Table of Contents 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Pub. 3 2024 Issue 3

MAY/JUNE BUILDING ON THE PAST, BANKING ON THE FUTURE. A PUBLICATION OF THE INDEPENDENT COMMUNITY BANKERS OF COLORADO 2024’s Top Cybersecurity Threats Play Ball! National Pastime Gives Us Some Portfolio Management Guidance A Foundation of Growth for Community Banks DATA ANALYTICS

©2024 The Independent Community Bankers of Colorado (ICBC)|The newsLINK Group, LLC. All rights reserved. The Independent Report is published six times per year. The information contained is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the ICBC, its board of directors or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service. ICBC encourages a first-print policy, and every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at (855) 747-4003. 6732 West Coal Mine Avenue, #640 • Littleton, CO 80123 • 303.832.2000 2023-2024 OFFICERS ICBC CHAIRMAN Randy Younger President & CEO First National Bank Hugo-Limon ICBC PRESIDENT Tom Ogaard President & CEO Native American Bank ICBC PRESIDENT-ELECT Mike Hurst President Del Norte Bank ICBC ICBA STATE DIRECTOR PJ Wharton President & CEO Yampa Valley Bank ICBC STAFF EXECUTIVE DIRECTOR Mike Van Norstrand mvannorstrand@icbcolo.org ADMINISTRATION DIRECTOR/ TREASURER Maelynn Lewis mlewis@icbcolo.org LEGAL COUNSEL Christian Otteson Partner Otteson Shapiro LLP LOBBYIST Mary Marchun Founding Partner The Capstone Group 2023-2024 DISTRICT DIRECTORS DISTRICT A Dan Ebert, Vice President, Evergreen National Bank Bruce Hellbaum, President/CEO, RNB State Bank/Front Range State Bank Robert Holt, Senior Vice President, North Valley Bank Jeff Walker, Senior Vice President & CCO, Redstone Bank DISTRICT B Mark Brase, President, Points West Community Bank Tim Croissant, Market President, Bank of Colorado Travis Goeglein, Senior Vice President, First FarmBank Ed Rarick, President/CFO, High Plains Bank DISTRICT C Sean Lening, President, GN Bank Kathryn Perry, Senior Vice President, Park State Bank & Trust Lora Rose, CFO, The State Bank Andrew Trainor, President, Community Banking, InBank DISTRICT D Wade Gebhardt, Corporate President, Mountain Valley Bank John Stelzriede, Market President — Colorado River Region, Alpine Bank Joe Martinez, President & CLO, San Luis Valley Federal Bank Jeris Romeo, Community Bank President — Avon & Eagle, ANB Bank ICBC ADVISORY BOARD MEMBERS Eric Budreau Partner Eide Bailly Jim Hall Managing Director Bond & Specialty Insurance — Financial Institutions, Travelers Bill Mitchell President & CEO Bankers’ Bank of the West Christian Otteson Partner Otteson Shapiro LLP I C B C 2 | INDEPENDENT REPORT

CONTENTS 04 Support the ICBC’s Associate Members! 06 FLOURISH A New Tool for Your Team’s Career Development By Rebeca Romero Rainey, President and CEO, ICBA 07 ICBC Preferred Providers 08 51st ICBC 2024 Annual Convention 09 FROM THE TOP Continuing the Community Bank Legacy By Lucas White, Chairman, ICBA, President of The Fountain Trust Company 10 Data Analytics A Foundation of Growth for Community Banks By BHG Financial, ICBC Associate Member and Preferred Provider 12 2024’s Top Cybersecurity Threats By Steve Sanders, Chief Risk Officer and Chief Information Security Officer, CSI, ICBC Associate Member 14 8 Ways to Drive Deposit Growth Without Raising Rates By Matt Helsing, SVP & Northwest Regional Manager, PCBB, ICBC Associate Member 16 CECL: It Doesn’t End With Adoption By Elliott Holmes, Assurance Senior Manager, Plante Moran, ICBC Associate Member 18 The Latest Fraud Trends and Prevention Best Practices By Ryan Dutton, Senior Fraud Operations Manager, SHAZAM, ICBC Associate Member 20 Welcome New Associate Members 21 Congratulations!! ICBC High School Scholarship Recipients 22 Play Ball! National Pastime Gives Us Some Portfolio Management Guidance By Jim Reber, President and CEO, ICBA Securities, ICBC Preferred Provider and ICBC Associate Member 10 18 22 CONNECT Like us on Facebook ICBColo Connect with us ICBColo Follow us on X ICBColo Give us a call (303) 832-2000 Follow us on Instagram ICBColo PUB. 3 2024 ISSUE 3 INDEPENDENT REPORT | 3

