
Page 1: Tennessee Risk Management Seminar 2016 - Elliott Davis · the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions

Tennessee Risk Management Seminar 2016
Thursday, April 21, 2016
Franklin Marriott Cool Springs, Franklin, Tennessee

8:30 am - 9:00 am: Registration & Continental Breakfast
9:00 am - 9:10 am: Opening Remarks. Chris Purvis, Shareholder, Elliott Davis Decosimo; June Crowell, Shareholder, Elliott Davis Decosimo
9:10 am – 10:00 am: IT Security – Update on Practical Risk Mitigation Strategies. Bonnie Bastow, Director, Elliott Davis Decosimo
10:00 am - 10:50 am: Regulatory Compliance Hot Topics. Tim Kemp, Attorney, Butler Snow LLP
10:50 am - 11:10 am: Break
11:10 am - 12:00 pm: Great Internal Controls and Then It Happens – Fraud! Pam Mantone, Director, Elliott Davis Decosimo
12:00 pm - 1:00 pm: Lunch
1:00 pm - 1:50 pm: Performing Model Validations (Interest Rate Risk/Asset Liability Management; Allowance for Loan Losses; Bank Secrecy Act). Chris Purvis, Shareholder, Elliott Davis Decosimo; Michael Koupal, Senior Manager, Elliott Davis Decosimo
1:50 pm - 2:40 pm: 360° of Vendor Management. Jay Brietz, Shareholder, Elliott Davis Decosimo
2:40 pm - 2:50 pm: Break
2:50 pm - 4:00 pm: Risk Management Roundtable. Moderator – June Crowell, Shareholder, Elliott Davis Decosimo; Samantha Meyer, Chief Risk Officer, First Community Mortgage; Richard Tripp, Compliance Officer, First Volunteer Bank; Brandon Woodard, Compliance Officer, Macon Bank & Trust
4:00 pm: Course Evaluation and Wrap Up

Page 2

Shareholder Contact Information

Financial Institutions Group:

Bob Beckwith, CPA, Shareholder
Direct: 864.552.4763  E-mail: [email protected]
Direct: 615.790.0542  E-mail: [email protected]

Bill Bossong, CPA, CBA, Shareholder

Jason Caskey, CPA, Financial Services Practice Leader
Direct: 803.255.1497  E-mail: [email protected]
Direct: 803.255.1203  E-mail: [email protected]

June Crowell, CPA, CGMA, Shareholder

Chris Loyd, CPA, CISA, CGMA, Shareholder
Direct: 615.790.0542  E-mail: [email protected]

Andy Mitchell, CPA, Shareholder
Direct: 864.242.2691  E-mail: [email protected]

George Noonan, CPA, Shareholder
Direct: 704.808.5293  E-mail: [email protected]

Paul Pickett, CPA, Shareholder
Direct: 804.887.2256  E-mail: [email protected]

Chris Purvis, CPA, Shareholder
Direct: 704.808.5216  E-mail: [email protected]

Gary A. Rank, CPA, Shareholder
Direct: 864.242.2638  E-mail: [email protected]

Barbara Rushing, CPA, Shareholder
Direct: 864.242.2625  E-mail: [email protected]

Beverly A. Seier, CPA, CPCU, Shareholder
Direct: 803.255.1214  E-mail: [email protected]

Page 3

Tennessee Senior Manager Contact Information

Financial Institutions Group:

Joey Croom, II, CRCM, Senior Manager - Franklin, TN

Jason Price, CPA, Senior Manager - Franklin, TN
Direct: 615.790.0542  E-mail: [email protected]

Anthony Dugan, CPA, Senior Manager - Knoxville, TN
Direct: 865.521.1683  E-mail: [email protected]
Direct: 615.790.0542  E-mail: [email protected]

Glenda Sloan, AAP, Senior Manager - Franklin, TN
Direct: 615.790.0542  E-mail: [email protected]

Marshall Stein, CPA, Senior Manager - Brentwood, TN
Direct: 615.277.5015  E-mail: [email protected]

elliottdavis.com

Page 4

Financial Institutions Practice Quick Facts

360 Service. Focused on You. elliottdavis.com

States Served
Alabama | Florida | Georgia | Kentucky | Maryland | Missouri | North Carolina | Ohio | South Carolina | Tennessee | Virginia | Washington, D.C.

Professional Team
12 Shareholders
100 Team Members

Institutions Served
160 Financial Institutions
75 External Audit Clients
  o Largest – First Bancorp, Southern Pines, NC ($3.2 billion in assets)
28 SEC Registrants (included in external audit clients)
  o Largest – First Bancorp
60 Consulting Clients – Risk Advisory Services
  o Internal Audit / Compliance / Loan Review
  o Largest – Yadkin Financial Corporation, Raleigh, NC ($4.2 billion in assets)
25 Consulting Clients – M&A Advisory Services
  o Valuations / Day 2 Accounting
  o Largest – First Citizens Bancshares, Inc., Raleigh, NC ($30 billion in assets)

Page 5

IT Security – Update on Practical Risk Mitigation Strategies

Bonnie Bastow, CIA, CISA, CISM
Director, Risk Advisory Services, IT Audit & Security
April 2016

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Page 6

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 7

IT Security – Update on Practical Risk Mitigation Strategies

Learning Objectives/Knowledge Gained

IT Security – Update on 2016 Threats
• McAfee Labs 2016 Threat Predictions
• PwC 2016 Forecast
• Cybersecurity events – what they have in common

Practical Risk Mitigation Strategies
• Increased knowledge of cybersecurity risk assessment processes and tools
• IT controls to mitigate risks

Page 8

McAfee Labs 2016 Threat Predictions

Threat | Comments
Hardware | Operating system level attacks
Ransomware | As a service – hosted on the Tor network; financial and government sectors as targets; targeting cloud services and mobile devices
Vulnerabilities | Adobe Flash, Unix
Payment Systems | Credential stealing and attacking payment card devices (skimmers, etc.)

Page 9

McAfee Labs 2016 Threat Predictions

Threat | Comments
Attacks through Employee Systems | Increase expected in Android devices; securing home networks for employees' remote access
Cloud Services | Users have little insight into the provider's security measures
Integrity | Compromise of the integrity of systems and data; stealthy, selective attacks that appear to be operational problems, accounting errors, or dumb mistakes

Page 10

PwC Survey – Top 3 Challenges – Financial Services 2016

1. Financial services respondents ranked assessment of the security capabilities of third-party vendors as the top challenge to their information security efforts. More than half said they would increase spending to better monitor third-party security in the coming 12 months. Average information security spending is up 15%.
2. Rapidly evolving, sophisticated, and complex technologies
3. Increased use of mobile technologies by customers

Page 12

Social Engineering Defined

Social Engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information.

A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Page 13

Common Data Breaches/Threats

• Phishing is a form of social engineering
• Phishing is the most common threat
• Usually accomplished through email or phone call schemes
• Our employees are our weakest link
• Continuous/annual employee training is a must in this area to assist with prevention

Page 14

Spear Phishing

• Unlike traditional spam, spear phishing is by no means random – it is a highly targeted operation.
• The sender impersonates a friend or colleague of the potential victims in order to trick them into opening malware-ridden files, visiting malicious websites, or taking some action for the phishers' benefit.
• Has a high success rate.

Page 15

Spear Phishing Example

https://www.youtube.com/watch?v=bjYhmX_OUQQ&feature=youtu.be&t=2m13s

Page 16

Common Data Breaches/Threats

Malware threats
• Malware is software designed to infiltrate, damage, or obtain information from a computer system without the owner's consent (as defined by ISACA)
• Spyware/keylogger (records users' keystrokes – can obtain user names and passwords) – 75% of cases
• Backdoor (e.g. malware creates backdoor access for the cyber criminal) – 66%
• Captured stored data (e.g. ransomware) – 55%

Source: http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware

Page 17

Keylogger Example

Hacker builds wireless Microsoft keyboard keylogger disguised as USB wall charger

Page 18

Risk Mitigation Strategies

1 – IT General Controls
2 – Cyber Security Assessments
3 – Training – Employee and IT Specific
4 – Risk Assessments and Information Sharing

Page 19

1 – IT General Controls

Security Administration | Logical Security | Change Management | Operations
User provisioning | Password controls | Authorization and approval | Backups
User removal | Privileged user review | User testing | Restore test
User access reviews (with SoD) | Security monitoring | Access to production | Vendor management
Physical | Segregation of duties | | Job monitoring

Page 20

2 – Cyber Security Assessments

• Internal Network Vulnerability Scans
  – Patching is the largest category
  – System configuration
• External Network Vulnerability Scans
• External Penetration Testing
• Wireless Scans
• Social Engineering Assessments
• Social Engineering Training

Page 21

2 – Cyber Security Assessments: Reporting Categories

Category | Vulnerabilities Resulting from…
Patch Management | Failure to apply patches provided by vendors to address security weaknesses. Software/firmware patches are primarily an administrative detail.
System Configuration | Identified configuration settings on devices that may not be set in an optimal manner from a security standpoint.
Trust | Identification of insecure authentication methods or configurations on workstations/servers.
Application | Discovery of applications with known vulnerabilities found on the network. Examples include the discovery of software such as Dropbox, Skype, and Coupons Printer.

Page 22

3 – Training – Employee and IT Specific

• Training, training, training (employees as well as clients/customers)
• Technical training for key employees and management
• Set the appropriate tone at the top – make security a priority and not just an IT initiative

Page 23

Training Aids

Cisco (OpenDNS) launched an online quiz to show how easy it is to get people hooked by a social engineering phishing email.

https://www.opendns.com/phishing-quiz/

Can you pass the quiz? (It can also be used for training purposes.)

Page 24

4 – Information Sharing

FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

Page 25

4 – Information Sharing

Page 26

4 – Risk Assessment Reduction Solutions

FFIEC Nov. 3, 2014 Press Release: https://www.ffiec.gov/press/pr110314.htm

FFIEC released observations from the recent cybersecurity assessment and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/

The assessment included more than 500 community banks. FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

Page 27

4 – Risk Assessment Reduction Solutions

FFIEC Cybersecurity Assessment – General Observations (Summer 2014): https://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

This document presents general observations from the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions and suggests questions for chief executive officers and boards of directors to consider when assessing their financial institutions' cybersecurity and preparedness.

Page 28

McAfee Labs 2016 Threat Predictions

Threat | Risk Mitigation Strategy
Hardware | Patching, vulnerability scans
Ransomware | Risk assessment/vendor management & cyber insurance
Vulnerabilities | Patching programs
Payment Systems | Physical controls, scans, basic controls
Attacks through Employee Systems | Social engineering, remote access controls
Cloud Services | Risk assessments, vendor management
Integrity | Monitoring controls, social engineering

Basic IT General Controls and Assessments

Page 29

PwC Survey – Top Challenges – Financial Services 2016

Challenges
• Third Party Security
• Rapidly evolving, sophisticated & complex technologies
• Increased use of mobile technologies by customers

Risk Mitigation
• Deeper vendor management practices
• More thorough risk assessments and vendor due diligence
• Cyber insurance

Page 30

PwC – The State of Security 2016 Survey

PwC proposed Risk Mitigation Approaches

1. Risk-Based Frameworks
   • 91% adoption rate for a cybersecurity framework
   • Frameworks provide for better identification and prioritization of security risks
   • ISO 27001, NIST, SANS Critical Controls, COBIT
2. Cloud-Based Security
   • 69% use cloud-based cybersecurity services
   • Real-time monitoring

Page 31

PwC – The State of Security 2016 Survey

3. The Impact of Big Data
   • Trending, looking for patterns
4. Threat Intelligence Sharing
   • 65% of respondents collaborate to improve security and reduce cyber risks (up from 50% in the previous year)
   • Information Sharing and Analysis Centers (ISACs)
5. Executive Involvement
   • 45% of respondents stated their boards now participate in the overall security strategy
   • Resulted in a boost in security spending of 24%

Source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html

Page 32

Did you know?

The biggest violators of IT security are the senior members of the IT/IS team (via controls override) – the team that is responsible for securing the enterprise (and CEOs/Presidents).

Page 33

Questions

Page 34

Bonnie Bastow, CIA, CISA, CISM
Email: [email protected]
Phone: 704.808.5275
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.


Page 36

THE CFPB AND COMMUNITY BANKS: MIND THE CREEP!

Tennessee Risk Management Seminar 2016
April 21, 2016

Timothy V. Kemp
Butler Snow LLP – Washington and Nashville

Page 37

CFPB Overview – What It Is

• Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act created a new federal agency, the CFPB.
• CFPB vested with sweeping powers to fulfill its mandate – the protection of consumers related to financial products and services
• Title X of the Dodd-Frank Act granted the CFPB authority to do:
  – rulemaking under Title X and certain “enumerated consumer laws” throughout the U.S. Code
  – supervision of “covered persons”
  – enforcement of Title X and certain “enumerated consumer laws”
• Essentially, Dodd-Frank transferred primary rulemaking and enforcement authority over all or parts of 18 federal consumer protection statutes from 7 different federal agencies into 1.

Page 38

CFPB Overview – What It Does

• Title X of Dodd-Frank – UDAAP (unfair, deceptive and abusive acts & practices)
  – UDAAP is a roving commission to do “good”
• Enumerated Consumer Laws include, among others:
  – Electronic Fund Transfer Act
  – Equal Credit Opportunity Act
  – Fair Credit Reporting Act
  – Fair Debt Collection Practices Act
  – Section 43 of the Federal Deposit Insurance Act
  – Sections 502 through 509 (Privacy) of the Gramm-Leach-Bliley Act
  – Real Estate Settlement Procedures Act
  – Truth in Lending Act

Page 39

Introduction

• Consumer Financial Protection Bureau (“CFPB”)
  – What It Is…?
  – What It Does…Authority?
  – Who It Reaches…?
• CFPB and the Creep
  – Community Banks
  – Insurance
• Regulation of Service Providers
• Enforcement Risk Analysis
  – What CFPB May Do Directly
  – What CFPB May Do Indirectly
• Minimizing Your Risk

Page 40

CFPB Overview – Who It Reaches

• CFPB regulates “covered persons” providing consumer financial products and services
  – banks and non-bank lenders (e.g., payday loans)
  – credit reporting agencies
  – debt counseling services
• CFPB also regulates “service providers” to covered persons
  – servicing companies
  – others designing / operating / maintaining the financial product or service at issue
  – escrow or settlement services providers

Page 41

CFPB Overview – Who It Reaches

• “consumer financial product or service” includes “extending credit and servicing loans, including acquiring, purchasing, selling, brokering, or other extensions of credit,” as well as:
  – Leasing of real/personal property if equivalent to finance arrangements
  – Deposit taking activities
  – Check cashing, check collection, or check guaranty services
  – Certain financial data processing
  – Debt collection
  – Stored value or payment instruments
  – Financial advisory services
  – Consumer report services

Page 43

CFPB and Community Banks

• Ever since Dodd-Frank became law, there has been fear and speculation about what the impact would be on community banks
  – In 2011, when the CFPB was still a twinkle in Elizabeth Warren’s eye, the Independent Community Bankers Association voiced its concerns that the new bureau would fail to appreciate the difference in the business models and customer bases of the mega-banks or shadow non-bank financial institutions and the community banks
  – Admonished the new agency to be careful not to throw the baby out with the bath water

Page 44

CFPB and Community Banks

• By 2012, industry watchers again warned that even though the examination and enforcement of laws and regulations governing banks with less than $10 billion in assets remained under their same prudential banking regulators, CFPB could participate in such exams and enforcement actions “on a sampling basis”
• As the CFPB set out to develop new standards and “make the big banks play by the same rules as the community banks”, community banks would inevitably be impacted by the CFPB’s enforcement activities.

Page 45

CFPB and Community Banks

• By 2013, articles were being published describing the oppressively burdensome regulatory requirements impacting community banks
  – Promulgation of consumer protection regulations
• By 2014, headlines were reading “Dodd-Frank is Killing Community Banks”
  – Formation of the Community Bank Advisory Council, which advises the CFPB on regulating consumer financial products or services and specifically shares the unique perspectives of community banks. They share information, analysis, and recommendations to better inform the CFPB's policy development, rulemaking, and engagement work.

Page 46

CFPB and Community Banks

• By 2015, those same headlines started to read “Is Dodd-Frank Really Killing Community Banks?”
  – Even though community bank market share most recently decreased at a more rapid rate than in previous periods, the consensus seems to be that the cost of compliance has impacted but not crippled community banks
  – The Wall Street Journal reported on October 4, 2015 that Dodd-Frank’s impact on small banks was “muted”

Page 47

So all the worries of Community Banks are over?

Page 48

CFPB and Insurance: A Cautionary Tale

• First Principles
  – the “business of insurance” is excluded from the list of financial products and services subject to the CFPB’s jurisdiction
  – CFPB is prohibited from enforcing Title X against “any person regulated by a state insurance regulator”
• Second Guesses
  – there are a few exemptions to the above rules

Page 49

The “Business of Insurance”

• The “business of insurance” is defined in Dodd-Frank to mean:
  – “writing of insurance or the reinsuring of risks by an insurer, including all acts necessary to such writing or reinsuring and the activities relating to the writing of insurance or the reinsuring of risks conducted by persons who act as, or are, officers, directors, agents, or employees of insurers or who are other persons authorized to act on behalf of such persons.”
• Does this include sales and marketing activity?
• Other authority:
  – McCarran-Ferguson
  – Case law: Dep’t of Treasury v. Fabe (1993); Group Life & Health Ins. v. Royal Drug (1979); FTC v. Nat’l Casualty (1958)

Page 50

CFPB and Insurance

• Despite the noted exclusions for the “business of insurance” and “any person regulated by a state insurance regulator,” the CFPB has authority over insurance companies if they are:

– providing a “consumer financial product or service”

– operating as a “service provider” to a “covered person”

– covered by an “enumerated consumer law”

Page 51

CFPB and Insurance

• Instances where an insurance industry participant may provide a “consumer financial product or service”:

– financial advisory services

– loans to policyholders

– insurance premium financing…?

– vehicle service contracts…?

• Instances where an insurance industry participant may operate as a “service provider” to a “covered person”:

– debt protection contract administration

– design of a product offering…?

Page 52

CFPB and Insurance

• Instances where an insurance industry participant may operate under an “enumerated consumer law”:

– Electronic Fund Transfer Act

– Fair Credit Reporting Act

– Fair Debt Collection Practices Act

– Sections 502 through 509 (Privacy) of the Gramm-Leach-Bliley Act*

• (technically this is outside CFPB scope if a state regulator handles it)

– Real Estate Settlement Procedures Act

Page 53

Service Providers

CFPB Bulletin 2012-03 (April 2012)

– (a) Supervised banks and nonbanks must oversee vendors (“service providers”) in a “manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm”

– (b) The focus is on avoiding any “unwarranted risks to consumers”

Page 54

Service Providers

CFPB Bulletin 2012-03 (April 2012)

– (c) The Bulletin requires a financial institution to:

– Conduct thorough due diligence of vendors to verify that they understand and comply with the law

– Review vendors’ policies, procedures, internal controls, and training materials to ensure that they conduct appropriate training and oversight of employees/agents who have consumer contact or compliance responsibilities

Page 55

Service Providers

CFPB Bulletin 2012-03 (April 2012)

– Include clear expectations about compliance in contracts, as well as consequences for violations of compliance-related responsibilities

– Establish internal controls and ongoing monitoring of compliance

– Take prompt action to address compliance issues

“Indirect” regulation as a practical impact

Page 56

Insurance as Add-On Product

• Beyond the text of Dodd-Frank, concerns remain that the CFPB may attempt to regulate insurance products offered in conjunction with loans (add-on products) through its authority under the Truth in Lending Act.

• In comment letters submitted to the FIO (Federal Insurance Office), several trade associations requested that the regulatory actions of the CFPB be monitored to ensure that it does not attempt to directly or indirectly regulate insurance products.

Page 57

CFPB Enforcement Actions

• Noteworthy Enforcement Actions to Date

• CFPB’s “To Do List”

– Payday Lending

– Prepaid Cards

– Arbitration Rules

– Debt Collections

– Overdrafts

• Regulation by enforcement

Page 58

Minimizing Your Risk

• Manage your consumer complaints

• Conduct pre-CFPB readiness evaluations

• Pay attention to your vendor relationships, where you are either vendor or vendee

• Follow CFPB and other agency enforcement actions and observe trends

• Expect inter-agency referrals (federal and state)

• Develop a Strategic Plan

– Enterprise Risk Management

Page 60

Timothy V. Kemp
Butler Snow LLP
D: (202) 481-6838 | C: (714) 380-1342 | F: (601) 985-4500
Eleventh Floor South, 601 Thirteenth Street NW, Washington, D.C. 20005
D: (615) 651-6793 | C: (714) 380-1342 | F: (615) 651-6701
150 3rd Avenue South, Suite 1600, Nashville, TN 37201
[email protected]

Page 61

Great Internal Controls and Then It Happens – Fraud!

Pamela S. Mantone, CPA, CFF, CFE, MAFF, CITP, CGMA, FCPA
Director
April 21, 2016

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Page 62

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 63

Even the best internal control structure is not guaranteed to prevent fraud.

• Inherent limitations
• Judgment
• Breakdowns
• Management override
• Materiality
• Point-in-time evaluation
• Cost/benefit considerations

• Cannot rely on regulatory exams, internal audit or external audits to find fraud. It is a game of chance for those not sufficiently trained to perform forensic accounting.

Page 64

• The greatest internal fraud preventive technique is monitoring, because it creates the perception of detection
• Authorizations
• Approvals
• Reviews, reviews, and review some more

• Opportunity can be controlled by an organization, while motive and rationalization cannot be controlled (the Fraud Triangle)

Page 65

Are banks subject to legal issues when acting as a third party in transactions related to fraudulent activity?

• PATCO vs. Ocean Bank – 1st Circuit Court of Appeals, July 3, 2012
• Facts: PATCO, a small construction company in Maine and a longtime customer of the bank, sustained 6 unauthorized ACH transfers from its payroll account ($588,851.26)
• Court found in favor of PATCO, even though the bank’s security system was provided through a reputable, well-known vendor
• Court referred to FFIEC standards as relevant to the standard of care

Page 66

• Choice Escrow and Land Title (Choice) vs. BancorpSouth Bank (BSB) – 8th Circuit Court of Appeals, June 11, 2014
• Facts: Choice sued BSB for $440,000 that internet fraudsters stole from its account
• Court found in favor of BSB, since Choice had declined BSB’s fourth security measure, dual control, and signed a waiver acknowledging that dual control was declined and that it understood the risks of using a single-control security system
• Dual control creates a “pending payment order” that must be approved by a second person

• Really a win? The court firmly held that when a customer “insists” on using a higher-risk procedure because it is more convenient or cheaper, the account holder has voluntarily assumed the risk and cannot shift responsibility to the bank.

Page 67

South State Bank (formerly The Savannah Bank)
• Lawsuits involving funds put into the bank and held in trust (fiduciary funds) that were stolen by a Probate Court Clerk; on-going, with multiple lawsuits from victims in Chatham County State Court
• Last motion heard March 24, 2016; last proceeding dated April 1, 2016
• Over $800,000 taken from various accounts
• “South State Bank improperly monitored the account under the control of Birge, Probate Court Clerk”
• Multiple checks written to “cash” with no endorsement on the back
• Many of these checks were $2,900 or less
• Many of these transactions occurred two at a time on the same day, within minutes of each other
• Notations from bank clerks’ stamps: “well-known customer”
• Generally used the same tellers at the different branches
• SARs (Suspicious Activity Reports)??
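The South State Bank pattern above (checks to “cash” with no endorsement, amounts held to $2,900 or less, two transactions minutes apart on the same day, the same teller used across branches) is exactly what an end-of-day teller-transaction review can flag before an outside plaintiff does. The following is an added example, not code from the presentation: it runs those four rules over a small set of constructed teller transactions. The account numbers, tellers, the $3,000 ceiling, the 15-minute pairing window and the three-check minimum are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed teller transactions for the example (not data from the case).
# Fields: timestamp, account, payee, amount, endorsed, teller, branch
SAMPLE_TXNS = [
    ("2015-03-02 10:02", "TRUST-1001", "cash", 2900.00, False, "T17", "Main"),
    ("2015-03-02 10:09", "TRUST-1001", "cash", 2850.00, False, "T17", "Main"),
    ("2015-03-03 14:30", "TRUST-1001", "cash", 2900.00, False, "T17", "Westside"),
    ("2015-03-03 14:36", "TRUST-1001", "cash", 2900.00, False, "T17", "Westside"),
    ("2015-03-04 09:15", "TRUST-1001", "Acme Funeral Home", 4200.00, True, "T03", "Main"),
    ("2015-03-05 11:00", "TRUST-2002", "cash", 500.00, True, "T08", "Main"),
]

# Thresholds are assumptions for this example, not figures from the presentation.
CASH_CEILING = 3000.00          # cash checks kept just under a round-number threshold
PAIR_WINDOW = timedelta(minutes=15)
MIN_CASH_CHECKS = 3             # near-ceiling cash checks before an account is reported


def parse(txns):
    return [dict(ts=datetime.strptime(ts, "%Y-%m-%d %H:%M"), account=acct, payee=payee,
                 amount=amt, endorsed=endorsed, teller=teller, branch=branch)
            for ts, acct, payee, amt, endorsed, teller, branch in txns]


def flag_accounts(txns):
    """Return {account: [reasons]} for accounts whose cash checks fit the pattern."""
    by_account = defaultdict(list)
    for t in parse(txns):
        by_account[t["account"]].append(t)

    findings = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r["ts"])
        cash = [r for r in rows if r["payee"].lower() == "cash" and r["amount"] < CASH_CEILING]
        reasons = []
        if len(cash) >= MIN_CASH_CHECKS:
            reasons.append(f"{len(cash)} checks to cash under {CASH_CEILING:.0f}")
        unendorsed = [r for r in cash if not r["endorsed"]]
        if unendorsed:
            reasons.append(f"{len(unendorsed)} cash checks with no endorsement")
        # Two cash checks on the same day only minutes apart: compare each with the next one.
        pairs = sum(1 for a, b in zip(cash, cash[1:])
                    if a["ts"].date() == b["ts"].date() and b["ts"] - a["ts"] <= PAIR_WINDOW)
        if pairs:
            reasons.append(f"{pairs} same-day pairs within {PAIR_WINDOW.seconds // 60} minutes")
        tellers = {r["teller"] for r in cash}
        branches = {r["branch"] for r in cash}
        if len(tellers) == 1 and len(branches) > 1:
            reasons.append(f"single teller {tellers.pop()} used across {len(branches)} branches")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in flag_accounts(SAMPLE_TXNS).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

Tune the thresholds to the institution’s own recordkeeping limits and transaction volume; the useful property is that each finding names the rule that fired, which is what a SAR narrative or an internal referral needs.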

Page 68

Fraud risks associated with financial institutions

• Technology threats
• Embezzlement
• Loan fraud
• Real estate fraud
• Mortgage fraud
• New accounts
• Money transfer (wire) fraud
• ATM fraud
• Money laundering – and the list goes on

Page 69

Loan Fraud

• Loans to non-existent borrowers
• Sham loans with kickbacks and diversion
• Double-pledging collateral
• “Daisy chains”
• Linked financing
• False applications with false credit information and/or credit data blocking
• Single-family housing loan fraud
• Construction loans – lots of opportunities
• Loan collateral sold “out of trust”

Page 70

“Red Flags” for Loan Fraud

• Non-performing loans
• Fraudulent appraisals
• False statements
• Equity skimming
• Construction over-budget items
• Land flips
• Disguised transactions
• High turnover in developer’s personnel (construction lending)
• High turnover in tenant mix
• Abnormal change orders (construction lending)
• Missing documentation in the loan file
• Loan increases or extensions, replacement loans, “evergreen loans”
• Change in ownership makeup
• Cash flow deficiencies (commercial lending)

Page 71

An unusual twist for loan fraud allowing embezzlement of funds

• Over $176,000 taken in about 18 months
• New accounts set up using fictitious names and addresses, with name changes on the accounts occurring at various times. 19 accounts were used to funnel money from the institution.
• Hint: geocoding is an excellent way to check out addresses; so is Google Maps
• Paying off loans on actual customers’ accounts and issuing new loans, with a cash withdrawal generally occurring at the same time
• Cash tickets destroyed
• Missing support documentation for loans
• Multiple file maintenance changes performed to various members’ documentation, including extensions of “next payment due” and “last payment date” to prevent the loan from showing as past due
• Access to user IDs and the ability to change passwords
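The file-maintenance activity described above (repeated name changes on new accounts, many accounts at one address, and due-date extensions that keep a loan from ever showing past due) leaves a trail in the core system’s maintenance log that can be reviewed independently of the employee who made the changes. The following is an added example, not code from the presentation: it reads a constructed maintenance log and reports those three patterns. The account numbers, user IDs and thresholds are assumptions. It does not geocode addresses as the slide’s hint suggests (that needs an external service); instead it flags addresses shared by several accounts, which is the offline check that would precede a map lookup.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed core-system file-maintenance log for the example (not data from the case).
# Rows: (date, user_id, account, field_changed, old_value, new_value)
SAMPLE_LOG = [
    ("2015-01-05", "jdoe", "LN-301", "next_payment_due", "2015-01-10", "2015-02-10"),
    ("2015-02-06", "jdoe", "LN-301", "next_payment_due", "2015-02-10", "2015-03-10"),
    ("2015-03-09", "jdoe", "LN-301", "last_payment_date", "2014-12-10", "2015-03-09"),
    ("2015-03-09", "jdoe", "LN-301", "next_payment_due", "2015-03-10", "2015-04-10"),
    ("2015-01-20", "jdoe", "DD-777", "name", "A. Smith", "B. Jones"),
    ("2015-02-15", "jdoe", "DD-777", "name", "B. Jones", "C. Brown"),
    ("2015-02-15", "mlee", "DD-812", "address", "10 Elm St", "44 Oak Ave"),
    ("2015-02-20", "jdoe", "DD-813", "address", "12 Pine Rd", "44 Oak Ave"),
    ("2015-02-22", "jdoe", "DD-814", "address", "9 Lake Dr", "44 Oak Ave"),
    ("2015-03-01", "mlee", "LN-402", "next_payment_due", "2015-03-05", "2015-04-05"),
]

# Thresholds are assumptions for this example.
MAX_EXTENSIONS = 2       # forward pushes of next_payment_due on one loan before review
MAX_NAME_CHANGES = 1
MIN_SHARED_ADDRESS = 3   # distinct accounts pointing at the same address


def review_maintenance(log):
    """Return a list of (subject, reason, user_ids) findings from a maintenance log."""
    extensions = defaultdict(list)    # loan -> user id for every forward due-date push
    name_changes = defaultdict(list)  # account -> user id for every name change
    address_of = {}                   # account -> most recent address value

    for _, user, acct, fld, old, new in log:
        if fld == "next_payment_due" and date.fromisoformat(new) > date.fromisoformat(old):
            extensions[acct].append(user)
        elif fld == "name":
            name_changes[acct].append(user)
        elif fld == "address":
            address_of[acct] = new

    findings = []
    for acct, users in extensions.items():
        if len(users) > MAX_EXTENSIONS:
            top_user, count = Counter(users).most_common(1)[0]
            reason = f"next_payment_due pushed forward {len(users)} times"
            if count == len(users):       # one person doing all of it is the insider pattern
                reason += f", all by {top_user}"
            findings.append((acct, reason, sorted(set(users))))

    for acct, users in name_changes.items():
        if len(users) > MAX_NAME_CHANGES:
            findings.append((acct, f"{len(users)} name changes on one account", sorted(set(users))))

    accounts_at = defaultdict(list)
    for acct, addr in address_of.items():
        accounts_at[addr].append(acct)
    for addr, accts in accounts_at.items():
        if len(accts) >= MIN_SHARED_ADDRESS:
            users = sorted({u for _, u, a, fld, _, _ in log if a in accts and fld == "address"})
            findings.append((addr, f"shared by {len(accts)} accounts: {', '.join(sorted(accts))}", users))
    return findings


if __name__ == "__main__":
    for subject, reason, users in review_maintenance(SAMPLE_LOG):
        print(f"{subject}: {reason} (users: {', '.join(users)})")
```

The review must run against the log as written by the core system, not against the loan records themselves, because the loan records are what the insider edited; the same applies to the user-ID and password changes listed on the slide, which should appear in the same log under a security-administration field.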

Page 72

An unusual twist for loan fraud allowing embezzlement of funds – continued

• Security access set up by a 3rd-party vendor and not reviewed
• Background checks not performed for prospective employees; credit reports do not provide sufficient information for the hiring process
• Lack of proper safekeeping of documents
• Lack of adequate review from the loan committee
• Passive performance from the audit committee
• Slow process in hiring a new CEO; there was no CEO during the time the embezzlement occurred
• Lack of proper reviews and monitoring at all levels
• Case presented to the district attorney and the state regulatory agency

Page 73

Loan fraud found accidentally by a regulatory agency, requiring examination by a forensic investigation

• Over $500,000 taken from the institution through the use of fictitious loans and ACH transactions
• Loan officer had a degree in information technology and was very capable of manipulating computerized records
• Set up fictitious loan accounts combining information from existing customers
• Loans set up under lending limits
• CDs and other property used as collateral were CDs belonging to customers
• UCC filings contained falsified VINs and other information
• Part of the loan proceeds were used to set up separate checking accounts
• Credit cards set up for these accounts
• Statements sent to two different P.O. box numbers

Page 74

Loan fraud found accidentally by a regulatory agency, requiring examination by a forensic investigation – continued

• “Loan payments” made from other fictitious accounts and other new fictitious loans
• “Loan payments” washed through multiple times and then applied to fictitious accounts
• Personal favorite was a check made out to a “T. Swindle”
• Deleted transactions from computerized records
• Worked after hours without authorization
• Changed 65 transactions the night before the start of the regulatory exam
• Personal property taxes paid out of loan proceeds
• Personal items purchased on credit cards

Page 75

The chain for one check issued!

Page 77

A lot of work for $1,000 in cash, but remember, fraudulent loans must be paid as well!

Page 78

Loan fraud found accidentally by a regulatory agency, requiring examination by a forensic investigation

• Excellent example of an internal control breakdown
• Employee did not follow policies and procedures
• Maintained information in such a manner that it appeared that the loans were valid and payments were made monthly
• Followed lending limits to prevent detection

• Pled guilty in federal court; sentenced in December 2014
• Ordered to pay restitution and sentenced to 27 months in a minimum-security federal prison and four years of supervised release

Page 79

Wire Fraud

• Contact within the target company who is aggressive in carrying out the theft
• Dishonest bank employees
• Misrepresentation of identity
• System password security compromised
• Forged authorizations
• Unauthorized entry and interception

Page 80

A wire fraud case where the insurance company required a forensic investigation before paying for the loss

• Shareholder’s computer compromised and identity information stolen, including social security number, bank information and account numbers, and retirement accounts
• “Shareholder” email to the bank requesting that funds be wired to another bank
• Bank email requested a phone call, but the “shareholder” was in a meeting and could not call then, and gave a phone number to call later
• More “shareholder” emails gently persuading transfer of funds
• Additional requests for wire transfers
• Funds wired to various banks, all under $25,000, until the balance in the account was very minimal

Page 81

A wire fraud case where the insurance company required a forensic investigation before paying for the loss – continued

• Funds bounced between various accounts at various branches of a large national bank and were “off-shore” within 24 hours
- Recipients – Russian “mafia”
- Use of “mules”
- Persuasive passive-aggressive techniques used to promote “compliance”
• Shareholder notified the financial institution that identity was “stolen” – too late for the transfers though
• Over $250,000 transferred within a three-day period
• No employees from the financial institution were found to be involved with the wire transfer fraud, and the losses were paid by the insurer

Page 82

Ways to Prevent and Detect Wire Fraud

• Review all wire transfer transactions at the end of each day
• Provide fraud awareness training, including social engineering techniques, especially passive-aggressive techniques and phishing
• Don’t execute wire transfers solely from faxed or emailed instructions
• Require all personnel who handle wire transfers to take vacation (minimum of one week)
• Provide customers with unique codes that are required to authorize or order wire transfers
• Re-assign wire transfer employees who have given notice to another department for the time left
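Dual control, callback verification and customer-specific authorization codes appear both in the Choice Escrow case (page 66: a “pending payment order” released only by a second person) and in the prevention list above. The following is an added example, not code from the presentation or from either bank, showing how those three controls fit together in one release function: a constructed customer file, an HMAC-SHA256 code over the order fields standing in for the “unique code”, and a callback that only counts if it went to the number on file rather than a number supplied in the request. Customer, user and phone values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed customer file for the example (not real data). wire_secret stands in for
# the presentation's "unique code": shared with the customer out of band, never by email.
# callback_number is the number on file; a number supplied in the request is never used.
CUSTOMERS = {
    "ACME-ESCROW": {"callback_number": "+1-615-555-0100",
                    "wire_secret": b"example-only-secret-shared-out-of-band"},
}


@dataclass
class WireOrder:
    customer: str
    amount: float
    beneficiary: str
    channel: str                      # "online", "email", "fax", "in_person"
    initiated_by: str                 # bank user who keyed the order (first control)
    mac: str                          # customer-supplied HMAC-SHA256 over the order fields
    callback_to: Optional[str] = None  # number the bank actually dialed to confirm, if any
    approved_by: Optional[str] = None
    status: str = "pending"           # the "pending payment order" of the Choice Escrow case
    reasons: List[str] = field(default_factory=list)


def order_mac(secret: bytes, customer: str, amount: float, beneficiary: str) -> str:
    """Authorization code the customer computes over exactly the fields being released."""
    msg = f"{customer}|{amount:.2f}|{beneficiary}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def approve(order: WireOrder, approver: str) -> WireOrder:
    """Second person attempts to release a pending order; any failed check holds it."""
    profile = CUSTOMERS.get(order.customer)
    if profile is None:
        order.reasons.append("unknown customer")
    else:
        expected = order_mac(profile["wire_secret"], order.customer, order.amount, order.beneficiary)
        if not hmac.compare_digest(expected, order.mac):      # constant-time comparison
            order.reasons.append("authorization code does not verify")
        if order.channel in ("email", "fax") and order.callback_to != profile["callback_number"]:
            order.reasons.append("email/fax instruction not confirmed by callback to number on file")
    if approver == order.initiated_by:
        order.reasons.append("approver is the initiator; dual control not satisfied")
    order.status = "held" if order.reasons else "released"
    if order.status == "released":
        order.approved_by = approver
    return order


def demo():
    """Three constructed orders: a good one, a spoofed e-mail request, and a single-control attempt."""
    secret = CUSTOMERS["ACME-ESCROW"]["wire_secret"]
    good = WireOrder("ACME-ESCROW", 24900.00, "Beneficiary Bank / 123456", "online", "alice",
                     order_mac(secret, "ACME-ESCROW", 24900.00, "Beneficiary Bank / 123456"))
    # Attacker with the customer's mailbox: wrong code, and the callback went to a number from the e-mail.
    spoofed = WireOrder("ACME-ESCROW", 24900.00, "Mule Account / 999", "email", "alice",
                        mac="deadbeef", callback_to="+1-714-555-0199")
    single = WireOrder("ACME-ESCROW", 1000.00, "Vendor / 555", "online", "alice",
                       order_mac(secret, "ACME-ESCROW", 1000.00, "Vendor / 555"))
    return approve(good, "bob"), approve(spoofed, "bob"), approve(single, "alice")


if __name__ == "__main__":
    for o in demo():
        print(o.status, o.beneficiary, o.reasons)
```

The code check alone is not enough: in the PATCO case the customer’s own computer was the thing compromised, so anything the customer types can be captured. That is why the release also requires a callback to a number the attacker cannot supply and a second bank employee who was not the initiator; the $25,000-and-under wires in the case on pages 80 and 81 were sized to slip under a review threshold, which is a separate control from the three shown here.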

Page 83

Fraud risks associated with financial institutions

• Embezzlement
• False accounting entries
• Suspense accounts
• False or unauthorized transfers
• Unauthorized withdrawals
• Unauthorized disbursements of funds to outsiders
• Paying personal expenses from bank funds
• Theft of physical property
• Dormant or inactive accounts
• Unauthorized cash payments
• Unauthorized use of collateral
• Skimming

Page 84

“Red Flags” for embezzlement

• Missing source documents
• Unusual amount of out-of-sequence check numbers
• Payees on checks do not match entries in the general ledger
• Receipts or invoices lack professional quality
• Duplicate payment documents
• Payee identification information matches an employee’s information or that of his relatives
• Apparent signs of alteration to source documents
• Lack of original source documents (photocopies only)
• Excessive voids or credits
• Abnormal increase in reconciling items
• Cashier’s checks made payable to “Cash”

Page 85

• “Dimensional testing” for Employee Networks as Vendors

- Employee
  • Emergency contact and other dependents
- Address
- Business address
- Company phone number
- Company or personal fax number
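The dimensional test listed above compares vendor-master attributes with employee-master attributes, including emergency contacts, rather than just names. The following is an added example, not code from the presentation: it normalizes addresses and phone numbers so formatting differences do not hide a match, then joins constructed vendor records against constructed employee records on address, phone, fax and emergency-contact phone. All names, addresses and numbers are made up for the illustration; dependents’ names and business addresses would be added to the index the same way.

```python
import re

# Constructed employee master (HR) and vendor master (AP) records for the example (not real data).
EMPLOYEES = [
    {"id": "E100", "name": "Dana Reyes", "address": "44 Oak Ave, Apt 2, Franklin TN 37064",
     "phone": "(615) 555-0142",
     "emergency_contacts": [{"name": "Luis Reyes", "phone": "615-555-0177"}]},
    {"id": "E101", "name": "Sam Ortiz", "address": "9 Lake Dr, Nashville TN 37201",
     "phone": "615.555.0190", "emergency_contacts": []},
]
VENDORS = [
    {"id": "V9001", "name": "Reyes Consulting LLC",
     "address": "44 OAK AVENUE APT 2, FRANKLIN, TN 37064", "phone": "+1 615 555 0142", "fax": None},
    {"id": "V9002", "name": "Midstate Supply",
     "address": "1 Commerce Way, Nashville TN 37210", "phone": "615-555-0300", "fax": "615-555-0177"},
    {"id": "V9003", "name": "Office Supply Co",
     "address": "200 Main St, Nashville TN 37201", "phone": "800-555-0100", "fax": None},
]

ABBREV = {"avenue": "ave", "street": "st", "drive": "dr", "road": "rd",
          "apartment": "apt", "suite": "ste", "north": "n", "south": "s"}


def norm_phone(raw):
    """Keep the last ten digits so formatting and a leading country code do not hide a match."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else None


def norm_address(raw):
    """Lower-case, strip punctuation, and unify common abbreviations before comparing."""
    words = re.sub(r"[^\w\s]", " ", raw.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)


def dimensional_test(employees, vendors):
    """Return [(vendor_id, employee_id, dimension)] for each vendor attribute that collides
    with an employee's own data or with an employee's emergency contact."""
    index = {}   # (dimension, normalized value) -> employee id
    for e in employees:
        index[("address", norm_address(e["address"]))] = e["id"]
        index[("phone", norm_phone(e["phone"]))] = e["id"]
        for c in e["emergency_contacts"]:
            index[("emergency_contact_phone", norm_phone(c["phone"]))] = e["id"]

    hits = []
    for v in vendors:
        probes = [("address", norm_address(v["address"]))]
        for number in filter(None, (norm_phone(v["phone"]), norm_phone(v["fax"]))):
            probes += [("phone", number), ("emergency_contact_phone", number)]
        for key in probes:
            if key in index:
                hits.append((v["id"], index[key], key[0]))
    return hits


if __name__ == "__main__":
    for vendor_id, employee_id, dimension in dimensional_test(EMPLOYEES, VENDORS):
        print(f"vendor {vendor_id} matches employee {employee_id} on {dimension}")
```

The second vendor is the interesting one: nothing about it matches the employee directly, but its fax number is the phone number of an employee’s emergency contact, which a name-only comparison would never surface.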

Page 86

• Conflicts of Interest – Board Member Interrelationships

Page 87

An embezzlement cover-up with an unusual twist

• CEO embezzled more than $1.5M from the financial institution through loans concerning his farming operations
• Used a second individual at another financial institution to “kite” checks and “float” deposits for the sale of cattle to hide the embezzled funds
• Kiting – the process of recording the deposit of an interbank transfer before recording the disbursement
• Floating – the current holder of funds has been given credit for the funds before the check clears the financial institution upon which it is drawn
• Floating makes check kiting possible
• Both are more difficult with a shorter float period
• Kite continued for over one year before the “house of cards fell”
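The kiting mechanics described above (a deposit credited before the check it is drawn on is presented, growing amounts, each account feeding the other) can be made visible by tracking a ledger balance alongside a collected-funds balance. The following is an added example, not code from the presentation: two constructed accounts kite against each other while a third, ordinary customer is included for contrast. The two-day float, the opening balances, the two-day minimum and the 90% concentration threshold are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

FLOAT_DAYS = 2   # assumption for the example: a deposited check is credited at once
                 # but is not presented to the drawee account until two days later

# Constructed ledger items for the example (not data from the case).
# (day, "check_deposit", deposited_to, drawn_on, amount) or (day, "cash_in"/"cash_out", account, None, amount)
SAMPLE_ITEMS = [
    (date(2015, 6, 1), "check_deposit", "A", "B", 5000.0),
    (date(2015, 6, 2), "cash_out",      "A", None, 4000.0),   # the money actually taken
    (date(2015, 6, 3), "check_deposit", "B", "A", 6000.0),    # covers the first check as it presents
    (date(2015, 6, 5), "check_deposit", "A", "B", 7000.0),
    (date(2015, 6, 7), "check_deposit", "B", "A", 8000.0),    # amounts grow each round
    (date(2015, 6, 1), "cash_in",       "C", None, 2000.0),   # ordinary customer for contrast
    (date(2015, 6, 4), "cash_out",      "C", None, 500.0),
]
OPENING = {"A": 1000.0, "B": 500.0, "C": 300.0}


def daily_balances(items, opening, float_days=FLOAT_DAYS):
    """Return {account: [(day, ledger_balance, collected_balance)]} across the sample window."""
    ledger_delta = defaultdict(lambda: defaultdict(float))
    collected_delta = defaultdict(lambda: defaultdict(float))
    days = set()
    for day, kind, acct, drawn_on, amt in items:
        days.add(day)
        if kind == "check_deposit":
            presented = day + timedelta(days=float_days)
            days.add(presented)
            ledger_delta[acct][day] += amt              # provisional credit: the float
            collected_delta[acct][presented] += amt     # good funds only when the check clears
            ledger_delta[drawn_on][presented] -= amt    # drawee account is hit at presentment
            collected_delta[drawn_on][presented] -= amt
        else:
            sign = 1.0 if kind == "cash_in" else -1.0
            ledger_delta[acct][day] += sign * amt
            collected_delta[acct][day] += sign * amt

    start, end = min(days), max(days)
    balances = {}
    for acct, opening_balance in opening.items():
        ledger = collected = opening_balance
        rows, day = [], start
        while day <= end:
            ledger += ledger_delta[acct][day]
            collected += collected_delta[acct][day]
            rows.append((day, ledger, collected))
            day += timedelta(days=1)
        balances[acct] = rows
    return balances


def kite_indicators(items, opening, float_days=FLOAT_DAYS, min_float_days=2, min_share=0.9):
    """Return [(account, counterpart, days_living_on_float, share_of_check_deposits)]."""
    balances = daily_balances(items, opening, float_days)
    # Days on which the ledger looks fine but collected funds are negative: living on float.
    on_float = {acct: sum(1 for _, led, col in rows if col < 0 <= led)
                for acct, rows in balances.items()}
    deposits_from = defaultdict(lambda: defaultdict(float))
    for _, kind, acct, drawn_on, amt in items:
        if kind == "check_deposit":
            deposits_from[acct][drawn_on] += amt

    findings = []
    for acct in opening:
        sources = deposits_from[acct]
        if not sources:
            continue
        top, top_amt = max(sources.items(), key=lambda kv: kv[1])
        share = top_amt / sum(sources.values())
        reciprocal = acct in deposits_from[top]        # each account feeds the other
        if on_float[acct] >= min_float_days and share >= min_share and reciprocal:
            findings.append((acct, top, on_float[acct], round(share, 2)))
    return findings


if __name__ == "__main__":
    for acct, counterpart, days, share in kite_indicators(SAMPLE_ITEMS, OPENING):
        print(f"{acct}: {days} days on float, {share:.0%} of check deposits drawn on {counterpart}")
```

An account that is repeatedly negative on collected funds while its ledger looks healthy, and whose check deposits come almost entirely from one counterpart that in turn deposits its checks, is the signature. Setting `float_days` to 1 in the example shrinks the number of such days, which is the slide’s point that a shorter float makes the kite harder to sustain.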

Page 88

An embezzlement cover-up with an unusual twist

• SARs (Suspicious Activity Reports)??
• Nothing good comes from fraudulent activity – well, sometimes
• Financial institution failed
• Shareholders of the financial institution lost their investments
• CEO destroyed all records and committed suicide
• But – the second party to the kite received over $600,000 in funds from the last float and, under oath, stated that there was no overage of funds in his personal account. So these funds were used for personal expenses.
• Ultimately, these funds became part of the recovery costs for the shareholders of the financial institution

Page 89

• “The expected never happens; it is the unexpected always.” – John Maynard Keynes

• “Corruption, embezzlement, fraud, these are all characteristics which exist everywhere. It is regrettably the way human nature functions, whether we like it or not. What successful economies do is keep it to a minimum. No one has ever eliminated any of that stuff.” – Alan Greenspan

Page 90

Providing Additional Resources to Meet Your Needs

Page 91

Pam Mantone
Email: [email protected]
Phone: 423-266-4021
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With sixteen offices across six states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Page 92

Analytical Tools and Techniques

Page 93

Model Risk Management

Chris Purvis, CPA, Shareholder
Michael Koupal, CPA, Senior Manager


Page 95

“Models are simplified representations of real-world relationships among observed characteristics, values, and events.”

– Guidance on Model Risk Management (OCC 2011-12)

Page 96

Model Definition

Per the OCC Supervisory Guidance on Model Risk Management (OCC 2011-12), a model consists of three components:

• Information input (which delivers assumptions and data to the model)

• Processing (which transforms inputs into estimates)

• Reporting (which translates estimates into useful business information)

Page 97: Tennessee Risk Management Seminar 2016 - Elliott Davis · the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions

• Model Risk Management Policy (including definition)

• Model Inventory

• Model Risk Assessment (drives validation efforts and frequency)

“Model risk should be managed like other types of risk. Banks should identify the sources of risk and assess the magnitude. Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions, broader use, and larger potential impact.” – OCC 2011-12

Model Risk Management Program

Page 98

Model Risk occurs for two primary reasons:

1. The model may have fundamental errors and may produce inaccurate outputs. Errors can occur at any point from design through implementation.

2. The model may be used incorrectly or inappropriately. Even a fundamentally sound model producing accurate outputs consistent with the design objective of the model may exhibit high model risk if it is misapplied or misused.

Model Risk

Page 99

• Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions, broader use, and larger potential impact.

• Even with skilled modeling and robust validation, model risk cannot be eliminated, so other tools should be used to manage model risk effectively.

- establishing limits on model use
- monitoring model performance
- adjusting or revising models over time
- supplementing model results with other analysis and information

Model Risk (Continued)

Page 100

• Model validation is the set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses. Effective validation helps ensure that models are sound. It also identifies potential limitations and assumptions, and assesses their possible impact.

• All model components, including input, processing, and reporting, should be subject to validation; this applies equally to models developed in-house and to those purchased from or developed by vendors or consultants.

Model Validation

Page 101

• Validation involves a degree of independence from model development and use. Generally, validation should be done by people who are not responsible for development or use and do not have a stake in whether a model is determined to be valid.

• Staff doing validation should have the requisite knowledge, skills, and expertise. A high level of technical expertise may be needed because of the complexity of many models, both in structure and in application. These staff also should have a significant degree of familiarity with the line of business.

Who should complete the validation?

Page 102

• The range and rigor of validation activities conducted prior to first use of a model should be in line with the potential risk presented by use of the model.

• Validation activities should continue on an ongoing basis after a model goes into use, to track known model limitations and to identify any new ones.

• Validation is an important check on model use during periods of benign economic and financial conditions, when estimates of risk and potential loss can become overly optimistic, and when the data at hand may not fully reflect more stressed conditions.

• Banks should conduct a periodic review—at least annually but more frequently if warranted—of each model to determine whether it is working as intended and if the existing validation activities are sufficient. Such a determination could simply affirm previous validation work, suggest updates to previous validation activities, or call for additional validation activities.

How Detailed? How Often?

Page 103

• An effective validation framework should include three core elements:

- Evaluation of conceptual soundness, including developmental evidence (Quality of model design and construction)

- Ongoing monitoring, including process verification and benchmarking

- Outcomes analysis, including back-testing

Key Elements of Comprehensive Validation

Page 104

• Validation should ensure judgement exercised in model design and construction is well informed, carefully considered, and consistent with published research and sound industry practice

• How is this handled when model is outsourced?

• Can sensitivity analysis help evaluate?
- Sensitivity analysis – measuring the impact inputs have on model outputs

Quality of design and construction

Page 105

BSA Models: Understanding and Maximizing the Backbone of Your AML Program

Chris Purvis, CPA, Shareholder

Page 106

• Purpose of the Model – Why do I need this?

• Key Areas of the Model

• Tuning – Did I Buy a Car?

• Understanding the Importance of the Model

Objectives/ Areas to Cover

Page 107

Manual Reports = Ineffective and Inefficient Monitoring

Regulators Make Us

It’s the Right Thing To Do

The “Why”

Page 108

Automated Monitoring

Before After

Page 109

• Who has to understand how the model works? Isn’t that an IT thing?

• No – BSA Officers should understand the functionality of the model, including details about how the model is scoring and flagging transactions for additional review.

Understanding the Model

Page 110

“Alert”

• YellowHammer BSA = Worklist Item
• Banker’s Toolbox BAM = Report Item
• Fiserv’s FCRM = Alert

Definition of Terms

Page 111

• Customer Information

- Customer Due Diligence

- Customer Risk Scoring

- Ongoing Due Diligence

Key Model Areas

Page 112

• Suspicious Activity Monitoring

- Unusual Transactions

- Out of Pattern Behavior

- Transactions in High Risk Areas

Key Model Areas (Continued)

Page 113

Too Much Static or “Noise”

Tuning – Like a Radio?

Page 114

reduce the noise to get a clearer picture

Tuning

Page 115

Tighten the net…

… and loosen it.

Tuning and Optimization

Page 116

T&O (Continued)

• Evaluate Coverage Based on Triggering Events
- Manual SAR Referrals
- Regulation Changes
- Bank M&A Activity
- New Products
- Enforcement Actions

• Evaluate Thresholds
- Dollar Amounts
- Transaction Frequency

• Challenge Customer Risk Scores
- New Markets
- High Risk Areas

Page 117

• Model Validation
- OCC 2000-16: Model Validation

• Model Risk Management
- OCC 2011-12 and SR Letter 11-7: Model Risk Management

Making Sure It Works

Page 118

• Reviewing system parameters, settings, security and validating that the system is working

• Assessing the setup of the model to ensure appropriate coverage in terms of customer risk and transactional risk

• Reviewing parameters and thresholds to verify they are set in line with the Bank’s size and BSA risk profile

Elliott Davis Decosimo Approach

Page 119

• Independent Review

• Defined Responsibility

• Model Documentation

• Ongoing Validation

• Audit Oversight

Keys to Model Governance

Page 120

Interest Rate Risk and Management

Michael Koupal, CPA, Senior Manager

Page 121

• Interest Rate Risk
- What is IRR?
- Current Regulatory Focus
- Internal Control System
- Independent Review and Validation

Overview

Page 122

• Banks are in the business of managing IRR
- Repricing Risk: timing differences between coupon changes or cash flows of assets and liabilities
- Yield Curve Risk: non-parallel changes in yield curve
- Option Risk: cash flows change with embedded options (prepayment/extension, call options, runoff)
- Basis Risk: different indices with same maturity move at different pace

What is IRR?

Page 123

• Margin pressure is hindering meaningful earnings recovery
• Increases in long-term asset exposure to support yield coupled with surge in non-maturity deposits
• Fear of substantial deposit runoff (surge deposits and parked funds)
• Examiner focus on assumptions, sensitivity analysis, internal controls/validation

Current Regulatory Focus

Page 124

• Board established system of internal controls
- Corporate governance
- Compliance with policies and procedures
- Comprehensive measurement system

Internal Control System

Page 125

• Roles, responsibilities, and authority
• Adequate segregation of duties
• Inputs and measurements are accurate and complete
• Policy compliance
• Independent review and validation
• Management response and follow-up
• Size, nature, and complexity of institution should be incorporated in evaluating all aspects

Effective Control Structure

Page 126

• Review/Test
- Lines of authority
- Segregation of duties
- Corrective actions
- Compliance with risk limits

• Ensure staff compliance with procedures

Adequacy and Compliance of Control System

Page 127

• Data Integrity
- Is data accurate, complete, and useful?
- Source of data

• Data Input Controls
- Automatic vs. Manual input
- Reconciliation and review process

• Test Data Inputs
- Balance sheet
- Budgets/forecasts
- Assumptions

Data Inputs

Page 128

• Reasonableness
- Can compare to historical and current data
- If using peer or national data, should still determine if reasonable for your institution
- Should be based on expectations, not just budget

• Documentation
- Understandable format and includes all assumptions
- Basis for balance sheet predictions
- Conclusions and strategies developed based on identified risks

Assumptions

Page 129

• Sensitivity analysis
- Which factors are most important? (Stress Testing)

• Sufficiency of modeled scenarios
- Reasonable range of rate changes and models

• Board approval and understanding

Assumptions

Page 130

• Internal Models
- Significant amount of time required for validation process.
- Includes validation of model mechanics and mathematics.

• External Models
- Vendors normally provide validation results. Management should review and assess at least annually.

Validation

Page 131

• Compare Modeled vs. Actual Results
- Who should complete?
- Annually or quarterly?
- Should include rate vs. volume variance
- Detailed enough to determine accuracy

• Were assumptions accurate?
- If not, has management identified changes for future modeling?

• Identify causes of differences

Backtesting

Page 132

• Report to Board/Audit Committee
- Testing details
- Findings summary
- Key assumptions
- Management’s responses

Reporting

Page 133

• FIL-52-96 - Joint Agency Policy Statement on Interest Rate Risk
- http://www.fdic.gov/news/news/financial/1996/fil9652.html

• FIL-2-2010 - Financial Institution Management of Interest Rate Risk
- http://www.fdic.gov/news/news/financial/2010/fil10002.html

• FIL-2-2012 - Interest Rate Risk Management: Frequently Asked Questions
- http://www.fdic.gov/news/news/financial/2012/fil12002.html

• FIL-46-2013 - Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment
- https://www.fdic.gov/news/news/financial/2013/fil13046.html

• FIL-10-2016 - Interest Rate Risk Videos Updated
- https://fdic.gov/regulations/resources/director/technical/irr.html

Guidance

Page 134

Allowance for Loan and Lease Loss Validations

Michael Koupal, CPA, Senior Manager

Page 135

Page 136

• ASC 450 (FAS 5) General Reserve
- Historical Loss Factors
- Environmental Factors
• (Qualitative adjustments to historical loss rates)
- What if a migration analysis is used?

• ASC 310-10-35 (FAS 114) Specific Reserve
- Impaired Loans/Troubled Debt Restructures (“TDRs”)

Overview

Page 137

• Historical Loss Factors - Calculated using historical charge-offs by loan pool over a designated time period

• Test loss factors by:
- (a) Recalculating the historical loss factor
• Subject a sample of current year charge-offs to proper approval and recording
• Reconcile charge-offs / recoveries to allowance roll forward and GL
• Verify loss history is properly applied against average loan balances of proper pool
• Verify impaired loans are excluded from the outstanding average loan balances in the application of the loss factors in order to avoid layering

General Reserve - ASC 450 (FAS 5)

Page 138

• Historical Loss Factors

• Test loss factors by:
- (b) Evaluating the appropriateness of the historical loss period
• Usually between 8 quarters and 16 quarters is a reasonable historical loss period

General Reserve - ASC 450 (FAS 5)
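The recalculation in step (a) and the look-back evaluation in step (b), carried out in Python on constructed pool data as an added example (this is not code from the presentation): the loss factor is recomputed with impaired balances removed from the denominator, the quarter's charge-offs and recoveries are tied to a constructed allowance roll-forward, and the factor is shown for an 8- and a 10-quarter look-back. The annualization convention and every figure are assumptions of the example.

```python
"""Recalculate ASC 450 (FAS 5) historical loss factors and reconcile charge-offs.

Added example, not code from the Elliott Davis Decosimo presentation. Every
pool, balance, charge-off and roll-forward figure below is constructed sample
data. Two conventions are assumptions of this example: the factor is annualized
(rate over the look-back scaled to four quarters), and impaired balances are
removed from the denominator so the general reserve is not layered on top of
the specific reserve already held for impaired loans.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolQuarter:
    pool: str
    quarter: str         # "YYYYQn": lexical order equals chronological order
    avg_balance: float   # average outstanding balance of the pool in the quarter
    avg_impaired: float  # part of avg_balance that is impaired (ASC 310-10-35)
    charge_offs: float
    recoveries: float

    @property
    def net_charge_offs(self) -> float:
        return self.charge_offs - self.recoveries

    @property
    def avg_unimpaired(self) -> float:
        # Impaired loans already carry a specific reserve; leaving them in the
        # general-reserve base would reserve for them twice (layering).
        return self.avg_balance - self.avg_impaired


# Constructed data: ten quarters (2013Q3..2015Q4) for two pools. CRE losses were
# much higher in the two oldest quarters, so the look-back choice moves the factor.
QUARTERS = ["2013Q3", "2013Q4"] + [f"{y}Q{q}" for y in (2014, 2015) for q in (1, 2, 3, 4)]
SAMPLE = []
for i, qtr in enumerate(QUARTERS):
    cre_charge_offs = 900_000 if i < 2 else 300_000
    SAMPLE.append(PoolQuarter("CRE", qtr, 50_000_000, 2_000_000, cre_charge_offs, 60_000))
    SAMPLE.append(PoolQuarter("Consumer", qtr, 10_000_000, 0, 50_000, 10_000))

# Constructed allowance roll-forwards for 2015Q4: one ties to the pool detail,
# the other understates charge-offs by 10,000 (it still foots, so only the
# tie-out to pool detail catches it).
GOOD_ROLLFORWARD = {"beginning": 1_000_000, "provision": 350_000,
                    "charge_offs": 350_000, "recoveries": 70_000, "ending": 1_070_000}
BAD_ROLLFORWARD = {"beginning": 1_000_000, "provision": 350_000,
                   "charge_offs": 340_000, "recoveries": 70_000, "ending": 1_080_000}


def lookback(rows, pool: str, n_quarters: int):
    """Most recent n_quarters rows for a pool, oldest first."""
    pool_rows = sorted((r for r in rows if r.pool == pool), key=lambda r: r.quarter)
    return pool_rows[-n_quarters:]


def historical_loss_factor(rows, pool: str, n_quarters: int = 8) -> float:
    """Annualized net charge-off rate over the look-back, impaired loans excluded:
    (sum of net charge-offs / mean unimpaired average balance) * 4 / n_quarters."""
    window = lookback(rows, pool, n_quarters)
    if len(window) != n_quarters:
        raise ValueError(f"{pool}: only {len(window)} quarters of history available")
    net = sum(r.net_charge_offs for r in window)
    base = sum(r.avg_unimpaired for r in window) / n_quarters
    return net / base * 4 / n_quarters


def general_reserve(rows, pool: str, n_quarters: int = 8) -> float:
    """Loss factor applied to the pool's latest unimpaired balance, not its total."""
    latest = lookback(rows, pool, 1)[0]
    return historical_loss_factor(rows, pool, n_quarters) * latest.avg_unimpaired


def reconcile_rollforward(rows, quarter: str, rollforward: dict, tolerance: float = 1.0):
    """Tie pool-level charge-offs and recoveries to the allowance roll-forward
    and check that the roll-forward foots. Returns a list of exception strings."""
    q_rows = [r for r in rows if r.quarter == quarter]
    pooled_co = sum(r.charge_offs for r in q_rows)
    pooled_rec = sum(r.recoveries for r in q_rows)
    exceptions = []
    if abs(pooled_co - rollforward["charge_offs"]) > tolerance:
        exceptions.append(f"charge-offs: pools {pooled_co:,.0f} vs "
                          f"roll-forward {rollforward['charge_offs']:,.0f}")
    if abs(pooled_rec - rollforward["recoveries"]) > tolerance:
        exceptions.append(f"recoveries: pools {pooled_rec:,.0f} vs "
                          f"roll-forward {rollforward['recoveries']:,.0f}")
    footed = (rollforward["beginning"] + rollforward["provision"]
              - rollforward["charge_offs"] + rollforward["recoveries"])
    if abs(footed - rollforward["ending"]) > tolerance:
        exceptions.append(f"roll-forward does not foot: {footed:,.0f} vs "
                          f"ending {rollforward['ending']:,.0f}")
    return exceptions


if __name__ == "__main__":
    for n in (8, 10):
        print(f"CRE factor, {n}-quarter look-back: {historical_loss_factor(SAMPLE, 'CRE', n):.4f}")
    print(f"CRE general reserve, 8 quarters: {general_reserve(SAMPLE, 'CRE'):,.0f}")
    print("good roll-forward:", reconcile_rollforward(SAMPLE, "2015Q4", GOOD_ROLLFORWARD))
    print("bad roll-forward:", reconcile_rollforward(SAMPLE, "2015Q4", BAD_ROLLFORWARD))
```

On this data the CRE factor is 2.0% with an 8-quarter look-back and 3.0% with 10 quarters, which is the kind of swing step (b) asks the validator to judge.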

Page 139

• What happens if the Bank is using a migration analysis instead of a historical analysis for their general reserve?
- Need to gain an understanding of the migration to determine if the methodology is reasonable
- Recalculate at least a sample to determine if the system is working properly (trace/vouch)
- Great use of Excel
- If using third party system, see if they’ve already done a certification/validation on the model so you only have to focus on the inputs and outputs.

Migration Analysis

Page 140

• Environmental Factors (per FIL 105-2006)
- Changes in lending policies, including underwriting standards
- National and local economic trends and conditions
- Trends in delinquencies and impaired loans
- Levels and trends in recoveries and charge-offs
- Trends in volume and terms of loans
- Experience and ability of lending management and relevant staff
- Credit concentrations
- Changes in loan review system
- Other (not limited to factors above)

• Supportable/documented
• Reasonable

Environmental Factors

Page 141

• Impaired Loan
- Impairment occurs when it is probable that the entity will be unable to collect all amounts due according to the contractual terms of the receivable
- All amounts due according to the contractual terms means that both the contractual interest payments and the contractual principal payments will be collected as scheduled according to the receivable's contractual terms. Need not consider an insignificant delay or insignificant shortfall in amount of payments.

Specific Reserves ASC 310-10-35 (FAS 114)

Page 142

• Methods for calculating impairment
- Impairment calculated based on fair value of collateral
• For collateral dependent loans
- Impairment calculated based on present value of expected future cash flows
• For non collateral dependent loans
- Fair Value (rarely used)

Specific Reserves ASC 310-10-35 (FAS 114)

Page 143

• Collateral dependency
- Repayment is expected to be provided solely by the underlying collateral
• Should adjust for selling costs (taxes, repairs, agents, etc.)
- Repayments from proceeds of sale of collateral
- Cash flows from continued operation of collateral
• Apartment building, shopping mall
• Cash flows are derived solely from the property’s rental income

Specific Reserves ASC 310-10-35 (FAS 114)

Page 144

• Sale of underlying collateral
• It is important to:
- Evaluate the professional qualifications of the appraiser
- Consider the date and age of the appraisal
- Obtain an understanding of the appraiser’s relationship to the borrower and consider the objectivity of the appraiser
- Obtain an understanding of the methods and assumptions used by the appraiser
- Make appropriate tests of data provided to the appraiser, including the legal description of the property and any other assumptions such as expected cash flows

Specific Reserves ASC 310-10-35 (FAS 114)

Page 145

• Impairment based on PV of expected cash flows

• Examine evidence that supports management’s expected cash flows. (For example, evidence might include borrower financial statements and income tax returns.)

• Consider contradictory evidence that suggests that management’s cash flow expectations are unreasonable.

- Contractual payment terms required under modified loan are not necessarily the best estimate of expected future cash flows

Specific Reserves ASC 310-10-35 (FAS 114)

Page 146

• Impairment based on PV of expected cash flows

• Compare the discount rate used in the cash flow calculation to the loan’s original effective rate (not modified rate)

• Test the clerical accuracy of the cash flow calculation

• Consider default and prepayment assumptions

• Environmental factors – industry, geographical, economic, political

Specific Reserves ASC 310-10-35 (FAS 114)

Page 147

• Impairment based on PV of expected cash flows
- Cash flows from other available sources (including guarantors) must be more than nominal to conclude a loan is not collateral dependent
- E.g., cash flows generated by operation of a business or other source outside of lender’s security interest in the collateral
- Balloon payments
- Significant uncertainty may exist regarding the borrower’s ability to refinance/pay the loan off at maturity when contractual balloon payments are required
- Acceptable approach is to utilize the fair value of collateral (less costs to sell) as expected future cash flows at maturity
• Unless balloon payment amount is less than FV of collateral; in those cases, use the balloon payment

Specific Reserves ASC 310-10-35 (FAS 114)

Page 148

• Impairment based on PV of expected cash flows
- In general, GAAP does not allow impairment calculations to run beyond the contractual term
- Exceptions
• E.g., automatic renewal at maturity
• Regulators are open to possibility of adjusting the impairment measurement by a qualitative factor if quantifiable/objectively measured
- More accurately approximate the risk and economics of the relationship between the institution and borrower
- Key point is to have a well-documented workout plan if measuring impairment beyond contractual term

Specific Reserves ASC 310-10-35 (FAS 114)

Page 149

• Troubled Debt Restructuring
• Loan modified by granting a concession on
- Rate
- Term/maturity extension
- Payment amount
- Interest or principal forgiveness
• For economic or legal reasons related to the borrower’s financial difficulties
- Should be considered impaired and accounted for as an impaired loan in accordance with ASC 310-40

Specific Reserves ASC 310-10-35 (FAS 114)

Page 150

• Troubled Debt Restructuring
• Is it ok to pool non-collateral dependent, insignificant loans?
• How would the reserve be calculated?
- Search for TDRs
- Options for removing TDRs ASC 310-20 (FAS 91)

Specific Reserves ASC 310-10-35 (FAS 114)

Page 151

Chris Purvis, CPA
Email: [email protected]
704.808.5216

Michael Koupal, CPA
Email: [email protected]
704.808.5211

Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Page 152

360° of Vendor Management

Jay Brietz, CPA and CIA, Shareholder

Page 153

Page 154

• Overview of Vendor Management • Vendor Management Steps • SOC Report Reviews

Agenda

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC 3

Overview of Vendor Management

Who are third-party vendors?

• The FDIC’s definition is the simplest: “All entities that have entered into a business relationship with a financial institution.”
• The OCC’s definition gives more examples of the third parties that provide “…outsourced products and services, independent consultants, networking arrangements, merchant payment processing services…” and so forth.
• The FRB and CFPB also have their own definitions.

Overview of Vendor Management

• Outsourcing dates back to the 1800s
• 1970s and 1980s
  - Advancement of IT environments
  - Move from payroll outsourcing to IT outsourcing
• 1990s and 2000s
  - Y2K scare and the boom of IT consulting
  - Speed of change (broadband, storage, internet, and security)
  - Education and training

Overview of Vendor Management

• Think back to your bank in the 1980s (maybe even in the 1990s):
  - Core processing system was home grown (probably on a computer the size of a tank)
  - Payroll was one of the first processes outsourced
  - Most other functions were performed in-house

Overview of Vendor Management

• Common processes at banks that are outsourced today:
  - Core processing system and related bank products
  - Payroll processing
  - Investments safekeeping and recordkeeping
  - Benefit plan processing
  - Others

Overview of Vendor Management

THOUGHT OF THE DAY:

You can outsource the process…but you still need to manage the risks associated with the process.

Overview of Vendor Management

• Vendor management is an important aspect of the bank’s overall risk management program.
• According to the FDIC: “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling risks arising from such relationships, to the same extent as if the activity were handled within the institution.” (FIL-44-2008, “Guidance for Managing Third-Party Risk”)

Overview of Vendor Management

What are the typical risks associated with the use of third parties?

• Strategic Risks
• Credit Risks
• Transactional Risks
• Compliance Risks
• Operational Risks
• Reputational Risks

Overview of Vendor Management

Identifying Risk Responses

Management’s response to risk:

• Avoidance – Exiting the activities giving rise to the risk
• Acceptance – No action is taken to affect risk likelihood or impact
• Reduction – Action taken to reduce the risk likelihood or impact, or both
• Sharing – Reducing the likelihood or impact by transferring or sharing a portion of the risk

Use of third parties means you have “Accepted” the risk!


Vendor Management Steps

• Effective vendor management programs typically contain four key steps:
  - Risk Assessment
  - Due Diligence
  - Contracting
  - Monitoring

Risk Assessment → Due Diligence → Contracting → Monitoring

Vendor Management Steps – Risk Assessment

• Some key considerations in assessing vendor risk (always thinking WCGW – what could go wrong):
  - Longevity of the relationship and/or service/product
  - Materiality of the contract to the Bank’s financials
  - Significance of the process/services outsourced
  - How easily the service/product can be moved or brought in-house
  - Where critical/sensitive information is housed and how quickly it can be recovered
  - Whether the third party will have access to and/or transmit sensitive data
  - Reputational risks if the services are not performed correctly
  - Compliance risks associated with the outsourced services
  - Experience of the internal personnel managing the relationship

Vendor Management Steps – Risk Assessment

Classifying Risks (High / Moderate / Low):

• Critical Vendors – cannot be easily replaced if services are interrupted or terminated, which in turn may cause significant operational and/or financial impact.
• Other High Risk Vendors – have unsupervised access to sensitive data, critical applications, technology infrastructure or related control systems, and should therefore be deemed high risk.
• Moderate and Low Risk Vendors – risks do not meet the criteria of the high risk category, and due diligence is typically performed less frequently.

Vendor Management Steps – Due Diligence

Items typically obtained and reviewed:
• Audited financial statements
• Insurance coverage and exclusions
• Experience of principals and business reputation
• External reports:
  - SOC reports
  - Compliance and regulatory reports
  - Peer reviews
• Hiring policies and use of background checks

Vendor Management Steps – Due Diligence

Items typically obtained and reviewed (continued):
• IT security policy, including:
  - Protection of confidential information
  - Business continuity and disaster recovery plans
  - Data removal and destruction policies and procedures
• Strategic plans for upgrades and changes to hardware and/or software
• Pending lawsuits

Vendor Management Steps – Contracting

Contracting considerations:
• Ensure scope and key terms are clearly defined
• Incorporate performance measures, such as SLAs and project plans
• Legal language, such as indemnification provisions and limits of liability
• Right-to-audit clause or requirements for SOC reports
• Use of subcontractors (prior notice/approval)
• Data privacy – confidentiality and security
• Business continuity and disaster recovery plans

Vendor Management Steps – Monitoring

Monitoring considerations:
• Who – a person with the requisite knowledge and skills to critically review all aspects of the relationship
• What – established performance benchmarks such as financial condition, performance against stated terms or project plans, reputation, and external reviews/SOC reports
• When – frequency determined by risk classification
• How – typical monitoring procedures include separate evaluations and ongoing monitoring efforts


SOC Report Reviews

• SOC reports are an important part of the vendor management program, so it is important to know how to leverage them.
• In this final section, we will cover:
  - An overview of SOC reports
  - Key aspects of these reports to leverage
  - The bank’s responsibilities related to SOC report reviews and User Control Considerations (UCCs)

SOC Report Reviews

Why do companies get a SOC report?

Parties involved: user organizations, the user organizations’ auditors, the service organization, its subservice organizations, and an independent accounting or auditing firm (the service auditor).

• In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit, as required by AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
• If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.
• The service organization will engage the independent accounting firm to perform a SOC examination and issue a report on the organization’s internal controls.

SOC Report Reviews

Let’s compare the three SOC reports:

SOC 1
  Who: User entity management and user auditors
  Why: Audit
  What: Controls relevant to user entities’ internal control over financial reporting

SOC 2
  Who: User entity departments other than accounting
  Why: Governance, risk and compliance programs; oversight; due diligence
  What: Controls relevant to security, availability, processing integrity, confidentiality, or privacy

SOC 3
  Who: Any users with a need for confidence in the service organization’s controls
  Why: Marketing – “confidence without the detail”
  What: Seal and easy-to-read report on controls

SOC Report Reviews

• There are two “Types” of reports for both SOC 1 and SOC 2: Type 1 and Type 2.

• Difference between a Type 1 and a Type 2:

Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

SOC Report Reviews

• What reports are required to be reviewed?
  - Key processes that are outsourced:
    • Investment recordkeepers and pricing services
    • Payroll service providers
    • Core processing package
  - Other processes that may need reviewing:
    • Benefit plan and claims processors
    • Certain add-on modules from the core processor
    • Data centers

SOC Report Reviews

Example service auditor’s report. Points to note in the scope paragraph: the processes or functions covered by the report; the audit period covered; Type 1 vs. Type 2; and that user entity controls are a key part of the internal control system.

Scope
We have examined Example Co., Inc.’s (“Example” or the “Company”) description of its Payroll Processing Services system and related controls for processing user entities’ transactions (the “Description”) throughout the period July 1, 2014 to June 30, 2015 (“Specified Period”) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description. The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls contemplated in the design of the Company’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

SOC Report Reviews

Scope (continued)
The Company uses various subservice organizations for certain functions of its Payroll Processing Services system and related controls, as described in Section Three. The Company’s control objectives and related controls, which are listed in Section Four of this report, include only the control objectives and related controls of the Company and exclude the control objectives and related controls of the subservice organizations. Our examination did not extend to the controls of the subservice organizations.

This paragraph identifies the subservice organizations that are carved out, i.e., excluded from the scope of the report.

SOC Report Reviews

Scope (continued)
The information presented in Section Five titled “Other Information Provided by the Service Organization” describes additional processes performed by the Company. It is presented by the management of the Company to provide additional information and is not a part of the Company’s Description. Information presented in Section Five has not been subjected to the procedures applied in the examination of the Description and the suitability of the design and operating effectiveness of controls to meet the related criteria stated in the Description and accordingly, we express no opinion on it.

This paragraph describes other information presented by the Company that is not included in the scope of the opinion.

SOC Report Reviews

Basis for Qualification
The Company states in its Description that it has controls in place to review the accuracy of fee schedule codes applied to new account setups or maintenance to existing accounts. However, as noted on page 117 of the description of tests of controls and results thereof, these controls were not operating effectively throughout the Specified Period. As a result, controls were not operating effectively to achieve the control objective, “Controls provide reasonable assurance that trust fees are accurately calculated and recorded,” throughout the Specified Period.

This paragraph, which appears just before the opinion paragraph, gives the reason for the qualified opinion.

SOC Report Reviews

Opinion
In our opinion, except for the matter in the preceding paragraph, in all material respects, based on the criteria described in the Company’s assertion in Section Two of this report:
• The Description fairly presents the Payroll Processing Services system and related controls that were designed and implemented throughout the Specified Period. (Opinion 1: the Description was fairly stated.)
• The controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Specified Period and user entities applied the complementary user entity controls contemplated in the design of the Company’s controls throughout the Specified Period. (Opinion 2: the controls were suitably designed.)
• The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the Specified Period. (Opinion 3: the controls were operating effectively.)

SOC Report Reviews

Excerpt of the User Entity Controls (also referred to as User Control Considerations (UCCs)) from the example report.

SOC Report Reviews

Evaluating UCCs
• Create a matrix of all UCCs that are applicable to your Bank, including:
  - Service organization
  - User entity control (as listed in the SOC report)
  - Applicable to the bank (Yes or No)
  - Control at the bank to address the UCC
  - Test procedure and results of testing

SOC Report Reviews

Example UCC Documentation and Testing Matrix

Columns: Service Organization | UCC Description | Applicable to the Bank? | Control Activity at Company | Design: Designed Properly? / Remediation Needed? <1> | Implementation & Operation: Implemented & Operating Effectively? / Remediation Needed? <2> | Reliance on UCC Appropriate?

Row 1
  Service Organization: XYZ Payroll Service
  UCC Description: The user organization is responsible for notifying the service organization of changes in the authorized contacts list.
  Applicable to the Bank? Yes/No
  Control Activity at Company: Jane Doe is the only individual at the Company who is currently on the authorized contacts list. Authorized Company personnel would notify the service organization immediately of any changes to be made to the list.
  Design – Designed Properly? Yes/No <1>; Remediation Needed? N/A or description of required remediation
  Implementation & Operation – Implemented & Operating Effectively? Yes/No <2>; Remediation Needed? N/A or description of required remediation
  Reliance on UCC Appropriate? Yes/No

Row 2
  Service Organization: XYZ Payroll Service
  UCC Description: The user organization is responsible for ensuring that only authorized and properly trained personnel are allowed logical access to the service organization’s systems, fax input worksheets and coversheets.
  Applicable to the Bank? Yes/No
  Control Activity at Company: The Company has procedures in place for ensuring that only authorized and properly trained personnel are allowed logical access to the service organization’s systems, fax input worksheets and coversheets.
  Design – Designed Properly? Yes/No <1>; Remediation Needed? N/A or description of required remediation
  Implementation & Operation – Implemented & Operating Effectively? Yes/No <2>; Remediation Needed? N/A or description of required remediation
  Reliance on UCC Appropriate? Yes/No

<1> Retain documentation of the factors considered (i.e., specific control objectives addressed, relevant assertions, etc., as appropriate).
<2> Retain documentation of the procedures performed to evaluate implementation and operating effectiveness.

SOC Report Reviews

SOC Report Review and Vendor Management Summary
• Key aspects of the opinion:
  - Processes/functions covered by the report
  - Audit period covered, and Type 1 versus Type 2
  - Subservice providers carved out – you may need to request their SOC report separately
  - Other information included but not covered by the opinion (usually in Section Five of the report)
  - Any qualification(s) or emphasis of a matter

SOC Report Reviews

SOC Report Review and Vendor Management Summary (continued)
• Other key aspects of the SOC report:
  - Complementary User Entity Controls/UCCs
  - Exceptions in the testing procedures and management’s response to those exceptions
  - Bridge letters – not necessarily a key part of vendor management, but can be important when using the SOC report for Sarbanes-Oxley and financial reporting


Questions?

Jay Brietz, CPA, CIA
Email: [email protected]
Phone: 704.808.5247
Mobile: 704.996.4655
Website: www.elliottdavis.com

Page 194: Tennessee Risk Management Seminar 2016 - Elliott Davis · the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions

TN Risk Management Seminar Bios IT Security – Update on Practical Risk Mitigation Strategies Bonnie Bastow, Director, Elliott Davis Decosimo Bonnie has over 20 years of experience in Accounting, Finance, Operations and Information Systems. Her main focus is providing IT related assurance, consulting, advisory, compliance and security services. She has executed SOC1 and SOC2 engagements, FFEIC engagements, developed custom audit work-programs and conducted several system implementation audits and reviews. Bonnie’s ERP experience includes: SAP, Oracle, Lawson, Dynamics GP, JD Edwards, UltiPro, and PeopleSoft (Financials & HRMS) – operating systems: Unix/Linux, iSeries (AS/400), Windows Server and mainframe – and databases; Oracle, SQL and DB2. Bonnie has worked with various frameworks including: COBIT, FFIEC and COSO.

Regulatory Compliance Hot Topics
Tim Kemp, Attorney, Butler Snow, LLP

After more than 20 years in-house, most recently serving as deputy general counsel, chief regulatory and government relations counsel and chief compliance officer of a $5 billion public insurance and bank holding company with international operations, Kemp resumed private practice in 2014 to build a nationwide practice focusing on financial services and insurance regulation, with an emphasis on the representation of insurance holding companies, underwriters and agents in matters before federal and state regulatory agencies, including the Consumer Financial Protection Bureau (CFPB) and all state departments of insurance. He also counsels regulated businesses on matters of compliance, corporate governance and vendor management. He uses his extensive business experience to assist clients in developing innovative solutions that help manage legal, regulatory and enterprise risks while keeping sight of their corporate and business objectives. Kemp completed his undergraduate education at Millsaps College in Jackson, Miss. before earning his Juris Doctor at The University of Mississippi. He is admitted to practice in the District of Columbia, Tennessee, Illinois and Mississippi.

Great Internal Controls and Then it Happens – Fraud!
Pam Mantone, Director, Elliott Davis Decosimo

Pam specializes in litigation support services with emphasis on forensic accounting and fraud examinations. She has performed forensic and fraud auditing services for organizations, including the gathering of forensic evidence and testifying to findings. Pam also provides consulting services regarding implementation of fraud prevention and fraud detection internal control systems. Her experience includes conducting and supervising audits of local banks, credit unions, local not-for-profit organizations and HUD audits. She manages and performs external and internal audits of financial institutions. Pam is an accomplished author. Her book, Using Analytics to Detect Possible Fraud – Tools and Techniques, was published in 2013 and provides a common source of analytical techniques used in forensic accounting investigations. It is also used as a college textbook.

Performing Model Validations
Chris Purvis, Shareholder, Elliott Davis Decosimo

Chris has more than a decade of experience providing audit and consulting services for financial institutions. Chris leads the firm’s Compliance Consulting Services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School. Prior to joining Elliott Davis Decosimo in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing.

Michael Koupal, Senior Manager, Elliott Davis Decosimo

Michael focuses on providing accounting and assurance services to clients in the financial institution industry sector. Prior to joining Elliott Davis Decosimo in September 2012, Michael was employed with Plante Moran, PLLC in Toledo, Ohio and served community banks throughout Michigan and Ohio. With approximately 10 years of experience in public accounting, his experience includes working with community banks ranging in size from $100 million to more than $3 billion in assets. Michael’s external audit experience includes both private and public institutions, including SOX 404 and FDICIA requirements. Michael’s internal audit experience also includes private and public institutions, including assisting in determining and setting up key controls for SOX 404 and FDICIA requirements. He also specializes in interest rate risk and liquidity risk management audits, Automated Clearing House (“ACH”) audits, and loan/credit reviews.

360° of Vendor Management
Jay Brietz, Shareholder, Elliott Davis Decosimo

With more than 20 years of experience in finance and accounting, Jay focuses on providing assurance and consulting services to financial institutions and third-party processing organizations, including internal audits, risk management, information technology and Sarbanes-Oxley compliance. Jay also leads the firm’s SSAE 16 – Service Organization Controls Reporting practice. Jay is both a certified public accountant and a certified internal auditor. His experience includes serving as senior compliance manager for a global banking institution, a business advisory senior manager for an international CPA firm, a managing consultant for a large technology and process consulting firm and a financial statement auditor for a Big Four accounting firm. Jay has written numerous articles on dealing with Sarbanes-Oxley, corporate governance and internal controls. He also was a principal contributor in COSO’s Guidance on Monitoring Internal Control Systems.

Risk Management Roundtable
June Crowell, Shareholder, Elliott Davis Decosimo

June has more than 26 years of experience in both public accounting and the financial institutions industry. She provides external and internal audits, regulatory compliance reviews, loan reviews, Bank Secrecy Act (BSA) reviews and Automated Clearing House (ACH) reviews. In addition to serving financial institutions, June also provides audit services and corporate and individual tax return preparation for manufacturing clients, trade associations and investment companies. Prior to joining Elliott Davis Decosimo, June was a founding partner of Crowell & Crowell, PLLC.

Samantha Meyer, Chief Risk Officer, First Community Mortgage

Samantha Meyer has been in the mortgage business for almost 15 years and has worked for First Community Mortgage in Murfreesboro, TN for over 10 years. She has been involved in or managed every operational department at First Community Mortgage and has played a key role in its leadership as it has grown from a company of approximately 25 to nearly 300 during her tenure. Currently, Samantha is the Chief Risk Officer and oversees the Compliance Department, Quality Control Department, Fraud and Risk Department as well as Regulatory Policy and Audit. She is a member of the Executive Management Team and works closely with both Sales and Operations. FCM closed 1.6 billion in loans in 2015, with 18 mortgage branches in the Southeast and Midwest and currently lends in 35 states.

Richard Tripp, Compliance & Risk Officer, First Volunteer Bank

Richard has been in banking since 1999. He has held many positions in Auditing, Compliance and Risk over the years. Richard has been serving as Compliance and Risk Officer for First Volunteer Bank in Chattanooga, TN since 2011. Previously he was with Carolina Financial Corporation in Charleston, SC, The Fidelity Bank in Fuquay-Varina & Cary, NC and Central Carolina Bank in Apex, NC. Richard is an ABA Certified Regulatory Compliance Manager and a graduate of the University of NC-Chapel Hill/Kenan-Flagler Business School.

Brandon Woodard, Compliance Officer, Macon Bank & Trust

Brandon Woodard is an Assistant Vice President and Compliance Officer with Macon Bank & Trust Company located in Lafayette, TN. Brandon is responsible for managing regulatory loan and deposit compliance for the $378 million institution, which is regulated by the FDIC.

200 East Broad Street, Suite 500
Greenville, SC 29601
Direct: 864.552.4763 | Office: 864.242.3370 | Fax: 864.241.5713
[email protected]

Robert Beckwith, CPA
Shareholder
Services: Tax | Industries: Financial Services

Professional Overview
Bob focuses on providing tax consulting services to clients in the financial services industry. Bob has more than 40 years of bank tax consulting and compliance experience, including 20 years at a Big Four accounting firm. He assists clients with financial reporting in accordance with FASB ASC 740 and planning and analysis of C corporation tax issues including mergers and acquisitions, tax benefit limitations upon Sec. 382 change-of-control, compensation and golden parachutes, and accounting methods and periods. Bob has served multi-billion dollar organizations, filing complex consolidated and multi-state returns. He also possesses expertise in planning for the election to be an S corporation bank and the resulting compliance issues.

Education, Credentials and Special Training
Certified Public Accountant
M.S., Accounting, Colorado State University
B.S., Business Administration with emphasis in accounting, University of Nebraska

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants

Thought Leadership
Panelist, Bank Tax Institute Community Banking Panel
Co-instructor, Co-Community Bank Tax Workshop

elliottdavis.com © Elliott Davis Decosimo LLC

1901 Main Street, Suite 900
Columbia, SC 29201
Direct: 803.255.1497 | Office: 864.242.3370 | Fax: 803.255.0733
[email protected]

William (Bill) J. Bossong, CPA, CBA
Shareholder, Financial Institutions Group Consulting
Services: Consulting | Industries: Financial Services

Professional Overview
Bill has more than eight years of public accounting experience with an emphasis in financial institutions and SEC registrants. He leads the firm’s Financial Institution Consulting Practice for merger and acquisition matters. These services include due diligence projects, Day 1 valuations, Day 2 accounting, internal audits over other Day 2 providers, and accounting policy creation and review. This team has developed ValuCast™, a proprietary solution designed to assist banks with Day 1 and 2 accounting in accordance with the Accounting Standards Codification (ASC). Bill has led numerous FDIC-assisted and whole bank valuation projects including valuing various net assets acquired, including but not limited to the loan portfolio, core deposit intangible, time deposits, borrowings and other long-term debt, and share-based payment awards. In addition to the Day 1 valuations and Day 2 experience, Bill and his team have assisted their clients by developing projection and other financial planning models and reports. Bill also has a significant amount of experience related to the Allowance for Loan and Lease Losses (ALLL) under ASC 450-20 and ASC 310-10, including building an ALLL model for a large regional bank. Bill has also worked closely with the valuation team for various financial service line-of-business acquisitions, including leasing companies, mortgage companies, and broker dealer/investment companies. He provides consulting services to numerous clients ranging in size from $400 million in assets to over $20 billion in assets.

Education, Credentials and Special Training
Certified Public Accountant
Certified Bank Auditor
Master of Accountancy, University of South Carolina
B.S., Accounting, University of South Carolina
SEC Reporting, AICPA

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants

Civic and Community Activities
Walk Team Captain, Juvenile Diabetes Research Foundation
Board of Directors, Midlands March of Dimes
Deacon and Former Member of the Finance Committee, First Baptist Church of Columbia


1901 Main Street, Suite 900
Columbia, SC 29201
Direct: 803.255.1203 | Office: 803.256.0002 | Fax: 803.255.0714
[email protected]

R. Jason Caskey, CPA
Shareholder and Financial Services Practice Leader
Services: Assurance | Industries: Financial Services

Professional Overview
As leader of the firm’s Financial Services practice, Jason focuses on serving financial institutions and SEC registrants. With more than 24 years of experience, he serves community banking clients in both the private and public sector. Jason has assisted clients with public stock offerings, mergers and acquisitions and SEC filings including comfort letters. In addition, he also serves clients with a number of consulting engagements including outsourced internal audit, external loan reviews and Bank Secrecy Act reviews. Jason recently completed six years as an elected member of the firm’s Executive Committee. He recently completed four years as the managing shareholder of the firm’s Columbia office. Jason currently serves as engagement shareholder on First Bancorp and Palmetto Bankshares, among others.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of South Carolina
University of Virginia National Banking School

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina and North Carolina Association of Certified Public Accountants
State Bankers Associations in South Carolina, North Carolina, Georgia and Virginia
Independent Bankers Association of South Carolina

Civic and Community Activities
Board of Directors and Audit Committee, United Way of the Midlands
Board of Directors and Audit Committee, Navigating from Good to Great
Board of Advisors and Audit Committee, USC Business Partnership Foundation
Member, Greater Columbia Chamber of Commerce Finance Committee
Deacon, First Baptist Church of Columbia
Columbia Chamber of Commerce Committee of 100
Former Board of Directors and Audit Committee, Central Carolina Community Foundation
Former Member Board of Directors, Children’s Trust of South Carolina
Former Board of Directors, South Carolina Student Loan Corporation
Former Board of Directors and Audit Committee, SC Economics
Former Member Board of Trustees, Charleston Southern University
Former Member Board of Directors, Juvenile Diabetes Research Foundation
2011 Heart Ball Chair, American Heart Association, Columbia
2008 Distinguished Young Alumnus, USC Moore School of Business


400 Sugartree Lane, Suite 600
Franklin, TN 37064
Office: 615.790.0542 | Fax: 615.591.6939
[email protected]

June A. Crowell, CPA, CGMA
Shareholder
Services: Assurance | Industries: Banking and Financial Services

Professional Overview
June has more than 26 years of experience in both public accounting and the financial institutions industry. She provides external and internal audits, regulatory compliance reviews, loan reviews, Bank Secrecy Act (BSA) reviews and Automated Clearing House (ACH) reviews. In addition to serving financial institutions, June also provides audit services and corporate and individual tax return preparation for manufacturing clients, trade associations and investment companies. Prior to joining Elliott Davis Decosimo, June was a founding partner of Crowell & Crowell, PLLC.

Education, Credentials and Special Training
Certified Public Accountant
Chartered Global Management Accountant
American Bankers Association National Compliance School
B.B.A., Accounting, Belmont University

Professional Affiliations
American Institute of Certified Public Accountants
Tennessee Society of Certified Public Accountants, Member, Financial Institutions Committee
American Bankers Association
Tennessee Bankers Association, Member, Compliance Conference Committee
Financial Managers Society

Civic and Community Activities
Member, Williamson, Inc.
Member, Heritage Foundation
Member, University of Tennessee (Knoxville) Accounting and Information Management Advisory Round Table
Treasurer, Maplewood Office Park Condominium Association
Former Treasurer, CABLE


400 Sugartree Lane, Suite 600
Franklin, TN 37064
Office: 615.790.0542 | Fax: 615.591.6939
[email protected]

Chris Loyd, CPA, CISA, CGMA
Shareholder
Services: Assurance | Industries: Banking and Financial Services

Professional Overview
Chris has more than 13 years of public accounting experience and works exclusively with financial institutions. He provides external and internal audits, Sarbanes-Oxley control audits, Loan Review and IT audits to community banks ranging from $80 million in assets to multi-billion dollar financial institutions. Prior to joining Elliott Davis Decosimo, Chris worked with various industries and service areas including financial institutions, healthcare, manufacturing and distribution and benefit plans.

Education, Credentials and Special Training
Certified Public Accountant (CPA)
Certified Information Systems Auditor (CISA)
Chartered Global Management Accountant (CGMA)
Master of Accountancy, University of Mississippi
B.S., Accounting, Arkansas State University
Graduate School of Banking at Louisiana State University

Professional Affiliations
American Institute of Certified Public Accountants (AICPA)
Tennessee Society of Certified Public Accountants (TSCPA)
Institute of Internal Auditors (IIA)
American Bankers Association (ABA)
Tennessee Bankers Association (TBA)
Information Systems Audit and Control Association (ISACA)

Professional, Civic, and Community Activities
IT Conference Committee Member, TBA
Former Credit Conference Committee Member, TBA
Former Member of the Financial Institutions Committee, TSCPA
Graduate School of Banking at Louisiana State University Class of 2015 Officer


200 East Broad Street, Suite 500
Greenville, SC 29601
Direct: 864.242.2691 | Office: 864.242.3370 | Fax: 864.241.5798
[email protected]

F. Andrew Mitchell, CPA
Shareholder
Services: Assurance, Consulting | Industries: Financial Services, Manufacturing & Distribution, Professional Services

Professional Overview
Andy focuses on providing clients with corporate strategy, transaction, finance and auditing services. With 40 years of accounting experience, including 20 years with a Big Four accounting firm, his extensive background includes significant work with public companies and merger and acquisition transactions in the financial services, professional services, manufacturing and distribution industry sectors. As an audit partner, Andy served numerous public company clients and was the partner for more than a dozen initial public offerings. He recently completed five years as an elected member of the firm’s Executive Committee and currently serves as the managing shareholder for the Greenville office assurance practice.

Andy also served as chief financial officer for a publicly held company and two large private companies. In this capacity, he was responsible for all financial areas including accounting, acquisitions, budgeting, forecasting, credit, cash management, borrowings, information systems and stock offerings for these companies. Andy participated in the completion of an initial public offering and a secondary offering for the public company, which owned numerous retail stores, then negotiated the sale of the company. He also participated in the acquisition of a large operating subsidiary in the aviation service industry where he was actively involved in the completion of an underwritten bond offering and subsequent registration of those securities. For the third company, he was responsible for the reorganization and ultimate sale of the company, which was involved in the sale of hardware and software development and integration services for national retail chains.

Since joining Elliott Davis Decosimo in 2004, Andy has been responsible for the formation and development of the firm’s transaction services practice and serving financial institutions as a client service shareholder, including several public reporting companies.

Education, Credentials and Special Training
Certified Public Accountant
B.B.A., Accounting, University of Cincinnati

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Ohio Society of Certified Public Accountants


700 East Morehead Street, Suite 400
Charlotte, NC 28202
Direct: 704.808.5293 | Office: 704.333.8881 | Fax: 704.749.7993
[email protected]

George Noonan, CPA
Shareholder
Services: Tax | Industries: Financial Services

Professional Overview
With more than 20 years of experience in public accounting, George has worked extensively in the banking and related industries. He provides his clients with a variety of services including tax planning and research, ASC 740 consultation, mergers and acquisition consultation, FIN 48 analysis, tax return preparation, quarterly estimate preparation and forecasts and projections. His experience includes tax preparation and consulting for numerous financial institutions. George serves community banks ranging from $100 million in assets to multi-billion dollar financial institutions filing complex consolidated and multi-state income tax returns.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting and Finance, Wright State University
Bank Tax Institute, Annually

Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association
South Carolina Bankers Association
Virginia Bankers Association


Riverfront Plaza West Tower, Suite 1000
901 E. Byrd Street
Richmond, VA 23219
Direct: 804.887.2256 | Office: 804.612.4380 | Fax: 877.803.0432
[email protected]

Paul M. Pickett, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Paul focuses on providing professional accounting services to the financial services industry, specifically community banks. With more than 20 years of public accounting experience, he has served on audit engagements for more than 40 community banks and bank holding companies in Virginia, West Virginia, North Carolina and South Carolina. Paul has extensive knowledge of GAAP and SEC policies and assists clients with the preparation of consolidated financial statements, quarterly reviews and assistance with SEC filings and reporting, and merger and acquisition reporting. In addition, he serves as an instructor for a number of continuing education courses relating to financial institution accounting and auditing.

Education, Credentials and Special Training
Certified Public Accountant
University of Virginia National Banking School and National Banking Conference, American Institute of Certified Public Accountants
B.B.A., Accounting, Radford University

Professional Affiliations
American Institute of Certified Public Accountants
Virginia Society of Certified Public Accountants
North Carolina Bankers Association
Virginia Association of Community Banks
Virginia Bankers Association
West Virginia Bankers Association


700 East Morehead Street, Suite 400
Charlotte, NC 28202
Direct: 704.808.5216 | Office: 704.333.8881 | Fax: 704.749.7916
[email protected]

Christopher R. Purvis, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Chris has more than a decade of experience providing audit and consulting services for financial institutions. Chris leads the firm’s Compliance Consulting Services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School. Prior to joining Elliott Davis Decosimo in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of Kentucky
B.B.A., Finance, University of Kentucky
General School of Banking, Kentucky Bankers Association
Regulatory Compliance School, North Carolina Bankers Association

Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association

Civic and Community Activities
Board of Directors, Charlotte Steeplechase Association/Charlotte Queen’s Cup


200 East Broad Street, Suite 500
Greenville, SC 29601
Direct: 864.242.2638 | Office: 864.242.3370 | Fax: 864.241.5819
[email protected]

Garry A. Rank, CPA
Shareholder
Services: Assurance | Industries: Financial Services, SEC Reporting

Professional Overview
Garry focuses on corporate auditing and accounting as well as consultation regarding governance, financial systems and internal controls. With more than 34 years of experience, his industry concentrations include financial services, manufacturing and Securities and Exchange Commission (SEC) reporting. Additional professional experience includes the management of complex engagements, mergers and acquisitions, projects involving subsidiary companies and the application of accounting and reporting standards.

Education, Credentials and Special Training
Certified Public Accountant
Graduate, American Bankers Association, Business of Banking School
B.S., Accounting, University of Akron

Professional Affiliations
American Institute of Certified Public Accountants, Center for Audit Quality Small Firm Task Force
South Carolina Bankers Association
North Carolina Bankers Association
Georgia Bankers Association

Civic and Community Activities
Past President and Past Treasurer, Habitat for Humanity of Greenville County
Alumnus, Leadership Greenville, Greenville Chamber of Commerce
Past President and Past Treasurer, Greenville Breakfast Rotary Club

Thought Leadership
Speaker on audit committee responsibilities: SCBA/FDIC Directors College, 2003-2012; NCBA Bank Directors Assembly, 2004, 2007-2012
Presentations on SEC, corporate governance and new accounting pronouncements: Elliott Davis Decosimo CFO forum, 2003-2013
Authored various articles for publication regarding corporate governance, Sarbanes-Oxley Act of 2002 and ethics


200 East Broad Street, Suite 500
Greenville, SC 29601
Direct: 864.242.2625 | Office: 864.242.3370 | Fax: 864.241.5830
[email protected]

Barbara S. Rushing, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Barbara focuses on providing services to SEC clients in the financial services industry. With more than 20 years of experience, including several years at a Big Four accounting firm, Barbara has extensive knowledge of GAAP and SEC policies. She works with SEC registrant clients with complex accounting issues, comment letters, stock offerings and merger and acquisition reporting. Barbara has serviced more than 40 public offerings. Barbara is Vice Chairperson of the Firm’s Assurance & Advisory Committee, a technical committee that oversees quality control policies and risk management of the Firm’s attest practice.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of South Carolina

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants


1901 Main Street, Suite 900
Columbia, SC 29201
Direct: 803.255.1214 | Office: 803.256.0002 | Fax: 864.241.5808
[email protected]

Beverly A. Seier, CPA, CPCU
Shareholder
Services: Tax | Industries: Financial Services and Insurance

Professional Overview
With more than 20 years of experience, Bev focuses on serving financial institutions, insurance companies and SEC registrants. She provides both public and private clients with a wide range of services, including tax planning and compliance, ASC 740 and SSAP 101 tax provision consulting, federal and state audit examinations assistance, mergers and acquisitions tax planning and Sec. 382 change-in-control and 280G golden parachute studies. Bev also provides tax consulting services related to IRS Section 597 loss share tax accounting. Prior to joining Elliott Davis Decosimo, Bev was a Tax Partner at a Northeast-based accounting firm where she provided tax compliance, outsourcing and consulting to community banks ranging in size from de novos to $16 billion in assets. Bev has more than 12 years of experience in private industry as a Tax Manager at a $5.4 billion bank holding company and Senior Tax Coordinator at an insurance company. She was responsible for federal/state tax compliance, tax accounting/reporting, 1099 information reporting, executive compensation and deferred compensation tax reporting, sales and use tax compliance, federal and state audit examinations and escheat reporting.

Education, Credentials and Special Training
Certified Public Accountant
Chartered Property Casualty Underwriter
B.S., Business Administration/Accounting and Mathematics, magna cum laude, University of Mary Washington
Bank Tax Institute, annually

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Member, Georgia Bankers Association Tax Advisory Committee

Civic and Community Activities
Board of Directors, Midlands Housing Alliance – Transitions
Member, United Way of the Midlands’ Women in Philanthropy


Tennessee Risk Management Seminar
Thursday, April 21, 2016
Franklin Marriott Cool Springs, Franklin, Tennessee

Bonnie Bastow

Elliott Davis Decosimo

Charlotte, North Carolina

Richard Bird

Franklin Synergy Bank

Franklin, Tennessee

Andy Bonner

First Century Bank

Tazewell, Tennessee

Jay Brietz

Elliott Davis Decosimo

Charlotte, North Carolina

Karen Bue

First National Bank of Pulaski

Pulaski, Tennessee

Elaine Chaffin

Community First Bank and Trust

Columbia, Tennessee

Derek Church

Pendleton Square Trust Company

Nashville, Tennessee

Tina Cline

First Century Bank

Tazewell, Tennessee

Joey Croom

Elliott Davis Decosimo

Franklin, Tennessee

June Crowell

Elliott Davis Decosimo

Franklin, Tennessee

Anthony Dugan

Elliott Davis Decosimo

Knoxville, Tennessee

Dora England

Clayton Bank & Trust

Knoxville, Tennessee

Joanne Ervin

First Community Bank of Bedford County

Shelbyville, Tennessee

Andrew Fine

First Community Mortgage

Murfreesboro, Tennessee

Jill Giles

First Farmers and Merchants Bank

Columbia, Tennessee

Lisa Hill

Foothills Bank & Trust

Maryville, Tennessee

Mickie Hodge

The Farmers Bank

Portland, Tennessee

Vicky Inzer

Peoples Bank & Trust Co

Manchester, Tennessee

Christopher Jernigan

The Farmers Bank

Portland, Tennessee

Billy Johnson

Franklin Synergy Bank

Franklin, Tennessee

Rebecca Jones

First Community Bank of Bedford County

Shelbyville, Tennessee

Ransom Jones

Citizens Bank

Lafayette, Tennessee

Patricia Justis

Franklin Synergy Bank

Franklin, Tennessee

Tim Kemp

Butler Snow

Nashville, Tennessee

Michael Koupal

Elliott Davis Decosimo

Charlotte, North Carolina

Joseph Lackey

TriStar Bank

Dickson, Tennessee

Denise Ledford

First Vision Bank

Tullahoma, Tennessee


Chris Loyd

Elliott Davis Decosimo

Franklin, Tennessee

Pam Mantone

Elliott Davis Decosimo

Chattanooga, Tennessee

Cynthia McClard

Citizens Bank

Lafayette, Tennessee

Samantha Meyer

First Community Mortgage

Murfreesboro, Tennessee

Kimberly Monday

The Farmers Bank

Portland, Tennessee

Debbi Moore

Citizens Bank

Lafayette, Tennessee

Ryan Moore

Elliott Davis Decosimo

Nashville, Tennessee

Justin Nipper

The Farmers Bank

Portland, Tennessee

Jeffrey Pardon

Bank of Frankewing

Frankewing, Tennessee

Jason Price

Elliott Davis Decosimo

Franklin, Tennessee

Chris Purvis

Elliott Davis Decosimo

Charlotte, North Carolina

Glenda Sloan

Elliott Davis Decosimo

Franklin, Tennessee

Melanie Smith

Clayton Bank and Trust

Knoxville, Tennessee

Marshall Stein

Elliott Davis Decosimo

Brentwood, Tennessee

Jeff Stewart

Bank of Frankewing

Frankewing, Tennessee

Renee Taylor

First Vision Bank

Tullahoma, Tennessee

Richard Tripp

First Volunteer Bank

Chattanooga, Tennessee

Clara Willis

Citizens Bank

Lafayette, Tennessee

Brandon Woodard

Macon Bank & Trust

Lafayette, Tennessee

Teresa Woodard

Citizens Bank

Hartsville, Tennessee

Elizabeth Yackel

Peoples Bank & Trust Co

Manchester, Tennessee