The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.

FMS forward: September/October 2017 Issue

Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Published by fmsdesign, 2017-08-16 14:39:23

FMS forward: September/October 2017 Issue

FMS forward: September/October 2017 Issue

Keywords: forward,fms,financial managers society,Septemebr/October 2017 issue,finance

A PUBLICATION OF THE FINANCIAL MANAGERS SOCIETY
SEPTEMBER/OCTOBER 2017 | FMSinc.org
DARK
WEB
DEALING WITH THE HUMAN ELEMENT OF CYBERSECURITY
IN THIS ISSUE
BUILDING A BETTER BOARD
MARIJUANA BANKING: WORTH THE RISKS?
FMS forward | SEPTEMBER/OCTOBER 2017 | 1


Make Your Case In FMS forward!
Advertising opportunities are now available
For advertising information, contact:
Autumn Wolfer
Director, Marketing and Membership (312) 630-3420
[email protected]
FMS forward is setting the standard for industry-leading content. Your company is invited to take part in this must-read publication!
Learn how you can make your case to a wider network of community institution professionals by advertising with FMS. With your message in FMS forward, you’ll make a stronger impression on the industry at large!


Contents SEPTEMBER/OCTOBER 2017 | VOL. 1, ISSUE 2
HILARY COLLINS
Assistant, Publications and Research
LYNDSEY WARNER CAULKINS
Layout and Design
2017-2018
FMS EXECUTIVE LEADERSHIP
DARRELL E. BLOCKER, CPA
Chairman
STEVEN M. FUSCO, CMA, CFM
Vice Chairman
JOHN WESTWOOD
Immediate Past Chairman
Copyright© 2017, Financial Managers Society, Inc. All rights reserved.
forward, a publication of the Financial Managers Society
Published for:
Financial Managers Society, Inc.
1 North LaSalle Street
Suite 3100
Chicago, IL 60602-4003 FMSinc.org | 800-ASK-4FMS
FMS EDITORIAL STAFF
DANIELLE HOLLAND
President and CEO
MARK LOEHRKE
Editor and Director, Publications and Research
AUTUMN WOLFER
Director, Marketing and Membership
DAN BOSTROM 8 Manager, Member Engagement
14
8 WHAT HAPPENED IN VEGAS A look back at The 2017 FMS Forum
14 DARK WEB
Dealing with the human element
of cybersecurity
20 BUILDING A BETTER BOARD How to set the right tone at the top
24 GROWING CONCERNS
Is marijuana banking worth the risks?
Departments
6 MEMBER SPOTLIGHT
Get to know American Bank of the North
CFO Christina Cavallin
28 COMPLIANCE CORNER
How to prepare for the new FinCEN
customer due diligence requirements
30 CHAPTER AND VERSE
The Maryland Chapter hosts the annual
East Coast Regional Conference
30 ON THE HORIZON
Looking ahead to a busy fall education season
FMS forward | SEPTEMBER/OCTOBER 2017 | 3
20
Features


2017 EAST COAST REGIONAL CONFERENCE
The Hyatt Regency Bethesda | Bethesda, MD FMSmd apter.org
Hosted by the Maryland Chapter of the Financial Managers Society
L
A
O
N
M
N
M
E
C
C
E
O
N
U FR
T
E
E
N
s
l
i
g
e
R
t
r
a
t
i
o
YOUR MESSAGE, DELIVERED STRAIGHT
FMS Update
TO FMS MEMBERS
Here’s your opportunity to take your message straight to FMS members. The FMS Update e-newsletter keeps FMS members up-to-date with the latest news and trends in the community nancial institutions industry.
When you advertise in FMS Update, you’re reaching the decision makers and leaders in our eld. FMS Update is a platform for the fast-paced style of today’s news cycle.
4 | FMS forward | SEPTEMBER/OCTOBER 2017
ASSOCIATE YOUR BRAND WITH WHAT’S TO COME!
e!
n
N
o
wA
v
a
i
l
a
b
For advertising information, contact:
Autumn Wolfer
Director, Marketing and Membership (312) 630-3420 [email protected]


BY MARK LOEHRKE
Take a look at those two charts to the right, both taken from our recent FMS research study Community Mindset: Community Bank and Credit Union Leadership Viewpoints 2017. When asked to rank their risk management priorities from a list of five options, 66% of the 400 executives that we surveyed rated information security/fraud prevention as either their first or second most pressing issue. Meanwhile, 77% of respondents also tabbed improving fraud/risk management as their top choice from among a field of ten potential technology priorities.
What’s the common theme here?
For as much as technology continues to increase organizational efficiencies and bring to life new products and services
for customers, the ever-present specter of cyberattacks and data breaches continues to weigh heavily on the minds – and budgets – of community institutions. In “Dark Web,” our cover story on page 14, we check in with several cybersecurity experts for a look at some of the most significant threats lurking out there and a few ideas of how best to enhance your institution’s defenses.
Speaking of managing risks, as marijuana legalization continues apace, many of the all-cash businesses capitalizing on this trend are now looking for the safety and credit of a local banking partner. But is the risk-reward tradeoff worth the potential BSA/AML
headaches for community institutions? Find out what a few attorneys and economists think in “Growing Concerns” on page 24.
Elsewhere in this issue we have a primer on “Building a Better Board” (page 20), a look back on some highlights from The 2017 FMS Forum (“What Happened in Vegas,” page
8), a preview of the new FinCEN customer due diligence rules set to take effect in May of 2018 (page 28) and much more. And be sure to check out our calendar of upcoming events on page 30 to help plan your fall education itinerary.
Improve credit underwriting 16%
prevention
31%
Regulatory compliance 32%
FMS forward | SEPTEMBER/OCTOBER | 5
EDITOR’S LETTER
Regulatory compliance 34%
ERM/establish Information or improve 16% security/fraud
Improve credit underwriting
21%
ERM/establish or improve 16%
TOP PRIORITY
Information security/fraud prevention 35%
SECOND PRIORITY
Improve fraud/risk management
Improve efficiency
Get more value from existing technology and/or vendor relationships
Data management Add new systems/capabilities Infastructure improvements/core upgrades Replace existing systems Pursue fintech partnerships
77 77
69
As always, thanks for reading.§ RISK MANAGEMENT PRIORITIES
IMPORTANCE OF TECHNOLOGY PRIORITIES
0 10 20 30 40 50 60 70 80
Source: Community Mindset: Bank and Credit Union Leadership Viewpoints 2017 – Financial Managers Society. To read the full report visit FMSinc.org/Research.
49
65 63
72 70


FMS MEMBER SPOTLIGHT
Bio in Brief
Christina Cavallin
Title: CFO
Institution: American Bank of the North – Grand Rapids, Minn. / The Lake Bank – Two Harbors, Minn.
Asset Size: $560 million / $130 million Years in current position: 15 Years as an FMS member: 1
I love working with people who are as vested as I am in our local communities.
6 | FMS forward | SEPTEMBER/OCTOBER 2017


