FINANCIAL SERVICES
IT Vulnerabilities with Open Banking
By Jessica Dore, CISA
More than 80% of internet traffic relies on application programming interfaces (APIs), software that permits two or more computers to talk with each other. APIs fuel open banking and the growth of online banking services by connecting, aggregating, and streamlining the exchange of data between financial institutions and third parties that leverage the data to give customers better access to and control over their finances by creating applications that support transactions like account transfers, online payments, and more. Complex open banking services require the interaction of hundreds, if not thousands, of individual APIs, each with their own unique logic, making them prime targets for cyberattacks and data breaches.
Encryption, authentication, and authorization are tools to address the complex security issues created by APIs; however, they are not enough. Web applications are designed for human use, while APIs are built for machines, creating an automated vulnerability that hackers can exploit to access data in a variety of ways.
For instance, multiple layers of APIs may be needed to pass customer information from the financial institution to a data aggregator, then finally to the application the customer is using to access their account information. Plus, API attack activity looks like normal API traffic to traditional security tools that typically can only inspect one transaction at a time and are dependent on signatures to detect known attack patterns.

According to the 2022 State of the Internet report released by Akamai, security vulnerabilities of APIs grew substantially in the last year: attacks on financial service APIs and web applications rose by 257% globally and by more than 449% in North America. The use of botnets, computers infected with and connected via malware, to conduct API and other cyberattacks increased by 81%, and distributed denial-of-service (DDoS) attack targets also grew by 22%, according to the report. When these incidents occur, financial organizations not only lose competitive edge, they also can suffer from severely damaged reputations and lack of customer trust and loyalty that have long-term implications on growth and revenue.
Leadership at financial institutions that embrace open banking and are undergoing their own digital transformation should take a holistic approach to API security. Building highly experienced IT teams, processes, and technologies that deliver continuous AI (artificial intelligence) and ML (machine learning) analysis of volumes of API traffic data and activity patterns is critical to understanding normal patterns and detecting and stopping API attacks in real time.
To learn more about API challenges and opportunities, and how Rehmann can help your financial institution maximize their benefits while mitigating risk, contact jessica.dore@rehmann.com or call 989.797.8391.

Staffing Secrets from an HR Pro
By Elizabeth Williams, SHRM-SCP, SPHR
Your bank, credit union, or fintech may be trying to fill open positions to remain competitive, introduce new digital, mobile, and cloud-based services, mitigate fraud, manage your loan portfolio in uncertain economic conditions, deliver on customer service expectations, and meet regulatory and compliance obligations. Competition for skilled, motivated employees right now is immense and intense. While credit unions are expanding their physical footprint, more than one-third of banks plan to reduce their branch networks in 2023, as reported in American Banker. Regardless, brick and mortar branches must be staffed. The turnover rate for frontline bank employees jumped to 23.4% in 2022 largely due to The Great Resignation, up from 16.2% in 2021 despite an increase in minimum pay by some 5%, according to a survey by Crowe LLP.
When you realize you need human resources help, your wish list for the breadth of HR expertise can understandably feel enormous, maybe even impossible to fulfill. The duties and compliance requirements that fall under the HR umbrella are extensive.
Two important questions to consider
Since HR is responsible for recruiting and retaining human capital, your expectations should be high. Before you post another ad, hire an executive search firm, or retain a temp service agency, ask yourself these key questions:
Does your financial institution simply need to fill empty chairs? If yes, an ad, search firm or temp service will do.
Or …
Do you want to recruit and retain the right people who bring the right skills to specific roles, thrive in your corporate culture, and contribute to its momentum and success?
If yes, consider this unique approach: take the time to understand the potential impact even a single hire can have on your institution. Recognize the power of strategy in positioning your company to play the long game, and value experience, institutional knowledge, and unique skillsets. Calculate the cost of turnover, which is about 150 percent of an employee’s annual salary, according to Gallup. That cost doesn’t include the unquantifiable hit to company morale and momentum when you once again have to rehire, retrain, and retain employees. Before investing resources to fill each open position, save yourself time, effort, and the costs associated with FTEs by engaging a high-level, outside human resources team that is always available, whether it’s for short-term projects, for a few hours per week, or on-call as you need them.
Leadership should look for these attributes in an outsourced HR solution:
1. Proven track record. Consider the level and years of experience of all consultants with whom you’ll be working. Will you interface with an HR executive once and then be passed off to an intern or young upstart? We recommend engaging consultants and teams comprised of professionals with at least 10 years of leadership experience to maximize the value, efficiency, and insights of the relationship. Rather than having a customer service number with a rotating staff answering your HR questions, look for a firm that provides you with a dedicated consultant with a deep bench of CHRO-level leadership, to support both your tactical and strategic HR initiatives when you need it.
