Internal Audit and Compliance Insights
Tuesday, May 6, 2014
Columbia Metropolitan Convention Center—Columbia, South Carolina

AGENDA

8:30 am - 9:00 am
Registration & Continental Breakfast

9:00 am - 9:05 am
Welcome
Jason Caskey, Financial Services Practice Chair, Elliott Davis

9:05 am - 9:30 am
Accounting & Auditing Update—Let’s talk about CECL
Lee Haynes, Shareholder, Elliott Davis

9:30 am - 10:30 am
Compliance Update
Christopher Purvis, Senior Manager, Elliott Davis

10:30 am - 10:45 am
Break

10:45 am - 11:15 am
COSO 2013: Implementation Strategies For This New Framework
Jay Brietz, Senior Manager, Elliott Davis

11:15 am - 12:20 pm
Cybersecurity and Risks Associated with IT
Richard Cook, Senior Manager, Elliott Davis

12:20 pm - 1:00 pm
Lunch

1:00 pm - 1:30 pm
Interest Rate Risk / Liquidity Risk
Mark Rufail, Senior Manager, Elliott Davis

1:30 pm - 2:00 pm
Vendor Management Program Best Practices
Karen Neely Louis, Attorney, Bryan Cave

2:00 pm - 3:00 pm
Internal Audit / Compliance Panel
Jason Caskey — Moderator
Elaine Crawford, Senior Vice President—Director of Internal Audit, Park Sterling Bank
Karen McCauley, Internal Auditor, First Community Bank
Wendy Workman, AVP-Internal Audit Manager, The Palmetto Bank

Internal Audit and Compliance Insights - Home | Elliott Davis



elliottdavis.com © Elliott Davis LLC © Elliott Davis PLLC

Financial Services - 360° Industry Perspective

ARE YOU...
• Concerned about risk?
• Considering a merger or acquisition?
• Interested in preserving your capital?
• Looking for strategies to manage effective tax rates?
• Struggling to stay abreast of complex SEC reporting and regulations?
• Searching for a resource to assist with ever-changing accounting standards?

Elliott Davis is a member of The Leading Edge Alliance, a worldwide association of independently owned accounting firms.

SOLUTIONS

Assurance
• Audit services
• Financial statement preparation

Non-Audit Services
• Bank Secrecy Act compliance reviews
• Information system audits
• Independent loan reviews
• Outsourced internal audit
• SSAE No. 16 reports
• ALLL validation

Tax
• Income tax preparation and planning
• State and local tax services
• Tax estimates
• Evaluation of deferred tax asset

SEC Related Services
• Preparation of 10-Qs and 10-Ks
• SEC registration and compliance
• SOX 404 documentation and testing

Consulting
• ALCO model testing
• Business valuation services
• Cost segregation studies
• Director training
• Loan and deposit compliance
• Management and regulatory services
• Mergers and acquisitions
• Strategic planning
• Stock compensation calculations
• Compliance with enforcement actions

The banking industry is complex and rapidly evolving. You deserve the right team with the right leadership to serve you. More than 100 banks in the Southeast, large and small, depend on Elliott Davis’ Financial Services Practice for personal attention, industry experience and services including external and internal audit, SEC reporting, taxation and compliance. With a 60-year reputation and a team of 90 professionals serving financial institutions, we help banks operate stronger, wiser, better.

FINANCIAL SERVICES

Financial Services Shareholder Contact Information

Bob Beckwith, CPA, Shareholder. Direct: 864.552.4763. E-mail: rbeckwith@elliottdavis.com

Paul Pickett, CPA, Shareholder. Direct: 804.887.2256. E-mail: ppickett@elliottdavis.com

Garry A. Rank, CPA, Shareholder. Direct: 864.242.2638. E-mail: grank@elliottdavis.com

Barbara Rushing, CPA, Shareholder. Direct: 864.242.2625. E-mail: brushing@elliottdavis.com

Jason Caskey, CPA, Financial Services Practice Leader. Direct: 803.255.1203. E-mail: jcaskey@elliottdavis.com

Stacy Stokes, CPA, Shareholder. Direct: 803.255.1472. E-mail: sstokes@elliottdavis.com

