DISCLAIMER...Nicole Booth Senior Manager [email protected] 704.808.5272 Thank you! The...

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation

may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.

DISCLAIMER

Hopes and Hang-UpsCRA Reform

V I R G I N I A R I S K M A N A G E M E N T F O R U M

CRA Reform: Hopes and Hang-Ups

CRA Modernization

•Concerns Over the Current CRA Regulatory Approach

•Performance Evaluation Methods

•Community Assessment Areas

Polling Question #1

Will CRA modernization effect your institution?o YesoNo oNot Sure


Why is CRA Being Reformed?

•Evolution of the Banking System

•Provide Clarity and Certainty in CRA-eligible Activities

•Flexibility


Where Are We?

•OCC Adopted Final Rule

•Joint Rule Making

•Effective Date – Effective October 1, 2020

•Definition of a “small bank”


Expanding Where CRA Activity Counts

•Still required to delineate an assessment area

•Facility based assessment area

•Community Development Deserts


Separate Retail and Community Development Tests

Polling Question #2

Is the current CRA rating system objective, fair, and transparent?o YesoNo


Separate Retail and Community Development Tests, continued

•Retail Loans

•Qualified Community Development Activity

•Changes in Small Business and Small Farm Loan Thresholds

•Partially Benefits

•Multiplier


Presumptive Ratings

•CRA Evaluation Measure

•Assessment Area •Retail Lending Distribution Measure

•Community Development Minimum


Data Collection and Recordkeeping Requirements

•Data Reporting

•Supporting Documentation

•Record Maintenance


Potential Impact of Adoption

New CRA Frame Work (<$500 million)

•Outstanding Ratings: 71.4%

•Satisfactory Ratings: 1%

New CRA Frame Work ($500 -1.25 billion)

•Outstanding Ratings: 85%


Current CRA Frame Work (<$500 million)



Current CRA Frame Work ($500 -1.25 billion)




Potential Impact of Adoption, continued

•Geographic Distribution Test

•Key Metric

•Threshold Concerns• Small Business Gross Revenue Threshold Increased from $1 Million to $2 Million• Family Farms Threshold Raised

•Essential Infrastructure as Eligible Community Development

•Public Disclosures

Polling Question #3

In your opinion, what is the underlying intent of the CRA?o Repair a market failure, perhaps a lack of information about credit quality in LMI areas?o To encourage banks to look harder for business opportunities that they would otherwise

miss?o Compel banks to help meet social policy objectives?o All of the above


Potential Impact of Adoption, continued

•Affordable Housing

•Opportunity Zones

• Impact on Communities

Thank you!

CANNABIS BANKINGV i r g i n i a R i s k M a n a g e m e n t S e m i n a r

Going Green:

KYC: Know Your Cannabis

A Sc ience Lesson

CBD Oil Risks

CROSS CONTAMINATIONTHC Residue

CROSS POLINATION“Rooster in the Hen House”

DISTILATION PROCESS“Clean”? CBD

Polling Question #1

Is your institution providing services to a cannabis related businesses?oWe’re not touching that riskoHemp onlyoHemp and indirect marijuana related businessesoWe’ll be serving the medical marijuana industry

Regulatory Outlook& Guidance

Regu la tory Gu idance & Out look


USDA Hemp Production Plan

Overview

•Licensing

•Sample and Testing Requirements

•Non-Compliant Plants

Notable Terms

•Measurement of Uncertainty (MU)

•Acceptable Hemp THC Level

•Dry Weight Basis

•Geospatial Location

17 State Plans Approved

9 State Plans Pending

24 2014 Pilot Program


VirginiaVirginia’s USDA State Plan expected October 2020

• Received USDA feedback in February

• Currently revising plan

2020 Hemp Growing Season

•Operating under the 2014 Farm Bill

• Three Available Licenses

• Industrial Hemp Grower

• Industrial Hemp Processor

• Industrial Hemp Dealer


Hemp Stance by State


What About CBD?


Marijuana Stance by State


2020 Legalization Outlook

Signature Drive 2020 BallotArkansasNorth Dakota

ArizonaNew HampshireNew JerseySouth Dakota


Virginia

•Decriminalization

•Up to one ounce; effective July 1, 2020

•Medical Use

•CBD and THC-A rich medical cannabis•Approval for 25 dispensaries


SAFE Banking Act

Highlights:

•Safe Harbor from:

• Prosecution

• Loss of Insurance

• Examiner Intimidation

•Development of “uniform guidance and

examination procedures”

Polling Question #2

What is your preferred resources for guidance on cannabis related business?

oPeer groupsoHigh Times MagazineoWillie NelsonoConsent Orders – learn from the mistakes of others


FinCEN’s 2014 Guidance

“How Financial Institutions can provide services to

marijuana-related businesses”

•Assess your risk

•Customer Due Diligence

• State licensure and registration

• Information about the business and related parties

• Expected activity

• Products sold and customer base

• Suspicious activity monitoring reflecting the red

flags

“ … should enhance the availability of financial services for, and the financial transparency of, marijuana-related businesses.”