SUPPORT THE ICBC’S ASSOCIATE MEMBERS! ACCOUNTING | COMPLIANCE CroweLLP.....................(303)831‑5023 EideBaillyLLP . . . . . . . . . . . . . . . . . . . (303)770‑5700 Fortner Bayens PC . . . . . . . . . . . . . . . . . (303) 296‑6033 FORVISLLP.....................(303)861‑4545 MossAdamsLLP . . . . . . . . . . . . . . . . . . .(503)471‑1277 Plante Moran** . . . . . . . . . . . . . . . . . . (303) 740‑9400 ADVERTISING | EQUIPMENT | PRINTING | SUPPLIES Kristopher James Company . . . . . . . . . . . . . (800) 274‑9212 Spry........................(303)323‑4341 CAREER ADVANCEMENT Graduate School of Banking at Colorado . . . . . . (800) 272‑5138 COMPUTER PRODUCTS | CONSULTING Alogent.......................(719)583‑8004 CivITas Bank Solutions . . . . . . . . . . . . . . . . (303) 291‑3700 (A Bankers’ Bank of the West Bancorp Inc. Subsidiary) Cook Solutions Group . . . . . . . . . . . . . . . (503) 260‑8562 Federal Protection Inc. . . . . . . . . . . . . . . . (800) 299‑5400 *SBS CyberSecurity . . . . . . . . . . . . . . . . (785) 594‑0503 CONSULTING | HUMAN RESOURCES AND MANAGEMENT | MARKETING | STRATEGIC PLANNING Bank Strategies LLC . . . . . . . . . . . . . . . . . (303) 291‑3700 (A Bankers’ Bank of the West Bancorp Inc. Subsidiary) BellBank.......................(701)371‑3355 Blendification . . . . . . . . . . . . . . . . . . . . (970) 274‑1723 CD Construction Consulting . . . . . . . . . . . . . (720) 701‑2122 Expert Business Development . . . . . . . . . . . . . (610) 771‑2121 *ICI Consulting Inc. . . . . . . . . . . . . . . . . . (316) 201‑8590 The James Paul Group . . . . . . . . . . . . . . . (877) 584‑6468 Kasasa.......................(877)342‑2557 MJCPartners . . . . . . . . . . . . . . . . . . . . (213)278‑0429 Piper Sandler & Co. . . . . . . . . . . . . . . . . . (415) 978‑5057 *S&P Global . . . . . . . . . . . . . . . . . . . . (434) 951‑6948 CORRESPONDENT BANKING SERVICE *Bankers’ Bank of the West . . . . . . . . . . . . . (303) 291‑3700 BellBank.......................(701)371‑3355 Citizens Bank Farmington . . . . . . . . . . . . . (505) 599‑0100 INTRUSTBank. . . . . . . . . . . . . . . . . . . .(800)732‑5120 PCBB....................... (888)399‑1930 TIB — The Independent BankersBank . . . . . . . . (972) 650‑6000 DATA PROCESSING | EFT | ATM | CARD PROCESSING | MERCHANT SERVICES *Bankers’ Bank of the West . . . . . . . . . . . . . (303) 291‑3700 BluePoint ATM Solutions LLC . . . . . . . . . . . . (540) 335‑2848 Computer Services Inc. . . . . . . . . . . . . . . . .(970) 212‑7104 Entrust.......................(720)279‑3287 *FIS . . . . . . . . . . . . . . . . . . . . . . . . (513) 900‑4661 FPSGOLD......................(801)201‑2525 *IBT . . . . . . . . . . . . . . . . . . . . . . . . .(512) 606‑1100 *ICBA Bancard / TCM Bank . . . . . . . . . . . . . (800) 242‑4770 Jack Henry & Associates . . . . . . . . . . . . . . . (417) 235‑6652 SHAZAM......................(515)288‑2828 VisaInc.......................(415)238‑3682 INSURANCE | BENEFIT SERVICES Bank Compensation Consulting . . . . . . . . . . .(303) 482‑1844 First Insurance Services Inc. . . . . . . . . . . . . . (719) 456‑2303 *ICBA Reinsurance . . . . . . . . . . . . . . . . .(888) 790‑6615 NFP Executive Benefits Company . . . . . . . . . . . (469) 252‑1037 *Travelers . . . . . . . . . . . . . . . . . . . . . (720) 200‑8416 Unitas Financial Services . . . . . . . . . . . . . . (800) 461‑9224 INVESTMENTS | FUNDING AND LENDING PARTNERS B:Side Capital . . . . . . . . . . . . . . . . . . . .(303) 657‑0010 TheBakerGroup . . . . . . . . . . . . . . . . . . (405)415‑7200 BancAlliance. . . . . . . . . . . . . . . . . . . . (301)232‑5423 *BHG Financial*** . . . . . . . . . . . . . . . . . (954) 263‑6399 The Citizens Bank . . . . . . . . . . . . . . . . . .(505) 599‑0145 Colorado Enterprise Fund . . . . . . . . . . . . . (303) 860‑0242 Colorado Housing and Finance Authority . . . . . . (303) 297‑7329 D.A.Davidson. . . . . . . . . . . . . . . . . . . (303)764‑6000 FHLBank Topeka — Denver Office . . . . . . . . . . (720) 212‑9873 First Bankers’ Banc Securities Inc. (FBBS) . . . . . . . (720) 709‑7613 Gill Capital Partners . . . . . . . . . . . . . . . . (303) 296‑6260 Holman Capital . . . . . . . . . . . . . . . . . . .(949) 981‑0237 *ICBA Mortgage . . . . . . . . . . . . . . . . . . (800) 253‑5356 *ICBA Securities . . . . . . . . . . . . . . . . . . (800) 422‑6442 IntraFi Network . . . . . . . . . . . . . . . . . . . (303) 706‑9265 Northland Securities Inc. . . . . . . . . . . . . . . (303) 801‑3380 Olsen Palmer LLC . . . . . . . . . . . . . . . . . (202) 803‑2620 West Gate Bank Mortgage . . . . . . . . . . . . . (402) 434‑4116 LEGAL SERVICES Arnold&Porter . . . . . . . . . . . . . . . . . . (303)863‑1000 Coan, Payton & Payne LLP . . . . . . . . . . . . . (303) 861‑8888 Godfrey Law Group LLC . . . . . . . . . . . . . . (303) 802‑6336 Hoffman Nies Dave & Meyer LLP** . . . . . . . . . (303) 860‑7140 León Cosgrove Jiménez LLP . . . . . . . . . . . . . (720) 689‑7749 LewisRocaLLP** . . . . . . . . . . . . . . . . . .(303)623‑9000 Markus Williams Young & Hunsicker LLC . . . . . . (303) 830‑0800 Otteson Shapiro LLP** (ICBC Counsel) . . . . . . . (720) 488‑0220 Spencer Fane LLP . . . . . . . . . . . . . . . . . (303) 839‑3838 StinsonLLP. . . . . . . . . . . . . . . . . . . . .(303)376‑8400 LOAN REVIEW SERVICES EideBaillyLLP . . . . . . . . . . . . . . . . . . . (303)770‑5700 Fortner Bayens PC . . . . . . . . . . . . . . . . . (303) 296‑6033 ICBC LOBBYING AND PUBLIC RELATIONS The Capstone Group (ICBC Lobbyists) . . . . . . . (303) 860‑0555 *ICBC Preferred Providers **Silver Associate Member ***Gold Associate Member 4 | INDEPENDENT REPORT