Lee Haynes, CPA, Shareholder. Direct: 704.808.5208. E-mail: lhaynes@elliottdavis.com

Andy Mitchell, CPA, Shareholder. Direct: 864.242.2691. E-mail: amitchell@elliottdavis.com

Beverly A. Seier, CPA, CPCU, Shareholder. Direct: 803.255.1214. E-mail: bseier@elliottdavis.com

Bill Bossong, CPA, CBA, Shareholder. Direct: 803.255.1497. E-mail: wbossong@elliottdavis.com

George Noonan, CPA, Shareholder. Direct: 704.808.5293. E-mail: gnoonan@elliottdavis.com


© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC

Accounting & Auditing Update Let’s Talk About CECL Risk Management and Internal Audit Seminar


This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.

2014 Accounting & Auditing Update

AGENDA
• Accounting Standards Updates (ASUs)
  - ASUs 2014-01 through 2014-08
• Financial Instruments – Impairment (CECL Model)
  - Background
  - FASB’s Stated Measurement Objective
  - Scope
  - Key Concepts
  - Implementation Considerations


Accounting Standards Updates (ASUs)

ASUs ISSUED IN 2014
• ASU 2014-01 – Accounting for Investments in Qualified Affordable Housing Projects (a consensus of the EITF)
• ASU 2014-02 – Accounting for Goodwill (a consensus of the PCC)
• ASU 2014-03 – Accounting for Certain Receive-Variable, Pay-Fixed Interest Rate Swaps—Simplified Hedge Accounting Approach (a consensus of the PCC)
• ASU 2014-04 – Reclassification of Residential Real Estate Collateralized Consumer Mortgage Loans upon Foreclosure (a consensus of the EITF)
• ASU 2014-05 – Service Concession Arrangements (a consensus of the EITF)
• ASU 2014-06 – Technical Corrections and Improvements Related to Glossary Terms
• ASU 2014-07 – Applying Variable Interest Entities Guidance to Common Control Leasing Arrangements (a consensus of the PCC)
• ASU 2014-08 – Reporting Discontinued Operations and Disclosures of Disposals of Components of an Entity

PRIVATE COMPANY COUNCIL
• The Financial Accounting Foundation (“FAF”) Board of Trustees has established the Private Company Council (“PCC”) in an effort to improve the process of setting accounting standards for private companies.
• Intended to put in place a system for recognizing differences in the needs of public and private company financial statement users and preparers that will avoid creation of a ‘two-GAAP’ system.

ASU No. 2014-02 Accounting for Goodwill (a consensus of the PCC)

ASU 2014-02 – Accounting for Goodwill
• Issued on January 16, 2014
• Allows an accounting alternative for the subsequent measurement of goodwill for private companies.
• If elected, the accounting alternative requires the entity to amortize goodwill on a straight-line basis over 10 years, or less than 10 years if the entity demonstrates that another useful life is more appropriate.

ASU No. 2014-03 Accounting for Certain Receive-Variable, Pay-Fixed Interest Rate Swaps—Simplified Hedge Accounting Approach (a consensus of the PCC)

ASU 2014-03 – Accounting for Certain Receive-Variable, Pay-Fixed Interest Rate Swaps—Simplified Hedge Accounting Approach
• Issued on January 16, 2014
• Provides an additional hedge accounting alternative to private companies that are not financial institutions (simplified hedge accounting approach) for certain types of swaps if certain conditions are met.
• This accounting alternative is not available to financial institutions

ASU No. 2014-07 Applying Variable Interest Entities Guidance to Common Control Leasing Arrangements (a consensus of the PCC)

ASU 2014-07 – Applying Variable Interest Entities Guidance to Common Control Leasing Arrangements
• Issued on March 20, 2014
• Allows a private company to elect—when certain conditions exist—not to apply VIE guidance to a lessor under common control
• Requires certain disclosures about the lessor and the leasing arrangement


ASU No. 2014-01 Accounting for Investments in Qualified Affordable Housing Projects (a consensus of the EITF)