FinCEN’s 2014 Guidance

Suspicious Activity Reports (SAR)

Requirements

•Required for all marijuana-related

businesses

•Within 30 days of onboarding or

detection

•Ongoing SARs required every 90 day

period (30 days to file)

•Reliance on Cole Memo priorities

• Limited vs Priority

•Marijuana Limited

• Does not implicate one of the Cole

Memo priorities or violate state law

• Use of “MARIJUANA LIMITED” in

SAR narrative

•Marijuana Priority

• Implicates one of the Cole Memo

priorities or violates state law

• Use of “MARIJUANA PRIORITY” in

SAR narrative

•Marijuana Termination

• For use when terminating a

relationship

• Use of “MARIJUANA TERMINATION”

in SAR narrative


Cole Memo Priorities

•Listed eight DOJ priorities

•Acknowledged state laws

•Rescinded in 2018

Gone but Not

Forgotten:

•FinCEN Guidance

•DOJ Case Lookback:

• ~ 50 Cases

•None outside of the

priorities

•Bribes are a recurring

theme


FinCEN’s Marijuana Updates: Institutions


FinCEN’s Marijuana Updates: SAR Breakdown

Total SARs Filed

Non-Priority

85,193 “Marijuana Limited” SARs8,795 “Marijuana Priority” SARs28,025 “Marijuana Termination” SARs

Polling Question #3

Does THCA have psychoactive properties?o Yes, all THC has psychoactive properties.oNo, THCA’s molecular structure makes it too large to fit into our cannabinoid

receptors.oNo, but THCA turns into THC.

Program Expectat ions

Cannabis Program

•Policy and Procedures

•Bank’s stance is adequately

documented

•Controls are documented

•Program Risk Assessment

•Tailored Training


• Internal Monitoring

•SARs

Program Expectat ions

No Risk, No Problem?

•Policy and Procedures

•Bank’s stance is adequately

documented

•Controls are documented

•Address in Risk Assessment

•Tailored Training


• Internal Monitoring

•SARs – “Terminated Marijuana”

Cannabis-Related Businesses

•Types of MRBs (3 tiered approach)

• Industrial Hemp

•CBD Oil Retailors

STAY IN TOUCH

elliottdavis.com

Nicole BoothSenior Manager

[email protected]

704.808.5272

Thank you!

The increasing price of consumer privacy

What major changes in data privacy mean for your bank today and in the years to

come

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion.

This presentation is for informational purposes and does not contain or convey specific advice. It should not be

used or relied upon in regard to any particular situation or circumstances without first consulting the

appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution

without prior written approval from Elliott Davis.

Disclaimer

Today’s Speakers

Robert Snodgrass

Elliott Davis | Data Privacy Discipline Leader

Focused on developing and implementing programs to add business value and effectively

minimize data privacy and cyber risk. Clients include Fortune 500s across the United States,

Asia, and Europe and customers in the public sector, financial services, consumer and industrial

products, and public utility industries. Spent the last fourteen years in consulting managing

deployments of data privacy and cyber risk solutions across data protection, privacy

management, compliance management, identity and access management, application security,

and vulnerability management across cloud and on-premise environments.

Agenda

WHAT IS DATA PRIVACY?01DATA PRIVACY IN BANKING02AN OVERVIEW OF CCPA03BUILDING A SUSTAINABLE PRIVACY PROGRAM04WHAT’S NEXT IN PRIVACY?05

What is Data Privacy?

What is Data Privacy?Can I get a Rosetta Stone please?

Is the data I collect used only for its stated purpose?

Is the data I collect protected from unauthorized access?

Data Security Data Privacy

• Encryption• Identity and access controls• Network architecture• System patching• Awareness training

• Disclosure and consent for personal data collection

• Right to view and correct personal data

• Right to be forgotten

What is Data Privacy?US consumer/employee privacy through the years

1960s 1990s TODAY

TRANSACTION• Establish targeted rights around

specific data elements and/or business transactions

• Fair Credit Reporting Act (FCRA)

INDUSTRY PERSON• Build guidelines to manage data

management practices of specific industries focused on those that handle sensitive consumer information

• Health Insurance Portability and Accountability Act (HIPAA)

• Provide a general set of rights for individuals and any information that could reasonably identify them

• California Consumer Privacy Act (CCPA)

What is Data Privacy?Why is it a priority?

$3 Trillion 5,000 $475

Million

Value of global data economy*

* World Economic Forum

Est. data points used by Cambridge Analytica to target US political ads

Total fines issued under GDPR in 2019

Data Privacy in Banking

Data Privacy in BankingFollowed a similar trend to rest of the US

1960s 1990s TODAY

TRANSACTION• Establish targeted rights around

specific data elements and/or business transactions

• Exampleso Fair Credit Report Act (FCRA) o Fair and Accurate Credit

Transaction Act (FACTA - 2003)o Bank Secrecy Act (BSA)

INDUSTRY PERSON• Build guidelines to manage data

management practices of specific industries focused on those that handle sensitive consumer information

• Exampleso Gramm-Leach Bliley Act (GLBA)o Dodd Frank Act

• Provide a general set of rights for individuals and any information that could reasonably identify them

• Exampleso EU General Data Protection

Regulation (GDPR)o California Consumer Privacy Act

(CCPA)

Data Privacy in BankingBreaking down information sharing under GLBA

For the last decade, GLBA has set the tone for privacy at banks working to strike a balance between consumer rights and the need to share information across financial institutions for operations

Initial and Annual

Privacy Notice

Consent andOpt-out

Processing

Framework for Cross-Institution

Data Sharing

Third PartySafeguard

Considerations

Required Security Controls

Data Privacy in BankingHow did the European Union’s GDPR change the trajectory of privacy law?