What is the single biggest challenge facing your institution right now?
We are in the midst of a culture change. Historically we thrived on volume versus margin, which worked in the days when capital and liquidity were seemingly unlimited, but that isn’t the case anymore. Now we’re working hard to change our credit, sales and customer service culture.
How has your role changed over the past five years?
As we’ve grown I’ve become more focused on the finance, accounting and operations; previously, I had worn many more hats, particularly in our smaller bank.
Where do you expect to be focusing most of your attention in the next two to three years?
We have added some new talent to
our accounting department, so I will
be focusing on developing staff and delegating many of my current duties so I can focus on bigger issues, such as capital planning, funding, profitability and, of course, CECL.
What do you like best about working in a community institution?
I love working with people who are as vested as I am in our local communities.
What advice would you offer to someone entering the banking profession, particularly at the community institution level? Work your way through all areas of
the bank to develop a strong base of knowledge before becoming focused in one area. In particular, be sure to get some experience in credit.
What is the best professional advice you’ve ever received?
In my early public accounting days I was struggling with an audit workpaper, and in frustration said to my in-charge, “This just doesn’t work!” He looked up and calmly said, “It’s accounting; it has to work.” I’ve used that line over and over with newer
staff, and it’s stuck with me while working out my own problems as well.
What roles outside of accounting and finance have you held and how have they helped you in your current position?
I joined the bank in the controller/CFO role, but have had an opportunity to participate in almost all areas of the bank. I also serve on the board of our smaller bank. The broad base of knowledge helps me to see things globally.
In my early public accounting days I was struggling with an audit workpaper, and in frustration said to my in-charge, “This just doesn’t work!” He looked up and calmly said, “It’s accounting; it has to work.” I’ve used that line over and over with newer staff, and it’s stuck with me while working out my own problems as well.
What do you like best about being an FMS member?
I like the opportunity to interact with other members on FMS Connect, as well as the educational opportunities.
Where do you see the banking industry in 5–10 years? How do you see it changing/developing? We’re going to need to understand and keep up with our customers’ wants and needs while protecting against ever-changing cybersecurity risks. We will also need to evolve to attract and retain good millennial talent. The pace of change will continue to escalate and we need to keep up!§
The FMS community wants to get to know you better! If you’d like to share your thoughts and insights in the Member Spotlight, let us know at [email protected]
FMS forward | SEPTEMBER/OCTOBER 2017 | 7


FEATURE
WHAT HAPPENED
HIGHLIGHTS FROM A HOT TIME IN THE DESERT AT THE 2017 FMS FORUM
8 | FMS forward | SEPTEMBER/OCTOBER 2017


While each new FMS Forum is different from those that came before, one thing has become increasingly clear about our big annual education and networking event in the past few years – FMS knows how to bring the heat.
Indeed, record-setting temperatures once again greeted those attendees brave enough to venture out into the late-June frying pan of Las Vegas, but within the air-conditioned confines of the picturesque Red Rock Resort, it was only the energy level that was white hot. As FMS unveiled both the inaugural issue of its new member magazine forward and its first-ever large- scale research initiative, guests enjoyed several days of outstanding educational content from some of the best speakers
in the industry, a roundup of impending
regulatory and accounting changes, terrific social and networking events and all of the fun and excitement of the Entertainment Capital of the World.
What follows is but a sampling of everything that unfolded at this year’s Forum. If you were able to make it out to Vegas, we hope you had a great time. If you couldn’t be there this year, don’t worry – we’re already busy planning for next year’s event at the Hyatt Regency Grand Cypress in Orlando. So save the dates of June 10-12, 2018 and keep an eye out for more information coming soon!
Until then, thanks again to all of the presenters, sponsors and attendees who helped make The 2017 Forum such a great success. We hope to see you again next year!
As FMS unveiled both the inaugural issue of its new member magazine, forward, and its first-ever large- scale research initiative, guests enjoyed several days of outstanding educational content from some of the best speakers in the industry, a roundup of impending regulatory and accounting changes, terrific social and networking events and, of course, all of the fun and excitement of the Entertainment Capital of the World.
FMS forward | SEPTEMBER/OCTOBER 2017 | 9


Don’t let your model just be – own it! You’re making decisions based on those results.
Dave Koch, President and CEO, Farin Financial Risk Management
KEYNOTE SPEAKERS
Noted researcher, speaker and human bundle of energy Seth Mattison helped kick off the Forum with his general session presentation “Future Forces: Leadership Insights for Driving Performance and Growth in the Connected Era.” Working the ballroom like it was a Sunday morning revival tent rather than a Monday morning finance and accounting gathering, Mattison spoke passionately about the generational shift from hierarchies to networks in everything from social settings to corporate organizations. He encouraged the crowd to embrace network age realities by honoring what has made their institutions so successful – without letting it hold them back from the promise of the future. “Before we can create an external shift in our organization,” he said, “an internal transformation must first occur.”
Tuesday morning got underway with another thought-provoking general session, as James Johannes, director of the Puelicher Center for Banking Education at UW-Madison, spoke on one particular aspect of the future of
considerable note to those in the room – the future of interest rates. Without offering any rock-solid prediction of exactly where rates will go, Johannes noted that with a possible change of leadership at the Fed, a new administration in the White House and an unpredictable economy that is defying some of the usual rules, we might not see as much of a rise in rates as many have been anticipating.
BREAKOUT SESSIONS
As in years past, the focal point of The 2017 Forum was once again the wide array of educational sessions (thirty-two in all) offered across the event’s two full days, spanning a range of topics and subject areas – from CECL to lease accounting to balance sheet strategies. Here are a few highlights from a busy slate.
CASH PLAY
With practically every seat in the room occupied, Joe Kennerson of Darling Consulting Group talked about a market environment where every basis point counts, loan growth has been outpacing
deposit growth and pricing pressures continue to rise in his session “How to Improve Liquidity as Economic Conditions Change.”
Kennerson offered pointers on how
to establish a liquidity process that exceeds regulatory expectations while providing the most flexibility to manage the balance sheet, noting that ensuring that stress-testing scenarios are specific to your institution, industry, region
and environment is crucial to quelling regulatory concerns. Building a deposit early-warning system that enables you to save big relationships, he noted, can also strengthen your institution’s position, as even preventing one or two big losses a month can make a sizeable difference. Kennerson closed out his session by encouraging institutions to identify their minimum liquidity cushion levels, and
to be sure to run institution-specific scenarios when stress-testing in the face of liquidity levels that are likely to continue to shrink.
DEPOSIT DEBATE
Put together a top-rated speaker like Dave Koch of Farin Financial Risk Management
10 | FMS forward | SEPTEMBER/OCTOBER 2017


However much time your institution is spending on strategic planning, it isn’t enough.
Marc Winkler, Director, P&G Associates
and a meat-and-potatoes topic like deposit strategies, and the results are predictable – an overflowing room and a lively discussion.
Throughout his wide-ranging
session Rising Rates and Deposit Assumptions, Koch urged audience members to be sure their deposit decisions are being guided by a defined and well-reasoned strategy, rather than by impulsive competitive pressures or hot- take marketplace trends. This strategy,
he noted, will drive the assumptions upon which the institution’s models are built, answering key questions such as what the future “mix” of deposits will look like, what the rate-sensitive (or non-rates-sensitive) situation is and what the plan is for growing future deposits.
AT THE MOVIES
Forum attendees working their way through the full schedule of educational sessions over two packed days likely ran across some commonalities – from topical themes to presentation styles. But it’s probably safe to say that they came across only one speaker who referenced the widely panned 1991 Don Johnson-Mickey Rourke buddy film “Harley Davidson and the Marlboro Man”
to drive home a point in the course of his presentation. But movies (of varying degrees of quality) set in or around Las Vegas did indeed provide the gateway for Charley McQueen of McQueen Financial Advisors to highlight his five areas of focus in CFO: Chief Five + Officer.
In this well-attended session, McQueen laid out the case for CFOs to look beyond number-crunching to stay on top of five key areas – branch growth, indirect loan growth, balance sheet management, marketing control and internal negotiations – in order to provide maximum strategic value to their institutions. In each of these five areas, McQueen offered the audience not only helpful take-home advice in the form of negotiating techniques, coalition- building tips and financial modeling notes, but questionable movie recommendations as well.
SPACE IS WILD
Aiming to take attendees to a galaxy far, far away with a Star Wars-themed session, Marc Winkler of P&G Associates opened
“ERM: Aligning Risk with Strategy and Performance” with the familiar strains of the iconic John Williams score. With light saber in hand (in lieu of a traditional laser pointer), he spent the next hour highlighting some of the major shifts that happen when an institution builds an ERM framework that includes its refined risk appetite and risk tolerance.
Winkler said one of the key changes that results from embracing ERM is an elevation of strategy discussions. He further noted that when an institution can leverage its systems to get the right information, it can then use those reports to strengthen risk, culture and performance.
Bankers are good at risk management, Winkler noted in closing out his presentation, but their weakness is that they tend to work in silos, leaving blind spots that a healthy ERM process could help eliminate. Yoda couldn’t have said it better.
FMS forward | SEPTEMBER/OCTOBER 2017 | 11