2. Proactive and flexible. Seek HR professionals who take an objective look at your financial institution and can identify needs, problems, and potential compliance risks by conducting a holistic review to pinpoint issues and their causes, and then propose a comprehensive plan that works with your budget, time, priorities, and appetite for change. If an HR professional offers solutions only to the issues you think you have, they’re falling short of the bigger picture, failing you and your people. You’re paying for their expertise; expect it. You should be able to pay only for those services you need, and the team you select should be able to scale up or down and pivot according to your changing needs.
3. Depth and breadth. Will you have one person or a deep bench of expertise to rely on? Can the consultant or team deliver the full spectrum of HR acumen? One person can’t do it all, and certainly not well. A deep team with multiple layers of expertise can do far more, exceptionally well and efficiently for far less than a single permanent employee. An effective HR team must wear numerous hats, including recruiter, onboarding and employee engagement pro, trainer, mediator, benefits navigator, Department of Labor liaison, federal and state employment law guru, and proactive legislative watchdog, among others.
4. Availability and reliability. Will that person or team be hands-on and collaborative with you and your team? If your consultant is out, who will cover — and how well-versed will they be with your company and/or the work you’ve been doing together? Can they accommodate a hybrid schedule, working remotely and onsite when needed?
5. Business advantage. To remain competitive, you may need more than “HR-specific” expertise. For instance, perhaps a legacy core system or outdated software is at the root of employee and customer frustration, or you suspect embezzlement or fraud. Your HR team should be equipped to consult and connect you with other vetted specialists to address and resolve these issues.
Empowering your organization
Just as with other third-party vendors, outsourcing many HR needs to a high-level, hands-on team can empower your organization with more experience and expertise by targeting efforts where you need them. Become a “sticky employer,” a place people want to be, and the right talent will be attracted to your organization like a magnet. You’ll build a workplace experience that supports ongoing operations and the execution of strategic plans.
If you’re interested in learning about Rehmann’s unique approach to human resources consulting, contact elizabeth.williams@rehmann.com or call 248.952.5000.
A Look Ahead: 2023 Regulatory Challenges
By Beth Behrend, CCBCO, CBAP
A recent survey of financial industry executives conducted by Wolters Kluwer (75% of respondents represented institutions with less than $1 billion in assets) found that 73% do not anticipate significant regulatory relief before the 2024 elections. They do anticipate heightened regulatory scrutiny in 2023 in several key areas.
Section 1071 — Dodd Frank Amendment to the Equal Credit Opportunity Act
Some 68% of survey respondents said they are very or somewhat concerned about their institution’s ability to manage the small business data collection requirements for two reasons. First, lenders must develop and implement a process to obtain and report the data within 18 months of the final rule. Second, depending on what the data reveals regarding gender, race, and ethnicity of small business loan applicants, it could expose them to fair-lending issues. The proposed rule subjects a vast majority of community financial institutions to the requirement because they likely have originated at least 25 covered credit transactions in each of the two preceding years. The CFPB, which is required to collect the data under the Dodd-Frank Act of 2012, has agreed to finalize the rule by March 31, 2023.
BSA and AML — Bank Secrecy Act/Anti-Money Laundering
Some 44% of survey respondents said they are very concerned about these issues, and recent reports of cryptocurrency fraud and scams have likely further raised concerns. While it remains to be seen what will happen with crypto trading and investments going forward, financial institutions will continue to experience suspicious transaction activity and face compliance requirements including enhanced due diligence, KYC (Know Your Customer), and prevention and detection of money laundering activity.
Beneficial Ownership
Some 41% of respondents expressed a high level of concern, pending Treasury Department rules regarding the government’s creation of a beneficial ownership database. Some are concerned they could face increased compliance burdens, including a requirement to validate the accuracy of volumes of registry data and file SARs when information is suspect. FinCEN recently issued a final rule designating the legal entities that will be required to report beneficial ownership data beginning on Jan. 1, 2024, including limited liability partnerships, business trusts, most limited partnerships, corporations, and limited liability companies.
CRA — Community Reinvestment Act
Some 36% of the respondents said they are very concerned, particularly as it relates to fair lending and appraisal bias, which is increasingly pervasive in some markets. Appraisal bias occurs when a real estate appraiser assigns a lower value to a home based on its location or the homeowner’s race, ethnicity, or other factors that could be considered discriminatory. In early 2022, the Property Appraisal and Valuation Equity (PAVE) interagency task force created by a President Biden executive order and including HUD, FHFA, and other banking agencies, recommended a series of actions to: prevent unlawful discrimination in all stages of residential real estate valuation; enhance fair housing and fair lending enforcement; build a skilled, diverse appraiser workforce; empower consumers to take action against unfair appraisals; and regulate appraisers.