♥ Bankers’ Bank of the West bbwest.com ▪ 800-873-4722 offices in Denver and Lincoln Member FDIC ▪ Equal Housing Lender we champion community banking Bank Stock Loans | Loan Participations | Cash Management | ATM/Debit Proud Legacy Sponsor of ICBC and supporter of Colorado community banks for over 40 years!

FLOURISH As community bankers, we each wear multiple hats and have throughout the course of our careers. In fact, I’d say that no two of us have had the same journey. Our individual banks are as diverse as the communities we serve, and even when banking is “in the family,” how we ascended the ladder to our positions today differs greatly. The same applies to our teams. Community bank career paths have never fit a traditional, one-size-fits-all approach. We don’t simply promote in a hierarchical fashion. To be efficient and develop staff with both their and our banks’ best interests in mind, we have to be creative. We must ensure managers have a personalized plan in place for their staff, one that leverages day-to-day opportunities for career growth. At the same time, we want all employees to recognize they have a bright future with us. It’s precisely that unique approach to advancement that makes it difficult to articulate a clear career trajectory — and we’ve heard loud and clear that you are looking for a solution for that challenge, a way to better address professional development with your teams. So, I’m thrilled that at this year’s ICBA LIVE, we unveiled our new Professional Development Planner. This web-based, interactive tool offers a detailed overview of more than 80 community bank job functions and enables employees to research areas of interest, job descriptions and associated levels of responsibility. In addition, the tool generates the qualifications, competencies, specialized knowledge and on-the-job learning experience needed to qualify for a position. But it’s also geared toward managers to support their team’s professional development. For instance, using the planner, A New Tool for Your Team’s Career Development By Rebeca Romero Rainey President and CEO, ICBA managers can partner with employees to set personal goals and identify a path to their next career milestone. The tool further guides managers and staff by recommending specific training resources, providing clear direction on how to acquire the competencies required for each position. As you consider succession planning and your bank’s broader future, I encourage you to take a look at the Professional Development Planner and explore ways it will bolster your hiring efforts, help identify skill gaps and aid you in refining job descriptions accordingly. To view the Professional Development Planner, scan the QR code. https://icba.org/education/ resources/professionaldevelopment-planner As we look at this month’s best-performing community banks, we have to acknowledge there’s a direct correlation between having happy, well-trained and engaged employees and bank performance. Investing in our teams benefits not only employee retention and recruitment but also our bottom lines. And that’s a win-win path we can all get behind. … THERE’S A DIRECT CORRELATION BETWEEN HAVING HAPPY, WELL‑TRAINED AND ENGAGED EMPLOYEES AND BANK PERFORMANCE. 6 | INDEPENDENT REPORT

ICBC PREFERRED PROVIDERS ICBC Preferred Providers are selected by bankers just like you, so give them special consideration when considering their proposals for your bank! To learn more about ICBC’s Preferred Providers contact the ICBC at (303) 832-2000. Please note: ICBC endorses the listed companies but not all products offered by the company. Contact: Scott Wintenburg | swintenburg@bbwest.com | (303) 291-3700 or (800) 601-8630 Merchant services from Bankers’ Bank of the West help you grow customer relationships with mobile payments technology, competitive unbundled pricing, efficient approvals and startups, responsive support and training. Contact: Keith Gruebele | kgruebele@bhginc.com | (954) 263-6399 Creator of the largest community bank loan network in the country. ICBC members can access the BHG Loan Hub, a secure, state-of-art loan delivery platform and the number-one source for professional loans. Contact: Mara Spears | mara.spears@fisglobal.com | (813) 205-9488 Turn your card program into a growth opportunity. With 40 years in payments and card processing, we can quickly relieve you of the regulation and compliance burden. In the end, working with FIS is a low risk, high return proposition because of our payments expertise and proven results. FIS drives the ICBC’s 24 location ATM surcharge-free network. Contact: Phil Layher | phil.layher@ibtapps.com | (512) 616-1188 IBT Apps® is an empowering core partner to community banks nationwide, offering end-to-end core and digital banking solutions that meet today’s customer demands. Their adaptable i2Suite banking system enables your bank to streamline operations, control costs and mitigate risks. Transform your bank with the power of one total solution. Contact: icba.org/solutions | (866) 843-4222 The ICBC supports and recommends the following products and services supplied by our national association, the ICBA: ICBA Bankcard and TCM Bank, N.A.; ICBA Compliance & Risk Management; ICBA Mortgage; ICBA Reinsurance; and ICBA Securities. Contact: Mike Hatch | mike.hatch@ici-consulting.com | (316) 201-8590 Since 1994, ICI Consulting has helped banks and credit unions to assess, cost justify, evaluate, and convert core processing, digital banking, EFT, lending, document imaging, CRM and branch solutions. Contact: Robb Nielsen | robb.nielsen@sbscyber.com | (605) 251-7375 SBS is your cybersecurity partner. Our offerings include: TRACTM – Cybersecurity risk management software; CyberRISKTM – Automated FFIEC cybersecurity risk assessment software; IT and Network Security Audits; Consulting Services; Full Service Vendor Management; Role-Based Certifications; Vulnerability Assessments; Penetration Testing and More! Contact: Joe Valdez | joseph.valdez@spglobal.com | (213) 549-2281 S&P Global combines exclusive analysis and in-depth data in real time for the banking, financial services and insurance industries. From bank branch data and government assistance programs to executive compensation and league tables, S&P is the final word in business intelligence on financial institutions. Contact: Brandon Tate | btate2@travelers.com | (720) 200-8465 Offering a wide range of customized insurance protection, Travelers SelectOne+® for financial institutions is designed to respond to the most recent trends in banking. INDEPENDENT REPORT | 7