CFO ROUNDTABLE
For the first time ever, The 2017 FMS Forum featured a Sunday afternoon CFO Roundtable, giving finance leaders from more than two dozen banks and credit unions a chance to meet, mingle and discuss the pressing issues facing their institutions.
Much of the talk in the room revolved around the concept of adjusting to a rapidly changing world, with topics such as technology, generational differences and CECL coming into play. While the community institutions represented differed in size, location and demographics, the anxieties of serving the younger generations was a particularly resonant subject across the board.
Moderators Ryan Abdoo, Mike Guglielmo, Dave Koch and Brady Nitchman helped keep the discussion moving, with many CFOs sharing not only struggles but successes. One attendee explained how although financial education programs for lower-income families had brought his bank only a small increase in its customer base, it did wonders for strengthening the institution’s reputation in the community. Another CFO told how his institution revitalized its lending team by creating a robust incentive plan.
These discussions sent the CFOs in attendance out to the rest of The Forum – and, indeed, back to their institutions – with plenty to think about.§
Mark your calendars! Join FMS June 10-12, 2018 in Orlando, FL to be part
of what everyone is talking about. Registration is now open at FMSinc.org/ TheForum18.
HIGHLIGHTS FROM THE 2017 FMS FORUM
Want to experience all the highlights of The 2017 FMS Forum? Check out the recap video, now available as an episode of FMStv!
See what happened in Vegas:
http://videos.fmsinc.org/highlights-from-the-2017-fms-forum
12 | FMS forward | SEPTEMBER/OCTOBER 2017

SCENES FROM THE SCENE
#FMSFORUM
The Forum wasn’t all about education, of course. Attendees didn’t have to look far to find plenty of great opportunities for networking, socializing and just plain fun!
FMS forward | SEPTEMBER/OCTOBER 2017 | 13


COVER FEATURE
DARKWEB THE STYLISTICS ONCE SANG THAT “PEOPLE MAKE THE
WORLD GO ’ROUND.” THAT MAY WELL BE TRUE, BUT WHEN IT COMES TO CYBERSECURITY, IT’S ALSO PEOPLE WHO CAN CAUSE YOUR COMMUNITY INSTITUTION
A WORLD OF HURT. IN FACT, THE BIGGEST THREAT FACING YOUR INSTITUTION MAY BE AN INTERNAL ONE.
14 | FMS forward | SEPTEMBER/OCTOBER 2017


When most people think about cybersecurity breaches, there’s a tendency to focus on
the big splashes – the major customer data heist at a national retailer or the global ransomware attack that threatens to shut down businesses of all shapes and sizes. Yet while community institutions certainly need to keep their guard up against these types of large-scale, high-profile assaults, the real threat to their day-to-day business likely lies in a far more pedestrian, run-of-the- mill scenario that might play out something like this:
Jim in accounting clicked on a bad link in an email.
It’s not exactly the kind of riveting, torn- from-the-headlines type of incident that screams out for a Movie of the Week, but the truth is that this kind of boring everyday miscue is, without question, the most likely way in which a community institution is going to become a victim of a cyberattack. According to a 2017 data breach investigations report by Verizon, 43% of hacks employ social engineering
tactics to prey on unsuspecting or error- prone employees. When successful,
those breaches can range in cost from significant to devastating for a community institution, incorporating not only direct monetary losses, but litigation costs, remediation expenses and reputational damage as well.
THE PEOPLE PROBLEM
“The biggest threats today come down to people,” says Jay Schulman, a principal at RSM US LLP, and a leader in the firm’s
FMS forward | SEPTEMBER/OCTOBER 2017 | 15


Having timely responses, and the right responses, is such an important piece of this preparation. Your reputation is probably going to take a hit, so how you respond to that and deal with that is crucial.
Mark Boettcher, Senior Manager – Risk Advisory Services, Baker Tilly Virchow Krause
privacy and security practice. “If you think about all of the technology and great software that companies can buy to protect themselves, ultimately they’re still at the mercy of someone clicking
on a bad link or falling into a reply-and- response wire fraud transaction. It still comes back to the simple fact of people making mistakes.”
Indeed, while smaller institutions have stretched their budgets in order to invest tens of thousands of dollars in security solutions to keep their data and systems safe, their biggest vulnerability continues
to reside within. Jeff Olejnik has seen the impressive technical investments that
many institutions have made in the name
of cybersecurity, and he believes their defenses tend to be more advanced than those at most non-financial organizations. Nevertheless, when it comes to assessing where their softest spots remain, the director in the risk advisory services area at Wipfli LLP certainly shares Schulman’s view.
“People are the weakest link,” Olejnik says. “Even with the more sophisticated technical controls, a mistake made by an individual who clicks on a link they shouldn’t, moves confidential information to a USB device or leaves an unencrypted laptop in a car that is stolen can lead to big problems.”
STEPS TOWARD SAFETY
Given the likelihood that employees are going to be the conduit through which
a potentially damaging cyberattack penetrates an institution, it stands to reason that one page in the handbook or an introductory training video that may have once constituted the entire cybersecurity program probably won’t suffice in the current environment. Mark Boettcher, a senior manager of risk advisory services at Baker Tilly Vichow Krause says institutions need to make sure their assessment and mitigation programs have kept pace with the changing nature of the threats.
“A risk assessment is essential, where you really look at what vulnerabilities
you have within your IT environment and what procedures you have in place to address those areas,” he explains. “On an ongoing basis, institutions should be doing vulnerability scanning and penetration testing on the network.”
Olejnik notes that in addition to the kind of vulnerability assessment that Boettcher describes, smaller institutions should also have a particular mindset when it comes to cybersecurity.
“There’s no silver bullet and 100% protection is not possible,” he says.
16 | FMS forward | SEPTEMBER/OCTOBER 2017


