for successful compliance with the final 1071 Rule: 1. Read the Rule and Familiarize Your Staff With Rule Requirements This may seem obvious, but spend the time needed to focus on the regulatory requirements of this particular guidance. This is especially important when complying with a regulation concerning the collection of applicant/borrower attributes – where it’s essential to know what you can and cannot ask. The Bureau is proposing to apply the rule to covered financial institutions. A covered financial institution is a financial institution or other entity, including fintechs, that originated at least 25 credit transactions that would be covered credit transactions to small businesses in each of the two preceding calendar years. After you’ve assessed whether you are covered under the 1071 data collection rule, the next step is to analyze your small business loan portfolio. 2. Analyze Your Small Business Loan Portfolio in Advance of the Compliance Date to Determine Impact The CFPB’s proposed definition of a small business is one that had $5 million or less in gross annual revenue for its preceding fiscal year. The bureau is seeking SBA approval for this alternate small business size standard pursuant to the Small Business Act. Next, covered credit transactions include loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural purposes and those that are also covered by the Home Mortgage Disclosure Act of 1975). If able, produce a report of small business loans that fit the revenue size above. In addition, if you have the minority information available, you can sort the data by that additional criteria. Either way, this exercise should provide insight into the impact that the 1071 rule will have on your institution. 3. Create Written Policies and Procedures Policies should include the following components, while procedures should represent more detailed instructions describing how to perform tasks associated with the rule: • Background and governance • Roles and responsibilities • Description of the 1071 rule’s impact on the loan portfolio (from the analysis above) CFPB 1071 RULE: Checklist for Compliance Success 10 In Touch

FOUR FIVE SIX SEVEN • General process of gathering, tracking, monitoring, and reporting pertinent information to comply • Process internal controls • Reporting and conclusions on compliance • Educational expectations for current and new staff • Collection of data • Recording of data • Monitoring and interpreting the data • Staff training 4. Determine a Plan to Gather Data Points and Set Up an Identification/ Data Collection System Data points can be divided into three categories: • System basic data points such as applicant/ borrower loan number, type, purpose, pricing details, and, for denied applications, the denial reason • Data points specifically related to the credit, such as business description, gross annual revenue, census tract, NAICS code, and owner and worker counts • Demographic data points, such as minority (and women) business status, owner ethnicity, race, and sex We recommend including detailed procedures for lenders and other staff collecting this data. You may need to update your internal checklists or application to ensure a centralized and standard place to record information. As with Regulation B and HMDA, there are specific rules related to the method of data collection. For example, suppose an applicant does not provide ethnicity, race, or sex information for at least one principal owner. The proposed rule states that the financial institution or entity must collect at least one principal owner’s race and ethnicity (but not sex) via visual observation and/or surname if the financial institution meets in person, or by video, with any principal owner. The applicant must provide the minority-owned business status and/or women-owned business status. The institution would not be permitted or required to report these data points based on visual observation, surname, or any other basis if the applicant chooses not to provide the information. More details to come on instructions on how to collect and report minority-owned business status, women-owned business status, and principal owners’ ethnicity, race, and sex. This phase of the rule will require targeted and detailed training for your staff to avoid actual or perceived discriminatory treatment. 5. Begin Tracking Data on a Rule-Compliant System The final rule should include a sample tracking sheet. However, we recommend that you strongly consider automation of this function. With more than 20 data points required to be reported under the proposed small business data rule, automation is key to efficiently utilizing staff and minimizing data collection errors. Ideally, these data points should be captured during the loan application or booking process. Check with your core provider to determine if they have or are considering automating the process as data is entered directly into their system. Additionally, if you are on a loan origination platform, your provider will most likely build a data-gathering document into that system, so check with your provider in advance. What if your institution doesn’t automate this function? In that case, Excel can be a useful tool for maintaining the required data points as long as you have primary and backup staff to maintain the spreadsheet, as well as an independent reviewer to perform a periodic spot-check of the data. The 1071 rule requires that institutions collect data on a calendar-year basis and report their data to the bureau by June 1 of the following year. The proposed rule will allow the CFPB to make the data available to the public annually. 6. Set up an Audit System to Periodically Check Small Business Loans by Cross-Referencing to Tracking Document One of the primary reasons for the rule is to ensure that financial institutions are addressing the credit needs of minority small businesses and that institutions are pricing and determining other loan terms in a manner that does not discriminate against the minority-owned small business. The development of analytical reports and periodic monitoring of small business lending is essential for compliance and to identify areas of concern, mitigation, and reporting. Consider a quarterly compliance scorecard approach to identify loan pricing exceptions and set baseline performance indicators. 7. Finally, Consider Assistance From Third-Party Resources From educating and clarifying rule components to creating policies and procedures, a third-party provider can make compliance easier. Such a resource can: • Alleviate any staff bandwidth issues • Avoid interruptions in daily job requirements • Assist with best practices to gather information • Assist with the creation of or adaptation of current collection and/or loan pricing systems to ensure compliance with the rule Other considerations important for financial institutions as they implement the CFPB 1071 Rule include whether to: • Standardize small business lending loan originations, pricing, and fee structures • Develop an objective small business loan pricing model to mitigate unintentional disparate treatment resulting from lender subjectivity in interest rate, fee, and pricing structure • Automate the reporting of small business loan pricing exceptions to policy to be proactive in making future adjustments Conclusion In a recent survey of financial institution executives, the final 1071 rule was the top regulatory compliance concern — outranking BSA/AML rules, beneficial ownership requirements, and CECL obligations. With Community Reinvestment Act reform also expected to increase data collection and reporting requirements for some financial institutions, it’s prudent to plan early for the CFPB 1071 changes. Working with dedicated third-party risk management consultants or advisors is a way to ensure compliance with CFPB 1071 while minimizing institutional disruption.  cbak.com 11

