Pub. 8 2017 Issue 2

www.wvbankers.org 22 West Virginia Banker Gut Check Time – Maintaining CRA Integrity By Aly Goodwin Gregg, Guardian Bridge T hroughout 2016, examiner focus and trend increasingly turned to compliance with the Community Reinvest- ment Act (CRA) with much coverage in trade publi- cations devoted to various banks tagged with a “Needs to Improve” rating specific to CRA. What’s more, the fourth quarter 2016 ratings saw downgrade for BancorpSouth in Tupeloe, Miss., which was essentially a retroactive downgrade, occurring as part of a mergers and acquisition application process review, in between regular examinations. A downgrade during a merger and acquisition review is not typical, but not outside the lines of regulatory authority. That said, when this news broke, CRA officers, compliance officers and bank executives likely asked the question - How solid is our institutions CRA performance? The answer, may have startled a few people. As Kenneth H. Thomas, president of Miami-based Commu- nity Development Fund Advisors LLC, noted in his article in American Banker in September 2016, many banks may de- liberately be engaged in a strategy of “satisficing,” or doing what needs to be done to maintain a Satisfactory rating and avoid the glare an “Outstanding” rating may bring. Mr. Thomas’s point to bankers was simple: if you’re only doing the minimum of what you need to do to get by, chances are a CRA downgrade will have greater negative and reputational impact than it would if you worked to be at the top of your game. That said, the trends to critically monitor CRA performance, taking fair lending and redlining along with it, are not going away anytime soon, and should be taken seriously. In these cases, it’s gut check time: how prepared is your insti- tution for a CRA spot check evaluation and what can you do to get ready? Here are five quick actions steps to evaluate the state of CRA and your financial institution and move you forward. Review To truly understand any challenges, you must know exactly where your institution stands from a performance perspec- tive. Set a procedure to annually review the state of your cur- rent CRA performance, and if necessary, consider an outside vendor to support. Maybe even two outside vendors: one to provide output data and the other to help you analyze that information. Such timely evaluations will keep your institu- tion’s CRA performance top of mind awareness and avoid any unwanted surprises along the way. Also, do not let those qualified Community Development Loans, Investments and Services fall through the cracks in between examinations. Many banks have suffered the conse- quences of failing to submit CRA qualified loans, investments, and services simply because they did not efficiently and successfully record them when they were first made. Another key review action step, is to maintain your CRA per- formance context file in between examinations. The perfor- mance context provides examiners with insights as to your institution’s performance within assessment areas, including economic factors, and other key factors which may impact the CRA performance. The opportunity to position your institu- tion’s performance between evaluations is critical and not a task you can complete just prior to your next examination. As examiners review CRA performance, they will be focused on the performance context giving you opportunity to effective- ly tell your story. Analyze Don’t just set a time for review and then check that task com- plete. Take the time to examine your overall CRA program and determine what vulnerabilities exists through detailed analysis of the data you are capturing. By doing so, you are likely to determine trends or issues which could become problematic later. For example, do you have a specific branch or market that is underperforming? Is there a loan-to-deposit ratio issue in a specific area where no money is being loaned locally? By analyzing the information captured for your CRA documentation purposes, you will be better positioned to effectively monitor and defend your CRA activities. Utilize the analysis details to create the foundation for your performance context. Remember, there is more to CRA management than the assumption the Bank is meeting the  Gut Check Time Continued on Page 26 Summer 2017 23 West Virginia Banker I t is impossible to avoid the stories of data breaches devastating some of America’s largest businesses: Target, Yahoo, eBay, JP Morgan Chase, Home Depot, Sony, and Anthem have all had confidential information compromised within the past few years. As these front-page cautionary tales demonstrate, your business’s most critical asset – information – must be protected. The data banks create, collect and process is highly sensitive, and the consequences of a loss or inadvertent disclosure of data can be catastrophic. It is essential that all businesses have a comprehensive cybersecurity strategy in order to protect both their customers’ capital and their own, whether it’s financial, intellectual, or reputational. Cyberattacks have become the new norm and any company that maintains the personally identifiable information of others is at risk. Among the steps any prudent company – and particularly any bank – should con- sider taking to combat the risks of cyberattacks is the engagement of experienced legal counsel, who can work both to prevent any incident and to minimize damage should one unfortunately occur. Cyber Risks Cyberattacks can fall into two categories: breaches in data security and outright sabotage. On the security breach side, threats can appear not only from outside an organization, but from a company’s own employees. Employees might uninten- tionally leave confidential information unprotected, or may deliberately expose or leak information for personal motives. Breaches have resulted in the release of personal data, confidential pricing information, and intellectual property. Sabo- tage may take the forms of manipulating financial records or bank account data for financial gain, or even efforts to disable entire systems. Manipulation attacks can be particularly hard to discover. The consequences of cyberattacks are countless, and include lawsuits, govern- ment investigations, executive resignations, share and/or purchase price reduction, increase in insurance costs, direct financial loss, and public relations nightmares. Cybercrimes and corporate vulnerability are only increasing. The number of reported information security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks per day, according to The Global State of Informa- Cybersecurity: Why It’s More Vital Than Ever, and How to Ensure Your Company is Not Exposed to Unnecessary Risk By William Ihlenfeld, Patricia Kipnis and Jonathan Marshall Bailey & Glasser LLP  Cybersecurity Continued on Page 26 tion Security® Survey 2015, released by PwC in conjunction with CIO and CSO magazines. The amount of sensitive information maintained by corpora- tions, and technological advancements like the migration of data to third-party cloud providers, have created new op- portunities for cyber criminals, who are only becoming more sophisticated. Preventing Cyberattacks Countering cyber risk is widely acknowl- edged to be a board-level responsi- bility; the Bank Director’s 2016 Risk Practices Survey shows that 77 percent of bank executives and board members consider cybersecurity to be their most concerning issue for the second year running. Board directors can be held liable for not fulfilling their duty to pro- tect companies from this type of harm. The top level of the company needs to be regularly engaged in these efforts, but this is also an organization-wide task that requires awareness and vigi- lance at every level. Your company likely already has internal technology staff engaged in some level of cybersecurity. This is a rapidly evolving area, however, where an outside, objective viewpoint can prove invaluable. To ensure that your business is in the strongest possible position, a full security assessment is necessary. You should identify and map your data, train your employees, develop an incident response plan and establish relation- ships with law enforcement officials. It’s also critical that you review and update your current policies to shield your officers and directors against liability. Good cyber-hygiene is a must for busi- nesses and, by being proactive, you can prevent most attacks and be prepared if one does happen. Prudent companies should also con- sider engaging not only outside IT ex- pertise, but experienced legal counsel in their cybersecurity efforts. The right cybersecurity attorneys can help: 1. Prevent cyberattacks with the right counseling, compliance, policy development (particularly for banks with boards), regulatory review, and risk assessment efforts; 2. Develop an incident response plan so that you are prepared in the event of an incident;