THE 20/80 RULE
Jay Schulman wants to be 100% frank – community institutions simply cannot do 100% of the things that need to get done to ensure their system security. While the banking behemoths of the world may be able to spend upwards of $500 million a year on cybersecurity, community institutions (who might have less than that outlay in total assets) should use their more limited resources to instead shoot for the 20/80 rule, or, as he explains it:
“What 20% of things can you do to have an 80% impact on security?”
Here are five things that Schulman says community institutions can do on a limited budget to get meaningful security coverage, regulatory appeasement and peace of mind.
KNOW WHAT’S ON YOUR NETWORK
Schulman knows it seems odd that an institution wouldn’t know what’s out there, but he says it happens more often than most people would think. Whether it’s something a contractor plugged in or something an employee added years ago and forgot about, the first step in securing your network is to know what you’re dealing with. “People forget about this step – they jump right into scrambling around to secure things,” Schulman says. “But if you don’t know what you have on your network, it’s really hard to do anything else.”
CONFIGURE WHAT’S ON YOUR NETWORK
When Schulman talks about this step in the context of the 20/80 rule for community institutions, he stresses that you’re just looking for basic protocols, such as how often you’re asking people to reset passwords or how many times they can attempt login before they’re frozen out – not necessarily the lockdown versions one might find at Chase or U.S. Bank. “It’s just a matter of making sure you’ve thought through all of these basic things and taken steps to make them uniform across your entire environment,” he says. “It doesn’t have to necessarily be the best, but uniformity is the key.”
PATCH WHAT’S ON YOUR NETWORK
Schulman goes back to the WannaCry ransomware attack from earlier this year, noting that a patch that had come out a few weeks before could have protected those victims. “Patching on a regular basis – which can in and of itself be a challenge – will really go a long way toward keeping you protected,” he says.
PROTECT YOUR ADMINISTRATIVE ACCOUNTS
This step actually involves two avenues – IT people using administrator accounts and non-IT employees with administrative rights on their machines. In the case of the former situation, which is quite common, the concern is that any bad link or email that IT person might click on by accident puts the entire institution at risk, giving a hacker access to the whole organization. In the latter scenario, Schulman says institutions need to take control of those administrative rights. “Turning off that access so that employees can’t install their own updates is a wildly impactful move, since 85% of the malware that gets sent doesn’t work on machines that
don’t have administrative rights,” he explains. “Locking down these rights can be incredibly controversial around the office, but it’s also a major step toward being more secure.”
TRAIN YOUR EMPLOYEES
Cybersecurity isn’t just about money – knowledge is power when it comes to heading off the most common breaches. “This is clearly an essential piece,” Schulman says, “since most attacks originate with an employee clicking on a bad link or opening a bad email.”
FMS forward | SEPTEMBER/OCTOBER 2017 | 17


TOO SMALL TO NAIL?
Are community institutions – with their lower profiles and lower asset levels – less likely to draw the unwanted attention of a hacker than the big banks? Don’t count on it, says Jay Schulman.
“A lot of community institutions haven’t thought about all of the ways that these attacks might reach them and aren’t necessarily experienced with them. So while attackers might find more efficiency at the big banks, they may find a community institution that isn’t quite as prepared to fend off their advances. In this case,
“But one thing that small institutions should do is take a layered approach to security assessment and testing. The IT audit or perimeter vulnerability assessment that is done each year is great, but it may give a false sense of security. Penetration testing, red-team exercises, social engineering and disaster recovery testing should be integrated into the overall threat mitigation and assessment routine.”
A good cybersecurity plan should not be limited to protection only, however, but should also include the institution’s outline for how
it will respond when an attack occurs. Both Olejnik and Boettcher caution that a plan that fails to address resiliency, continuity and decision-making in the wake of a breach is not where it needs to be, regardless of how strong one’s external defenses appear to be.
“For banks and credit unions, it’s not a matter of if they get hacked, it’s really just a matter of when,” Boettcher says. “For this reason, I think the resiliency part is almost more important than the prevention side. It’s critical for an organization to have a plan for how it would handle a breach and what it would do to resume operations. For example, what is the institution going to do if it gets hit by ransomware? Has leadership thought through whether they’re going to pay the ransom, or are they going to have procedures in place that allow them
to continue to operate without access to those IT systems? This is also important just from a general crisis management standpoint – from contacting customers to dealing with the media and things like that. Having timely responses, and the right responses, is such an important piece of this preparation. Your reputation is probably going to take a hit, so how you respond to that and deal with that is crucial.”
BUILDING A CULTURE OF SECURITY
Of course, the most important piece of any institution’s cybersecurity preparedness comes back to the people problem, and how employees are trained to recognize and respond to the insidious threats that are certain to come their way. The goal
18 | FMS forward | SEPTEMBER/OCTOBER 2017
going after the smaller, softer target of the community institution could be to their advantage.
“This is where what we call ‘threat intelligence’ comes into
play. Institutions need to start thinking about all of the different ways someone might attack them or their customers and, more importantly, how they’re going to respond when it happens. A lot of what we see today are generic, ‘drive-by’ types of attacks, but you have to start to think about how you’re going to respond if somebody decides to very specifically target your institution.”
should be to get to a place where everyone in the institution – from teller to manager – understands that security is an all-hands- on-deck kind of proposition. Anyone can be a target, so everyone needs to be on guard.
“Making sure employees are trained and are constantly thinking about whether the emails they get are legitimate can be a
real challenge,” Schulman says. “I think a lot of community institutions use some great technology outsourcing partners or they may have some great in-house technology, but ultimately if their employees are clicking on bad things or replying to malicious emails, it’s really going to hurt them. It’s a challenge for every industry, but when you have limited resources to make sure that kind of persistent training happens, it really puts your company at a significant disadvantage.”
Schulman says there are a number of ways for community institutions to approach employee training, from expensive self-configured software programs that force employees to undergo training the minute they click on a malicious test email (thus immediately tying their behavior to the instruction) to the cheaper (and less effective) route of refresher sessions that still use real-world examples to help get the point across. Whatever method an institution ultimately chooses, the ideal outcome is a board and management team that sees the human element of cybersecurity as just as important as the technical side, and a staff that is vigilant and aware at all times.
“It starts with the tone at the top,” Olejnik believes. “Building a culture of cybersecurity awareness cannot be done with just a once-a-year training session or having employees read a policy.
A good training and awareness program will include a variety of elements including formal training, regular awareness touch points, testing and measurement. Most importantly, executives need to communicate their support for this type of effort and back it up with ongoing education and awareness campaigns.Ӥ


THE HIT LIST
The variety of cyberattack variations seems to grow and evolve almost by the week, but our three experts tend to see the following areas as the most likely to affect community banks and credit unions.
PHISHING > WIRE FRAUD
An oldie but a goodie, the classic email phishing scam designed to perpetrate a fraudulent wire transfer is often the least technical attack to prepare against – but just as often the most effective.
“Phishing has gotten much more sophisticated and hackers are getting a little smarter about their approach, so community institutions probably need to think outside the box a little bit in terms of being prepared to ward off these threats,” Boettcher says. “At this point, they probably need to be thinking about new ways to test their defenses and procedures instead of doing the same kind of training and testing they’ve been doing for a while, because the threat has advanced since those tests were first put into place. Complacency is probably one of the biggest risks, so it’s important to constantly look at different scenarios and plan for a more sophisticated threat.”
MALWARE
Whether designed to steal an institution’s customer information, shut down a key piece of its system or extort a ransom payment for access to its data, malware is a persistent and many-faceted threat that can arrive via malicious email, an unpatched machine or one of a dozen other avenues.
“Security in this area needs to be operationalized – it is not a once-a-year activity,” Olejnik says. “Computers need to be patched and updated on a regular basis, passwords need to be changed, data needs to be backed-up and tested, and networks should be scanned routinely for vulnerabilities.”
THIRD-PARTY RISK
As more and more key data-intensive services and functions are outsourced, institutions need to make sure they have a good vendor management program in place to help assess and monitor the risks introduced by new services and providers.
“It’s important to make sure you understand where your data is and who has access to it,” Boettcher says. “You need to make sure you’re on top of your vendors and you understand what they’re doing.”
Computers need to patched and updated on a regular basis, passwords need to be changed, data needs to be backed-
up and tested, and networks should be scanned routinely for vulnerabilities.
Jeff Olejnik, Director – Risk Advisory Services, Wipfli LLP
Atlantic Capital Strategies, Inc.
Investment advisory services Atlantic Capital Strategies, Inc. is an SEC-registered investment advisory irm located in edford, Massachusetts. Our senior bankers provide investment advisory services to community- based inancial institutions, including commercial banks, savings banks and credit unions.
869354_Atlantic.indd 1
www.atlanticcapitalstrategies.com
FMS forward | SEPTEMBER/OCTOBER 2017 | 19 5/19/17 12:17 PM
COMPREHENSIVE ADVISORY
INVESTMENT CONSULTING
• Tailored investment plan
• Annual portfolio reviews
• Security selection and best execution
• Credit monitoring surveillance
• Pre-purchase analysis and ongoing monitoring
• Watch list reporting
• Policy development • Full regulatory reporting
• Market pricing
Contact: Robert B. Segal, CFA, President & CEO • 781-276-4966 [email protected]
• OTTI analysis and impairment opinions