FROM THE TOP When it comes to serving small businesses, community banks just get it. We understand the day-to-day situation, and we also know local businesses shouldn’t have to try to fit into a mold made by much larger institutions. If we attempt to apply a single product to all small business clients, the shoe won’t fit. So, we customize, developing options geared to their unique needs. In short, we don’t require small businesses to fit into our solutions box; we build the box around them. For instance, at my bank, we developed a relationship with spouses who were looking for a home loan. They had been turned down by a large bank, and we were able to fulfill their needs — in multiple capacities. They also shared that it was a dream of theirs to own a nail salon, and after a few years, they were able to make the leap and turned to us for support. Their grand opening was planned for March 2020, but then the pandemic hit. We were immediately able to help by securing Paycheck Protection Program funds to keep their business afloat. By 2022, the salon had cleared over $550,000, and last year, we were able to finance their $2.9 million purchase of the strip mall in which their business operates. Another client, a local farmer who raises cattle, decided he wanted to get more for his beef and open a butcher shop. We helped him finance the hoop barn to expand his operation and supported the opening of the physical store. We took on some risk, as the butcher shop was untested with only projected figures to go on. But we were creative and able to support them. Community banks have countless stories like these, where we tailor a solution to particular requirements. Custom thinking allows us to meet disparate needs in ways that support our relationship-first model. But regulations like the Consumer Financial Protection Bureau’s 1071 rule will tie our hands, making it harder to get to yes. If we can’t collaborate with our borrowers to give them what they need, we’ll ultimately make fewer small business loans, which only hurts small businesses — the lifeblood of our economy. They need our advocacy more than ever so that policymakers don’t continue to enact one-size-fits-all restrictions that will lessen their success. So, as you just celebrated your customers during Small Business Month in May, continue to think about how you can advocate on their behalf and take time to honor how you support them because it takes out-of-the-box thinkers like community bankers to make small business dreams into realities. Lucas White is president of The Fountain Trust Company in Covington, IN. Continuing the Community Bank Legacy TOP 3 As community banks, we support a wide range of small businesses. Here are my most unique customers: 1. Amish carrier pigeon company. 2. Paper shop that manufactured old-fashioned paper. 3. Helicopter crop-dusting pilot. By Lucas White Chairman, ICBA, President of The Fountain Trust Company INDEPENDENT REPORT | 9

Embracing data analytics offers community banks a strategic opportunity to increase revenues and further support their communities. By thoroughly reviewing internal customer data, a bank may enhance customer engagement, improve underwriting, boost marketing results and more. However, smaller banks may not have the resources to audit and interpret customer data as thoroughly as large banks. So, this article explores how local banks can still harness internal information without overtaxing their budgets and staff. DATA ANALYSIS COMPLEMENTS PERSONAL RELATIONSHIPS There’s no substitute for the personal connections local banks have with their customers. Local roots, homegrown insights and first-name familiarity are tremendous assets. Still, some level of customer data analysis is advisable for small banks to thrive in the modern financial ecosystem. Banks whose boards and CEOs devote the necessary resources can be better positioned for success. PRACTICAL APPLICATIONS OF DATA ANALYTICS Data analytics can inform decision-making, drive product development, deliver a more personalized customer experience and more. Below is an overview of several practical applications: • Lending: Incorporating data analysis into loan underwriting can supplement or reveal more than FICO and credit scores. Analyzing behaviors that traditional metrics don’t (e.g., bank deposit history, property ownership, rent and utility payments) may provide clues about an applicant’s ability to manage debt. Data analysis can also supplement or replace traditional measures of credit risk. For example, individuals with short credit histories or recent immigrants often have weak credit scores or none at all. According to the CFPB, roughly one in 10 U.S. adults have no credit record at nationwide credit bureaus. In these cases, data analysis is essential to evaluate creditworthiness. • Fraud and Cybersecurity: Data analytics can help mitigate fraud and cyber intrusions. According to IBM, the average cost of a data breach in 2023 was $4.45 million. Today’s advanced analytics, such as machine learning and artificial intelligence (AI), can scrutinize real-time data and flag irregularities. Banks using these insights can identify questionable transactions and unauthorized system access. • Risk Management: Integrating market, economic and internal customer data helps detect changes to underlying conditions and develop timely, efficient response strategies. These insights identify risk factors that may adversely affect information security, operations, compliance and other functions. • Target Marketing and Customer Segmentation: Data analytics offer a holistic view of customers. This offers the potential for more relevant marketing messages, enhanced acquisition strategies and improved engagement, with personalized offers that align with customers’ specific needs. • Operational Efficiency: Data analysis can lead to faster, more confident loan decisions, automated internal reporting, lower costs, and streamlined processes, letting employees provide more personal attention to customers. DATA ANALYTICS A Foundation of Growth for Community Banks By BHG Financial ICBC Associate Member and Preferred Provider 10 | INDEPENDENT REPORT