To find out how bankers will confront challenges associated with a changing technology landscape, digital acceleration, cybersecurity, regulatory changes and more, CSI surveyed banking executives from across the nation about their strategies and priorities for 2023. The results of this annual survey are outlined in an interactive executive report and reflect both familiar challenges and emerging opportunities while also revealing the strategies that community institutions will deploy to stay competitive. In this article, we explore the top industry issues selected by bankers. What Did Bankers Identify as Top Issues? The CSI survey explored the challenges facing bankers this year, asking respondents to identify which issue will have the greatest influence on the industry in 2023. Bankers generally agreed on the industry’s biggest concerns in the coming year: • Retaining and Recruiting Employees: More than one-third (34%) of bankers described this as their biggest issue this year, rising from 21% going into 2022. Organizations across industries are feeling the ongoing effects of the Great Resignation, and banking appears to be no exception. However, the outflow of workers from the service and tech industries, paired with growing interest from young applicants, creates an opening to attract customer-oriented and tech-savvy talent. To attract this influx of fintech talent on the market, many financial institutions are focusing on improving the employee experience, upping their compensation package game and even offering remote or hybrid work. • Regulatory Change: With 27% of bankers selecting this as their top issue, regulatory change remains of constant significance to financial institutions. While there is a host of regulatory issues to consider, several of which are outlined in the executive report, bankers are most concerned about overdraft fees and potential UDAAP violations (74%), followed by cybersecurity compliance (68%). In addition to existing rules and regulations, the Current Expected Credit Losses (CECL) methodology goes into BY SHANE FERRELL, VICE PRESIDENT OF PRODUCT STRATEGY, CSI effect for the final group of financial institutions this year. Additionally, everyone is anxiously awaiting the final rule on Section 1071 of the Dodd-Frank Act and the Financial Crimes Enforcement Network’s (FinCEN) beneficial owner database. • APIs/Open Banking: Open banking APIs are on the minds of financial institutions everywhere, evidenced by this issue rounding out the top three at 17%. APIs allow separate systems to communicate with one another and determine what information is shared between them. Using open APIs enables third-party developers to build applications and services around an institution. Open banking APIs offer a host of benefits, including optimization of existing systems and integration with new technologies. Bankers selected platform banking (39%) as the most popular open API strategy for 2023. This selection is unsurprising, given that most banks rely on third parties to provide digital technologies like digital account opening, digital loan origination and payments technologies. Banks are also embracing Banking as a Service, a component of the open banking strategy, which allows them to partner with other institutions, fintechs or non-financial institutions to quickly launch digital banking products and payment solutions, including mobile payment services and purposedriven cards. Bankers’ Top Technology Priorities for 2023 Financial institutions must strategically choose where to use their limited technology resources to ensure they meet the demands of a tech-savvy population. This year’s results revealed where surveyed bankers plan to deploy their valuable dollars. • Digital account opening: Like the results from 2021 and 2022, digital account opening topped the list of bankers’ technology priorities at 55%. The continued push for improved digital account opening and digital lending reflects an environment in which many non-traditional institutions have created a seamless digital experience for customers. In today’s digital-first world, customers expect a world-class experience when opening a new account — making a customer-centric approach to digital account opening a priority for all institutions. EXPLORING BANKERS’ PRIORITIES AND PERSPECTIVES FOR 2023 Associate Member 12 In Touch