BUILDING A
BETTER BOARD
THE TONE AT THE TOP CAN HAVE A SIGNIFICANT IMPACT ON A COMMUNITY INSTITUTION
The board of directors at a community institution has the opportunity to guide long- term strategic vision and prevent disasters. It can provide a broader point of view and find opportunities to question, consider, reconsider and direct what the institution is doing. But
not every board is as effective as it might be in helping to shape strategy and provide direction.
Many of the challenges associated with maximizing the potential of a board can be traced back to basic elements such as group makeup and team dynamics, the relationship with management and executives, and even time management in meetings. With so many moving parts, then, community institutions need to take a step back to make sure they’re
considering all of the key building blocks of what constitutes a good board.
THE TRADITIONAL BOARD
For many community institutions, the focus in building a board has long been on finding members who could offer contacts within and access to the local business community
20 | FMS forward | SEPTEMBER/OCTOBER 2017
FEATURE


and economy, as opposed to individuals who brought banking experience to the table.
“Traditionally, and especially at the community bank level of the industry, board members have been comprised of local business leaders,” says Larry Sorensen,
a director-at-large on the FMS Board of Directors and Chief Financial Officer of $5.6-billion Washington Trust Bank. “Having a banking background wasn’t really a qualifier to be on the board.”
These traditional boards often sought out
a lawyer and an accountant to lend their specific areas of expertise to the discussion, but the other directors were tapped for their knowledge about business development.
“Those business leaders tended to be the key contacts within that
A thorough understanding of the institution’s specific strengths, weaknesses and strategic goals is therefore essential
to knowing what skills sets should be represented on the board. For example,
if legal and accounting expertise were always in demand, another area has become popular for many community institutions in recent years.
“One area that I think is becoming more of a focus is technology expertise, particularly cybersecurity and cyber risk,” says Sorenson. “The proper governance of the institution is the responsibility of the board, not just to regulators but to shareholders and the bank’s role in the community as well.” He adds that when a board has expertise finely attuned to pertinent subject matter – such as cybersecurity – it can not
perspective to bear that complements straight functional or industry knowledge.”
Ana , President and CEO of the Executives’ Club of Chicago, agrees that fresh perspective can be an enormous boon to financial institutions.
“Here’s the beauty – if a director is prepared, insightful and a quick learner, that person can provide immense contributions to the board because he or she is going to look at the industry with fresh eyes,” she says.
MIXING UP THE BOARD
While there is general support for a mix
of professional backgrounds on a board, the question of consciously expanding that diversity to also include a mix of personal backgrounds (i.e., race and gender) is
community, bringing business to the bank,” Sorensen says.” Smaller community banks’ boards had knowledge of who the borrowers and customers were and the direction of the local economy, which was important intelligence when it came to forming the strategy and the exposure of the bank.”
Board members need to ask the right questions, anticipate issues and be unafraid to speak up if something doesn’t make sense to them, or if they need further explanation. Their failure to do so is how management can get away with poor decisions.
Ana Dutra, President and CEO, Executives’ Club of Chicago
somewhat less definitive. Tayan cites split research and divided opinion between diverse boards and boards with a more homogenous makeup.
“The literature pretty strongly shows the benefits and drawbacks of both approaches,” he says. “Diverse groups have a greater array
But as times have changed, so too have the makeups of many boards. “There’s a shift underway from local business leaders [brought on for] business development purposes to subject matter experts that can help the institution manage the risks it faces,” Sorensen says.
CHANGING WITH THE TIMES
As the needs of the community financial institution change, how does leadership follow suit?
“For each board, the mix of skill sets is going to be different,” says Brian Tayan, a researcher at the Corporate Governance Initiative at Stanford University. “It’s based on a forward-looking view of the company and what it needs to succeed.”
only address the risks facing the institution, but put itself in a position to challenge management if necessary.
Beyond the right blend of expertise, however, is the blend of insiders and outsiders to the banking industry. Ensuring that a board is stocked with a blend of leaders from inside and outside can be important for a number of reasons.
“Outsiders are not going to understand the complexity of running an institution as well as someone with firsthand experience,” says Tayan. “At the same time, related but outside experience can bring important perspective on running a company in general, such as dealing with regulatory issues, management and leadership
style. [The outsiders] bring a second-level
of knowledge and experience, can counter groupthink and
can prevent premature consensus. They’re also generally important from a societal perspective. At the same time, however, diverse groups can be less cohesive, have lower levels of cooperation and can be less effective in sharing information.”
Dutra, however, champions the benefits of diversity, arguing that conformity is an ever- present threat for any board.
“If you have a very homogenous board, you end up promoting group thinking,” she says. “You’re going to have people who always see problems and make decisions from the same perspective. The more diverse the board is, the more creativity, the more out-of-the-box thinking and the more provocative questions you’re going to be able to get.”
FMS forward | SEPTEMBER/OCTOBER 2017 | 21


Perhaps one of the most important things to keep in mind when it comes to board makeup, however, is to fully understand the population the institution serves and to seek out directors who reflect the needs, interests and values of that population.
“Your board should mirror the types of clients and customers you want to have,
so the more diverse the board, the more perspective you have on different issues,” says Dutra. “That makes for good business.”
BOARD VERSUS MANAGEMENT
Determining the best mix of backgrounds and specialized expertise to serve an institution is a good start, but equally important is understanding the interplay between the board and management.
“Different institutions have different cultures and different epicenters of power,” says Sorensen. “Some are board-centric, some are management-centric – it’s a matter of who’s setting the direction.”
Whether the board is taking the lead
and setting the strategic vision for the institution or taking a more passive
role, it is still responsible for setting the tone of the organization. If leadership is serious and devoted to the purpose of the institution and the important role it plays in the community, that attitude permeates the institution.
“The tone at the top and the ethics and business practices and expectations from the leadership – be it the board or senior management, or ideally both – is crucial to the culture and ultimately the governance of the institution,” says Sorensen.
Regardless of how essential the board is to establishing that culture and setting those attitudes within the organization, however, Sorenson believes one thing is clear – it cannot uphold and maintain those attributes on its own. Without the right management, in other words, no board can truly make its mark.
“It’s hard for the board to impact ethics and culture beyond picking the right management to set the tone,” he notes. “If
management is inconsistent with the ethics and culture that the board wants to instill or preserve, then it really needs to replace those leaders.”
Along those same lines, boards need to be able to challenge management when they see questionable decisions being made. Whether directors don’t want to admit ignorance of certain issues, don’t want
to stick their necks out on a controversial topic or just don’t want to run counter
to prevailing opinions, the institution ultimately pays the price for complacency on the board.
“Board members need to ask the right questions, anticipate issues and be unafraid to speak up if something doesn’t make sense to them, or if they need further explanation,” says Dutra. “Their failure to do so is how management can get away with poor decisions.”
AN IDEAL DIRECTOR
Whether or not an institution chooses to prioritize diverse backgrounds or different areas of expertise when seeking out board members, there are some universal qualities that almost any candidate should have.
“In general, you would expect any board member to be insightful, self aware and extremely responsive and responsible,” says Dutra. “There’s nothing worse than getting to a meeting and realizing that board members have not read the materials and have not come prepared.”
This sense of responsibility is especially important when an institution is dealing with board members from outside industries who may need to educate themselves in order to be able to offer cogent insight. Sorensen notes that he regularly sees board books that run up to 1,000 pages – for each meeting. An irresponsible board member could certainly be tempted to skim, or even skip, such a volume.
Tayan believes that strong interpersonal skills are also a key attribute for any good board member. He says a high level of emotional intelligence and interpersonal maturity is crucial to being able to share
time and make hard choices in a timely and effective manner.
“[These] are attributes that the person either has naturally or has worked to develop so they know how to function
in a group setting to help that group make better decisions, communicate, ask questions and challenge management in a constructive but not confrontational manner,” he explains.
BOARD TURNOVER
Even the most well-constructed board
is subject to turnover, and how the institution handles those transitions will determine how stable and effective the board can remain as members come and go. An institution should understand when each of its directors is likely to roll off the board so it knows when there are going to be gaps.
“In an ideal situation, board turnover
is planned for well in advance and transitioning the old board member out and the new board member in happens in a very orderly and methodical fashion,” adds Sorensen.
Turnover can also provide an ideal opportunity to assess what can be improved on the board, once again employing a broad viewpoint and a clear plan for the future.
“Through the evaluation process, the board should identify which holes would be created by unexpected board turnover and be thoughtful of the types of people that could be brought in to fill those holes,” says Tayan. “Whenever a board member leaves, there’s an opportunity
to improve by recruiting new directors who have skills or traits the board may be lacking.”
Dutra says board members should have term limits and should be evaluated regularly. And while age limits may not be necessary, she believes it’s beneficial to have effectiveness exercises at least every other year.
“I’m a big proponent of terms because if you’re up for renewal and you’re not being
22 | FMS forward | SEPTEMBER/OCTOBER 2017


