A Trusted Advisor to Financial Institutions

Upcoming Speaking Engagements

 
  • September 2017
    • 13: California Bankers Association: Risk Management Conference, Newport Beach
    • 20: South Dakota Bankers Association: Tech Conference, Sioux Falls
    • 25: Conference of State Bank Supervisors: Directors Conference, Coeur d'Alene, Idaho
  • October 2017
    • 3: Kansas Bankers: Peer Roundtables, Wichita
    • 23: North Carolina Bankers Association: Management Conference, Greensboro
    • 25: Arkansas Bankers Association: Mega Conference, Little Rock
  • November 2017
    • 16: Wisconsin Bankers Association: CFO Conference, Madison
     

    Trent Fleming

    Managing Deposit Account Liabilities
    In this issue, I want to point out some potential liabilities if your staff fails to properly handle routine tasks.  I recently learned about a case involving employee theft from a business. This was a classic case, whereby a “trusted employee” leveraged his autonomy in the bookkeeping arena to steal, and cover his tracks.  Discovery was delayed by well over a year, and then, as is often the case, only by accident did the owner realize what was done.  The business, of course, claims that the bank should have found the fraud, and stopped it.  The bank, in like fashion, feels, and frankly has the strength of the UCC (article 4-406) behind it, that discovery should have come more quickly, that the business owner was effectively complicit by not providing proper oversight.  It will be interesting to watch. It is noteworthy that the employee actually went to the trouble (and thus had ample opportunity) to alter the images of checks written to himself once the statements arrived.  Also noteworthy: the bank was unable to provide proper signature cards, corporate resolutions, and in some cases, images of the backs of checks (instrumental in clearly understanding what the checks were actually used for).   At issue here is whether the courts will find that the bank’s failure to maintain good records creates any liability for them in what is otherwise a pretty clear case.
     Also in recent days, a court has rendered a verdict in favor of a financial institution in a case regarding loss over a wire transfer transaction.  Here, the business had actually “refused” the bank’s offer of dual control technology, requiring that one person submit a wire, and another approve it.  To the bank’s credit, all of this was documented, including a letter from the customer declining the dual control methods.  When the business experienced a loss, via an unauthorized wire transfer, they still looked to the bank for restitution.  The court denied it.

    Here’s the link to the article:
    This led me to consider how diligent your staff might be in ensuring that account records and documents, such as signature cards, corporate resolutions, faxed requests for wire transfers, etc., are complete and properly maintained.  It would be a good time to re-evaluate your bank’s policies and procedures – and your training – around this area.  We all know that attention to detail suffers over time, unless the importance of those details is reiterated.
    Here are some key issues to consider:
    > Retention of Paid Checks.  Refer to your state’s guidelines for record retention, but generally there is a requirement that you retain the source document, or a legible copy, for seven years after posting.  This includes legible copies of the front and back of each item.  In addition to the retention period, note the term legible.  Be sure that your check imaging system is identifying, and thus allowing you to return, any items that are not sufficiently readable to meet the IQA (Image Quality) standard. 
    > Complete Signature Cards.  Often, the practice of opening a new account involves obtaining signatures over a period of time.  While this might seem understandable, especially for a larger organization that may have multiple authorized signers, it is not good banking practice.  In general, you should not begin servicing the account for which these signature cards are intended, without completely and properly filled out signature cards.  Make a trip to the business, and have management present to you each individual that will be a signatory.  Obtain and document proper ID for each.  Even on consumer accounts, resist the urge to let one spouse sign, and take the card home for the other to sign.  If you begin servicing the account without the necessary documentation, you take away your leverage for getting that documentation.
    > Complete, Detailed Corporate Resolutions.  For any business concern, you should, in addition to signature cards, prepare and have signed a corporate resolution.  This should set forth the terms and conditions of the agreement, including services to be rendered, references to fee schedules, and expectations of performance for both parties.  In today’s world, references to once unheard of issues like Internet Security and Virus protection, enforced dual control of access and access codes, and the like, should be in your corporate resolution.  
    When adding new products and services like cash management, ACH Origination, or remote deposit capture, prepare and execute addenda that detail the terms and conditions of using those services.
    > Electronic Solutions.  As referenced above, these must be appropriately deployed . . . and properly utilized by customers.  Dual control, separation of duties, proper Internet security are all matters that must be agreed to.  Rather than dictating operating practices too closely, be sure that you give broad guidance, and then assess compliance.  Banks must be careful not to exert “management control” particularly if there is a lending relationship, but can certainly give good guidance.  You can also (this is difficult to think about, but becoming a reality) turn off access to all or part of your electronic solutions if you feel a customer is a risk.  This would include customers without proper Internet Security and Virus Protection on their own networks, or those who refuse to utilize the security measures your system provides. 
    >  Bank Controls Over Internet Activity.  The software that drives your commercial banking solutions includes parameters by which you can monitor and manage the risk associated with such systems.  Examples include, but are not limited to, the number of ACH origination transactions, average daily deposit limits, and wire transfer dollar amounts and frequency.  Leveraging data you have from processing your customer’s accounts, and working with customers to understand their legitimate business practices, you can build in these controls in such a way that you protect both your customer’s and your bank’s interests.
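The controls described in the last two items can be sketched in code. This is an added example, not taken from any banking platform or from the original article: it derives a per-wire dollar ceiling and a daily count limit from a customer's own wire history, then checks a request against those limits and against dual control. The function names, field names, sample history and the three-standard-deviation headroom are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class WireLimits:
    max_amount: float      # per-wire dollar ceiling
    max_per_day: int       # wires allowed in one business day


def derive_limits(daily_wires, headroom=3.0):
    """Build limits from a customer's own history (one list of amounts per day)."""
    amounts = [a for day in daily_wires for a in day]
    if not amounts:
        # No wire history: allow nothing until bank and customer agree on limits.
        return WireLimits(max_amount=0.0, max_per_day=0)
    ceiling = mean(amounts) + headroom * pstdev(amounts)
    busiest = max(len(day) for day in daily_wires)
    return WireLimits(max_amount=round(ceiling, 2), max_per_day=busiest)


def review_wire(wire, limits, sent_today, dual_control=True):
    """Return the reasons to hold a wire; an empty list means release it."""
    holds = []
    if wire["amount"] > limits.max_amount:
        holds.append("amount above customer limit")
    if sent_today + 1 > limits.max_per_day:
        holds.append("daily wire count exceeded")
    if dual_control:
        approver = wire.get("approved_by")
        if not approver:
            holds.append("no second approver")
        elif approver == wire["submitted_by"]:
            holds.append("approver is the submitter")
    return holds


# Constructed sample: five business days of one customer's outgoing wires.
HISTORY = [[12000, 8500], [9800], [], [15000, 11000, 7200], [10500]]
LIMITS = derive_limits(HISTORY)

if __name__ == "__main__":
    routine = {"amount": 9000, "submitted_by": "clerk1", "approved_by": "owner"}
    odd = {"amount": 48000, "submitted_by": "clerk1", "approved_by": "clerk1"}
    print(LIMITS)
    print(review_wire(routine, LIMITS, sent_today=1))
    print(review_wire(odd, LIMITS, sent_today=3))
```

A held wire is a prompt for a callback to the customer, not an automatic rejection; the limits should be revisited as the customer's legitimate activity changes.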
     I hope you will share this article with your staff, and in so doing, begin a process of inspecting current practices to realign them with your policies, and reduce your risks. Remember that the most successful organizations are those who identify best practices, and strive, through training and education, to execute on them well.  Should you need help in these areas, I am always available.
    Remember that I am not an attorney, and the above should be construed as operational, not legal, advice.  Please involve your counsel in any decisions involving proper interpretation of rules, regulations, and laws.

    Severe Weather and Your Contingency Plan

    Here in the United States, last week was “Severe Weather Awareness Week” with each day featuring a different type of severe weather that might impact you.  Tornadoes are particularly challenging for us due to their sudden appearance, and erratic behavior.  Forecasting is improving, and many areas are benefiting from more timely warnings than ever before.

    As you work to enhance and test your contingency plans, remember to include attention to matters that may arise suddenly, affecting not only your staff, but customers, vendors, or others who are in your facilities when a sudden crisis – like a fire or a tornado warning – arises.

    Your planning and testing activities should include attention to non-employees who may be in the building.  Both fire and tornadoes create a sudden need for action.  Fire creates a need for an orderly, safe evacuation, while tornadoes create a need for shelter.  By considering the “non-employee” individuals in your planning and testing activities, you increase the chance of protecting them as well as your employees.  Doing so makes you the best possible corporate citizen, and reduces both reputation risk and legal liability.

    Just another insight into the complex world of contingency planning.

    Widespread Security Breach of Bank Executive Data

    Breaking news overnight about what may be a serious breach of data, including the online identities and passwords of several thousand bankers.  Rather than fretting about whether you are involved, first move to change all of your online passwords, both personal and bank related.  Move away from simple words toward nonsensical phrases that are sprinkled with special characters.  “arctic01penguins#%” for example.

    http://www.washingtonpost.com/business/technology/anonymous-posts-file-claiming-to-have-information-from-4000-bank-execs/2013/02/05/8f8b0488-6f9b-11e2-ac36-3d8d9dcaa2e2_story.html

    More as this story unfolds.

    The current issue of my banking newsletter “Trent’s Comments” is now available on my website.  Visit www.trentfleming.com and select the Newsletter tab.  From there, you can download several recent issues, as well as a document that summarizes each issue going back to 2010.  I welcome your feedback and comments.

    Planning Ahead: Budgeting vs Strategy

    Here’s a year end thought for you: budgeting is not strategy. While preparing and managing to a budget is an important part of your “looking forward” activities, don’t let your annual budget substitute for a real strategic plan. Budgets lack vision, passion, and can’t convey leadership directives.  Strategies need to clearly outline Executive Management’s vision of the markets to be served, the types of products and services to be offered, and efforts to establish and enhance your company’s brand in the marketplace.  From these strategies, clear tactical guidelines can be developed for executing initiatives and effecting real change.
    Most strategic planning efforts fall down on execution.  By establishing clear tactical directives, naming responsible parties, and demanding regular progress updates, you can avoid the “dusty plan on the shelf” trap that so many fall into.
    Often, an outside moderator can offer value by preparing for and conducting planning sessions, aiding in the development of tactical initiatives, and mentoring your key players to actually get things done.  Don’t be afraid to ask for help – successful strategic planning is worth the investment.

    Alert on Recent Hacking Activity

    Quite a lot of buzz in the last few days over some of the largest US banks being the target of hacking activity.  While few community banks will be affected, customers who see the media coverage may, nonetheless, express concern.  Here are some talking points that I hope will help you in communicating to your employees how to address customer concerns.

    1) These are distributed denial of service (DDoS) attacks on the web sites of the banks in question.  The result of these attacks is to make some or all of the web site unavailable for use.  In some cases, the pages and links customers use to access Internet banking may be targeted.  These are NOT hacks into the customer information, however, merely a denial of access.  To date, no data has been exposed or compromised.

    2) While the banks are of course the target of this activity (which appears to be politically motivated) the site hosts for the banks’ web sites are actually being hacked, NOT the banks themselves.

    3) Customers remain the weakest link relative to security breaches.  Use any opportunity to discuss such matters with customers to remind them that it is crucial that they have, and continue to update, current virus protection on their own computers and other devices.

    4) Take this opportunity to be sure that your bank’s systems are properly protected, with all security updates and patches applied.  Firewall reports should be monitored for unusual activity, as should all internal systems.  Raising your bank’s and your customer’s level of awareness goes a long way toward preventing unauthorized access.

    As always, contact me if I can be of assistance in these or other matters.

    Today’s Speaking Engagement

    I’m in Kansas this morning, to address the KBA’s Young Bankers Conference. We are going to get serious about the challenges of supporting customers in an era where much of our technology is customer-facing. “This Stuff Doesn’t Work” is both a funny and serious look at customer expectations and the work banks have to do in order to be successful. Very excited to talk to this group of rising stars!

    Telephone Banking – The Forgotten Technology?

    By far one of the most popular customer facing technologies banks have introduced is Interactive Voice Response (IVR). Customers flocked to this technology, calling over and over to hear a balance or see if a payment has cleared, many calling multiple times per day even if account balances and other information were not in real time. The advent of Internet Banking may have slowed the usage, but it did not go away. Convenience might be an issue: a customer checking an account balance may find the touch tone phone faster than logging into your web site. These systems are simple and easy to use.
    Internet Banking is well into its second decade, however, and many of you are already investing in the next generation: Mobile Banking. The question is, what to do with our IVR systems? Especially if you are running IVR “in-house,” it is likely that your system is aging, and support may be lacking. If you’ve priced a new system, you may be taken aback by the cost. If you can keep that old clunker running a bit longer, here’s my step by step process for getting a handle on this technology before it causes you a real problem.
    1. Do an operational and contractual assessment of your current system. Get the vendor involved (if they are still around) and make sure you have ready access, in the short term, to replacement parts and support in the event of a failure. Get your core vendor involved (if they are not the IVR vendor) and ask them to help you plot a backup strategy, if your IVR vendor is not around. Or call an expert (that would be your humble author). Your goal here is to put together a strategy to keep the technology working for another year or two, while you move these users to other solutions.
    2. Take a hard look at the number of calls you are receiving, and who these folks are. Generally, you will find a significant group of “repeat offenders.” Hopefully, your system produces reports, but if not, go to the phone logs to see what you can learn.

    3. If you have outsourced your IVR, think about aligning the efforts listed below with that contract’s expiration date, so that you can retire the technology at that time. A benefit of outsourcing is that you are relieved from worry over the state of your system. A downside, however, is the cost associated with the technology and the calls.

    4. Taking into account (based on available reporting) the frequency and type of activity you see, design an aggressive marketing campaign to move those folks to Internet Banking.

    5. If you currently have mobile banking, even better. Promote that directly to your IVR users, with particular attention to the SMS “text” capability, as it offers the path of least resistance to their using the product.
    My hope is that, over time, with some concentrated effort, you can eliminate your IVR system in favor of newer technology that offers customers even more functionality.

    Mobile Banking Webinar

    There is still time to sign up for my webinar on mobile banking this Monday afternoon.  Use the link below, and click on your state to sign up.  If your state isn’t listed, just adopt a state for the day!  Looking forward to a rousing discussion of current issues in mobile banking.

    http://www.bankersed.com/tba/intro.asp

    New Password Security Threats

    Please take time to read the attached article, and be sure that your IT and Operations staff sees it as well.  It points out the flaws in many of today’s common password and authentication methods.  It also clearly points out the need for multi-factor authentication in almost every situation.  While few banks are currently storing data in “the cloud,” such methods are, for both technological and economic reasons, trending, and will be something that must be dealt with.

    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/