TECHNOLOGIES AND TECHNIQUES Tools for data analysis come in many forms. They vary in cost and sophistication and can be conducted internally or by an external third party. Here are several examples: • Surveys: Simple customer surveys provide immediate feedback about how to better serve customers. “Surveys are an efficient and cost-effective way for banks to identify policies and practices that may need adjustment,” says Meghan Crawford-Hamlin, institutional division president for BHG Financial. • Open-Source Software: Open-source analytics provide universal and often free access to a product’s design, and can be a cost-effective way for smaller banks to launch new products and services quickly. Several popular open-source software tools offer data analysis applications for banks. • AI: AI can synthesize large volumes of data faster than most tools. It identifies non-obvious patterns and inconsistencies, making it ideal for loan underwriting and fraud mitigation. A growing number of open-source AI platforms are available for smaller banks. • Third-Party Specialists: Partnering with a specialized third-party provider can be a cost-effective strategy for banks limited by technology and employee capacity constraints. STARTING SMALL AND OTHER CONSIDERATIONS Experts advise smaller banks to begin data analysis slowly. Take small steps and learn from them. Let one success lead to another and use those victories to fund future efforts. Along the way, weigh these considerations: • Consider hiring a data analyst or data scientist to start analyzing data. • Decide whether to keep data analytics in-house or outsource it. • Consider aggregation tools that combine data from different systems for better insights. • Map out current data sources and systems to understand gaps and opportunities. Consider roles like chief data officer to oversee data strategy and execution. Community banks have a unique opportunity to thrive by combining local expertise and personalized service with data-driven insights and automation. This combination can help level the playing field against larger competitors. INDEPENDENT REPORT | 11 SOCIAL ENGINEERING NETWORK MONITORING BY COMMUNITY BANKERS FORCOMMUNITY BANKS CivITas Bank Solutions was born from the needs voiced by community banks for affordable real-world technology and information security solutions. Anne Benigsen President David Philippi VP - Business Development Chris Tuzeneu VP – Information Security PENETRATION TESTING VULNERABILITY SCANS info@acivitas.com www.acivitas.com

2024’S TOP CYBERSECURITY THREATS As the process of protecting systems, networks and endpoints from attack, cybersecurity is critical to any organization. Since banks must protect customer data, keeping up with evolving cyber threats and concerns is vital. In its annual “Banking Priorities” survey, CSI asked bankers across the country about their views on top cybersecurity challenges. This article explores how bankers view the changing cybersecurity landscape. EXPLORING BANKERS’ TOP CYBERSECURITY CONCERNS As part of our country’s critical infrastructure, financial institutions are prime targets of cyberattacks and must navigate an evolving threat landscape. Let’s examine the breakdown of bankers’ top cybersecurity concerns in this year’s survey: • Adapting to Changes in the Cyber Insurance Market: The results reveal that 19% of bankers view this as their top concern, which is unsurprising as cyber incidents continue to rise. In addition to cybersecurity monitoring solutions and increased personnel training, cyber liability insurance provides another layer of protection for institutions in the event of an attack. This result highlights a potential uncertainty about upcoming developments in the cyber insurance market, whether regarding price increases or coverage exceptions. Institutions should carefully review their coverage, and some are seeking assistance from IT governance services to evaluate their needs. • Being Unprepared to Respond to a Cyberattack: 18% of bankers expressed concern with their preparedness for cyberattack responses. As incidents evolve, institutions must ensure they plan accordingly, including developing and testing robust incident response plans (IRPs) that detail the steps to take in the event of a cybersecurity incident. Having an established IRP makes it easier for institutions to act decisively and minimize negative consequences if faced with a cyberattack. • Lack of Compliance with Cybersecurity Frameworks: 17% of bankers selected lack of compliance with cybersecurity frameworks as a top concern. Implementing robust cybersecurity frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), helps institutions identify and apply solid controls in high-risk areas. Proven frameworks also enable banks to maximize compliance initiatives and cybersecurity spending. • Cyber Risks Not Being a Priority for Executive Leadership: This year, 17% of respondents indicated concern that cyber risks are not a priority for their institution’s executive leadership. Institutional leadership should recognize cybersecurity as a business issue, and a chief information security officer (CISO) plays an important role in guiding cybersecurity spending. ARE BANKERS READY TO RESPOND TO CYBERSECURITY THREATS? Preparing for the inevitable cyberattack is a never-ending responsibility. Let’s gain insight into banking executives’ perspectives on their own cybersecurity readiness: • Improving Cybersecurity Education: 92% of respondents agree — with 50% strongly agreeing — that their bank could improve cybersecurity education. If your employees receive a suspicious email, do they know the proper steps to report it? Educating employees on evolving threats and the latest social engineering schemes is one of the most effective ways to mitigate cyber risk. • Understanding Cyber Risk: Most respondents (89%) agree they understand their institution’s cyber risk. But as risk continues to evolve, are banks keeping up with the latest threats? Understanding recent cyber incidents provides key insight into how bad actors execute attacks and helps institutions stay one step ahead. As discussed previously, consider implementing a cybersecurity framework to guide risk mitigation if you haven’t already. • Producing a Business Case for Cyber Spending: An overwhelming majority (92%) of respondents feel their CISO can produce a strategic business case for cyber spending. Since cybersecurity affects the entire organization, it should be viewed as a business issue. IT governance helps your institution ensure your technology investments support your unique goals while mitigating IT- and cybersecurity-related risk. IT governance experts can also supplement your CISO’s efforts in making a business case for cyber spending. By Steve Sanders Chief Risk Officer and Chief Information Security Officer, CSI, ICBC Associate Member 12 | INDEPENDENT REPORT