• Data analytics and reporting: Bankers are also aware of the capability of data and analytics to inform their strategic investments, with 47% prioritizing this technology. Only 29% of bankers selected reporting as a priority in 2022, suggesting that data will be increasingly leveraged for decision-making in the coming year. • Digital lending: 41% of bankers favor digital lending, and this technology has secured the third ranking for the past three years. In addition to improving the overall user experience and enabling quick loan origination, digital lending services improve efficiency, ease compliance and support efforts to use business intelligence and analytics. • Customer relationship management (CRM): While only 34% of respondents chose CRM as a technology priority, banks shouldn’t overlook how an effective CRM empowers them to meet customer needs. As institutions expand their digital presence, it’s imperative for them to maintain their sense of community and customer familiarity. An integrated CRM provides the means to build and maintain a strong connection with individual customers who previously relied on face-to-face interaction. Further, a truly integrated CRM does the same thing for the increasing universe of digitalfirst customers. Revealing the Greatest Cybersecurity Concerns As a prime component of our country’s critical infrastructure, financial institutions are targets of cyberattacks perpetrated by criminal and state-sponsored hacking organizations. Because of this, cybersecurity concerns continue to loom large for bankers. Bankers selected P2P or other digital fraud (29%) and data breaches (23%) as the top threats for 2023. As the risk of P2P or other digital fraud grows, fraud detection systems built with artificial intelligence (AI) represent a significant opportunity for banks. Using fraud systems with AI allows banks to identify incidents of fraud in real-time and expedite the investigation. While the financial services industry has made great strides in shoring up security measures to combat cyber criminals, securityminded consumers who follow best practices help mitigate risk and strengthen protection. Cybersecurity training is another strategy to prioritize, as banks benefit significantly from an informed customer base. Want the Full Results of the 2023 Banking Priorities Survey? As your bank navigates the changing technology landscape, explore the results of the 2023 Banking Priorities Survey by visiting www.csiweb.com/bp23.  cbak.com 13

Core and technology solutions backed by our unmatched support and customer care. At DCI, you’re not a number, you’re our rst priority. We’re here to support you every day, 24 hours a day. 100% U.S. BASED CUSTOMER SUPPORT 24/7/365