GDPR has become the basis for many international laws including Japan and Brazil as well as the most recent data privacy law in California, the California Consumer Privacy Act (CCPA)

Rights Follow the Individual Expanded View of Personal Information (PI) Universal Set of Privacy Rights

Provides a standard set of rights that are available to you across all your business

interactions

Expands beyond “personally identifiable information” (PII) to better align with

our digitally connected lives

Provides 10 privacy rights that enable you to control how and what

information is collected, processed, shared, and retained by businesses

An Overview of CCPA

To be or not to be…A question of scoping CCPA for banks

While many US-based privacy laws have excluded GLBA-covered institutions, CCPA makes an important carve out for consideration by banks

CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations” CCPA § 1798.145(e)

Generally Exempt Information Generally NOT Exempt Information

• Transaction and experience information• Joint products or services• Account website information

• General website advertising (such as retargeting)• Marketing information from non-financial

partners• Information shared with, or obtained from, an

affiliate (outside of a joint product)

CCPA Impact on BanksMany organizations have been challenged to understand their requirements

In survey of Fortune 500 companies in financial services performed by BCLP Law, the following trends were identified:

Majority had updated to account for CCPA requirements

PRIVACY NOTICE

Vast majority did not include the required ‘do not sell’ button

DO NOT SELL BUTTON

Included an average of 10 types of tracking / digital advertising cookies

WEBSITE TRACKING AND TARGETING

Majority included some but not all required disclosures

DISCLOSURES

Majority offered the required data subject privacy rights

SUBJECT RIGHTS

Only 1 in 12 web sites included an opt-in

OPT-IN CONSENT

Not

ice

&

Dis

clos

ure

Web

site

What Do You Need To Know?

Are there other scoping requirements?

What data is in-scope?

What new rights and business obligations are created?

What are the penalties for non-compliance?

What is the timeline for enforcement?

Even if not in-scope today, it is very likely that large portions of this law will be the template for future US state and federal laws

An Overview of CCPAWhich businesses are impacted?

In-scope businesses must meet the following

For-profit organizationCollect personal

information on California residents

Controller of data (determine purpose and

means of processing)Do business in California

Meet at least 1 of the following:(i) annual gross revenues in excess of $25 million(ii) annually buys, receives, sells, or shares for

commercial purposes, the PI of 50,000+ CA consumers, households, or devices

(iii) 50%+ of annual revenues from selling CA PI

CCPA is focused on individual consumers. It does NOT cover business to business transactions even if one business is a sole proprietor.

An Overview of CCPAWhat data is in-scope?

Any consumer information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household”

Commercial activity such as purchases or consuming

tendencies

Internet activity such as interaction with a web site

or ad

Geolocation and biometric data

Common identifiers such as name, IP address, e-mail

address, and SSN

Audio, electronic, or similar information

Professional or employment information Education information

Personal Information (PI)

PI about employees and PI already governed by existing California or federal laws are excluded. This includes laws such as health information (HIPAA) and financial information (GLBA)

An Overview of CCPAWhat new rights and business obligations are created?

Request Information

Consumers can request the detail about what PI businesses have collected about them (with verification)

Be Informed

Businesses must disclose categories of PI collected and their purpose as well as consumer rights and process to request them

Opt-outConsumers have the ability to prohibit businesses from selling their PI to 3rd parties

Be Forgotten

Businesses must delete consumer’s PI after receiving a verified request (with multiple exceptions)

Exercise Rights

Without Penalty

Businesses are prohibited from discriminating against consumers who have exercised their right to opt out

Right to Action

Consumers have a direct right to action in case of breach of unencrypted PI that is not cured within 30 days

An Overview of CCPAWhat are the penalties for non-compliance?

• Upon notification of alleged violations, businesses have 30 days to remediate violations

• State Attorney General’s office will enforce CCPA through staffing funded entirely out of money generated

through CCPA compliance penalties.

$2,500Per violation (per record) if

shown as unintentional

$7,500Per violation (per record) if

shown as intentional

$100 – $750Individual consumers can sue in the event

personal information is breached

Civil Action from Attorney General’s Office

Civil Action from Individual CA Residents

An Overview of CCPAWhat is the timeline for enforcement?

June 28, 2018CCPA signedinto law

September 13, 2019CA Assembly approved 5 amendments

July 1, 2020State AG’s office begins enforcement

Oct. 10 – Dec. 5, 2019State AG’s office releases draft rules of enforcement for comment

January 1, 2020Law became effective and companies are expected to be in compliance

Polling Question #1

Which of the following is considered Personal Information under relevant data privacy law for banks?

o Employment Informationo Email Addresso IP AddressoAll of the Above

Building a Sustainable Privacy Program

Privacy ProgramWhat are the key building blocks?