While these responses are encouraging, many financial institutions stand to benefit from hosting internal discussions between their CISO and other C-suite executives to ensure everyone is on the same page and confident surrounding cybersecurity preparedness. Additionally, they should focus on resource optimization, streamlined processes and a commitment to ongoing education to fortify their institution against the ever-changing threat landscape. HOW DO BANKERS FEEL ABOUT CYBERSECURITY COMPLIANCE? As cybersecurity threats increase, so does regulators’ emphasis on cybersecurity compliance, which involves fulfilling necessary regulatory requirements and implementing security controls for protection. This enhanced focus requires banks to uphold a secure IT infrastructure and proactively address risks. Given regulators’ increased focus on this area, it’s no surprise that 87% of bankers reported being at least somewhat concerned about cybersecurity compliance. Survey results reveal that bankers are using a variety of methods and tools to stay compliant. The top tools used for cybersecurity compliance are conducting risk assessments and impact analysis studies (46%). Well-executed risk assessments are a key component of a cybersecurity plan because they help organizations identify and manage financial, operational and other risks associated with internal and external incidents. WHY INSTITUTIONS SHOULD UNDERSTAND TOP CYBERSECURITY THREATS Dealing with cybersecurity threats is nothing new for financial institutions. Still, institutions should exercise constant vigilance and stay abreast of the latest threats to ensure they mount the most effective defenses. By keeping a pulse on current threats and where the cybersecurity landscape is headed, your institution will be better positioned to keep your network, data and users secure. Steve Sanders serves as CSI’s chief risk officer and chief information security officer. In his role, Steve leads enterprise risk management and other key components of CSI’s corporate compliance program, including privacy and business continuity. He also oversees threat and vulnerability management as well as information security strategy and awareness programs. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight. INDEPENDENT REPORT | 13

By Matt Helsing SVP & Northwest Regional Manager, PCBB, ICBC Associate Member Community banks in search of deposits might see raising rates as their best option to gain customers, but that’s an expensive proposition, particularly as the Fed contemplates lowering rates. Luckily, your bank can choose from a multitude of less‑expensive strategies for attracting deposits. Consider one of these alternative strategies before defaulting to interest rate increases to entice new business: 1. Analyze your customer base. Find out who your best, most loyal customers are. You can also use a comprehensive profitability tool to learn which customers are bringing in the most revenue for your institution. Target your marketing efforts specifically to these groups and identify what demographics they share. This will allow you to create more targeted advertising for these groups and lookalike customers. 2. Increase marketing efforts. Make it easy for potential customers to find you. Update your search engine optimization (SEO) so that your homepage comes up quickly on searches for financial institutions meeting your target markets, and make sure that your website has accurate branch information so that potential customers know your operating hours and how to get ahold of you. Use online advertising and make sure your website works well on mobile devices. Invest in your community by leading fundraisers or sponsoring financial literacy courses. Consider teaming up with your top business customers to make joint donations to worthy local causes. 3. Focus on multi-product relationships. Look for ways to cross-sell products to your current consumers to deepen that relationship. Loan customers could also add their own personal financial accounts; business customers could always benefit from additional cash and treasury management services. A way to encourage this is through limited offers or bundles to entice them to add new services or open additional accounts. TO DRIVE DEPOSIT GROWTH W I T HOU T R A I S I N G R AT E S 8 WAYS 14 | INDEPENDENT REPORT

4. Provide innovative business services. The more of a business’ back office that your institution powers, the more sense it makes for that business to bank with you. Offer cash management tools, risk management tools and digital payment solutions that all integrate seamlessly with other financial systems. Now is a good time to review your cash management pricing and service bundles to encourage existing and new business customers to take advantage of these services. 5. Partner with fintechs. Where appropriate, your bank might benefit from teaming up with one or more fintechs that can provide robust data infrastructure, treasury management tools and digital platforms that let customers conveniently use those tools. Pay close attention to integration costs, risk management practices and client referrals. 6. Offer incentives. Consider low-cost ways to help deposit clients get started banking with you. Pay sign-up and referral bonuses. Offer tiered rates that pay more as balances grow. Make mobile deposits easy. Provide limited free checks and identity theft protection. 7. Give customers an easy “on” ramp. Design your online account opening process to be simple and fast, especially from mobile devices. Easy onboarding is especially important for younger Gen Z customers who take a mobile-first approach. 8. Improve your customer service. Make your customer service friendly, knowledgeable about product offerings and able to solve problems in a single conversation. By the time someone calls or visits a branch with a problem, there’s a good chance they’ve already tried to solve it online or over the phone. Don’t pass them from hand to hand. The time and money that potential customers can save by doing business with a bank that offers smart solutions can greatly outpace what those customers might get from an extra few bp paid on deposits. Focus on these alternatives to achieve the long-term gains that higher interest rates just can’t get you. To continue this discussion or for more information, please contact Matt Helsing, SVP & Northwest Regional Manager for PCBB, at mhelsing@pcbb.com. Dedicated to serving the needs of community banks, PCBB’s comprehensive and robust set of solutions includes cash management services such as Settlement and Liquidity for the FedNow Service, international services, lending solutions and risk management advisory services. INDEPENDENT REPORT | 15