COLLATERAL ADVANTAGE A Variety of MBS Pools Can Spread Your Risk BY JIM REBER, PRESIDENT AND CEO, ICBA SECURITIES As many community bankers are still picking up the pieces from their bond portfolio’s meltdown last year, it occurs to me that the breathtaking rise in rates has created at least one byproduct that is both unusual in frequency and tangibly beneficial for future performance. Portfolio managers continue to embrace mortgage-backed securities (MBS) for several reasons. One is that they are loan surrogates. Since community banks are lenders by definition, the monthly cash flows are well understood and a nice fit for the balance sheet and interest rate risk. Each MBS pool is backed by hundreds, if not thousands, of conforming mortgages that have been underwritten to uniform standards. This allows securities to be compared with one another and for prepayment histories on given cohorts to be a basis to project future behavior. This also is one reason for the terrific liquidity in the pass-through market. What’s come to light in the wildly volatile 2022 is that borrowers’ rates can change in a hurry. In fact, they more than doubled last year. “Current coupon” pools are those new securities priced nearest to par (100.0) on the issue date each month. They increased at an alarming pace last year and hit levels not seen since 2003. For example, in January 2022, the current coupon on 30-year agency MBS was all of 2%. By April, it had squared to 4%. When mortgage rates peaked in October, a par MBS issued by Fannie Mae or Freddie Mac was all the way up to 6%. The Opportunity There have been several lengthy periods recently in which an investor in the mortgage market was limited to buying bonds with a small range of coupons. For the past 15 years or so, “small range” has been synonymous with “low.” In nine of those years, fed funds were anchored at 25 paltry basis points. Although there isn’t a high degree of correlation between overnight rates and 30-year mortgages, when money-market yields are “accommodative” (Fed-speak), it’s not likely that longer rates are historically impressive. So as community bankers try to set up their bond portfolios to take advantage of what’s available, there is now a wide range of options. One time-tested strategy is to diversify. (In fact, when is that not a good idea?) Sometimes that means issuer name, weighted average maturity (WAM) or even the age of the pools. This time around, it can also mean coupons. Endorsed Partner cbak.com 15

Spread the Wealth Let’s say you’re in the market for 15-year stated final MBS, and you ask your favorite brokers to show you several examples. There currently is a supply of securities with pass-through rates ranging from 1.5% up to 5%. Each incremental bump in rate will, of course, have an increase in price. Another piece of good news related to this is that even the higher coupons have only modest premiums, especially compared with 2021. If investors are unsure of their favorite flavor, they can buy several different structures, thereby guaranteeing they will be pleased with at least some of the new purchases. (A pessimist might say they’ll be guaranteed to be displeased with some, but I’m going with the affirmative.) What also is clear is that an MBS with a below-market coupon will look very different from a “current coupon” in terms of prepayments, average lives, price volatility and, yes, yield. Currently, a 15-year 2% security is priced around 9 points below par, and the lifetime prepayment speed on the entire cohort is well under 10% annually, which is very slow. (It may be helpful to know that the average homeowner’s mortgage rate was 3.39% at the start of 2023.) One can expect these low coupons to continue to prepay very slowly, producing minimal monthly cash flow in the near term. If buyers are so inclined, they could layer in some 15-year MBS with, say, 4.5% coupons, which, at present, are at a slight premium. Because the borrowers’ rates will at some point be “in the money” to refinance, these pools will have shorter average lives than the discount pools and, quite possibly, higher yields. However, most relevant is that the portfolio will now be insulated against both rising and falling rates, and the average risk/reward metrics of the multiple pools would probably beat any one security currently available. Today’s lesson is that the debris of last year has created a simpleto-apply strategy of buying a historically wide range of coupons and, in effect, hedging your interest rate bets. Doing so can turn the collateral damage of 2022 into your collateral advantage of 2023.  Jim Reber (jreber@icbasecurities.com) is President and CEO of ICBA Securities, ICBA’s institutional, fixed-income brokerdealer for community banks. 2023 Webinar Series Continues ICBA Securities and its exclusive broker Stifel present the next installment of the 2023 Community Banking Matters webinar series on March 23 at 12 pm CST. The topic is “Solutions for a Challenging Environment.” To register, visit icbasecurities.com. Bond Academy Registration Open There are still some slots available for the ICBA Bond Academy on April 17–18, 2023, in Memphis, Tenn. Up to 11 hours of CPE credit are available. The event is hosted by ICBA Securities and its exclusive broker Stifel. For more information or to register, contact your Stifel sales rep or visit icbasecurities.com. Today’s lesson is that the debris of last year has created a simple-toapply strategy of buying a historically wide range of coupons, and in effect, hedging your interest rate bets. EDUCATION ON TAP 16 In Touch