GOVERNANCE

Lawful & Transparent Processing

OPERATIONS

SecurityData Subject Rights

Notice

International

Policies & Procedures Program Ownership & Support

Awareness & Training

Legal Basis

Processing Limitation & Data Retention

Data Inventory & Maps(Including ‘Special’ Data)

Be Informed Access by Data Subject

Rectification Erasure

Restriction of Processing Data Portability

Object Withdraw Consent

Automated Individual Decision Making

Change Management

Vendor Management

Record Keeping

PRIV

ACY

PRO

GRA

M Appropriate Controls

Breach Notification

Contracts

Vendor Risk

Data Protection Impact AssessmentPrivacy by Design

and by Default

Authority Coordination Recurring Maintenance

Transfer Framework

Privacy ProgramHow to support sustainability

• Establish individual with overall ownership for the organization’s data privacy program

• Staff with responsibility to support consumer access requests and other privacy program activities• Empower individuals within line of business to advocate for privacy and provide feedback to program

• Outlines expectations and responsibilities regarding data privacy• Consider how data is generally collected, used, disclosed, classified, controls throughout the data

lifecycle, and required retention periods

• Provide step-by-step considerations for supporting data subject rights requests and where to go for answers to questions

• Provide general expectations on data privacy to organization

4. Build and Train on Privacy Procedures

3. Document Privacy Policies

2. Establish Program Ownership and Supporting Staff

1. Name a Data Protection Officer

• Highlights what PI elements are collected, stored, processed, and transferred• Maps identify personal data as it moves across various systems and thus how data is shared and

organized

5. Document Data Inventory and Maps

Privacy ProgramWhat is reasonable information security?

Requires organizations process data

securely through a

framework of technical and organizational

measures

POLICIESInstitute and maintain enterprise security policy (and others if appropriate) with overall program ownership

CONTROLS FRAMEWORK• Implement security controls based on risk• Consider admin, technical, physical controls• Focus on data protection (e.g., encryption),

authentication, and backup/restoration

RISK ANALYSISUndertake recurring analysis of the risks of personal data collected/processed and use to assess appropriate level of security

BREACH RESPONSEProcess in place to investigate and notify enforcement authorities after becoming

aware of a breach of personal data (some laws have required timeframes)

THIRD PARTIESEnsure any data processors

implement appropriate technical and organizational

measures

TESTINGConduct regular testing

and act on results

Privacy ProgramUtilizing tools to accelerate and sustain your program

Consumer Rights Process

Data Mapping and Discovery

Website Consent Management

While not a requirement, tooling can help create automation, scalability, and overall efficiency in recurring operational processes

IAPP 2020 Privacy Tech Vendor Report: https://iapp.org/resources/article/privacy-tech-vendor-report/

https://iapp.org/resources/article/privacy-tech-vendor-report/

Polling Question #2

In order to be in-scope for a US state privacy law, your business must be physically located in that state:

o Trueo False

What’s Next In Privacy?

What’s Next for US Data PrivacyThe current status of US privacy law development

US State Privacy Bills (active only)

Signed into Law 3

Cross Committee 1

Cross Chamber 1

In Committee 15

Task Force 5

• New Jersey• Washington (3rd try)• New York• California

Who to Watch

https://iapp.org/resources/article/state-comparison-table/

https://iapp.org/resources/article/state-comparison-table/

What’s Next for Data PrivacyWhat do you mean California? Aren’t we done?

Working on a new privacy initiative for the November 2020 ballot, “California Public Records Act” CPRA, if passed, it would take effect 1/1/2023 and includes many key changes to CCPA such as:

Dedicated Enforcement Agency New Requirements for ‘Sensitive’ Data Processing New Data Subject Rights

Create 1st agency in US dedicated to privacy absorbing responsibility from the State AG

Provides a very broad definition of sensitive data. Impacted consumers would be able to limit use and disclosure of this data and provide global opt-outs

Including restrictions on automated decision-making/profiling, ability to correct data, and strengthened opt-ins for minors

Extends the moratorium on employee data until 1/1/2023

What’s Next for Data PrivacyAn expected delay in new state and federal data privacy legislation

01

02

03

04

05

PRIVATE RIGHT TO ACTION

Whether an individual or a recognized public authority can legally enforce a violation of an individuals privacy rights

FACIAL RECOGNITIION

Legislators are requesting additional scrutiny and

carve outs specifically for biometric data

COVID-19

Shortened legislative cycles overwhelmed dockets, and

significant cost impacts already imposed on businesses

PREEMPTION

Determination of whetherany proposed federal law would preempt existing state laws

ELECTION CYCLE

In general, election years have slowed bipartisan agreement needs for these types of bills

Polling Question #3

The state of California has created an independent agency in order to enforce the CCPA:

o Trueo False

Thank you!

Robert Snodgrass

[email protected]

540.521.4567

Leading a Horse to Water in Troubled Times

E a r l y I d e n t i f i c a t i o n o f P r o b l e m L o a n s

T h r o u g h L o a n P o r t f o l i o S t r e s s T e s t i n g

OverviewL o a n P o r t f o l i o S t r e s s T e s t i n g

• Value

• Types

• Tips

• Management’s Response

• Documentation

Meaningful Insight

Proactive Response

Regulators

Value L o a n P o r t f o l i o S t r e s s T e s t i n g

ValueL o a n P o r t f o l i o S t r e s s T e s t i n g

• Meaningful insight into the institution’s loan portfolio

• Brings focus

• Variable changes lend insight into overall impact to capital

• Policies can be adjusted to mitigate exposure

• Proactive response to results

• Identifies potential problems

ValueL o a n P o r t f o l i o S t r e s s T e s t i n g

• Regulators

• OCC Bulletin 2012-33, “Community banks, regardless of size, should have the capacity

to analyze the potential impact of adverse outcomes on their financial conditions.”