CECL: IT DOESN’T END WITH ADOPTION After years of anticipation and preparation, the Financial Accounting Standards Board’s (FASB’s) credit loss accounting standard, CECL, is now effective for all financial institutions. Larger institutions that file reports with the Securities and Exchange Commission (SEC) adopted the standard for fiscal years and interim periods beginning after Dec. 15, 2019. All other financial institutions adopted the standard for fiscal years beginning after Dec. 15, 2022. Although adoption is technically behind us, institutions can’t stop thinking about CECL now. Working through the adoption of the standard with our clients, we’ve identified several common issues that will require many institutions to enhance and refine their models, supporting documentation, and controls to better align with the standard and support the largest estimate on their balance sheet. The requirement to support critical modeling decisions doesn’t go away after adoption. FASB’s post-implementation review of the standard has also resulted in some additional guidance that institutions are required to comply with. CECL: LESSONS FROM THE FIELD Overreliance on Third-Party Vendors To assist with implementation and the ongoing calculation of the allowance for credit losses (ACL), many financial institutions are using third-party services and purchased applications. Although the methodology employed by most of these third-party models aligns with the standard and provides management with the necessary tools to mechanically perform otherwise complex calculations, the reliance on a third party doesn’t alleviate management’s responsibilities. Management is still required to maintain documentation that supports all significant modeling decisions, from the selection of an appropriate methodology to the ongoing support for all significant assumptions. It’s not sufficient to accept vendor model recommendations without assessing and documenting appropriateness for your specific institution. Inconsistent Qualitative Factor Framework For many institutions, a large majority of the calculated reserve still comprises qualitative factors. Qualitative factors are intended to adjust the quantitative portion of the calculation to reflect the extent to which management expects current conditions and reasonable and supportable forecasts to differ from the conditions that existed for the period over which historical information was evaluated (the lookback period). Institutions are still assessing qualitative factors under the logic commonly used with the incurred loss model by analyzing quarterover-quarter portfolios and macroeconomic trends; however, this analysis should be identifying differences in the portfolio By Elliott Holmes Assurance Senior Manager, Plante Moran, ICBC Associate Member 16 | INDEPENDENT REPORT

and economy when compared to the lookback period. Many institutions have also opted to use peer data to drive the quantitative portion of their calculation. When peer data is the basis for the calculation, qualitative factors should acknowledge differences between the institution’s portfolio and the portfolios of the peer group. Qualitative factors should also be supportable on a stand-alone basis. By assessing qualitative factors using this “directional consistency” concept quarter over quarter, it’s increasingly likely that the baseline hasn’t been supported to substantiate the total impact to the calculated reserve. Inadequate Internal Controls While review controls over your ACL calculation are likely similar to the controls that were in place under the incurred loss methodology, many CECL models are more complex and have additional considerations. When developing your controls over the detailed review of the calculation for mechanical accuracy, it’s important not only to consider manual inputs to the calculation each quarter but also to consider the consistent application of significant model settings and selections. Some models may have change management reports that can be reviewed, while other models may require that the detail reviewer manually review setting selections. Review controls for overall adequacy and reasonableness of assumptions also likely require enhancement with most models. While qualitative factors were likely the only assumption that needed to be assessed under the incurred loss methodology, most CECL models rely on additional assumptions that need to be assessed periodically for appropriateness. Some common additional assumptions to consider include: • Segmentation. • Lookback period. • Forecast and reversion period. • Prepayment and curtailment speeds. • Peer group selection. • Economic variables used to apply forecast adjustments. Models that rely on specific loan-level inputs will also require management to consider the appropriate design of the controls to ensure data integrity, such as loan boarding and maintenance review controls. ACCOUNTING STANDARDS UPDATE (ASU) 2022-02 Troubled Loan Modifications ASU 2022-02 became effective for financial institutions starting in 2023. This ASU eliminates the guidance for troubled debt restructurings (TDRs) and introduces new disclosure requirements to provide information about certain modifications to borrowers experiencing financial difficulty. Like the guidance for TDRs, identification of modifications for disclosure under this new ASU still starts with assessing whether the borrower is experiencing financial difficulty; however, there’s no longer a need to assess whether the modification constitutes a concession. Instead, there are four specific modification types that require disclosure: • Principal forgiveness. • Interest rate reduction. • Other-than-insignificant payment delay. • Other-than-insignificant term extension. Under the new ASU, loan modifications that meet the criteria for disclosure aren’t required to be individually evaluated for purposes of your ACL calculation. These modifications are assessed the same as the rest of the loan portfolio and should only be individually evaluated if they don’t share risk characteristics with the collectively evaluated population. Institutions should define their criteria for individual evaluation in their ACL policy. If a modification is individually evaluated, there are no longer the same requirements on how to measure the specific reserve. Like other individually evaluated loans, if foreclosure is probable or repayment is expected through the operation or sale of collateral, the calculation is based on the fair value of the collateral. If a discounted cash flow method is used, projected cash flows should be discounted using the postmodification contractual interest rate to derive the effective interest rate, which is also a change from previous guidance for TDRs. Updated Disclosures The disclosures for modifications made during the reporting period that meet the identification criteria are segmented by class of financing receivable and include: • Amortized cost basis by modification type, as well as the percentage relative to the total period-end amortized cost basis of the total class. • The financial effect of the modificationby-modification type. • Receivable performance in the 12 months after modification. • The amount and amortized cost basis of financing receivables that were granted the modification in the preceding 12 months and defaulted during the reporting period. These disclosures are required regardless of whether the modification is considered a modification of an existing loan or a new loan when assessed under the guidance within ASC 310-20. The ASU also enhances vintage disclosures for public business entities by requiring disclosure of gross write-offs by year of origination. This disclosure should cover each of the previous five annual periods starting with the date of the financial statements. However, upon adoption of the ASU, you wouldn’t have to provide the previous five annual periods of gross write-offs. This disclosure requirement is to be applied on a prospective-transition basis so that preparers can build the five-annualperiod disclosure over time. In part 4 of the Plante Moran CECL Guidebook Series, we provide examples of all required CECL disclosures, including the updates from this ASU. CONCLUSION Although all financial institutions have adopted CECL, efforts to refine models, supporting documentation and controls will continue for some time. As your institution works to comply, common pitfalls such as overreliance on third-party services, an inconsistent qualitative factor framework and insufficient internal controls should be addressed. Institutions should also review the 2022-02 ASU for additional post‑implementation guidance from FASB to ensure compliance. INDEPENDENT REPORT | 17