FMSI www.fmsiconsulting.com 913.955.3355 FMSI is a small business founded and located in Kansas, specializing in assisting community banks to succeed, a mission consistent with core CBA values. We have partnered with community banks for nearly 25-years providing core advisory services including asset/ liability, investment, and liquidity management. FMSI advisors actively assess market conditions and bank balance sheets of different size, mix, and capital levels. Market conditions are constantly changing presenting opportunities and challenges for CBA member banks. Interest rates are increasing for the first time in nearly a decade and now is a perfect time to partner with a trusted, industry leader. Establishing an FMSI relationship provides confidence your bank is optimizing the balance sheet, deploying necessary strategies, maximizing profitability, and managing balance sheet risks. FMSI is a Kansas CBA Endorsed Provider cbak.com 17

The following questions and answers (Q&A) are drawn from questions asked by bankers calling the Community Bankers for Compliance Program (CBC) Compliance Hot Line. Please note that Young & Associates, Inc. is not engaged in the practice of law. The answers given here apply to individual situations that may differ from one institution to another. The advice of legal counsel should be sought on specific situations. PMI. Q: Our mortgage area is considering adding this paying for private mortgage insurance (PMI) upfront as an option for our borrowers. I am not familiar with this subject and want to make sure we are following the proper procedures. When a borrower pays for PMI upfront in a single payment, do they still need to receive annual notices or notice when the termination of the MI is met? Does the PMI company still issue a refund if the loan is paid off early or when LTV is less than 80%? A: All the PMI notice requirements still apply. In addition, by law, the PMI company cannot keep unearned premiums so they would have to refund if the customer paid off early, just like with monthly-payment PMI. TILA. Q: We closed a rescindable loan on December 21, 2022, so rescission ended at midnight on Saturday, December 24. However, with the weekend and holiday, the customer did not actually have their funds until Tuesday, December 27 (with the holiday observance on Monday). I just wanted to make sure that since rescission uses the precise definition of a “business day”, it does not matter that our office was closed on December 24, and that we can still count that as one of the three business days of the rescission period. A: For this loan, the bank is permitted to disburse after midnight on December 24 – as long as it is reasonably certain that no person entitled to rescind has canceled. In practical terms, the bank likely would not disburse until Tuesday, December 27 if the bank was closed Saturday and Monday, December 26 for the observed Christmas Day 2022. For rescission “business day” purposes, Monday, December 26 would still count as a “business day” (if there is a rescission period that extends over that day) since Christmas is one of the federal holidays that is defined by its specific date – December 25 – not by when the Federal Reserve and government observe Christmas. TISA. Q: Our bank would like to offer a limited-time certificate of deposit special. When it comes to advertising on the bank’s website would it be acceptable to include the “triggered terms” in a link or do they need to be on the same screen with the annual percentage yield (APY)? For example, the “triggered terms” could be accessible by clicking on a link labeled “Disclosure.” A: Linking to the additional required terms is allowed, but the link must take the consumer directly to the additional information (not some chain of multiple links to get there). Also, just labeling the link as “Disclosures” might not be clear enough to at least some average consumers. It might be better to have something like, “For additional information, click here” – with the link embedded in the last word. TILA. Q: The percentage of downpayment applies only to “credit sale transactions” – one in which the creditor is the seller – correct? For example, that would include loans the bank extends to finance the sale of repossessed property (home, car, etc.)? If the bank is not advertising financing this type of transaction but a simple transaction for the purchase of a home from some third party, we are permitted to say 80% LTV or 20% downpayment in our advertising with no additional triggered terms, correct? A: Correct. In Regulation Z, “downpayment” is defined so that it applies only to “credit sale transactions.” Therefore, mention – explicitly or implicitly – of a downpayment is not a “triggering term” for general loan advertising, QUESTIONS FROM COMMUNITY BANKERS FOR COMPLIANCE PROGRAM (CBC) MEMBERS BY BILL SHOWALTER, CRCM, SENIOR CONSULTANT, YOUNG & ASSOCIATES, INC. Associate Member 18 In Touch