Top Down

Bottom Up

Types L o a n P o r t f o l i o S t r e s s T e s t i n g

TypesL o a n P o r t f o l i o S t r e s s T e s t i n g

• Top Down

• Identifies the extent to which capital might be at risk given the bank’s balance-sheet

structure and loan mix

• Bottom Up

• Identifies current and emerging risks and vulnerabilities within the loan portfolio

• Best approach for identifying potential loan problems

Polling Question #1

The top down loan portfolio stress test provides detailed information about borrowers?

o Trueo False

Determine Scope

Determine Stress Factors

Worksheet/Testing Loans

Items to be Mindful of

Tips – Bottom Up Approach L o a n P o r t f o l i o S t r e s s T e s t i n g

T i p s

ScopeB o t t o m U p A p p r o a c h

Tips – Bottom Up ApproachL o a n P o r t f o l i o S t r e s s T e s t i n g

• Determining scope - items to consider:

• Industry concerns

• Regulator concerns

• CRE concentrations

• Concentrations unique to the financial institution

• Specific markets due to mergers and acquisitions

• Full or partial coverage

• COVID-19 impact


• COVID-19 impact

• Emphasis on income producing real estate and partial coverage of samples ranging

from 30% to 75%

• Includes 1-4 family rental and owner occupied/non-owner occupied CRE

• Typical coverage: owner occupied – 50%; non-owner occupied – 75%

• A sampling of C&I loans supporting operations, focused on impacted industries


• COVID-19 impact

• Industry Segments notably impacted:

• Travel & hospitality; Entertainment; Manufacturing; Oil & gas; Restaurants; Commercial real estate; Dental & surgical partners

• Other industries of concern:

• Non-profits; Churches; Office space

T i p s

Stress FactorsB o t t o m U p A p p r o a c h


• Determining stress factors

• No one-size-fits-all approach

• 3 components to consider:

• Debt; Income; Collateral

• In each component consider: Basis, Mild and Severe scenarios

Polling Question #2

Has your financial institution been encouraged by regulators to perform a loan portfolio stress test?

o YesoNooNot sure

T i p s

Worksheet/Testing LoansB o t t o m U p A p p r o a c h


• The worksheet is broken into 4 sections:

• Loan information

• Basis

• Mild

• Severe


• Loan Information should include:

• Loan number

• Borrower name

• Brief collateral description

• Note rating

• Collateral type

• FFIEC code

• Loan exposure


• Basis, Mild and Severe sections include:

• Total collateral value

• Total annual debt service

• Cash available for debt service

• Global debt coverage

• Loan-to-value

• Net collateral shortfall

• Pass/Fail

T i p s

Items to be Mindful ofB o t t o m U p A p p r o a c h


• Participations

• What should the test reflect?

• Total exposure

• Annual debt exposure and loan-to-value based on master note


• 90 day deferrals

• End date is near

• An opportunity to obtain interim information to gauge COVID-19 impact

Management’s Response

Proactive Response

Results

Borrowers

Relationship lending

Management’s Response L o a n P o r t f o l i o S t r e s s T e s t i n g

Management’s ResponseL o a n P o r t f o l i o S t r e s s T e s t i n g

• Results

• List of potential problem loans

• Estimated impact to the financial institution


• Borrowers

• Failing basis

• Failing mild scenario

• Assess impact of COVID-19

• Opportunity to modify loan terms and/or improve collateral position

• Policies can be adjusted to mitigate credit risk


• Relationship building

• Meaningful conversations about:

• The business

• COVID-19’s impact

• Plans to manage moving forward

• How the financial institution can help

Polling Question #3

Does your financial institution periodically perform loan portfolio stress testing (outsourced or internally prepared)?

o YesoNooNot sure

Documentation

Results

Board presentation

Borrowers

Documentation L o a n P o r t f o l i o S t r e s s T e s t i n g

OCC Bulletin 2012-33 states,

“Community bank management can use stress testing to establish and support reasonable risk appetite and

tolerances, set concentration limits, adjust strategies, and appropriately plan for and maintain adequate capital

levels. Bank management should mitigate identified risks and vulnerabilities through such actions as increased

portfolio monitoring, adjusted underwriting standards, selling or hedging assets, and increasing capital. In

addition, bank management should use the results of stress tests to establish appropriate action plans that

address risks when the results are inconsistent with risk tolerance levels and the bank's overall strategic and

capital plans.”

DocumentationL o a n P o r t f o l i o S t r e s s T e s t i n g

DocumentationL o a n P o r t f o l i o S t r e s s T e s t i n g

• Borrowers

• Access risk ratings

• Add to loan review scope borrowers that failed

• Add memos regarding borrower’s ability to repay the note

• There is hope for navigating the credit risk associated

with the current crisis.

• Early identification of problem loans through loan

portfolio stress testing is key to that hope.

In Conclusion L o a n P o r t f o l i o S t r e s s T e s t i n g

elliottdavis.com

STAY IN TOUCH

Jason Price, CPACredit Risk Senior Manager

341 Cool Springs Blvd | Suite 340

Franklin, TN 37067

615.786.7961

[email protected]

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the

discussion. This presentation is for informational purposes and does not contain or convey specific advice.

It should not be used or relied upon in regard to any particular situation or circumstances without first

consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced

for distribution without prior written approval from Elliott Davis.

Disclaimer

Thank You!

SBA PPP LoansI C F R , C o m p l i a n c e , a n d R i s k M a n a g e m e n t I m p l i c a t i o n s

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the

discussion. This presentation is for informational purposes and does not contain or convey specific advice.

It should not be used or relied upon in regard to any particular situation or circumstances without first

consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced

for distribution without prior written approval from Elliott Davis.