a good director, it’s a good opportunity to decide it’s time to refresh,” she says.
Just as when new customers come into
the institution, whenever a new board member comes on, there should be a
robust onboarding process. Especially for board members coming from outside the industry, this can be an ideal opportunity for education. But even for those with banking experience or knowledge, it’s important that they know what’s special about your
community institution.
“When we bring on new board members, there’s a very deliberate onboarding process,” Sorensen explains. “[It covers] a historical briefing, a strategic component – what we’re trying to accomplish and what lines of business we’re in and what our strategies for success are – and a legal and regulatory component, including the regulatory framework and expectations and fiduciary responsibilities. There’s also
a financial briefing where we cover the financial structure and performance of our bank and our risk management approach.” This kind of comprehensive and meaningful investment in your board members – combined with a rigorous process for selecting, training and monitoring those members – will pay off in the long run, as they will approach their duties better attuned to your institution, and ready to start helping to make it better.§
FMS forward | SEPTEMBER/OCTOBER 2017 | 23
MAKING THE MOST OF MEETINGS
One of the inherent difficulties of being a board member is having limited time to take in a large amount of information and give important guidance based on that information. Boards are expected to oversee regulation, compliance, fiduciary issues, strategic issues and management – any one of which could take up all of their time in any given meeting.
“The board’s scope of responsibility is high-level but also extremely broad, so it’s a challenge to cover all of those bases adequately, and it’s only getting more challenging,” says Sorensen. “It’s really tricky to find a way to effectively allocate time across all of these expectations during meetings and retreats.”
What can institutions do to get the most out of their board’s limited 1available time?
HAVE A STRONG CHAIRPERSON
In helping to set the agenda, interfacing with management, communicating with all of the board members and serving
as group leader, the chairperson is essential to the overall efficiency and effectiveness of the board. As such, the chairperson manages the group dynamics to ensure the board is functioning cohesively – and must be prepared to step in when they’re not.
“A good chairperson should provide feedback to other directors on how they can improve, as any coach on an athletic team would,” Tayan says.
2
“We fill in the agenda with this and that, and suddenly some very 3crucial decisions and issues don’t get covered.”
CATEGORIZE AGENDA ITEMS TO GIVE THE BOARD A CLEAR UNDERSTANDING OF WHAT THEY’RE EXPECTED TO COVER AND CONTRIBUTE
“Companies usually fail miserably on defining what each agenda item should look like,” Dutra says, in explaining her “Test, Tell or Decision” method for determining how much time or effort board members should spend on each agenda item. “Make the most of the meeting by not spending more time than needed on a TELL, and instead sharing expertise and viewpoints when you need to discuss a TEST or reach a DECISION.”
Dutra’s categories break down as follows:
TELL: A presentation I’m taking part in and asking questions about. I’m not expected to offer my opinion or make a decision.
TEST: An idea that’s being floated or an issue that’s being raised. The executive team wants my opinion and insight.
DECISION: I am a part of the decision-making process. I should take part in a thoughtful discussion to reach a decision.
Using this as a kind of ranking mechanism allows board members to determine how much time and effort to invest in each item, allowing them to best utilize their time and energy.
GIVE THE BOARD INPUT ON THE AGENDA
“Board agendas are developed and constructed in such a way that it
seems the really important matters are never covered,” says Dutra.


GROWING CONCERNS COMMUNITY INSTITUTIONS HAVE LONG BEEN SEEN AS A NATURAL PARTNER TO
SMALL BUSINESS. BUT WHEN THE BUSINESS IN QUESTION IS SELLING MARIJUANA, REGULATORY AND REPUTATIONAL CONCERNS HAVE CAUSED MANY INSTITUTIONS TO STEER CLEAR.
Last year, the marijuana industry racked up $6.7 billion in sales, according to market research, and was projected to create more jobs than manufacturing. Legal for adult recreational use in eight states and medicinal use in many more, decriminalization has been a powerful trend over the past several years.
With such impressive growth, one might assume that community
institutions would be lining up to provide banking services to these booming businesses. However, this has not been the case thus far – and we may yet be far from a turning of the tide.
REGULATORY HURDLES
“You have to start from the understanding that it’s still illegal under federal law,” says attorney John Geiringer, a partner in the Financial
24 | FMS forward | SEPTEMBER/OCTOBER 2017
FEATURE


Institutions Group at Barack Ferrazzano. “That’s the starting point that every institution has to grapple with.”
Indeed, as of this writing, marijuana remains a Schedule 1 drug, which means the FDA deems it high risk with no medical benefit – a classification shared by heroin (even cocaine and meth have some accepted medicinal uses that relegate them to the less severe classification of Schedule 2). Further, under the new administration, it’s possible that the trend toward legalization could be slowing down. U.S. Attorney General Jeff Sessions once remarked that “good people don’t smoke marijuana,” and he has been adamant in noting his plans to use his elevated role to work toward rolling back
the Rohrabacher-Farr amendment, which allows states to make their own decision whether or not to legalize marijuana without interference from the Justice Department.
Nevertheless, marijuana remains a growing business at this point. But when it comes to providing banking services to companies in the industry, institutions in marijuana-friendly states face the challenge of navigating this space between a state-legal marijuana business and a federally-illegal marijuana product.
“FinCEN and the Department of Justice put out a road map [on how institutions] can provide services to these entities and not
FMS forward | SEPTEMBER/OCTOBER 2017 | 25