Third-Party Risk Management
Some 26% of respondents said third-party risk management will be a priority, up from 15% the prior year. In the burgeoning open-banking environment, unregulated third-party relationships between financial institutions and fintechs are growing in order to share data and develop digital banking technologies and applications that are key to growth strategies. Regulators continue to expand risk management expectations and require regular assessment updates for such high-risk, third-party relationships.
Boards of directors and senior management teams should hold discussions regarding these topics to ensure steps are being taken to address new regulatory requirements and anticipated enhanced regulatory scrutiny. A proactive approach and ongoing strategic planning to address the ever-evolving regulatory environment will help to ensure your financial institution remains compliant with regulatory requirements.
For a comprehensive assessment of your financial institution’s compliance vulnerabilities and strategic planning to address concerns before they become issues, contact beth.behrend@rehmann.com or call 616.975.2823.

Loan Review Best Practices
By Liz Ziesmer, CPA
In May 2020, the FDIC, OCC, Board of Governors of the Federal Reserve System and NCUA issued Interagency Guidance on Credit Risk Review to update and clarify 2006 guidance and make it consistent with CECL methodology requirements. The agencies note that an effective credit risk review function is critical to safe and sound operation because it helps financial institutions identify, evaluate, and address emerging risks associated with credit weaknesses, as well as validate and adjust risk ratings before regulator inspection.
Current credit quality generally remains high, and construction, development, and CRE risk-based capital meet regulatory requirements, at least for now. According to the FDIC, 98% of banks have CRE loans on their books, and they represent the largest type of loan for nearly half of all banks. The COVID-19 pandemic stressed the performance of CRE assets, such as offices, restaurants, and retail, curtailing borrowers’ cash flow. As history has shown, credit stress has always followed economic, political, or financial uncertainty, similar to the current post-pandemic business recovery, rising inflation, predictions of a recession and steady increases in interest rates. These trends, coupled with emerging areas of concern, including chasing loan deals to meet growth expectations, PPP masked issues, and overall complacency, create a “perfect storm” scenario that underscores the importance of a stringent, thorough process to monitor credit quality. Some common characteristics of inadequate loan review include:
• Failure to review the entire borrower relationship
• Incomplete loan file data
• Outdated cashflow information and lack of proof of liquidity
• Inadequate consideration of contingent liabilities
• Inaccurate risk ratings, including not appropriately evaluating smaller loan relationships
• Failure to adequately analyze one-time events, such as PPP loans
Loan Review Best Practices
A strong loan review function can be accomplished with an in-house team, outsourced third-party expert, or a combination of the two. While regulators don’t prescribe one approach over another, the factors most important to them are independence from internal lending and approval functions, expertise of the loan review team, supportable loan review conclusions, and the quality of the entire process. Follow these best practices for an efficient, comprehensive, and meaningful loan review function:
Use highly experienced credit review experts. Assemble a team of qualified personnel with extensive experience in commercial and consumer lending products, credit analysis, institutional loan policies, state and federal regulations, determining reserves, and managing problem loans. Make sure these individuals are part of the loan policy review process to identify potential weaknesses or revisions that may be necessary as the credit environment changes.
Focus on complete, accurate documentation. Regulatory guidance notes that loan files with missing, stale, and improperly executed documents (document exceptions) could result in losses and in a lesser risk grade because they can worsen problem loans and impair work-out efforts, especially when viewed in the aggregate. Individuals with appropriate experience should analyze document exception patterns to identify the steps in the process (from underwriting to post-close loan servicing), business lines, or geographic regions where exceptions occur and compliance needs to be strengthened.
Identify hotspots. When the broader loan portfolio is analyzed, risk issues that could turn into future problems can be detected and remedied early to reduce losses. Start with an evaluation and rating of individual relationships, each credit facility, or both relationships and facilities. Your institution’s loan policy should designate who is accountable for the accuracy of risk ratings and therefore credit quality. Often, it’s the account officer because he or she knows (or should know) more about the borrower than anyone else and should be able to secure timely financial information. However, don’t forget to use the technology in place to produce data related to the portfolio, borrowers, or trends that can be actively monitored on a real-time basis, including data for loan committees and boards.
Rely on Rehmann as your credit review partner for real-time credit portfolio analysis to identify weaknesses and propose solutions to help. Contact liz.ziesmer@rehmann.com or call 616.975.2855.
Rehmann is a financial services and business advisory firm. We excel at helping clients because we take a collaborative, personalized approach and build a customized team of specialists to help them achieve their objectives. We focus on the business of business — allowing people to focus on what makes them extraordinary. The firm started as a CPA firm more than 75 years ago. Now, we are a multifaceted advisory firm that helps businesses and high-net-worth families maximize potential. Clients who work with us want us to be more than a vendor. They want collaboration, innovation, and continuous improvement.