Disclaimer

S B A P P P L o a n sInternal Control Over Financial Reporting

PPP Control ConsiderationsS B A P P P L o a n s – I n t e r n a l C o n t r o l o v e r F i n a n c i a l R e p o r t i n g

• Primary process considerations:

• Entity policy compliance and onboarding integrity

• Loan fee recognition

• Loan forgiveness processing


• Entity policy compliance and onboarding integrity

• Impact of loan processing/funding/onboarding on established processes and

procedures

• Control considerations

• Delegation of authority / lending limits

• Support adequacy (e.g. borrower info, SBA approval, etc.)

• Segregation of duties

• Timely review / system data verification


• Loan fee recognition

• Compliance with ASC 310-20 and system capabilities


• Loan fee onboarding accuracy

• Automated vs. manual process for deferral and recognition

• Subsequent impact: borrower ineligibility, held-for-sale designation, loan payoff/forgiveness, etc.

Polling Question #1

How is your institution tracking processing fees?o Fully manual processoUtilizing some element of the core systemo Fully utilizing the core system


• Loan forgiveness processing

• SBA compliance / eligibility and loss exposure


• Good faith certification review

• SBA receivable booking, PPP reversal, and clawback provisioning

Polling Question #2

Are you utilizing a third party to assist with the forgiveness process?o YesoNooUnsure

S B A P P P L o a n s

Compliance

Regulation OS B A P P P L o a n s – C o m p l i a n c e

• April 17, 2020 Federal Reserve Interim Final Rule

• Exempted certain PPP loans from Regulation O, not prohibited by insider lending

restrictions established by the SBA

• April 20, 2020 SBA Interim Final Rule

• Not subject to Regulation O, if made by a PPP lender to a business owned by:

• A PPP lender’s director

• A person that holds less than 30 percent of the stock or debt instruments of the PPP lender

• Insiders of a PPP lenders affiliates

Regulation OS B A P P P L o a n s – C o m p l i a n c e

• Exception does not apply to a director or owner who is also an officer or key

employee of the PPP Lender

• Officers and key employees of a PPP Lender may obtain a PPP Loan from a different

lender, but not from the PPP Lender with which they are associated.

• Favoritism by the Lender in processing time or prioritization of the director’s or equity

holder’s PPP application is prohibited.

• Lenders should also consult their own internal policies concerning lending to

individuals or entities associated with the Lender.

Community Reinvestment Act (CRA)S B A P P P L o a n s – C o m p l i a n c e

• Most SBA PPP loans will receive CRA credit

• Loans to businesses in amounts of $1 million, or less

• Considered small business loans and considered under the lending test

• Loans to businesses in amounts greater than $1 million

• If jobs are created, or retained, would qualify under economic development

• If primarily benefits low and moderate-income areas, or distressed middle-income

areas, would qualify under revitalization/stabilization

• Community Development Activities

• Loans, investments, or services that support digital access or healthcare for LMI individuals or communities

• Economic development activities that sustain small business operations, particularly in LMI communities

• Investment or service activities that support provision of food supplies and services for LMI individuals or communities

Community Reinvestment Act (CRA)S B A P P P L o a n s - C o m p l i a n c e

• Working with Customers

• Waiving certain fees (ATM, overdraft, late fees, early withdrawal)

• Increasing credit limits for creditworthy borrowers

• Alternative services options for branch access• Expanding availability of short-term,

unsecured credit products• Payment accommodations (deferral, payment

extensions)

• March 19, 2020 Joint Statement on CRA Consideration for Activities in Response to COVID-19

Bank Secrecy Act (BSA)S B A P P P L o a n s – C o m p l i a n c e

• Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD

purposes? Are lenders required to collect, certify, or verify beneficial ownership

information in accordance with the rule requirements for existing customers?

• If the PPP loan is being made to an existing customer and the necessary information was

previously verified, you do not need to re-verify the information. Furthermore, if federally

insured depository institutions and federally insured credit unions eligible to participate in the

PPP program have not yet collected beneficial ownership information on existing customers,

such institutions do not need to collect and verify beneficial ownership information for those

customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based

approach to BSA compliance.

Bank Secrecy Act (BSA)S B A P P P L o a n s – C o m p l i a n c e

• It is a best practice, for PPP loans where the institution is not requiring additional

beneficial ownership information, to add a brief addendum to their customer due

diligence procedures stating they will not require reverification for PPP loans.

• Beneficial Ownership required for new business customer PPP loans and existing

loan customers that are opening a deposit account

Fair LendingS B A P P P L o a n s – C o m p l i a n c e

• The Equal Credit Opportunity Act (ECOA) and Regulation B prohibit discrimination against an applicant on a prohibited basis regarding any aspect of a credit transaction, and prohibit discouraging a reasonable person, on a prohibited basis, from making or pursuing an application.

• Applies to all creditors and to business and consumer credit

• Prohibited basis means race, color, religion, national origin, sex, marital status, or age (provided that the applicant has the capacity to enter into a binding contract); the fact that all or part of the applicant's income derives from any public assistance program; or the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act or any state law upon which an exemption has been granted by the Bureau.

Fair LendingS B A P P P L o a n s – C o m p l i a n c e

• Many lenders implemented “gating” requirements for PPP loan applications

• Prioritizing existing customers, customers without other lending relationships

• Not expressly prohibited, but increases risk that similarly situated businesses were not treated similarly

• Were policies and procedures documented for any “gating” requirements?