only for advertisements of loans related to credit sale transactions. BSA. Q: In cases of check fraud where a customer’s checks were stolen from the mail and either altered or counterfeited, should the payees on these checks be listed as the subject of a suspicious activity report (SAR), or should they be included only in the narrative and CSV attachment file? Should the $5,000 threshold be used for individual items and a SAR filed on the individual payee or should all fraud items for the business customer be aggregated using the $5,000 threshold? Or should the $25,000 threshold for unknown suspect be used for all fraud items for the business customer and the details of all items be included in the narrative and CSV file? A: The bank will need to determine, based on the information known to them, whether the payees are considered “subjects.” Based on the filing instructions, it would probably be best to treat this all as one event and aggregate the checks and amounts. The bank will need to determine if they have known or unknown subject(s) for the mandatory filing thresholds. Because this bank has payee names, it must decide if that alone meets the definition of a “known suspect/ subject.” It is likely the names and/or identification (ID) used for these people are fake, though. Although the payee names and IDs could be fake, the information may be useful to the Financial Crimes Enforcement Network (FinCEN) if other SARs were filed using those names (or it could basically be useless). In a situation like this, there are two routes the bank can go. It would be acceptable to just check the box in Part I that all information is “unknown” and list the payees and the amount(s) of the checks that were payable to them, along with the dates and where they were cashed/deposited, in the narrative. Or, if the bank believes the payees have been identified, they could complete a separate Part I for each named suspect (the payee of each check), including only the dollar amount of the check(s) on which they were the listed payee. It would probably be best to report them all on one SAR to tie the activities together against the presumably one organization responsible for them. EFTA. Q: Does Regulation E require an error resolution log to be kept for tracking the dates, amounts/liability, etc.? I am not finding where it says that in the regulation, but management thinks it is a regulatory requirement. I was thinking it was more of an internal procedure/policy. A: Keeping a log or spreadsheet is not specifically required by the regulation. However, Regulation E does require financial institutions to maintain some record of their compliance with its provisions. In addition, when auditors or examiners review an institution’s Regulation E compliance, they usually ask for the log or other record of the Regulation E error resolution process. A log – whether maintained as a written hard copy or an electronic spreadsheet – provides a handy method for maintaining this compliance record, allowing the bank to both track the status of individual error resolutions and document its overall compliance with the applicable rules. TILA/ECOA. Q: Can banks terminate open-end credit lines for inactivity? Are the rules different for home equity lines of credit (HELOC)? If such lines may be terminated for inactivity, are we required to include this information at time-of-loan origination and would we need to send an adverse action notification at the time of termination/closure? A: Whether most types of open-end lines (other than HELOCs) may be closed for inactivity is not addressed by the federal consumer protection laws and regulations, so legal counsel should be consulted for any state law limitations. While not required, it would be prudent to inform customers that account inactivity could lead to the closure of their lines of credit. If such an account is closed, an adverse action notice is required if the termination does not affect all, or substantially all, of a class of the lender's accounts. HELOCs may be closed only in certain specific circumstances listed in the Truth in Lending Act and Regulation Z since the late 1980s. Account inactivity is not one of these listed circumstances. Flood insurance. Q: How does the bank handle a real estate loan with force-place flood insurance when the note balloons? Does the customer have to get their own insurance before the bank can renew the balloon? A: No. The bank may send the customer a notice encouraging them to get their own flood insurance because it may give them better coverage, etc. In the past, the bank would not have been able to rely on force-placed coverage as adequate flood coverage to allow it to make/renew/extend a loan. However, in May 2022, the agencies updated the Interagency Questions and Answers Regarding Flood Insurance and one of the answers in this document states that lenders now may rely on force-place flood insurance when refinancing, increasing, etc. an existing loan that has such coverage. Regulation D. Q: Does a business customer that is a DBA with an Employer Identification Number (EIN) still qualify for a NOW account? Normally, DBAs are registered under the owner’s Social Security Number (SSN). A: Whether an SSN or EIN is used for the account is not the governing issue. The key is whether the DBA is a sole proprietorship or not. If it is, it qualifies for a NOW. If it is a partnership or a corporation (Inc., LLC), it does not qualify for a NOW (but does for an interest-bearing DDA, as does anyone).  Young & Associates, Inc., provides banks and thrifts with support for their compliance programs, independent reviews, and inbank training, as well as a full menu of management consulting, loan review, IT consulting, and policy systems. cbak.com 19

