Pub. 16 2021-22 Issue 4

NOVEMBER/DECEMBER 2021 A Message from NBA's President: Workforce Strategies



NEBRASKA BANKERS ASSOCIATION, NOVEMBER/DECEMBER 2021

EDITORIAL: Nebraska Banker seeks to provide news and information relevant to Nebraska and other news and information of direct interest to members of the Nebraska Bankers Association. Statements of fact and opinion are made on the responsibility of the authors alone and do not represent the opinion or endorsement of the NBA. Articles may be reproduced with written permission only.

ADVERTISEMENTS: The publication of advertisements does not necessarily represent endorsement of those products or services by the NBA. The editor reserves the right to refuse any advertisement.

SUBSCRIPTION: Subscription to the magazine, which began bimonthly publication in May 2006, is included in membership fees to the NBA.

©2021 NBA | The newsLINK Group, LLC. All rights reserved. Nebraska Banker is published six times each year by The newsLINK Group, LLC for the NBA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the NBA, its board of directors, or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. Nebraska Banker is a collective work, and as such, some articles are submitted by authors who are independent of the NBA. While Nebraska Banker encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at 855.747.4003.

CONTENTS

PRESIDENT’S MESSAGE: WORKFORCE STRATEGIES
As I was sitting down to finalize my magazine column for the month, I received a notice from the Nebraska Department of Labor indicating the state’s unemployment rate for September had fallen to 2.0%, tied for the lowest unemployment rate ever recorded by a state. Similarly, the rate in Lincoln had dropped to 1.3%, a record low for the Capitol City.
Richard Baier, President and CEO, Nebraska Bankers Association

THE IMPACT OF AN INTERNSHIP
Growing up on a farm near Arlington, Krista Prinz was heavily involved in 4-H and FFA. When it came time to choose a college major, the ag banking and finance option of the agribusiness major at the University of Nebraska-Lincoln (UNL) was a natural fit.

WASHINGTON UPDATE: TO PAY OR NOT TO PAY: RANSOMWARE ATTACKS OFFER AN UNSAVORY CHOICE
It’s the message a CEO never wants to receive: “We’ve got your data and you need to pay up if you want it back.”
Rob Nichols, President and CEO, American Bankers Association

COUNSELOR'S CORNER: A VICTORY FOR SECURED LENDERS: NEBRASKA SUPREME COURT CONFIRMS A SECURED LENDER’S RIGHT TO COLLECT ITS BORROWERS’ ACCOUNTS UPON DEFAULT
Lenders often require their borrowers grant them a security interest in their accounts in order to secure the borrowers’ loan obligations.
Brian Barmettler, Nicholas Buda and Brandon Tomjack, Baird Holm, LLP

TECH TALK: CONTROLS TO REDUCE VENDOR BREACH RISK
The thought of a vendor breach is terrifying. We engage in vendor relationships because the value proposition is that the vendor will provide us better service and security than we can provide for ourselves, often at a lower cost than we would incur to perform and secure the service for ourselves.
Cody Delzer, CISA, CDPSE, SVP IS Consultant/Regional Director, SBS CyberSecurity, LLC

COMPLIANCE ALLIANCE: OCC RELEASES PROPOSAL TO RESCIND CRA FINAL RULE AFTER A FALSE START
New leadership usually takes us into the future. The Office of the Comptroller of the Currency (OCC) is reversing this trend by first taking us into the past for a bit.
Chris Bell, Associate General Counsel, Compliance Alliance

CHECKING IN ON THE BANKING INDUSTRY
2020 was a year of challenges in many aspects of life, business, and the economy. The start of 2021 brought a close to a tumultuous year and opened the door to a year of economic recovery and hope for more normal times.
Dale Sheller, The Baker Group

EDUCATION CALENDAR

NEBANKERS.ORG
233 South 13th Street, Suite 700
Lincoln, NE 68508
Phone: (402) 474-1555 • Fax: (402) 474-2946
nebankers.org

NBA EDITORIAL STAFF
RICHARD BAIER, NBA President and CEO, richard.baier@nebankers.org
KARA HEIDEMAN, Director of Communications and Marketing, kara.heideman@nebankers.org

NBA BOARD OF DIRECTORS
KIRK RILEY, NBA Chairman, (308) 784-2515, Waypoint Bank, Cozad
STEPHEN STULL, NBA Chairman-Elect, (402) 792-2500, Farmers State Bank, Dodge
KATHRYN BARKER, (402) 333-9100, Core Bank, Omaha
NICHOLAS BAXTER, (402) 341-0500, First National Bank of Omaha, Omaha
CORY BERGT, (402) 434-4321, Wells Fargo Bank, N.A., Lincoln
JOHN BOTHOF, (402) 334-0300, Northwest Bank, Omaha
JOHN DAUBERT, (402) 323-8008, Security First Bank, Lincoln
JUSTIN DOUGLAS, (402) 975-2036, Bancook Corp., Cook
DANIEL FULLNER, (402) 454-1000, Madison County Bank, Madison
KARL GRAMANN, (402) 988-2255, Adams State Bank, Adams
KIM HAMMES, (402) 918-2332, Bank of the West, Omaha
REX HASKELL, (402) 687-2640, First Northeast Bank of Nebraska, Lyons
CURTIS HEAPY, (308) 367-4155, Western Nebraska Bank, Curtis
KRISTA HEISS, (308) 534-2877, NebraskaLand Bank, North Platte
ZACHARY HOLOCH, (402) 363-7411, Cornerstone Bank, York
DONALD JIVIDEN, (402) 759-8113, Heartland Bank, Geneva
ZAC KARPF, (308) 632-7004, Platte Valley Bank, Scottsbluff
JOHN KOTOUC, (402) 399-5088, American National Bank, Omaha
STEVE KUNZMAN, (308) 382-4000, Home Federal Bank, Grand Island
KAYE MONIE, (308) 368-5555, Hershey State Bank, Hershey
RYNE SEAMAN, (402) 643-3636, Cattle Bank & Trust, Seward
JOSEPH SULLIVAN III, (402) 348-6000, U.S. Bank, N.A., Omaha
TRAVIS SEARS, (402) 323-1828, Union Bank & Trust Co., Lincoln
CHRIS WIEDENFELD, (402) 952-6015, Great Western Bank, Omaha
SCOTT ZIMBELMAN, (308) 784-2000, Homestead Bank, Cozad
CHRIS HOVE, NBA Past Chairman, (402) 423-2111, Nebraska Bank of Commerce, Lincoln

PRESIDENT’S MESSAGE

As I was sitting down to finalize my magazine column for the month, I received a notice from the Nebraska Department of Labor indicating the state’s unemployment rate for September had fallen to 2.0%, tied for the lowest unemployment rate ever recorded by a state. Similarly, the rate in Lincoln had dropped to 1.3%, a record low for the Capitol City.

Every industry in the state, including banking, is facing monumental workforce challenges. Recent NBA analysis suggests Nebraska regularly has over 500 bank job openings. The reality is that the current workforce shortage may not subside for many years! Therefore, it is imperative the banking industry and the NBA think differently about how to attract and retain the best and brightest.

Causes for the lack of workers are varied. For years, demographers warned us about the coming war for talent tied to the mass retirement of the Baby Boomer generation. According to the labor market data company Emsi, in 2020 alone, approximately three million Baby Boomers left the workforce, many of them in highly-skilled and senior-level positions. COVID-19 has also drastically altered the employment landscape. The United States is experiencing a tidal wave of early retirements and a sizable number of people simply leaving the workforce. Finally, rural states like Nebraska have long struggled with the issue of “brain drain.” Experts at the University of Nebraska-Omaha Center for Public Affairs Research estimate the state annually loses 2,000 people between the ages of 25 and 35 who pursue career opportunities outside of the state.

To help address these challenges, the NBA is doubling down on its efforts to attend career fairs at colleges and universities, foster meetings with student groups, and create meaningful internships. We are also reevaluating our scholarship and philanthropic efforts.
A recent review of the NBA’s agricultural banking internship program, for instance, found that around 35% of the more than 150 students who have participated in the program since its inception are still working in Nebraska banks. Almost 40% of the students who have participated in the program over the past three years work at Nebraska banks. Finally, two of the students who participated in the program this past summer have already accepted job offers for June 2022. Our banks have done such a good job training these students that even our competitors at Farm Credit are actively trying to recruit these young finance/banking leaders. (Watch the NBA E-Update or reach out to Kara Heideman on our NBA team to find opportunities for your bank to engage with students and internship opportunities.)

While a sizable number of Nebraskans have traded in their full-time jobs for retirement or to pursue less structured opportunities, I would suggest that these individuals should be a primary recruitment target, assuming your institution is willing to be flexible. Not everyone is built for retirement; my dad retired three times. He liked to work so much that he actually worked part-time up until three weeks before his health got the best of him. I suspect there are bankers out there who share this desire to keep working even during retirement. Go get ‘em!

I am also aware of a number of young mothers who are interested in part-time professional opportunities. Consider matching these individuals and offering a full-time shared position. While this may take some extra coordination on the bank’s human resource team, it is an efficient way to secure excellent employees who are committed to the bank.

Offutt Air Force Base in Bellevue is home to more than 8,000 military members. Each year, a sizable number of these individuals transition or retire from the military. To help service members with this transition, the Department of Defense offers the SkillBridge program that allows active-duty military personnel to spend the last 180 days of their military service interning at a civilian job. Additionally, participating companies are asked to coordinate a structured “educational work” experience allowing transitioning service members to evaluate careers. Participants continue to receive military pay and benefits and are not paid by the sponsoring company. Even if your bank is outside the Omaha metro area, you can participate in the SkillBridge program. In addition to educational and employment services for military members, the Department of Defense Spouse Education and Career Opportunities program provides career services for military spouses, including the Military Spouse Employment Partnership job network.

Finally, remote work opportunities have evolved as a mainstream workforce strategy, thanks in large part to the pandemic. Nebraska banks have historically been recognized for offering flexible work environments, with many institutions focused on “family first.” Clearly, not every position within a bank can be performed remotely, but COVID-19 allowed the industry to identify positions that could be offered with even greater schedule flexibility. The NBA team has talked recently with several banks that plan to keep a portion of their team members in a hybrid model. Further, I have talked with bank leaders who now rely upon key managers who work entirely remotely. There is no question that remote flexibility creates significant challenges and opportunities, with a sizable number of unknown factors.

However, current times may require new strategies and priorities. Again, I encourage you to throw out your traditional view on the workforce and begin to think about how the future will look different. The NBA will be your partner as we move through these challenging times together.

Contact Richard Baier at (402) 474-1555 or richard.baier@nebankers.org.

THE IMPACT OF AN INTERNSHIP

Growing up on a farm near Arlington, Krista Prinz was heavily involved in 4-H and FFA. When it came time to choose a college major, the ag banking and finance option of the agribusiness major at the University of Nebraska-Lincoln (UNL) was a natural fit. The major includes both traditional finance classes and courses with an emphasis on agriculture. Students in the program are eligible to receive a scholarship and complete an internship at a Nebraska bank. The program is a partnership of the NBA and UNL and is designed to fill the need for ag bankers in Nebraska.

Prinz, currently the president of Citizens State Bank in Wisner, has worked in banking since completing her internship through the program in 2008. She credits her internship and the program’s curriculum with providing a solid banking foundation. Prinz has helped provide opportunities for future ag bankers by mentoring program interns at her bank. Banks are also able to reap a variety of benefits from the program.

Learn more about internships and how your bank can build the future banking workforce by visiting nebankers.org/interns.

WASHINGTON UPDATE

To Pay or Not to Pay: Ransomware Attacks Offer an Unsavory Choice
Rob Nichols, President and CEO, American Bankers Association

It’s the message a CEO never wants to receive: “We’ve got your data and you need to pay up if you want it back.”

Unfortunately, that message is landing in CEO inboxes increasingly often, as ransomware attacks ramp up in the U.S. In just the first six months of 2021, the Financial Crimes Enforcement Network identified $590 million in ransomware-related Suspicious Activity Reports — a 42% increase from the 2020 total of $416 million. And FinCEN reports that we could be on track to see a higher transaction value for ransomware-related SARs than we’ve seen in the past 10 years combined.

Ransomware attacks — which use malware to encrypt files on a computer or mobile device and render it unusable until a ransom is paid — present companies with an unsavory dilemma: pay a ransom to a criminal actor, or lose a potentially devastating amount of data, which could seriously compromise business operations.

These kinds of attacks are evolving quickly in sophistication and scope, and virtually any business could be targeted at any time. What’s perhaps most concerning is that criminal actors are increasingly targeting critical infrastructure entities, as we saw in the Colonial Pipeline incident earlier this year that caused a shutdown of a major East Coast oil provider. They’ve also begun branching out into “extortion-ware,” in which the hacker not only encrypts sensitive data but then goes the extra step and threatens publicly to release it unless the institution complies with their demands.

Given the potential operational and reputational consequences of these types of cyberattacks, banks need to have a plan in advance for how they’ll respond. There are a number of factors to consider.

First, while most companies choose to pay — cyber insurer Marsh McLennan reports that more than 60% of ransomware victims pay the requested ransom — it’s not always guaranteed that the encrypted data will be fully restored. In fact, one survey of more than 5,000 I.T. decisionmakers worldwide found that about half of those who did pay a ransom only recovered 65% of their compromised data. Twenty-nine percent said they only recouped about 50%. And even if a company’s ransom hacker unlocks all the encrypted data after the ransom is paid, the company will still need to take steps to clean that data and ensure it can’t be easily re-encrypted.

On the other hand, there are also several good reasons not to pay a ransom. There are the societal costs to consider — paying the ransom could perpetuate attacks on other institutions or entice the hacker to hit you again for more money. Paying a ransom could also erode trust from customers and business partners, as payment could signal a lack of continuity planning and preparation.

Either way, the first time you think about ransomware attacks and how to handle them should not be after your bank has fallen victim to one. To that end, ABA in October released a new Ransomware Toolkit, which provides helpful guides for protecting your bank against ransomware attacks, responding in the event of an attack, and determining whether to pay a ransom. The toolkit can be downloaded at aba.com/ransomware.

Ransomware represents a serious threat to all businesses. But the good news is that the financial sector is ahead of the game when it comes to cybersecurity, given the rigorous regulatory framework to which banks adhere. After all, as we found in a recent ABA/Morning Consult poll, consumers overwhelmingly trust banks the most to keep their personal information safe and secure. By addressing the problem of ransomware head-on and taking prudent steps to prepare, we can help our industry maintain its reputation as the “gold standard” for data protection.

Email Rob Nichols at rnichols@aba.com.

COUNSELOR’S CORNER

A Victory for Secured Lenders: Nebraska Supreme Court Confirms a Secured Lender’s Right to Collect Its Borrowers’ Accounts Upon Default
Brian Barmettler, Nicholas Buda and Brandon Tomjack, Baird Holm, LLP

Lenders often require their borrowers grant them a security interest in their accounts in order to secure the borrowers’ loan obligations. Accounts are arguably one of the most liquid types of collateral available to secured lenders and can sometimes lead to substantial recovery for lenders when loans go bad. Although the creation, attachment, and perfection of a security interest in accounts are fairly straightforward under the Nebraska Uniform Commercial Code (the “UCC”), foreclosing accounts is no easy task. You cannot send the sheriff or your local repo agent to collect a third-party’s legal obligation to pay your borrower.

Fortunately, the Nebraska Supreme Court recently confirmed a secured lender’s right to collect its borrower’s accounts and identified the applicable requirements and procedures in its decision of First State Bank Nebraska v. MP Nexlevel, LLC, 307 Neb. 198, 948 N.W.2d 708 (2020). But, as discussed below, the path to the decision was riddled with a puzzle of complicated statutory language and lender-hostile precedents from other jurisdictions.

The Facts of the Case

The case transpired like many familiar loan transactions. The bank loaned money to Husker Underground, a local construction business, and Husker Underground granted the bank a security interest in essentially all of its assets. In particular, Husker Underground granted the bank a security interest in its accounts: money third parties owed the debtor for construction services Husker Underground had performed. The bank properly perfected its security interest in Husker Underground’s accounts by filing a financing statement with the Nebraska Secretary of State.

A few years later, Husker Underground stopped making loan payments, and the bank declared Husker Underground in default. Upon Husker Underground’s default, the bank began exercising its remedies to collect Husker Underground’s obligations. The bank liquidated its collateral to minimize losses, including Husker Underground’s accounts.

Among other things, the bank attempted to liquidate Husker Underground’s accounts, as set forth in Part 6, Article 9 of the UCC. It sent deflection notices to one of Husker Underground’s account debtors — a company that owed Husker Underground money for construction projects — and demanded the account debtor pay all amounts due on the accounts directly to the bank instead of Husker Underground.

One of Husker Underground’s account debtors, MP NexLevel, ignored three of the bank’s deflection notices. Despite the warning in the bank’s notices indicating there may be adverse consequences for MP NexLevel if it continued to make its payments to Husker Underground rather than the bank, MP NexLevel paid Husker Underground more than $400,000 after receiving the bank’s notices. As a result, the bank filed suit against MP NexLevel to recover the amounts paid by MP NexLevel to Husker Underground after the bank sent its deflection notices.

The District Court Decision

MP NexLevel was not involved with the bank’s loan to Husker Underground and did not have any agreements with the bank. MP NexLevel’s contract was with Husker Underground, not the bank. What legal obligations did MP NexLevel owe to the bank? The law governing this matter is a complicated web formed by various sections of UCC Article 9.

First, after a debtor’s default, UCC §9-607(a)(1) allows a secured lender (the bank) to send deflection notices to its debtor’s (Husker Underground) account debtor (MP NexLevel), demanding the account debtor pay all amounts due on the account directly to the secured lender. Importantly, this section of the UCC does not create an independent duty owed by the account debtor to the secured lender; instead, any obligation the account debtor owes the secured lender is based on the agreement between the debtor and the account debtor.

Second, once an account debtor receives a valid deflection notice from a secured lender, the account debtor may only discharge its account obligations by paying the secured lender instead of the debtor according to UCC §9-406(a).

Third, in the event an account debtor ignores a secured lender’s deflection notices and continues paying the debtor, the account debtor has failed to discharge its payment obligations on the accounts. At that point, UCC §9-607(a)(3) allows a secured lender to step into its debtor’s shoes and sue the account debtor to enforce the account debtor’s payment obligations on the account.

When MP NexLevel ignored the bank’s notices, the bank stepped into Husker Underground’s shoes and sued MP NexLevel for breach of contract to collect the more than $400,000 still due on the account, even though MP NexLevel had already paid these amounts to Husker Underground. The bank requested the district court to enter judgment in its favor, but the district court declined.

The district court based its ruling on the text of UCC §9-406(a), which uses the word “assignment” and “assignee” rather than “security interest” and “secured creditor.” The district court held that only creditors with outright assignments of their borrowers’ accounts can use UCC §9-406(a) to enforce those assignments, but it does not apply to secured lenders with security interests in accounts. Since the bank had a security interest — not an outright assignment — the district court dismissed the bank’s case. The district court’s decision essentially stripped the bank of its security interest and left the bank without any option to collect over $400,000 of its collateral.

The Supreme Court’s Decision and the Law

The bank appealed the district court’s decision to the Nebraska Supreme Court, which reversed the district court. Relying on principles of statutory interpretation presented by the bank’s counsel, the Nebraska Supreme Court held there is no meaningful distinction between an “assignment” and a “security interest” for purposes of UCC Article 9 and a secured lender’s right to enforce its security interest in accounts. The Nebraska Supreme Court’s ruling confirms a secured lender can enforce a security interest in its debtor’s accounts similar to other tangible personal property, such as equipment and inventory.

The First State Bank Nebraska Court summarized the enforcement of security interests in accounts this way: Following a default — a term Article 9 leaves for the parties to define in their loan documents — the secured lender sends a notice directly to the account debtor instructing the account debtor to pay the secured lender directly. The account debtor may ask for proof the secured lender has a security interest in the account at hand. In most cases, the proof consists of the lender’s security agreements and other loan documentation showing the debtor is in default. Once the secured lender has provided satisfactory proof of its security interest or the account debtor failed to request such proof, the account debtor can only discharge its obligations on the account by paying the secured lender. The account debtor that opts to ignore the notices and continues paying the debtor is not discharging its debts on the account. In turn, the secured lender can step into its debtor’s shoes to enforce the account debtor’s payment obligations on the account.

The Nebraska Supreme Court correctly interpreted UCC Article 9. Any contrary ruling would have been inconsistent with the UCC’s comprehensive regulation of security interests in personal property, such as accounts, and had disastrous consequences for secured lenders who rely upon accounts as an important type of collateral. Were UCC §9-406(a) only to apply to “assignments” of accounts instead of security interests, many secured lenders would be without any avenue to legally require an account debtor to turn over funds due on an account. Instead, the Nebraska Supreme Court wisely ruled that the “assignee” in UCC §9-406 included a secured creditor with a presently exercisable security interest in its debtor’s accounts. First State Bank Nebraska, 307 Neb. at 220, 948 N.W.2d at 725.

For Nebraska lenders, the decision confirms accounts are valuable collateral that a secured creditor has the legal right to collect when the lender is enforcing its rights and remedies under Article 9 of the UCC.

By Brian Barmettler, Nick Buda and Brandon R. Tomjack of Baird Holm. For more info, visit bairdholm.com.

TECH TALK

Controls to Reduce Vendor Breach Risk

Cody Delzer, CISA, CDPSE, SVP IS Consultant/Regional Director, SBS CyberSecurity, LLC

The thought of a vendor breach is terrifying. We engage in vendor relationships because the value proposition is that the vendor will provide us better service and security than we can provide for ourselves, often at a lower cost than we would incur to perform and secure the service for ourselves. We put immense trust in our vendors, yet the news is riddled with stories of data breaches involving trusted vendors. So, where do we start? What do we do?

Modern vendor management requires a contemporary approach to controlling risk. The following controls, when implemented properly, will reduce a significant amount of risk:

• Multi-Factor Authentication (MFA) — MFA is the single greatest risk-decreasing control you can implement in your organization. Use it whenever and wherever possible, but it must be on all internet-facing apps. The rule of thumb is this: if an application can be accessed outside of your network (i.e., VPN, email, or web portal access), get MFA on ASAP.

• Strong Password Requirements — Even with MFA in place, a strong password is still a must, as it’ll guarantee protection against hackers and malicious software. Also, MFA isn’t always feasible on all applications, so a complex password will double the security.

• Religious Patch Management — If you have a system with software, you NEED to be patching religiously. Falling behind on patches leaves systems vulnerable to known attacks that can be prevented with proper patching.

• Follow the 3-2-1 Data Backup Rule — The 3-2-1 Backup Rule is highly recommended for any organization looking to back up their data. This methodology suggests keeping three (3) copies of your data on two (2) different forms of media and one (1) of those copies being off-site.

• Network Segmentation — The greater the segmentation, the harder it is for an attacker (or malware) to move throughout your network.

• Egress Firewall Filtering — Firewalls, by default, block everything coming in and permit everything to go out. You gain significant control over what resources your internal systems can access when egress filtering is enabled.

Here are a few additional tips to help control risk:

• Log the right activity and establish a baseline on your network. Anything outside of the baseline could be an indicator of compromise. Ensure you have some central logging capability. Central logging capability is not SIEM. It is a place for you to store your collected logs. Make sure this system is a bastion host. Its data may be key in an investigation.

• Have separate user accounts. The ultimate rule is that one user means one account and allows for accountability. All users should be restricted users, especially vendors. If a user is also an administrator, ensure they have a separate, privileged account to perform those administrative tasks. Ensure no one uses service accounts. Service accounts are often administrative in nature. Confirm each service that needs a service account has its own service account, like how individual users have their own user accounts. Remember, it’s about accountability.

• Familiarize yourself with an incident response preparedness checklist. The list should highlight what organizations must have in place ahead of time to ensure the ability to respond to an incident quickly and perform a digital forensics investigation should the need arise.

• Get cybersecurity insurance. If you haven’t already gotten it, please investigate it. Unfortunately, it is a tricky subject since there is no standard. If you haven’t gone down the path of obtaining cybersecurity insurance, ensure you understand the following: What is really covered? What do insurance companies expect from your cybersecurity controls before paying the claim? Does your coverage include incident response and digital forensics costs? Ask questions, explore the options. The insurance companies are more than willing to help.

• Familiarize yourself with legal, and not just your legal counsel, but law enforcement. Understand what their capabilities are and what they can provide in an event. Engaging your legal team can help protect your organization, especially if an investigation is needed, and it usually is. Ensure you run all communications through your legal team. Engage with law enforcement. Legal counsel and law enforcement will work with you to determine when to notify customers.

Now that you’ve read a few tips, take a moment to assess your cybersecurity practices. Can you afford not to control unauthorized access to your valuable data? If you can’t take the appropriate steps to secure your organization now, will you be able to act later as the threat landscape continues to escalate? Implementing the controls discussed in this article will push your vendor management practices and overall cybersecurity risk mitigation into the stratosphere. It is less expensive to start implementing these controls today versus waiting until an incident occurs, leaving you with the costly decision to implement these controls.

For more information, contact your Account Executive, Reece Simpson, at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at sbscyber.com.
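The account rules in the article's "Have separate user accounts" tip can be checked mechanically against an account inventory. The following is an added example, not code from the article or from SBS; the inventory, its field names and the rule labels are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory. Field names are assumptions for this example:
# kind = user | vendor | service; owners = people who know the credential;
# services = services that run under the account.
ACCOUNTS = [
    {"name": "jsmith",      "kind": "user",    "admin": False, "owners": ["J. Smith"]},
    {"name": "jsmith-adm",  "kind": "user",    "admin": True,  "owners": ["J. Smith"]},
    {"name": "mjones",      "kind": "user",    "admin": True,  "owners": ["M. Jones"]},
    {"name": "frontdesk",   "kind": "user",    "admin": False, "owners": ["A. Lee", "B. Cruz"]},
    {"name": "vendor-core", "kind": "vendor",  "admin": True,  "owners": ["Vendor tech"]},
    {"name": "svc-backup",  "kind": "service", "admin": True,  "services": ["backup"]},
    {"name": "svc-shared",  "kind": "service", "admin": True,  "services": ["reports", "imaging"]},
]
# Constructed logon records: (account, logon type).
LOGONS = [("jsmith", "interactive"), ("svc-backup", "service"),
          ("svc-shared", "interactive")]


def audit_accounts(accounts, logons):
    """Return a sorted list of (rule, account) findings."""
    findings = set()
    by_owner = defaultdict(list)
    kinds = {a["name"]: a["kind"] for a in accounts}

    for acct in accounts:
        name, kind = acct["name"], acct["kind"]
        if kind == "service":
            # Each service that needs a service account gets its own.
            if len(acct.get("services", [])) != 1:
                findings.add(("service-account-shared-by-services", name))
            continue
        owners = acct.get("owners", [])
        # One user means one account.
        if len(owners) != 1:
            findings.add(("shared-user-account", name))
        # All users should be restricted users, especially vendors.
        if kind == "vendor" and acct["admin"]:
            findings.add(("vendor-with-admin-rights", name))
        for owner in owners:
            by_owner[owner].append(acct)

    # An administrator keeps a restricted account for daily work and a
    # separate privileged account for administrative tasks.
    for owned in by_owner.values():
        admin_accts = [a for a in owned if a["admin"] and a["kind"] == "user"]
        if admin_accts and not any(not a["admin"] for a in owned):
            findings.update(("admin-without-separate-account", a["name"])
                            for a in admin_accts)

    # No person logs on with a service account.
    for account, logon_type in logons:
        if kinds.get(account) == "service" and logon_type == "interactive":
            findings.add(("interactive-use-of-service-account", account))
    return sorted(findings)


if __name__ == "__main__":
    for rule, account in audit_accounts(ACCOUNTS, LOGONS):
        print(f"{rule:38} {account}")
```
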
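The egress filtering control and the "establish a baseline" tip work together: outbound flows recorded during a known-good period become both the baseline for detection and a candidate allow-list for the firewall. The following is an added example, not code from the article; the log format, addresses and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall log lines; the format is an assumption for this example.
BASELINE_LOG = """\
2021-11-01T08:02:11 ALLOW out src=10.0.20.15 dst=198.51.100.25 dport=443
2021-11-01T08:05:40 ALLOW out src=10.0.20.15 dst=198.51.100.25 dport=443
2021-11-01T09:12:03 ALLOW out src=10.0.30.7 dst=203.0.113.53 dport=53
2021-11-02T01:00:00 ALLOW out src=10.0.40.2 dst=192.0.2.80 dport=22
"""
CURRENT_LOG = """\
2021-11-08T08:01:09 ALLOW out src=10.0.20.15 dst=198.51.100.25 dport=443
2021-11-08T02:47:51 ALLOW out src=10.0.20.15 dst=203.0.113.99 dport=8443
2021-11-08T02:48:13 ALLOW out src=10.0.40.2 dst=203.0.113.99 dport=443
2021-11-08T03:00:00 this line is malformed
"""
LINE = re.compile(r"^(?P<ts>\S+) ALLOW out src=(?P<src>[\d.]+) "
                  r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse(log_text):
    """Return (flows, rejected): parsed outbound flows and unparseable lines."""
    flows, rejected = [], []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
        elif line.strip():
            # Surface lines the parser cannot read instead of dropping them.
            rejected.append(line)
    return flows, rejected


def build_baseline(flows):
    """Baseline = set of (src, dst, dport) seen in the known-good period."""
    return {(src, dst, dport) for _, src, dst, dport in flows}


def outside_baseline(flows, baseline):
    """Flows whose (src, dst, dport) never appeared in the baseline."""
    return [f for f in flows if f[1:] not in baseline]


def egress_allow_list(baseline):
    """Group the baseline per source host; anything not listed is denied."""
    rules = defaultdict(set)
    for src, dst, dport in baseline:
        rules[src].add((dst, dport))
    return {src: sorted(dests) for src, dests in sorted(rules.items())}


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG)[0])
    flows, rejected = parse(CURRENT_LOG)
    for ts, src, dst, dport in outside_baseline(flows, baseline):
        print(f"REVIEW {ts} {src} -> {dst}:{dport} not in baseline")
    print("unparsed lines:", rejected)
    print("candidate allow-list:", egress_allow_list(baseline))
```
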


COMPLIANCE ALLIANCE

OCC Releases Proposal to Rescind CRA Final Rule After a False Start

Chris Bell, Associate General Counsel, Compliance Alliance

New leadership usually takes us into the future. The Office of the Comptroller of the Currency (OCC) is reversing this trend by first taking us into the past for a bit. Seeing the June 5, 2020, final rule to modernize its Community Reinvestment Act (CRA) framework (June 2020 Rule) as a false start, the OCC has issued a proposed rule to rescind it in favor of working with the other agencies to develop a new rule.

The proposed rule would replace the existing 12 CFR part 25 with a revised 12 CFR part 25 based on the 1995 Rules and reinstate 12 CFR part 195 (for savings associations). The proposed 12 CFR part 25 would be substantively identical to the 1995 rule. All definitions, performance tests and standards, and related data collection, recordkeeping, and reporting requirements would revert to those in place before the OCC issued the June 2020 Rule. Also, the rules surrounding the public file and public notice requirements would revert to those in the 1995 rule.

The proposed rule applies to all national banks and all federal and state savings associations. If you would like to comment on any aspect of the proposal, you must submit your comments before Oct. 29, 2021. The June 2020 Rule would remain in effect until replaced by final rules based on this proposal.

The OCC recognizes that banks have relied on the June 2020 Rule to plan for their ongoing compliance with the CRA. Given the partial implementation of the June 2020 Rule, its replacement would change the regulatory framework that impacts, among other things, how examiners evaluate banks and what qualifying activities they would consider in CRA examinations. The OCC proposes a transition to replace certain aspects of the June 2020 Rule, which it summarizes in a chart on Page 38 of the proposed rule (https://www.occ.gov/news-issuances/federalregister/2021/nr-occ-2021-94a.pdf). Subsequently, as part of the ongoing interagency CRA rulemaking, the OCC would propose a joint revised CRA rule to replace the rules in this proposal.

Following publication of any final rules regarding this proposal, banks would have a minimum of 30 days before they would be required to comply with most of the provisions described in the proposed rule. Therefore, the OCC is considering an effective date of Jan. 1, 2022, for any final rules, provided they are published by Dec. 1, 2021.

Banks that changed type based on the asset threshold adjustments in the June 2020 Rule are subject to different performance standards for activities conducted on or after Oct. 1, 2020. Also, former "large banks" that became "intermediate banks" under the June 2020 Rule were no longer required to collect data for calendar year 2021 onward and report data for calendar year 2022 onward. Many of these banks will transition back to their prior bank type based on the proposed asset-size thresholds. Consistent with its historical practices, if the proposed rules take effect Jan. 1, 2022, the OCC would require newly-classified large banks to begin collecting data Jan. 1, 2023, and reporting required and optional data the following year. The OCC will not provide banks transitioning from small banks to Intermediate Small Banks (ISB) to transition to the ISB performance standards. However, the OCC would consider the change in bank type as part of the bank's performance context when evaluating the bank's CRA performance.

The OCC proposes that OCC-regulated banks would receive consideration in their CRA examinations for activities that met the qualifying activities criteria or definitions that were in effect when the bank conducted those activities. The OCC will maintain the illustrative list of qualifying activities on its website to help banks determine whether the activities they performed while the June 2020 Rule was in effect are eligible for CRA consideration. However, activities included on the illustrative list may not receive consideration if conducted after the effective date of the final rules.

The June 2020 Rule changed the public file requirements by reducing the information required in the public file and changing the requirements for how an OCC-regulated bank makes the public file available to the public, including permitting these banks to make the public file available solely on their websites. Under the proposed rules, banks would need to include additional information in their public file and make the file available at their main office. Interstate banks must make their public file available at one branch in each state and more limited information at each branch. Since the proposed rules would impose additional public file content and availability requirements, the OCC expects to provide in the final rule that banks would comply with these requirements no later than three months after the final rule's effective date.

The June 2020 Rule permitted banks to include target market assessment areas when requesting approval for a strategic plan. The OCC proposes maintaining any strategic plans approved by the OCC under the June 2020 Rule and would not require these banks to amend their strategic plans.

Chris W. Bell serves as Associate General Counsel for Compliance Alliance. He holds a bachelor’s degree in Political Science from the University of Memphis, a master’s degree in Political Management from the George Washington University, and a law degree from the St. Mary’s University School of Law. Chris began his career working for a regional bank in Tennessee, where he developed a passion for serving customers through the banking system. In law school, Chris focused his studies on the different financial aspects of the law, including the Internal Revenue Code and Uniform Commercial Code. Chris has worked in the legal department of a federal savings bank and for the Texas Department of Banking. As one of our hotline advisors, Chris helps C/A members with a wide range of regulatory and compliance questions.

Checking In on the Banking Industry

Dale Sheller, The Baker Group

2020 was a year of challenges in many aspects of life, business, and the economy. The start of 2021 brought a close to a tumultuous year and opened the door to a year of economic recovery and hope for more normal times. In March 2020, the banking industry was rocked when the Fed funds rate was cut to zero at an unprecedented speed, and Treasury yields tumbled to all-time lows. Additionally, the massive influx of stimulus-related deposits that flowed into the banking system greatly changed the size and structure of balance sheets.

As a former bank examiner, I am taking a chapter from my previous regulatory career by looking at the banking industry as it relates to the Uniform Financial Institutions Rating System and its six components, known as CAMELS.

Capital — A wise person once told me that capital cures a lot of ills. While this statement is very true, not properly leveraging your capital may leave some additional earnings and shareholder returns on the table. Before the pandemic hit, leverage ratios were very strong, with only 14 banks on the “less than well-capitalized” list. For the most part, leverage ratios haven’t been stressed in the traditional sense with loan losses; however, many institutions have seen a reduction in their leverage ratios as asset growth has dramatically outpaced capital growth. Additional pressure on leverage ratios could continue throughout 2021.

Asset Quality — This is likely the biggest unknown of all the components. When the COVID-19 pandemic forced many states to shut down to varying magnitudes, many businesses struggled, and millions lost their jobs. As we continue the second half of 2021, the delta variant is pushing its way throughout the country, but in general, we haven’t seen massive asset quality problems materialize. Asset quality is likely to vary significantly from bank to bank and region to region. Some institutions have more exposure to the most hard-hit industries, while others have little to no exposure. We know that extensions, deferrals, and government stimulus have propped up some businesses and kept loans from going bust. Time will tell which businesses and customers will be able to get back on their feet and which won’t.

Management — Management is easily the most subjective component of all the CAMELS components. Bank management has been extra busy with the many challenges being thrown their way due to the pandemic. Community banks have continued to shine bright, providing us a friendly reminder of just how important they are to the communities of this country.

Earnings — The industry was riding high in 2018 and 2019 after record years of profitability through expanding net interest margins, low provision expenses, and lower tax rates. However, zero-bound short-term interest rates, combined with high levels of low-earning cash liquidity, have put margins back under pressure. The average community bank has seen significant margin compression in 2020 and 2021. In 2020, many institutions were aggressive in providing for their allowance for loan losses, given the uncertainty of the economy throughout the year. Going forward, many predict low interest rates are here to stay; therefore, some level of margin compression will likely continue. Many banks are likely well reserved against future loan losses, and the absence of more near-term provision expenses will be welcomed.

Liquidity — Higher loan-to-deposit ratios and less on-balance sheet liquidity were the consistent themes for many institutions over the last several years; however, the pandemic quickly changed them. A combination of massive government stimulus via direct payments and the PPP loan program, coupled with higher personal savings rates and a flight to quality, boosted the industry’s deposit base and overall liquidity picture extremely fast. Institutions are now flush with more liquidity than they have been in years, and this excess liquidity doesn’t seem to be going away anytime soon. Having excess on-balance sheet liquidity 18 months ago was generally a good thing as loan demand was consistently outpacing deposit growth. The pandemic has completely flipped that narrative. Excess liquidity is now the enemy, with short-term interest rates near zero and a lack of loan demand (outside of PPP loans) plaguing the industry.

Sensitivity to Market Risk — Once the financial crisis sent short-term rates to zero, most bank examiners tended to associate interest rate risk only with rising interest rates. However, the pandemic quickly reminded us that most banks perform better when interest rates rise. During a rising rate environment, the economy experiences growth and expansion, and margins tend to expand due to stronger loan demand, higher loan and bond yields, and deposit costs that lag market rates. Institutions spent most of the last decade preparing their balance sheets for rising interest rates; therefore, they were not as well prepared for the pandemic-induced zero interest rate environment. Margins contracted hard and fast in 2020 and are currently at historic lows. Today, the vast majority of institutions are well-positioned for rising interest rates as their stockpiles of short-term liquidity have pushed them even further asset-sensitive than before. As we find ourselves near historically low interest rates, we must remind ourselves that the risk of rates not rising is a risk not to ignore.

Bank balance sheets have been dealt a tough hand with all the deposits flowing into the banking system at historically low interest rates. Community banks have once again shown their resiliency during tough times and will continue to push forward.

Dale Sheller is Senior Vice President in the Financial Strategies Group at The Baker Group. He joined the firm in 2015 after spending six years as a bank examiner with the Federal Deposit Insurance Corporation. Sheller holds a bachelor’s degree in finance and a master’s degree in business administration from Oklahoma State University. He works with clients on interest rate risk management, liquidity risk management, and regulatory issues. He can be reached at 800-937-2257 or dsheller@GoBaker.com.


EDUCATION CALENDAR

Due to COVID-19, event schedules are subject to change. Please visit nebankers.org/education.html or call the NBA Education Center at 402-474-1555 for the most current event schedule.

For more information about these live and online education events and training tools, contact the NBA Education Center at (402) 474-1555 or nbaeducation@nebankers.org. You also may visit the NBA website at nebankers.org/education.html.

JANUARY 2022
• The Three C’s for Managing Unconscious Bias Workshop, January 13, Virtual Offering
• State Government Relations Forum, January 27, Lincoln, NE

FEBRUARY 2022
• Operations Conference – Technology, Marketing, Retail Banking, February 8-9, Lincoln, NE
• Mid-Winter IRA Workshop Series, February 14-15, Lincoln, NE
• Mid-Winter IRA Workshop Series, February 16-17, North Platte, NE
• Health Savings Account Seminar, February 18, North Platte
• Principles of Banking Seminar, February 23-24, Virtual Offering
• Bank Executives & Directors Conference, February 27 – March 3, O'ahu, HI

MARCH 2022
• Supervisor Bootcamp Conference, March 15-16, Lincoln, NE
• Tri-State Conference, March 29-30, Overland Park, KS

APRIL 2022
• Spring Agri-business Conference, April 5-6, Kearney, NE

MAY 2022
• NBA Annual Convention, May 4-6, La Vista, NE