• Document business justification for “gating” policies, even if after the fact.

• Volume of applications compared to capacity to process

• Speed of SBA PPP program implementation

• Limited availability of funds

• Review and monitor SBA PPP approvals, denials, and investigate any complaints

Regulation B – Equal Credit Opportunity Act (ECOA)S B A P P P L o a n s – C o m p l i a n c e

• Adverse Action Requirements

• For a business that grossed $1 million or less in prior fiscal year, notice must be delivered in 30 days

• Notice must be delivered to larger businesses within a reasonable period of time

• A PPP application that a creditor has submitted to the SBA is not a “completed application” under Regulation B until the creditor receives a loan number from the SBA or a response about the availability of funds.

• If the creditor receives the application, decides against granting credit and does not submit the application to the SBA, an adverse action notice is required.

• If the creditor does not receive a response from the SBA, they cannot deny the application for incompleteness

Polling Question #3

Have you updated your 2020 internal audit plan to consider SBA PPP loans?

o YesoNooUnsure

S B A P P P L o a n s

Risk Management

Denial of SBA GuaranteeS B A P P P L o a n s – R i s k M a n a g e m e n t

• Lender Underwriting Requirements (SBA Interim Final Rule)

• Confirm receipt of borrower certifications contained in the PPP application form

• Confirm receipt of information demonstrating that a borrower had employees for whom the

borrower paid salaries and payroll taxes on or around February 15, 2020

• Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by

reviewing the payroll documentation submitted with the borrower’s application

• Follow applicable BSA requirements


• From Department of the Treasury and SBA Frequently Asked Questions

• Question: Paragraph 3.b.iii of the PPP Interim Final Rule states that lenders must “[c]onfirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application.” Does that require the lender to replicate every borrower’s calculations?

• Answer: No. Providing an accurate calculation of payroll costs is the responsibility of the borrower, and the borrower attests to the accuracy of those calculations on the Borrower Application Form. Lenders are expected to perform a good faith review, in a reasonable time, of the borrower’s calculations and supporting documents concerning average monthly payroll cost. For example, minimal review of calculations based on a payroll report by a recognized third-party payroll processor would be reasonable. In addition, as the PPP Interim Final Rule indicates, lenders may rely on borrower representations, including with respect to amounts required to be excluded from payroll costs. If the lender identifies errors in the borrower’s calculation or material lack of substantiation in the borrower’s supporting documents, the lender should work with the borrower to remedy the issue.


• SBA Review of Individual Loan Files

• SBA will review all loans in excess of $2 million, in addition to other loans as appropriate, following the lender’s submission of the borrower’s loan forgiveness application.

• The outcome of SBA’s review of loan files will not affect SBA’s guarantee of any loan for which the lender complied with the lender obligations.

• If SBA determines in the course of its review that a borrower lacked an adequate basis for the required certification concerning the necessity of the loan request, SBA will seek repayment of the outstanding PPP loan balance and will inform the lender that the borrower is not eligible for loan forgiveness.

• SBA’s determination concerning the certification regarding the necessity of the loan request will not affect SBA’s loan guarantee.

elliottdavis.com

STAY IN TOUCH

Marshall Trull, CPA, CRCMSenior Manager

500 East Morehead Street | Suite 700Charlotte, NC 28209

[email protected]

Matthew McFarlin, CPASenior Manager

5140 Trinity Road | Suite 320

Raleigh, NC 27607

919.334.6184

[email protected]

Thank You!

Leveraging Analytics

T r a n s f o r m i n g i n t e r n a l a u d i t t h r o u g h t h e d e p l o y m e n t o f a n a l y t i c a l s o l u t i o n s

What does data analytics mean?

The ability to make conclusions based on the analysis of a useable, meaningful data

Polling Question #1

How much do you currently utilize data analytics in your internal audit?oHeavily reliantoOccasionally oWe have done it once or twiceoWe don’t even know where to begin

Deploying Analytics

Develop a Plan• Begin in your comfort zone, then build outside it

• Identify the low hanging fruit for immediate successes and buy-in

• Open up the ideation process to all departments

• No need to rush into new software, maximize the use of existing tools like Excel

• Determine the risks and the related scope

• Determine what attributes you need to

meet that scope

• Identify the needed data, related reports,

and necessary format

• Gather the data

Establish a ProcessWhen gathering data:

• Make sure it is in a useable format

• Ensure it has all the attributes you need to meet your scope

• Validate for completeness and accuracy

• Document how you obtained it

• Keep a copy of the original

With your plan and process in place, it’s time to perform the analysis

Perform the Analysis

•Specific attribute review

•Ratio analysis

•Trend analysis

•Correlation

•Sizing

•Segmentation

Evaluate the Outcome

Review patterns and trends

Prove (or disprove) hypothesis

Identify and sample/research

Look for outliers

• Document the process used to get results

• Create summary, preferably with visuals

• Have supporting data readily available

• Make recommendations on how to address

Present the Results

Points of Consideration

Benefits• Risk based approach

• Testing of full populations

• Efficient

• Continuous monitoring

• Scalable

• Availability of data

• Initial capital outlay

• Limited resources / skill sets

• Change is difficult

• Limited types of testing

Drawbacks

• Single Analysis

• Recurring Analysis

Two Types of Projects

• Large value in finding a solution

• Continued evaluation is unnecessary

• Likely a strategic priority

• Examples: merger support, investigation of known fraud, etc.