38545 Partner with us for: • Loan participation purchases and sales* • Bank stock financing • Bank executive and employee financing *We do not reparticipate loans. Tracy Peterson Call me at 480.259.8280 Based in Phoenix, Ariz. Serving Arizona, Colorado and Kansas Our Mission Is to Help You Succeed Hit your target market Get more exposure • Increase revenue To advertise in this magazine, contact us today. 801.676.9722 | 855.747.4003 thenewslinkgroup.org sales@thenewslinkgroup.com 20 In Touch

1 2 4 5 8 THE TRUST COMPANY OF KANSAS (TCK) IS PLEASED TO ANNOUNCE Several WellDeserved Promotions 3 6 1 2 3 4 5 6 7 8 9 Matthew Broderick has been promoted to Assistant Vice President & Trust Officer. Paul F. Fowler, C.T.F.A. is being promoted to Senior Vice President & Trust Officer. Kalie Gillock has been promoted to Marketing Officer. Carol J. Lindner has been promoted to Senior Vice President – Compliance & AML Officer. Lisa Mauck has been promoted to Senior Vice President & Operations Officer. Terry Richards, C.T.F.A. has been promoted to Senior Vice President & Trust Officer. Ramona Riggs has been promoted to Trust Officer. Mary Rupp has been promoted to Assistant Vice President & Cashier. Jess Sojka has been promoted to Trust Officer. 9 7 cbak.com 21

ANNIVERSARIES Congratulations to the banks celebrating March and April anniversaries as chartered institutions! March 149 years, est. 1874 First National Bank — Sedan 141 years, est. 1882 Farmers & Drovers Bank — Council Grove 131 years, est. 1892 State Bank of Downs — Downs 122 years, est. 1901 ESB Financial — Emporia 117 years, est. 1906 First National Bank — Syracuse 116 years, est. 1907 Farmers State Bank — Oakley 110 years, est. 1913 Kaw Valley State Bank & Trust Co. — Wamego 110 years, est. 1913 Swedish-American State Bank — Courtland 25 years, est. 1998 The Farmers & Merchants Bank of Colby — Colby April 140 years, est. 1883 FNB Washington — Washington 129 years, est. 1894 TriCentury Bank — De Soto 126 years, est. 1897 First Security Bank — Overbrook 125 years, est. 1898 Farmers State Bank — Westmoreland 120 years, est. 1903 Farmers State Bank — Wathena 118 years, est. 1905 Solomon State Bank — Solomon 114 years, est. 1909 Silver Lake Bank — Topeka 114 years, est. 1909 Southwind Bank — Natoma 102 years, est. 1921 First National Bank — Frankfort 43 years, est. 1980 The Bank of Protection — Protection Mortgage Investment Services Corporation 22316 Midland Drive • Shawnee, KS • 66226 • 913-390-1010 NMLS# 194708 • A Kansas licensed mortgage company #MC 0001182 Missouri Residential Mortgage Loan Broker Licence # 10-1912 Oklahome Mortgage Broker #MB001953 Colorado License #100044344 Nebraska Licensed Mortgage Company NMLS#194708 20+ Years! Depend On Us! For 20 years, community banks in the Midwest have depended on MISC’s expert mortgage services for their customers. • Free Loan Officer Training & Webinars •Offer all secondary market loan programs: VA, FHA, USDA/RD, Conventional & Jumbo •Earn more fee income with less risk Call or email today. Let’s discuss how MISC can help you! Joan Emas, Account Executive Andrew Holtgraves, Sr. Vice President Cell: 816-810-8878 Cell: 913-558-2555 Email: Joan@MISCHomeLoans.com Email: Andrew@MISCHomeLoans.com NMLS: #276932

RkJQdWJsaXNoZXIy ODQxMjUw