violate the BSA, but when you dig into the guidance, it’s really hard to jump through all of the hoops,” says John Zasada, a principal and leader of the regulatory compliance practice at CliftonLarsonAllen. “When it comes down to it, even apart from the current administration, there are many experts that feel like there’s really no way to totally reduce your risk in being able to comply with that guidance.”
OPERATIONAL CHALLENGES
While institutions taking on marijuana businesses may struggle to comply with
not only FinCEN and DOJ guidance, Zasada says third-party firms grading on compliance have a particularly difficult time giving
the all-clear on the Cole Memorandum, which says that banks have to ensure
that their marijuana-based clients don’t promote negative societal effects such
as contributions to cartels, distribution to minors or exacerbation of drugged driving.
quite simply, those big cash deposits coming from marijuana businesses can smell up a branch office. Some institutions have gone so far as to have a special room to deal with the cash from marijuana businesses in order to cope with the optics (or odor, in this case).
Other PR issues have less to do with the legality of the product, but rather the challenge of working with an industry that many regulators just don’t like, similar to the fraught relationship institutions have
In light of the guidance available, institutions are
understandably reluctant to
take on clients associated
Every bank has to conduct its own risk analysis with respect to any new product or service they may provide. Marijuana’s no different.
John Geiringer, Partner, Barack Ferrazzano
had with payday lenders due to government and regulatory pressure. While it might not necessarily take a Schedule
1 drug to make banking a particular business difficult, it definitely doesn’t help.
“There are plenty of industries banks treat like this, either because they themselves find it risky,
with the marijuana industry
even in states where it’s
legal. Some may take on
these clients, but have them
keep the nature of their
business under the table and
out of the spotlight. However,
in such a cash-heavy
industry, the truth tends to
surface and accounts are often shut down and relationships ended.
“One retail owner has had her account shut down seventeen times, and she’s on the side of compliance and disclosure, but she runs into these problems constantly,” says Beau Whitney, an economist who has conducted in-depth research into the field of recreational marijuana legalization. “I think the difficulty is that the Feds are saying you can provide banking services to a Schedule 1-related company, but you have to do X, Y and Z in order to do so. So there’s a fair amount of risk associated with it, and it becomes fairly costly.”
But there are risks with not being banked as well. In a booming, cash-intensive business, not having access to banking services tends to become a safety issue, both for those within the marijuana industry and for their surrounding communities.
“When you have this business that’s operating almost entirely in cash, there are community-based risks,” says Zasada. “It’s just not the safest way for money to be handled, and it’d be best if a federally insured institution was involved.”
This means that institutions not only need to vet their clients, but to some degree their clients’ clients – a level of compliance that makes many experts believe there’s no real way to totally reduce the risk.
Even if an institution does all of its homework, a well-planned decision to work with marijuana entities is often still at the mercy of a correspondent banks’ oversight. Correspondent banks often don’t want their downstream banks engaged in what they perceive as a risky endeavor, regardless
of the precautions those institutions may have taken.
“They can always get another correspondent bank, but those relationships are very sticky and banks are disinclined to leave a correspondent bank over this issue,” says Geiringer.
Then there are the potential public relations implications of taking on clients dealing
in a federally illegal product. While the complicated SARs associated with such
a cash-heavy industry might stand out initially as the biggest issue to consider, one of the commonly cited problems for many institutions is much more on the nose –
or they’ve seen how regulators have signaled that they could be problematic,” Geiringer says.
NAVIGATING COMPLIANCE
Despite the many potential challenges, there are institutions that bank marijuana- related businesses – and do it well. Among other considerations, two of the necessary tools to have before wading
in are an in-depth understanding of all relevant regulatory guidance and the right team. For example, an experienced and savvy BSA/AML staff will be familiar with the enhanced due diligence required for riskier customers, and be able to appease regulators by automatically treating marijuana clients as enhanced due diligence customers.
“I tell any bank that wants to engage in marijuana-related activities that they need
to have a top-notch compliance staff and a top-notch BSA/AML staff in place before they go down that road,” Geiringer says. “Often it’s not the marijuana that concerns the regulators as much as the fact that the bank didn’t have the BSA/AML architecture in place to handle customers who require more enhanced due diligence in the first place.”
26 | FMS forward | SEPTEMBER/OCTOBER 2017


When you have this business that’s operating almost entirely in cash, there are community- based risks. It’s just not the safest way for money to be handled, and it’d be best if a federally funded institution was involved.
John Zasada, Principal, CliftonLarsonAllen
SOWING THE SEEDS
When asked what the future holds for the marijuana industry – and its intersection with banking – our three industry experts had a few thoughts to share.
GETTING BIGGER
“That $6 billion sales figure is going to rapidly increase over the next few years as the newly established recreational markets start making sales,” Whitney says. “The cash-strapped states are seeing the revenue generated from legalization, and not seeing the adverse impacts that a lot of the opponents of legalization have talked about.”
“Predicting what this administration will do can be a difficult thing, but I do think it will be hard to put the genie back in the bottle,” Geiringer adds.
STATES TAKE THE LEAD
States are spearheading ways to make the marijuana industry safer and the regulations that surround
it clearer. In Oregon, Nevada and Colorado, for example, companies are testing closed-loop systems such as kiosks in order to ensure that inordinate amounts of cash aren’t floating around.
BANKING SERVICES NEEDED
Legislation is beginning to be introduced to address the issue of institutions being uncomfortable banking marijuana businesses, which are badly in need of their services.
“One would think – outside of what’s happening in the administration – we are certainly on a trend towards making it easier to bank marijuana businesses, undeniably,” Zasada says. “If there
was a clear way to legally provide services to these entities, I don’t think they would have any trouble finding a financial institution in their community.”
In fact, some institutions that have chosen to go down the marijuana road will opt to confine their marijuana-related activities to one specialized branch, with all marijuana clients working through that one location. Not only does this strategy make practical sense when it comes to having one sorting room as opposed to trying to find a space for it in every branch, but the institution can also focus specialized personnel and expertise
in that one location. Even within the world
of marijuana clients, however, some require more involvement than others. The closer the business is to touching the actual marijuana plant, the more compliance you’ll need.
“The institutions that do it well can get away with charging these customers a lot more to recoup some of their compliance costs,” Geiringer notes.
However, Whitney warns against pricing marijuana companies out of business, stressing that building a better relationship can lead to a happy medium that will prove beneficial to both the institution and the client. Asking the businesses to provide thorough documentation up front and in-depth updates on an ongoing basis is essential.
“By becoming better partners with them, they’ll eventually learn how to self-regulate,” he says. “What’s common in Oregon is submitting the same documentation the business needs to get a state license – ownership structure, source of funds, use
of funds, location, security, tracking – so the financial institution can get that in their systems and application file and see that they’re legit.” Of course, building relationships with regulators and law enforcement is equally
important, allowing the institution to more easily reach out as questions or situations develop. Regulators are more likely to
see banking marijuana businesses as a compliance issue than a law enforcement issue – and they know the implications of having so much unbanked cash.
“There’s a good synergy between divisions within the government on a state level, where they understand not just the banking regulations but also the seed-to- sale regulations on the marijuana side,” Geiringer notes.
THE BOTTOM LINE
Looking at an infant industry with shaky legal footing, Geiringer says there’s every reason for community institutions to exercise caution when considering taking on a marijuana banking client. But for those institutions with solid due diligence and the right protocols in place, he also believes there are a lot of reasons – beyond the money – to start thinking seriously about it.
“There are some institutions that have top- of-the-line compliance and top-of-the-line BSA/AML who are willing to invest, aren’t afraid of the public relations ramifications and who will say ‘if they’re a legal business, we’re going to bank them,’” he says.
Even so, he’s quick to point out that it’s still not right for everyone – especially those not willing to make the commitment needed to do it right.
“You don’t want to dabble in the marijuana space.”§
FMS forward | SEPTEMBER/OCTOBER 2017 | 27


CHAPTER AND VERSE
COMPLIANCE CORNER
GETTING TO KNOW YOU
COMMUNITY INSTITUTIONS MAY PRIDE THEMSELVES
ON KNOWING THEIR CUSTOMERS, BUT THE NEW FINCEN CUSTOMER DUE DILIGENCE REQUIREMENTS MAY NEVERTHELESS POSE A SIGNIFICANT TEST
As major regulatory initiatives go, the long, winding journey of the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence Rules from initial proposal to final version wasn’t unusually long or inordinately winding. However, as so often is the case with these types of extended build-ups, it’s quite possible that over the past several years, community institutions may have gotten a little too comfortable with the notion that actual implementation was still a long way off.
If so, the coming spring promises to be a rude awakening, as the enhanced BSA/AML requirements stemming from these more stringent know-your-customer rules become
a reality on May 11, 2018. While several provisions already largely present in FinCEN’s current customer due diligence are merely tweaked or highlighted in the new version, the one piece that may prove problematic for community institutions is the new beneficial ownership requirement.
“The beneficial ownership rule could have a significant impact on community institutions, specifically as it relates to processes and procedures, system updates and training,” says Maureen Hellstrom, a manager at Crowe Horwath LLP. “The impact of the ruling will be greater at institutions that have multiple account opening channels, such as branches, lending and online.”
28 | FMS forward | SEPTEMBER/OCTOBER 2017