18 | INDEPENDENT REPORT

THE LATEST FRAUD TRENDS Debit card fraud is on the rise. It accounts for about 40% of all card fraud. Here’s what our SHAZAM fraud specialists are noticing and what financial institutions can do to protect their cardholders. SOCIAL ENGINEERING SCAMS ARE STILL COMMON Bad actors continue to use social engineering schemes to trick cardholders into providing their sensitive information. In these schemes, bad actors often claim to be a trusted financial partner or a representative of a well-known merchant. In their calls, emails or text messages, they will allege there’s a problem with a person’s card or account. These false narratives are meant to play on cardholders’ emotions to trick them into giving up their sensitive data such as their card number, log-in credentials or a one-time password. Education is key in protecting cardholders from being caught up in these malicious attacks. Remind them to be skeptical of unsolicited calls or emails. Cardholders should avoid giving out sensitive information by phone or via email. Financial institutions may need to verify personal information if a cardholder calls them, but never the other way around. Financial institutions should also review their internal verification processes. Pay attention to customer behaviors and listen to their responses. Empower staff members to investigate further if a cardholder request is unusual behavior from previous interactions. If their gut is telling them something is off, odds are they are probably right. FRAUDSTERS LURKING TO ATTACK BINS Cybercriminals are constantly looking to stay in the shadows to get their hands on cardholder information. The industry continues to see this behavior by fraudsters through enumerative account testing to identify valid issued cards and solve card issuance strategies. To make it more difficult for fraudsters to predict patterns it’s our recommendation, and industry best practice, to randomize card issuance in your assigned BIN range. Think of it this way — randomization is the equivalent of finding a needle in a haystack. Who wants to go searching for that? Certainly not a criminal. Financial institutions can go even further with card blocks. This gives you the power to manage authorization blocking at the primary account number and bank identification number levels. You can implement blocks by combinations of criteria or just one, for a specific amount of time or indefinitely. The wide array of available blocking criteria allows you to create blocks easily based on cardholder requests and fraud trends identified by your institution. ACCOUNT TESTING: THE FIRST SIGN OF FRAUD Fraudsters often test the waters on any cardholder information they may have illegally obtained by making a small transaction, typically under $5. If a test authorization is approved, fraudsters use the information to commit more fraudulent transactions or sell the information on the dark web. The ability to detect these threats before they can cause damage is critically important. Review active cases and submit updates when you confirm the activity with your cardholder. If the cardholder can’t be reached or the activity can’t be verified, update the case status to unable to confirm. You can also adjust your financial institution’s daily limits. A daily limit on debit card withdrawals ensures the account associated with the debit card is safe and cannot be emptied in the event a person’s debit card is compromised. If your cardholders in general are not asking to raise limits, consider lowering them to better protect your cardholders and your financial institution. PROTECTING FINANCIAL INSTITUTIONS AND CARDHOLDERS Fraud investigations are a constant balance of risk versus convenience. It is important to remember even small fraudulent transactions can quickly become big problems for you and your cardholders if they go undetected. However, by investing time and resources into fraud mitigation strategies, you can reduce fraud losses for your financial institution and provide peace of mind for your cardholders. Ryan Dutton is an experienced fraud strategy manager with a 17-year history of working in the fraud detection industry, focusing on the management of payment card fraud. Ryan’s focus is managing payment card fraud. His work at SHAZAM gives him a front-row seat to the challenges facing community financial institutions. AND PREVENTION BEST PRACTICES By Ryan Dutton Senior Fraud Operations Manager, SHAZAM, ICBC Associate Member INDEPENDENT REPORT | 19

Welcome Coan, Payton Payne, LLC 999 18th Street, S3100, Denver, CO 80202 303.861.8888 | www.cp2law.com Coan, Payton & Payne, LLC (“CP2”) is a leader in the Colorado legal profession recognized for empowering the success of those we serve and distinguished by the exceptional quality of our people. Our banking, lending and creditor rights team provides a full range of legal services to the banking industry across all of Colorado with offices in Denver, Fort Collins and Greeley. CP2 is distinguished as a Best Law Firms™ by Best Lawyers®. León Cosgrove Jiménez, LLP 999 18th Street, Suite 1200S, Denver, CO 80202 720.689.7749 | www.leoncosgrove.com León Cosgrove Jiménez, LLP was founded in January 2013, based out of a single office located in Miami, Florida. In the last 11 years, we have grown to over 20 lawyers, all of whom specialize in complex litigation with key lawyers having experience in bankruptcy, class actions, arbitrations, and employment litigation. In addition, Marcos Jiménez, a former U.S. Attorney for the Southern District of Florida, leads our internal and government investigations practice. We have offices in Denver, Colorado, Austin & Houston, Texas, and New York City in addition to servicing clients across Arizona and Illinois. Ron Tomassi is the Managing Partner of the Denver team. We are trial attorneys, not just discovery litigators, for financial institutions of any size who require dedicated top-tier legal counsel. Formed by some of the most accomplished corporate litigation partners from major national firms, León Cosgrove Jiménez, LLP cuts through the clutter of multi-level legal organizations, delivering personal and effective representation with unmatched efficiency and access. We have been recognized as a Tier 1 ranked firm in U.S. News — Best Law Firms, based on the highly positive reviews our firm received from both clients and peer lawyers, and are over 11 years recognized by Chambers & Partners USA. We are also a certified minorityowned firm and a member of NAMWOLF and the NMSDC. MJC Partners 300 South Grand Avenue, Suite 4050, Los Angeles, CA 90071 213.278.0429 | www.mjcpartners.com MJC Capital Partners, LLC a wholly owned subsidiary of MJC Partners, LLC and is a Member of FINRA/SIPC therefore this message, and any of its attachments, is for the intended recipient(s) only and it may contain information that is privileged, confidential, and/or proprietary information and subject to important terms and conditions. If you are not the intended recipient, please delete this message and notify the sender immediately. No confidentiality, privilege, or property rights are waived or lost by any errors in transmission.

RkJQdWJsaXNoZXIy MTg3NDExNQ==