Single Analysis

• Continued monitoring provides value

• Upfront “costs” can be spread over several uses

• Can serve as building blocks for an analytically heavy IA program

• Continued process improvement

• Allows for process automation

• Examples: fair lending analysis, quarterly ratio review, etc.

Recurring Analysis

Polling Question #2

Which type of data analysis does your internal audit department use?o Single / One-offoRecurring / RepeatableoBothoNeither

• By building an analytical process in a manner that “stores” procedures, data

preparation and analysis can be quickly executed

Tools for Automation

Credit Reporting ReviewE X A M P L E O F R E C U R R I N G / R E P E A T A B L E A N A L Y S I S

Credit Reporting Review

*visual representation of an automated, recurring data process

E X A M P L E O F R E C U R R I N G / R E P E A T A B L E A N A L Y S I S

Home Mortgage Disclosure ActE X A M P L E O F R E C U R R I N G / R E P E A T A B L E A N A L Y S I S

E X A M P L E O F R E C U R R I N G / R E P E A T A B L E A N A L Y S I S

Home Mortgage Disclosure Act

Home Mortgage Disclosure ActE X A M P L E O F R E C U R R I N G / R E P E A T A B L E A N A L Y S I S

Finding the Right Solution

When Choosing Software

• User friendliness

• Useful visualization

• Ability to publish / share

• Ease of data import

• Can handle large data sets

• Built in functionalities

• Can create templates

• Audit log / trackable

procedures

t

Common Software

Base Next level With visualizations

• Microsoft Excel (*)

• Microsoft Access

(*) greatly undervalued tool

• Microsoft Power BI

• Tableau

• FineReport

• IDEA

• ACL

…this is just the tip of the iceberg with data extraction tools, integrated solutions, predictive analytics and machine learning

Maximizing Excel

Excel’s Capabilities

• Functions

• Pivot tables

• Conditional formatting

• Sort and filter

• Flash fill

• Goal seek

• Visual charts

• Macros

• Automation

Other Reports

Loan Trial

Balance

Deposit Trial

Balance1. Define your data questions and desired output

2. Decide what you need to measure and how to measure it

3. Collect and clean data

4. Perform data analysis

5. Present results

Utilizing the Data You Have

v Loan Portfolio Analysis

v Account Type Analysis

v Transaction Monitoring

v Risk Assessments

v Monthly Reconciliations

v Stress Testing

v Employee Account Reviews

v Automated Public Filings

v Loan/CIP Exception Logs

v Performance Goal Tracker

v Staffing Analysis

v Board Reporting

v and more!

Examples of Data Analysis in ExcelF I N A N C I A L I N S T I T U T I O N

• Detects matching of textual data, returning a similarity score along with

each match

• Helpful for comparing reports pulled from different systems

• Examples:• “Doe, Jane A.” vs. “Jane A. Doe”• “123 Independence St.” vs. “123 Independence Street”

Fuzzy LookupH E L P F U L E X C E L A D D - I N S

HANDS ON EXAMPLE

Employee Deposit Account ReviewReports you may need:

• HR Employee Listing

• Employee Deposit Account Listing

• Transactions

• File Maintenance Records

Goal of Analysis:

• Ensure employee accounts are properly coded

• Identify unusual employee transactions

• Review file maintenance records to identify outliers

• Allows user to provide data and parameters with pre-

developed analysis tools

• Displays all results in output table

• Microsoft Analysis ToolPak Details

Analysis ToolPakH E L P F U L E X C E L A D D - I N S

https://support.microsoft.com/en-us/office/use-the-analysis-toolpak-to-perform-complex-data-analysis-6c67ccf0-f4a9-487c-8dec-bdb5a2cefab6%3Fui=en-us&rs=en-us&ad=us

• Can be utilized to find optimal solutions for decisions based

on resources and constraints

• Steps to utilize tool:• Determine what decisions need to be made

• E.g. How many loans to originate in order to meet sales goals?• Determine constraints on production

• E.g. Total loan officers and hours of availability• Determine overall measure of performance

• E.g. Total loan origination amount during the quarter

SolverH E L P F U L E X C E L A D D - I N S

Polling Question #3

How often does your institution use an excel add-in function (such as Fuzzy Logic, Analysis ToolPak, Solver, etc.?)?

oNever used beforeoOnce in a whileoMonthly reportingoDaily

HANDS ON EXAMPLE

BSA/AML Alert ReviewReports you may need:

• Alerts triggered during the period

• Parameter settings in system

Goal of Analysis:

• Determine efficiency of parameter settings

• Compare alert type performance

• Gather statistics of investigated alerts during the period

Alert Analysis System OptimizationI M P R O V I N G D A T A A N A L Y S I S B E Y O N D E X C E L

Leveraging Power BI

elliottdavis.com

STAY IN TOUCHAlek Bevensee

SeniorMarissa Lahousse

SeniorMike Koupal

Principal

500 East Morehead Street | Suite 700

Charlotte, NC 28202

704.808.5213

500 East Morehead Street | Suite 700

Charlotte, NC 28202

980.201.3912

341 Cool Springs Road | Suite 340

Franklin, TN 37067

615.786.7952

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation

may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.

DISCLAIMER

DISCLAIMER...Nicole Booth Senior Manager [email protected] 704.808.5272 Thank you! The...

Documents

Transcript of DISCLAIMER...Nicole Booth Senior Manager [email protected] 704.808.5272 Thank you! The...