Beginning in May, institutions will be required to identify and document a “beneficial owner” when opening an account, according to the two main areas built into the FinCEN rules – ownership and control.
OWNERSHIP
Each individual (if any) who, directly or indirectly, owns 25% or more of the equity interests of a legal entity customer. Institutions are required to identify no more than four individuals, but may not need to identify any individuals if none meets the 25% threshold.
CONTROL
A single individual with significant responsibility to control, manage or direct a legal entity customer, including an executive officer or senior manager (such as a CEO, CFO, COO, Managing Member, General Partner, President, Vice President or Treasurer) or any other individual who regularly performs similar functions.
Hellstrom says institutions will need to pay particular attention to the method by which they collect the information to make these ownership determinations, ensuring that this data is evaluated and considered within various areas of their BSA/AML/OFAC programs. In addition, they should be prepared to demonstrate the reasoning behind – and documentation of – any exceptions they make to these provisions, such as when they voluntarily choose to identify additional individuals or use a lower threshold than 25% if deemed appropriate on the basis of risk.
“The beneficial owner process should be similar to CIP as it relates to exception processing and tracking and account closure for instances where exceptions are unresolved,” she explains. “Determination of the beneficial owners is the burden of the legal entity. However, the institution should determine situations where the data is required to be refreshed, or when the accuracy of the information provided may be called into question.”
The challenge for institutions leading up to May of 2018 comes
in trying to develop a formalized plan in order to implement the necessary process and system changes (where necessary) and train impacted staff. In doing so, Crowe Horwath senior manager Blake Walker says institutions should focus on considerations such as:
• Identifying all account opening channels that will be impacted
• Confirming that systems can be updated to support their process
– possibly including downstream systems like sanctions screening, CTR, CDD/EDD and transaction monitoring applications – and that IT and/or vendors can implement such changes prior to the deadline
“Education of frontline associates will also be a challenge,” Walker notes. “Organizations will need to develop a consistent message for the collection of required data, as well as provide training on the requirements to all account opening personnel.”
For a refresher on the final FinCEN rules, the full text is available at bit.ly/FinCENrules§
FMS forward | SEPTEMBER/OCTOBER 2017 | 29


ON THE HORIZON
It’s back-to-school time, which means now is the time to plan your fall schedule and beyond with these great FMS educational events
BUILD CUSTOMER RELATIONSHIPS WITH DIGITAL BANKING CHANGE MANAGEMENT FOR FINANCIAL MANAGERS
CAPITAL PLANNING IN A NEW CAPITAL WORLD CECL SHARING FORUM
CFO ROUNDTABLE
INTERNAL AUDIT OF CREDIT AND LENDING YEAR-END STRATEGIES FOR 2018
MANAGING IRR
FINANCE REVOLUTION-MAP FOR TOMORROW’S INSTITUTION
ALM FOR THE BOARD OF DIRECTORS
5300 CALL REPORT FOR CREDIT UNIONS
CALL REPORT BOOT CAMP FOR BANKS AND THRIFTS CECL UPDATE SEMINAR
THE 2018 FMS FORUM
September 26, 2017 October 18, 2017
October 24-25, 2017 October 26, 2017 November 8-9, 2017 November 15-16, 2017 November 15, 2017 December 5-6, 2017
December 12, 2017
January 23, 2018 March 5-6, 2018 March 5-6, 2018 March 7, 2018 June 10-12, 2018
ONLINE
ONLINE
BALTIMORE, MD BALTIMORE, MD CHICAGO, IL BOSTON, MA ONLINE LOCATION TBD
ONLINE
ONLINE ORLANDO, FL ORLANDO, FL ORLANDO, FL ORLANDO, FL
CHAPTER AND VERSE
FMS CHAPTERS:
EAST COAST REGIONAL CONFERENCE
Even those FMS members who have never had the opportunity to attend are likely aware of the existence of The FMS Forum, our annual conference that takes place in a different city every June (check out a recap of this year’s Las Vegas event in this issue). But did you know that FMS actually hosts two annual conferences each year?
The FMS East Coast Regional Conference takes place each September in a different location throughout the northeast. The four largest FMS Chapters – Boston, Maryland, New York/New Jersey and Philadelphia – rotate hosting duties for this annual event, which brings together community bank and credit union professionals and service providers from across the region and country.
Hosted by the Maryland Chapter from September 17-19, 2017 at the Hyatt Regency
in Bethesda, Maryland, this year’s East Coast Regional Conference is slated to be A Monumental Event, with a comprehensive educational agenda that includes topics ranging from CECL to fintech, as well as a deeper dive into today’s regulatory environment with presentations on accounting, regulatory and legal updates. And don’t forget the fun! Attendees will also enjoy a Sunday evening reception and experience the nation’s capital at night as they float down the Potomac aboard the Odyssey cruise ship.
Registration information and a full agenda for the 2017 FMS East Coast Regional Conference are now available online at FMSmdchapter.org.§
UPCOMING CHAPTER EVENTS
Please visit FMSinc.org/Chapters to stay up-to-date on chapter events in your area.
WISCONSIN CHAPTER
September 2017
Capital / Strategic Planning Meeting in the Milwaukee area
October 2017
Topic TBD in the Madison area
November 2017
Annual Tax and Accounting Update in the Milwaukee area
PHILADELPHIA CHAPTER
October 11, 2017
October Dinner Meeting: Improving Profitability, King of Prussia, PA
November 8, 2017
November Dinner Meeting: Most Expensive Mistake You Make with Vendors, Blue Bell, PA
MARYLAND CHAPTER
September 17-19, 2017
East Coast Regional Conference, Bethesda, MD
This list includes just some of the upcoming chapter events that may be taking place in your area. Don’t see anything local? Start an FMS Chapter of your own! For more information, contact Autumn Wolfer, Director, Marketing and Membership at [email protected] FMSinc.org.
30 | FMS forward | SEPTEMBER/OCTOBER 2017


CENTRAL
CECL Central is your one-stop comprehensive portal dedicated to all things CECL!
Featuring links to current articles and research on the FASB's Current Expected Credit Loss (CECL) standard, CECL Central is a hive for new viewpoints and a great place to start your CECL planning.
Get your full CECL coverage at: FMSinc.org/CECLCentral
REGISTER TODAY SAVE SPECIAL
EARLY RATES!
THE
FORUM
JUNE 10 - 12, 2018
Orlando, FL
FMSinc.org/TheForum18
AND
WITH


Financial Managers Society
1 North LaSalle Street, Suite 3100 Chicago, IL 60602
PRSRT STD US POSTAGE PAID MARCELINE, MO PERMIT NO. 13
2017 EAST COAST REGIONAL CONFERENCE
The Hyatt Regency Bethesda | Bethesda, MD FMSmd apter.org
Hosted by the Maryland Chapter of the Financial Managers Society
L
A
O
N
M
N
M
E
C
C
E
O
N
T
U FR
E
E
N
s
l
i
g
e
R
e!
t
r
a
t
i
o
n
N
o
wA
v
a
i
l
a
b


Click to View FlipBook Version
Previous Book
SPRAK
Next Book
SCV Smart Shopper East - August 2017