This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation
may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.
DISCLAIMER
CRA Reform: Hopes and Hang-Ups
Virginia Risk Management Forum
CRA Modernization
•Concerns Over the Current CRA Regulatory Approach
•Performance Evaluation Methods
•Community Assessment Areas
Polling Question #1
Will CRA modernization affect your institution?
o Yes
o No
o Not Sure
Why is CRA Being Reformed?
•Evolution of the Banking System
•Provide Clarity and Certainty in CRA-eligible Activities
•Flexibility
Where Are We?
•OCC Adopted Final Rule
•Joint Rule Making
•Effective Date – Effective October 1, 2020
•Definition of a “small bank”
Expanding Where CRA Activity Counts
•Still required to delineate an assessment area
•Facility based assessment area
•Community Development Deserts
Separate Retail and Community Development Tests
Polling Question #2
Is the current CRA rating system objective, fair, and transparent?
o Yes
o No
Separate Retail and Community Development Tests, continued
•Retail Loans
•Qualified Community Development Activity
•Changes in Small Business and Small Farm Loan Thresholds
•Partially Benefits
•Multiplier
Presumptive Ratings
•CRA Evaluation Measure
•Assessment Area
•Retail Lending Distribution Measure
•Community Development Minimum
Data Collection and Recordkeeping Requirements
•Data Reporting
•Supporting Documentation
•Record Maintenance
Potential Impact of Adoption
New CRA Framework (<$500 million)
•Outstanding Ratings: 71.4%
•Satisfactory Ratings: 1%
New CRA Framework ($500 - 1.25 billion)
•Outstanding Ratings: 85%
•Satisfactory Ratings: 0%
Current CRA Framework (<$500 million)
•Outstanding Ratings: 4.8%
•Satisfactory Ratings: 81%
Current CRA Framework ($500 - 1.25 billion)
•Outstanding Ratings: 4.7%
•Satisfactory Ratings: 81%
Potential Impact of Adoption, continued
•Geographic Distribution Test
•Key Metric
•Threshold Concerns
• Small Business Gross Revenue Threshold Increased from $1 Million to $2 Million
• Family Farms Threshold Raised
•Essential Infrastructure as Eligible Community Development
•Public Disclosures
Polling Question #3
In your opinion, what is the underlying intent of the CRA?
o Repair a market failure, perhaps a lack of information about credit quality in LMI areas?
o To encourage banks to look harder for business opportunities that they would otherwise miss?
o Compel banks to help meet social policy objectives?
o All of the above
Potential Impact of Adoption, continued
•Affordable Housing
•Opportunity Zones
• Impact on Communities
Thank you!
Going Green: Cannabis Banking
Virginia Risk Management Seminar
KYC: Know Your Cannabis
A Science Lesson
CBD Oil Risks
CROSS CONTAMINATION: THC Residue
CROSS POLLINATION: “Rooster in the Hen House”
DISTILLATION PROCESS: “Clean”? CBD
Polling Question #1
Is your institution providing services to cannabis-related businesses?
o We’re not touching that risk
o Hemp only
o Hemp and indirect marijuana-related businesses
o We’ll be serving the medical marijuana industry
Regulatory Outlook & Guidance
USDA Hemp Production Plan
Overview
•Licensing
•Sample and Testing Requirements
•Non-Compliant Plants
Notable Terms
•Measurement of Uncertainty (MU)
•Acceptable Hemp THC Level
•Dry Weight Basis
•Geospatial Location
17 State Plans Approved
9 State Plans Pending
24 2014 Pilot Program
Virginia
Virginia’s USDA State Plan expected October 2020
• Received USDA feedback in February
• Currently revising plan
2020 Hemp Growing Season
•Operating under the 2014 Farm Bill
• Three Available Licenses
• Industrial Hemp Grower
• Industrial Hemp Processor
• Industrial Hemp Dealer
Hemp Stance by State
What About CBD?
Marijuana Stance by State
2020 Legalization Outlook
Signature Drive | 2020 Ballot
Arkansas, North Dakota
Arizona, New Hampshire, New Jersey, South Dakota
Virginia
•Decriminalization
•Up to one ounce; effective July 1, 2020
•Medical Use
•CBD and THC-A rich medical cannabis
•Approval for 25 dispensaries
SAFE Banking Act
Highlights:
•Safe Harbor from:
• Prosecution
• Loss of Insurance
• Examiner Intimidation
•Development of “uniform guidance and examination procedures”
Polling Question #2
What is your preferred resource for guidance on cannabis-related businesses?
o Peer groups
o High Times Magazine
o Willie Nelson
o Consent Orders – learn from the mistakes of others
FinCEN’s 2014 Guidance
“How Financial Institutions can provide services to marijuana-related businesses”
•Assess your risk
•Customer Due Diligence
• State licensure and registration
• Information about the business and related parties
• Expected activity
• Products sold and customer base
• Suspicious activity monitoring reflecting the red flags
“ … should enhance the availability of financial services for, and the financial transparency of, marijuana-related businesses.”
FinCEN’s 2014 Guidance
Suspicious Activity Reports (SAR) Requirements
•Required for all marijuana-related businesses
•Within 30 days of onboarding or detection
•Ongoing SARs required every 90 day period (30 days to file)
•Reliance on Cole Memo priorities
• Limited vs Priority
•Marijuana Limited
• Does not implicate one of the Cole Memo priorities or violate state law
• Use of “MARIJUANA LIMITED” in SAR narrative
•Marijuana Priority
• Implicates one of the Cole Memo priorities or violates state law
• Use of “MARIJUANA PRIORITY” in SAR narrative
•Marijuana Termination
• For use when terminating a relationship
• Use of “MARIJUANA TERMINATION” in SAR narrative
Cole Memo Priorities
•Listed eight DOJ priorities
•Acknowledged state laws
•Rescinded in 2018
Gone but Not Forgotten:
•FinCEN Guidance
•DOJ Case Lookback:
• ~ 50 Cases
•None outside of the priorities
•Bribes are a recurring theme
FinCEN’s Marijuana Updates: Institutions
FinCEN’s Marijuana Updates: SAR Breakdown
Total SARs Filed
Non-Priority
• 85,193 “Marijuana Limited” SARs
• 8,795 “Marijuana Priority” SARs
• 28,025 “Marijuana Termination” SARs
Polling Question #3
Does THCA have psychoactive properties?
o Yes, all THC has psychoactive properties.
o No, THCA’s molecular structure makes it too large to fit into our cannabinoid receptors.
o No, but THCA turns into THC.
Program Expectations
Cannabis Program
•Policy and Procedures
•Bank’s stance is adequately documented
•Controls are documented
•Program Risk Assessment
•Tailored Training
•Customer Due Diligence
• Internal Monitoring
•SARs
No Risk, No Problem?
•Policy and Procedures
•Bank’s stance is adequately documented
•Controls are documented
•Address in Risk Assessment
•Tailored Training
•Customer Due Diligence
• Internal Monitoring
•SARs – “Terminated Marijuana”
Cannabis-Related Businesses
•Types of MRBs (3 tiered approach)
• Industrial Hemp
•CBD Oil Retailers
Thank you!
The increasing price of consumer privacy
What major changes in data privacy mean for your bank today and in the years to come
Today’s Speakers
Robert Snodgrass
Elliott Davis | Data Privacy Discipline Leader
Focused on developing and implementing programs to add business value and effectively minimize data privacy and cyber risk. Clients include Fortune 500s across the United States, Asia, and Europe and customers in the public sector, financial services, consumer and industrial products, and public utility industries. Spent the last fourteen years in consulting managing deployments of data privacy and cyber risk solutions across data protection, privacy management, compliance management, identity and access management, application security, and vulnerability management across cloud and on-premise environments.
Agenda
01 WHAT IS DATA PRIVACY?
02 DATA PRIVACY IN BANKING
03 AN OVERVIEW OF CCPA
04 BUILDING A SUSTAINABLE PRIVACY PROGRAM
05 WHAT’S NEXT IN PRIVACY?
What is Data Privacy?
What is Data Privacy? Can I get a Rosetta Stone please?
Data Security: Is the data I collect protected from unauthorized access?
• Encryption
• Identity and access controls
• Network architecture
• System patching
• Awareness training
Data Privacy: Is the data I collect used only for its stated purpose?
• Disclosure and consent for personal data collection
• Right to view and correct personal data
• Right to be forgotten
What is Data Privacy? US consumer/employee privacy through the years
1960s: TRANSACTION
• Establish targeted rights around specific data elements and/or business transactions
• Fair Credit Reporting Act (FCRA)
1990s: INDUSTRY
• Build guidelines to manage data management practices of specific industries focused on those that handle sensitive consumer information
• Health Insurance Portability and Accountability Act (HIPAA)
TODAY: PERSON
• Provide a general set of rights for individuals and any information that could reasonably identify them
• California Consumer Privacy Act (CCPA)
What is Data Privacy? Why is it a priority?
• $3 Trillion: Value of global data economy*
• 5,000: Est. data points used by Cambridge Analytica to target US political ads
• $475 Million: Total fines issued under GDPR in 2019
* World Economic Forum
Data Privacy in Banking
Data Privacy in Banking: Followed a similar trend to rest of the US
1960s: TRANSACTION
• Establish targeted rights around specific data elements and/or business transactions
• Examples
o Fair Credit Reporting Act (FCRA)
o Fair and Accurate Credit Transactions Act (FACTA - 2003)
o Bank Secrecy Act (BSA)
1990s: INDUSTRY
• Build guidelines to manage data management practices of specific industries focused on those that handle sensitive consumer information
• Examples
o Gramm-Leach-Bliley Act (GLBA)
o Dodd-Frank Act
TODAY: PERSON
• Provide a general set of rights for individuals and any information that could reasonably identify them
• Examples
o EU General Data Protection Regulation (GDPR)
o California Consumer Privacy Act (CCPA)
Data Privacy in Banking: Breaking down information sharing under GLBA
For the last decade, GLBA has set the tone for privacy at banks working to strike a balance between consumer rights and the need to share information across financial institutions for operations
• Initial and Annual Privacy Notice
• Consent and Opt-out Processing
• Framework for Cross-Institution Data Sharing
• Third Party Safeguard Considerations
• Required Security Controls
Data Privacy in Banking: How did the European Union’s GDPR change the trajectory of privacy law?
GDPR has become the basis for many international laws including Japan and Brazil as well as the most recent data privacy law in California, the California Consumer Privacy Act (CCPA)
• Rights Follow the Individual: Provides a standard set of rights that are available to you across all your business interactions
• Expanded View of Personal Information (PI): Expands beyond “personally identifiable information” (PII) to better align with our digitally connected lives
• Universal Set of Privacy Rights: Provides 10 privacy rights that enable you to control how and what information is collected, processed, shared, and retained by businesses
An Overview of CCPA
To be or not to be… A question of scoping CCPA for banks
While many US-based privacy laws have excluded GLBA-covered institutions, CCPA makes an important carve out for consideration by banks
CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations” CCPA § 1798.145(e)
Generally Exempt Information
• Transaction and experience information
• Joint products or services
• Account website information
Generally NOT Exempt Information
• General website advertising (such as retargeting)
• Marketing information from non-financial partners
• Information shared with, or obtained from, an affiliate (outside of a joint product)
CCPA Impact on Banks: Many organizations have been challenged to understand their requirements
In a survey of Fortune 500 companies in financial services performed by BCLP Law, the following trends were identified:
• PRIVACY NOTICE: Majority had updated to account for CCPA requirements
• DO NOT SELL BUTTON: Vast majority did not include the required ‘do not sell’ button
• WEBSITE TRACKING AND TARGETING: Included an average of 10 types of tracking / digital advertising cookies
• DISCLOSURES: Majority included some but not all required disclosures
• SUBJECT RIGHTS: Majority offered the required data subject privacy rights
• OPT-IN CONSENT: Only 1 in 12 web sites included an opt-in
Categories: Notice & Disclosure; Website
What Do You Need To Know?
Are there other scoping requirements?
What data is in-scope?
What new rights and business obligations are created?
What are the penalties for non-compliance?
What is the timeline for enforcement?
Even if not in-scope today, it is very likely that large portions of this law will be the template for future US state and federal laws
An Overview of CCPA: Which businesses are impacted?
In-scope businesses must meet the following:
• For-profit organization
• Collect personal information on California residents
• Controller of data (determine purpose and means of processing)
• Do business in California
• Meet at least 1 of the following:
(i) annual gross revenues in excess of $25 million
(ii) annually buys, receives, sells, or shares for commercial purposes, the PI of 50,000+ CA consumers, households, or devices
(iii) 50%+ of annual revenues from selling CA PI
CCPA is focused on individual consumers. It does NOT cover business to business transactions even if one business is a sole proprietor.
An Overview of CCPA: What data is in-scope?
Any consumer information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household”
Personal Information (PI)
• Commercial activity such as purchases or consuming tendencies
• Internet activity such as interaction with a web site or ad
• Geolocation and biometric data
• Common identifiers such as name, IP address, e-mail address, and SSN
• Audio, electronic, or similar information
• Professional or employment information
• Education information
PI about employees and PI already governed by existing California or federal laws are excluded. This includes laws such as health information (HIPAA) and financial information (GLBA)
An Overview of CCPA: What new rights and business obligations are created?
• Request Information: Consumers can request the detail about what PI businesses have collected about them (with verification)
• Be Informed: Businesses must disclose categories of PI collected and their purpose as well as consumer rights and process to request them
• Opt-out: Consumers have the ability to prohibit businesses from selling their PI to 3rd parties
• Be Forgotten: Businesses must delete consumer’s PI after receiving a verified request (with multiple exceptions)
• Exercise Rights Without Penalty: Businesses are prohibited from discriminating against consumers who have exercised their right to opt out
• Right to Action: Consumers have a direct right to action in case of breach of unencrypted PI that is not cured within 30 days
An Overview of CCPA: What are the penalties for non-compliance?
• Upon notification of alleged violations, businesses have 30 days to remediate violations
• State Attorney General’s office will enforce CCPA through staffing funded entirely out of money generated through CCPA compliance penalties.
Civil Action from Attorney General’s Office
• $2,500: Per violation (per record) if shown as unintentional
• $7,500: Per violation (per record) if shown as intentional
Civil Action from Individual CA Residents
• $100 – $750: Individual consumers can sue in the event personal information is breached
An Overview of CCPA: What is the timeline for enforcement?
• June 28, 2018: CCPA signed into law
• September 13, 2019: CA Assembly approved 5 amendments
• July 1, 2020: State AG’s office begins enforcement
• Oct. 10 – Dec. 5, 2019: State AG’s office releases draft rules of enforcement for comment
• January 1, 2020: Law became effective and companies are expected to be in compliance
Polling Question #1
Which of the following is considered Personal Information under relevant data privacy law for banks?
o Employment Information
o Email Address
o IP Address
o All of the Above
Building a Sustainable Privacy Program
Privacy Program: What are the key building blocks?
[Diagram: PRIVACY PROGRAM building blocks; labels listed below]
• GOVERNANCE
• Lawful & Transparent Processing
• OPERATIONS
• Security
• Data Subject Rights
• Notice
• International
• Policies & Procedures
• Program Ownership & Support
• Awareness & Training
• Legal Basis
• Processing Limitation & Data Retention
• Data Inventory & Maps (Including ‘Special’ Data)
• Be Informed
• Access by Data Subject
• Rectification
• Erasure
• Restriction of Processing
• Data Portability
• Object
• Withdraw Consent
• Automated Individual Decision Making
• Change Management
• Vendor Management
• Record Keeping
• Appropriate Controls
• Breach Notification
• Contracts
• Vendor Risk
• Data Protection Impact Assessment
• Privacy by Design and by Default
• Authority Coordination
• Recurring Maintenance
• Transfer Framework
Privacy Program: How to support sustainability
1. Name a Data Protection Officer
• Establish individual with overall ownership for the organization’s data privacy program
2. Establish Program Ownership and Supporting Staff
• Staff with responsibility to support consumer access requests and other privacy program activities
• Empower individuals within line of business to advocate for privacy and provide feedback to program
3. Document Privacy Policies
• Outlines expectations and responsibilities regarding data privacy
• Consider how data is generally collected, used, disclosed, classified, controls throughout the data lifecycle, and required retention periods
4. Build and Train on Privacy Procedures
• Provide step-by-step considerations for supporting data subject rights requests and where to go for answers to questions
• Provide general expectations on data privacy to organization
5. Document Data Inventory and Maps
• Highlights what PI elements are collected, stored, processed, and transferred
• Maps identify personal data as it moves across various systems and thus how data is shared and organized
Privacy Program: What is reasonable information security?
Requires organizations process data securely through a framework of technical and organizational measures
POLICIES: Institute and maintain enterprise security policy (and others if appropriate) with overall program ownership
CONTROLS FRAMEWORK
• Implement security controls based on risk
• Consider admin, technical, physical controls
• Focus on data protection (e.g., encryption), authentication, and backup/restoration
RISK ANALYSIS: Undertake recurring analysis of the risks of personal data collected/processed and use to assess appropriate level of security
BREACH RESPONSE: Process in place to investigate and notify enforcement authorities after becoming aware of a breach of personal data (some laws have required timeframes)
THIRD PARTIES: Ensure any data processors implement appropriate technical and organizational measures
TESTING: Conduct regular testing and act on results
Privacy Program: Utilizing tools to accelerate and sustain your program
Consumer Rights Process
Data Mapping and Discovery
Website Consent Management
While not a requirement, tooling can help create automation, scalability, and overall efficiency in recurring operational processes
IAPP 2020 Privacy Tech Vendor Report: https://iapp.org/resources/article/privacy-tech-vendor-report/
Polling Question #2
In order to be in-scope for a US state privacy law, your business must be physically located in that state:
o True
o False
What’s Next In Privacy?
What’s Next for US Data Privacy: The current status of US privacy law development
US State Privacy Bills (active only)
• Signed into Law: 3
• Cross Committee: 1
• Cross Chamber: 1
• In Committee: 15
• Task Force: 5
Who to Watch
• New Jersey
• Washington (3rd try)
• New York
• California
https://iapp.org/resources/article/state-comparison-table/
What’s Next for Data Privacy: What do you mean California? Aren’t we done?
California is working on a new privacy initiative for the November 2020 ballot, the “California Public Records Act” (CPRA). If passed, it would take effect 1/1/2023 and includes many key changes to CCPA such as:
• Dedicated Enforcement Agency: Create 1st agency in US dedicated to privacy absorbing responsibility from the State AG
• New Requirements for ‘Sensitive’ Data Processing: Provides a very broad definition of sensitive data. Impacted consumers would be able to limit use and disclosure of this data and provide global opt-outs
• New Data Subject Rights: Including restrictions on automated decision-making/profiling, ability to correct data, and strengthened opt-ins for minors
Extends the moratorium on employee data until 1/1/2023
What’s Next for Data Privacy: An expected delay in new state and federal data privacy legislation
• PRIVATE RIGHT TO ACTION: Whether an individual or a recognized public authority can legally enforce a violation of an individual’s privacy rights
• FACIAL RECOGNITION: Legislators are requesting additional scrutiny and carve outs specifically for biometric data
• COVID-19: Shortened legislative cycles, overwhelmed dockets, and significant cost impacts already imposed on businesses
• PREEMPTION: Determination of whether any proposed federal law would preempt existing state laws
• ELECTION CYCLE: In general, election years have slowed bipartisan agreement needed for these types of bills
Polling Question #3
The state of California has created an independent agency in order to enforce the CCPA:
o True
o False
Leading a Horse to Water in Troubled Times
Early Identification of Problem Loans Through Loan Portfolio Stress Testing
Overview
• Value
• Types
• Tips
• Management’s Response
• Documentation
Value
Meaningful Insight
Proactive Response
Regulators
Value
• Meaningful insight into the institution’s loan portfolio
• Brings focus
• Variable changes lend insight into overall impact to capital
• Policies can be adjusted to mitigate exposure
• Proactive response to results
• Identifies potential problems
Value
• Regulators
• OCC Bulletin 2012-33, “Community banks, regardless of size, should have the capacity to analyze the potential impact of adverse outcomes on their financial conditions.”
Types
Top Down
Bottom Up
Types
• Top Down
• Identifies the extent to which capital might be at risk given the bank’s balance-sheet structure and loan mix
• Bottom Up
• Identifies current and emerging risks and vulnerabilities within the loan portfolio
• Best approach for identifying potential loan problems
Polling Question #1
The top down loan portfolio stress test provides detailed information about borrowers?
o True
o False
Tips
Determine Scope
Determine Stress Factors
Worksheet/Testing Loans
Items to be Mindful of
Tips – Bottom Up Approach: Scope
Tips – Bottom Up Approach
• Determining scope - items to consider:
• Industry concerns
• Regulator concerns
• CRE concentrations
• Concentrations unique to the financial institution
• Specific markets due to mergers and acquisitions
• Full or partial coverage
• COVID-19 impact
Tips – Bottom Up Approach
• COVID-19 impact
• Emphasis on income producing real estate and partial coverage of samples ranging from 30% to 75%
• Includes 1-4 family rental and owner occupied/non-owner occupied CRE
• Typical coverage: owner occupied – 50%; non-owner occupied – 75%
• A sampling of C&I loans supporting operations, focused on impacted industries
Tips – Bottom Up Approach
• COVID-19 impact
• Industry Segments notably impacted:
• Travel & hospitality; Entertainment; Manufacturing; Oil & gas; Restaurants; Commercial real estate; Dental & surgical partners
• Other industries of concern:
• Non-profits; Churches; Office space
Tips – Bottom Up Approach: Stress Factors
Tips – Bottom Up Approach
• Determining stress factors
• No one-size-fits-all approach
• 3 components to consider:
• Debt; Income; Collateral
• In each component consider: Basis, Mild and Severe scenarios
Polling Question #2
Has your financial institution been encouraged by regulators to perform a loan portfolio stress test?
o Yes
o No
o Not sure
Tips – Bottom Up Approach: Worksheet/Testing Loans
Tips – Bottom Up Approach
• The worksheet is broken into 4 sections:
• Loan information
• Basis
• Mild
• Severe
Tips – Bottom Up Approach
• Loan Information should include:
• Loan number
• Borrower name
• Brief collateral description
• Note rating
• Collateral type
• FFIEC code
• Loan exposure
Tips – Bottom Up Approach
• Basis, Mild and Severe sections include:
• Total collateral value
• Total annual debt service
• Cash available for debt service
• Global debt coverage
• Loan-to-value
• Net collateral shortfall
• Pass/Fail
Tips – Bottom Up Approach: Items to be Mindful of
Tips – Bottom Up Approach
• Participations
• What should the test reflect?
• Total exposure
• Annual debt exposure and loan-to-value based on master note
Tips – Bottom Up Approach
• 90 day deferrals
• End date is near
• An opportunity to obtain interim information to gauge COVID-19 impact
Management’s Response
Proactive Response
Results
Borrowers
Relationship lending
Management’s Response
• Results
• List of potential problem loans
• Estimated impact to the financial institution
Management’s Response
• Borrowers
• Failing basis
• Failing mild scenario
• Assess impact of COVID-19
• Opportunity to modify loan terms and/or improve collateral position
• Policies can be adjusted to mitigate credit risk
Management’s Response
• Relationship building
• Meaningful conversations about:
• The business
• COVID-19’s impact
• Plans to manage moving forward
• How the financial institution can help
Polling Question #3
Does your financial institution periodically perform loan portfolio stress testing (outsourced or internally prepared)?
o Yes
o No
o Not sure
Documentation
Results
Board presentation
Borrowers
Documentation
OCC Bulletin 2012-33 states,
“Community bank management can use stress testing to establish and support reasonable risk appetite and tolerances, set concentration limits, adjust strategies, and appropriately plan for and maintain adequate capital levels. Bank management should mitigate identified risks and vulnerabilities through such actions as increased portfolio monitoring, adjusted underwriting standards, selling or hedging assets, and increasing capital. In addition, bank management should use the results of stress tests to establish appropriate action plans that address risks when the results are inconsistent with risk tolerance levels and the bank's overall strategic and capital plans.”
Documentation
• Borrowers
• Access risk ratings
• Add to loan review scope borrowers that failed
• Add memos regarding borrower’s ability to repay the note
In Conclusion
• There is hope for navigating the credit risk associated with the current crisis.
• Early identification of problem loans through loan portfolio stress testing is key to that hope.
elliottdavis.com
STAY IN TOUCH
Jason Price, CPA
Credit Risk Senior Manager
341 Cool Springs Blvd | Suite 340
Franklin, TN 37067
615.786.7961
Thank You!
SBA PPP Loans: ICFR, Compliance, and Risk Management Implications
S B A P P P L o a n sInternal Control Over Financial Reporting
PPP Control ConsiderationsS B A P P P L o a n s – I n t e r n a l C o n t r o l o v e r F i n a n c i a l R e p o r t i n g
• Primary process considerations:
• Entity policy compliance and onboarding integrity
• Loan fee recognition
• Loan forgiveness processing
PPP Control ConsiderationsS B A P P P L o a n s – I n t e r n a l C o n t r o l o v e r F i n a n c i a l R e p o r t i n g
• Entity policy compliance and onboarding integrity
• Impact of loan processing/funding/onboarding on established processes and
procedures
• Control considerations
• Delegation of authority / lending limits
• Support adequacy (e.g. borrower info, SBA approval, etc.)
• Segregation of duties
• Timely review / system data verification
PPP Control Considerations
SBA PPP Loans – Internal Control over Financial Reporting
• Loan fee recognition
• Compliance with ASC 310-20 and system capabilities
• Control considerations
• Loan fee onboarding accuracy
• Automated vs. manual process for deferral and recognition
• Subsequent impact: borrower ineligibility, held-for-sale designation, loan payoff/forgiveness, etc.
Polling Question #1
How is your institution tracking processing fees?
o Fully manual process
o Utilizing some element of the core system
o Fully utilizing the core system
PPP Control Considerations
SBA PPP Loans – Internal Control over Financial Reporting
• Loan forgiveness processing
• SBA compliance / eligibility and loss exposure
• Control considerations
• Good faith certification review
• SBA receivable booking, PPP reversal, and clawback provisioning
Polling Question #2
Are you utilizing a third party to assist with the forgiveness process?
o Yes
o No
o Unsure
SBA PPP Loans
Compliance
Regulation O
SBA PPP Loans – Compliance
• April 17, 2020 Federal Reserve Interim Final Rule
• Exempted certain PPP loans from Regulation O, not prohibited by insider lending
restrictions established by the SBA
• April 20, 2020 SBA Interim Final Rule
• Not subject to Regulation O, if made by a PPP lender to a business owned by:
• A PPP lender’s director
• A person that holds less than 30 percent of the stock or debt instruments of the PPP lender
• Insiders of a PPP lender’s affiliates
Regulation O
SBA PPP Loans – Compliance
• Exception does not apply to a director or owner who is also an officer or key
employee of the PPP Lender
• Officers and key employees of a PPP Lender may obtain a PPP Loan from a different
lender, but not from the PPP Lender with which they are associated.
• Favoritism by the Lender in processing time or prioritization of the director’s or equity
holder’s PPP application is prohibited.
• Lenders should also consult their own internal policies concerning lending to
individuals or entities associated with the Lender.
Community Reinvestment Act (CRA)
SBA PPP Loans – Compliance
• Most SBA PPP loans will receive CRA credit
• Loans to businesses in amounts of $1 million, or less
• Considered small business loans and considered under the lending test
• Loans to businesses in amounts greater than $1 million
• If jobs are created, or retained, would qualify under economic development
• If primarily benefits low and moderate-income areas, or distressed middle-income
areas, would qualify under revitalization/stabilization
• Community Development Activities
• Loans, investments, or services that support digital access or healthcare for LMI individuals or communities
• Economic development activities that sustain small business operations, particularly in LMI communities
• Investment or service activities that support provision of food supplies and services for LMI individuals or communities
Community Reinvestment Act (CRA)
SBA PPP Loans – Compliance
• Working with Customers
• Waiving certain fees (ATM, overdraft, late fees, early withdrawal)
• Increasing credit limits for creditworthy borrowers
• Alternative services options for branch access
• Expanding availability of short-term, unsecured credit products
• Payment accommodations (deferral, payment extensions)
• March 19, 2020 Joint Statement on CRA Consideration for Activities in Response to COVID-19
Bank Secrecy Act (BSA)
SBA PPP Loans – Compliance
• Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD
purposes? Are lenders required to collect, certify, or verify beneficial ownership
information in accordance with the rule requirements for existing customers?
• If the PPP loan is being made to an existing customer and the necessary information was
previously verified, you do not need to re-verify the information. Furthermore, if federally
insured depository institutions and federally insured credit unions eligible to participate in the
PPP program have not yet collected beneficial ownership information on existing customers,
such institutions do not need to collect and verify beneficial ownership information for those
customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based
approach to BSA compliance.
Bank Secrecy Act (BSA)
SBA PPP Loans – Compliance
• It is a best practice, for PPP loans where the institution is not requiring additional
beneficial ownership information, to add a brief addendum to their customer due
diligence procedures stating they will not require reverification for PPP loans.
• Beneficial Ownership required for new business customer PPP loans and existing
loan customers that are opening a deposit account
Fair Lending
SBA PPP Loans – Compliance
• The Equal Credit Opportunity Act (ECOA) and Regulation B prohibit discrimination against an applicant on a prohibited basis regarding any aspect of a credit transaction, and prohibit discouraging a reasonable person, on a prohibited basis, from making or pursuing an application.
• Applies to all creditors and to business and consumer credit
• Prohibited basis means race, color, religion, national origin, sex, marital status, or age (provided that the applicant has the capacity to enter into a binding contract); the fact that all or part of the applicant's income derives from any public assistance program; or the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act or any state law upon which an exemption has been granted by the Bureau.
Fair Lending
SBA PPP Loans – Compliance
• Many lenders implemented “gating” requirements for PPP loan applications
• Prioritizing existing customers, customers without other lending relationships
• Not expressly prohibited, but increases risk that similarly situated businesses were not treated similarly
• Were policies and procedures documented for any “gating” requirements?
• Document business justification for “gating” policies, even if after the fact.
• Volume of applications compared to capacity to process
• Speed of SBA PPP program implementation
• Limited availability of funds
• Review and monitor SBA PPP approvals, denials, and investigate any complaints
Regulation B – Equal Credit Opportunity Act (ECOA)
SBA PPP Loans – Compliance
• Adverse Action Requirements
• For a business that grossed $1 million or less in prior fiscal year, notice must be delivered in 30 days
• Notice must be delivered to larger businesses within a reasonable period of time
• A PPP application that a creditor has submitted to the SBA is not a “completed application” under Regulation B until the creditor receives a loan number from the SBA or a response about the availability of funds.
• If the creditor receives the application, decides against granting credit and does not submit the application to the SBA, an adverse action notice is required.
• If the creditor does not receive a response from the SBA, they cannot deny the application for incompleteness
Polling Question #3
Have you updated your 2020 internal audit plan to consider SBA PPP loans?
o Yes
o No
o Unsure
SBA PPP Loans
Risk Management
Denial of SBA Guarantee
SBA PPP Loans – Risk Management
• Lender Underwriting Requirements (SBA Interim Final Rule)
• Confirm receipt of borrower certifications contained in the PPP application form
• Confirm receipt of information demonstrating that a borrower had employees for whom the
borrower paid salaries and payroll taxes on or around February 15, 2020
• Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by
reviewing the payroll documentation submitted with the borrower’s application
• Follow applicable BSA requirements
Denial of SBA Guarantee
SBA PPP Loans – Risk Management
• From Department of the Treasury and SBA Frequently Asked Questions
• Question: Paragraph 3.b.iii of the PPP Interim Final Rule states that lenders must “[c]onfirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application.” Does that require the lender to replicate every borrower’s calculations?
• Answer: No. Providing an accurate calculation of payroll costs is the responsibility of the borrower, and the borrower attests to the accuracy of those calculations on the Borrower Application Form. Lenders are expected to perform a good faith review, in a reasonable time, of the borrower’s calculations and supporting documents concerning average monthly payroll cost. For example, minimal review of calculations based on a payroll report by a recognized third-party payroll processor would be reasonable. In addition, as the PPP Interim Final Rule indicates, lenders may rely on borrower representations, including with respect to amounts required to be excluded from payroll costs. If the lender identifies errors in the borrower’s calculation or material lack of substantiation in the borrower’s supporting documents, the lender should work with the borrower to remedy the issue.
Denial of SBA Guarantee
SBA PPP Loans – Risk Management
• SBA Review of Individual Loan Files
• SBA will review all loans in excess of $2 million, in addition to other loans as appropriate, following the lender’s submission of the borrower’s loan forgiveness application.
• The outcome of SBA’s review of loan files will not affect SBA’s guarantee of any loan for which the lender complied with the lender obligations.
• If SBA determines in the course of its review that a borrower lacked an adequate basis for the required certification concerning the necessity of the loan request, SBA will seek repayment of the outstanding PPP loan balance and will inform the lender that the borrower is not eligible for loan forgiveness.
• SBA’s determination concerning the certification regarding the necessity of the loan request will not affect SBA’s loan guarantee.
elliottdavis.com
STAY IN TOUCH
Marshall Trull, CPA, CRCM
Senior Manager
500 East Morehead Street | Suite 700
Charlotte, NC 28209
Matthew McFarlin, CPA
Senior Manager
5140 Trinity Road | Suite 320
Raleigh, NC 27607
919.334.6184
Thank You!
Leveraging Analytics
Transforming internal audit through the deployment of analytical solutions
What does data analytics mean?
The ability to draw conclusions based on the analysis of usable, meaningful data
Polling Question #1
How much do you currently utilize data analytics in your internal audit?
o Heavily reliant
o Occasionally
o We have done it once or twice
o We don’t even know where to begin
Deploying Analytics
Develop a Plan
• Begin in your comfort zone, then build outside it
• Identify the low hanging fruit for immediate successes and buy-in
• Open up the ideation process to all departments
• No need to rush into new software, maximize the use of existing tools like Excel
• Determine the risks and the related scope
• Determine what attributes you need to
meet that scope
• Identify the needed data, related reports,
and necessary format
• Gather the data
Establish a Process
When gathering data:
• Make sure it is in a useable format
• Ensure it has all the attributes you need to meet your scope
• Validate for completeness and accuracy
• Document how you obtained it
• Keep a copy of the original
With your plan and process in place, it’s time to perform the analysis
Perform the Analysis
•Specific attribute review
•Ratio analysis
•Trend analysis
•Correlation
•Sizing
•Segmentation
Evaluate the Outcome
• Review patterns and trends
• Prove (or disprove) hypothesis
• Identify and sample/research
• Look for outliers
Present the Results
• Document the process used to get results
• Create summary, preferably with visuals
• Have supporting data readily available
• Make recommendations on how to address
Points of Consideration
Benefits
• Risk based approach
• Testing of full populations
• Efficient
• Continuous monitoring
• Scalable
Drawbacks
• Availability of data
• Initial capital outlay
• Limited resources / skill sets
• Change is difficult
• Limited types of testing
Two Types of Projects
• Single Analysis
• Recurring Analysis
Single Analysis
• Large value in finding a solution
• Continued evaluation is unnecessary
• Likely a strategic priority
• Examples: merger support, investigation of known fraud, etc.
Recurring Analysis
• Continued monitoring provides value
• Upfront “costs” can be spread over several uses
• Can serve as building blocks for an analytically heavy IA program
• Continued process improvement
• Allows for process automation
• Examples: fair lending analysis, quarterly ratio review, etc.
Polling Question #2
Which type of data analysis does your internal audit department use?
o Single / One-off
o Recurring / Repeatable
o Both
o Neither
Tools for Automation
• By building an analytical process in a manner that “stores” procedures, data preparation and analysis can be quickly executed
Example of Recurring / Repeatable Analysis: Credit Reporting Review
*visual representation of an automated, recurring data process
Example of Recurring / Repeatable Analysis: Home Mortgage Disclosure Act
Finding the Right Solution
When Choosing Software
• User friendliness
• Useful visualization
• Ability to publish / share
• Ease of data import
• Can handle large data sets
• Built in functionalities
• Can create templates
• Audit log / trackable
procedures
Common Software
Base Next level With visualizations
• Microsoft Excel (*)
• Microsoft Access
(*) greatly undervalued tool
• Microsoft Power BI
• Tableau
• FineReport
• IDEA
• ACL
…this is just the tip of the iceberg with data extraction tools, integrated solutions, predictive analytics and machine learning
Maximizing Excel
Excel’s Capabilities
• Functions
• Pivot tables
• Conditional formatting
• Sort and filter
• Flash fill
• Goal seek
• Visual charts
• Macros
• Automation
Other Reports
Loan Trial Balance
Deposit Trial Balance
1. Define your data questions and desired output
2. Decide what you need to measure and how to measure it
3. Collect and clean data
4. Perform data analysis
5. Present results
Utilizing the Data You Have
• Loan Portfolio Analysis
• Account Type Analysis
• Transaction Monitoring
• Risk Assessments
• Monthly Reconciliations
• Stress Testing
• Employee Account Reviews
• Automated Public Filings
• Loan/CIP Exception Logs
• Performance Goal Tracker
• Staffing Analysis
• Board Reporting
• and more!
Examples of Data Analysis in Excel
Financial Institution
Fuzzy Lookup
Helpful Excel Add-Ins
• Detects matching of textual data, returning a similarity score along with each match
• Helpful for comparing reports pulled from different systems
• Examples:
  • “Doe, Jane A.” vs. “Jane A. Doe”
  • “123 Independence St.” vs. “123 Independence Street”
HANDS ON EXAMPLE
Employee Deposit Account Review
Reports you may need:
• HR Employee Listing
• Employee Deposit Account Listing
• Transactions
• File Maintenance Records
Goal of Analysis:
• Ensure employee accounts are properly coded
• Identify unusual employee transactions
• Review file maintenance records to identify outliers
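The first goal of this review, finding employee-owned accounts that are not coded as such, can be sketched as follows. This is an added example, not part of the presentation: it uses Python's standard `difflib` in place of the Excel Fuzzy Lookup add-in, and the field names, the 0.85 threshold, the abbreviation map and the sample rows are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed abbreviation map; extend it for the address styles in your reports.
ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "blvd": "boulevard"}

def normalize(text):
    """Lowercase, drop punctuation, expand abbreviations, and sort tokens so
    'Doe, Jane A.' and 'Jane A. Doe' reduce to the same string."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return " ".join(sorted(ABBREV.get(t, t) for t in tokens))

def similarity(a, b):
    """Similarity score between 0.0 and 1.0 computed on the normalized strings."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def uncoded_employee_accounts(employees, accounts, threshold=0.85):
    """Return accounts that fuzzy-match an employee but lack the employee code."""
    exceptions = []
    for acct in accounts:
        best_score, best_emp = 0.0, None
        for emp in employees:
            # Average the name and address scores so one field alone cannot match.
            score = (similarity(acct["name"], emp["name"])
                     + similarity(acct["address"], emp["address"])) / 2
            if score > best_score:
                best_score, best_emp = score, emp
        if best_emp and best_score >= threshold and not acct["employee_coded"]:
            exceptions.append({"acct": acct["acct"], "employee": best_emp["id"],
                               "score": round(best_score, 2)})
    return exceptions

# Constructed sample rows standing in for the HR and deposit account listings.
HR_LISTING = [
    {"id": "E001", "name": "Doe, Jane A.", "address": "123 Independence St."},
    {"id": "E002", "name": "Smith, Robert", "address": "45 Oak Ave"},
]
DEPOSIT_ACCOUNTS = [
    {"acct": "1001", "name": "Jane A. Doe", "address": "123 Independence Street",
     "employee_coded": False},
    {"acct": "1002", "name": "Robert Smith", "address": "45 Oak Avenue",
     "employee_coded": True},
    {"acct": "1003", "name": "Janet Dole", "address": "9 Harbor Rd",
     "employee_coded": False},
    {"acct": "1004", "name": "Rob Smith", "address": "45 Oak Ave.",
     "employee_coded": False},
]

if __name__ == "__main__":
    for row in uncoded_employee_accounts(HR_LISTING, DEPOSIT_ACCOUNTS):
        print(row)
```

Matches scoring below 1.0, such as the shortened first name on account 1004, are candidates for manual review rather than confirmed exceptions.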
Analysis ToolPak
Helpful Excel Add-Ins
• Allows user to provide data and parameters with pre-developed analysis tools
• Displays all results in output table
• Microsoft Analysis ToolPak Details
Solver
Helpful Excel Add-Ins
• Can be utilized to find optimal solutions for decisions based on resources and constraints
• Steps to utilize tool:
  • Determine what decisions need to be made
    • E.g. How many loans to originate in order to meet sales goals?
  • Determine constraints on production
    • E.g. Total loan officers and hours of availability
  • Determine overall measure of performance
    • E.g. Total loan origination amount during the quarter
Polling Question #3
How often does your institution use an Excel add-in function (such as Fuzzy Logic, Analysis ToolPak, Solver, etc.)?
o Never used before
o Once in a while
o Monthly reporting
o Daily
HANDS ON EXAMPLE
BSA/AML Alert Review
Reports you may need:
• Alerts triggered during the period
• Parameter settings in system
Goal of Analysis:
• Determine efficiency of parameter settings
• Compare alert type performance
• Gather statistics of investigated alerts during the period
Alert Analysis System Optimization
Improving Data Analysis Beyond Excel
Leveraging Power BI
elliottdavis.com
STAY IN TOUCH
Alek Bevensee, Senior
Marissa Lahousse, Senior
Mike Koupal, Principal
500 East Morehead Street | Suite 700
Charlotte, NC 28202
704.808.5213
500 East Morehead Street | Suite 700
Charlotte, NC 28202
980.201.3912
341 Cool Springs Road | Suite 340
Franklin, TN 37067
615.786.7952