ASU 2014-01 – Accounting for Investments in Qualified Affordable Housing Projects
• Issued on January 15, 2014
• Provides guidance on accounting for investments by a reporting entity in flow-through limited liability entities that manage or invest in affordable housing projects that qualify for the low-income housing tax credit.
• The ASU permits reporting entities to make an accounting policy election to account for their investments in qualified affordable housing projects using the proportional amortization method if certain conditions are met.
• Under the proportional amortization method, an entity amortizes the initial cost of the investment in proportion to the tax credits and other tax benefits received and recognizes the net investment performance in the income statement as a component of income tax expense (benefit).
• If elected, must be applied consistently to all qualifying affordable housing project investments rather than a decision to be applied to individual investments.

ASU No. 2014-04 Reclassification of Residential Real Estate Collateralized Consumer Mortgage Loans upon Foreclosure (a consensus of the EITF)

ASU 2014-04 – Reclassification of Residential Real Estate Collateralized Consumer Mortgage Loans upon Foreclosure
• Issued on January 17, 2014
• Clarifies when an in substance repossession or foreclosure occurs:
  - Specifically, a creditor is considered to have received physical possession of residential real estate property collateralizing a consumer mortgage loan, upon either (1) obtaining legal title upon completion of a foreclosure or (2) obtaining interest in the property in satisfaction of the loan through a deed in lieu of foreclosure or through a similar legal agreement.
• Additionally, the ASU requires interim and annual disclosure of both
  - the amount of foreclosed real estate held and
  - the recorded investment in mortgage loans collateralized by residential real estate property that are in the process of foreclosure according to local requirements of the applicable jurisdiction

ASU No. 2014-05 Service Concession Arrangements (a consensus of the EITF)

ASU 2014-05 – Service Concession Arrangements
• Issued on January 23, 2014
• Specifies that an operating entity should not account for a service concession arrangement as a lease
• The amendments also specify that the infrastructure used in a service concession arrangement should not be recognized as property, plant, and equipment

NOTE: A service concession arrangement is an arrangement between a public-sector entity grantor and an operating entity under which the operating entity operates the grantor’s infrastructure (for example, airports, roads, and bridges)

ASU No. 2014-08 Reporting Discontinued Operations and Disclosures of Disposals of Components of an Entity

ASU 2014-08 – Reporting Discontinued Operations and Disclosures of Disposals of Components of an Entity
• Issued on April 10, 2014
• Requires that only disposals representing a strategic shift in operations should be presented as discontinued operations
• Requires expanded disclosures about discontinued operations
• Requires disclosure of the pre-tax income attributable to a disposal of a significant part of an organization that does not qualify for discontinued operations reporting


ASU No. 2014-06 Technical Corrections and Improvements Related to Glossary Terms

ASU 2014-06 – Technical Corrections and Improvements Related to Glossary Terms
• Issued on March 14, 2014
• Contains amendments related to the Master Glossary, including:
  - technical corrections related to glossary links
  - changes to glossary terms
  - conforming the definition of selected terms appearing in the Master Glossary

EFFECTIVE DATES

ASU 2013-02 – Comprehensive Income (Topic 220): Reporting of Amounts Reclassified Out of Accumulated Other Comprehensive Income
  - Public companies: Already effective
  - Private companies: Effective for reporting periods beginning after December 15, 2013*

ASU 2013-04 – Liabilities (Topic 405): Obligations Resulting from Joint and Several Liability Arrangements for Which the Total Amount of the Obligation Is Fixed at the Reporting Date (a consensus of the FASB Emerging Issues Task Force)
  - Public companies: Effective for fiscal years (including interim periods) beginning after December 15, 2013*
  - Private companies: Effective for fiscal years ending after December 15, 2014, and interim and annual periods thereafter*

ASU 2013-11 – Income Taxes (Topic 740): Presentation of an Unrecognized Tax Benefit When a Net Operating Loss Carryforward, a Similar Tax Loss, or a Tax Credit Carryforward Exists (a consensus of the FASB Emerging Issues Task Force)
  - Public companies: Fiscal years (including interim periods) beginning after December 15, 2013*
  - Private companies: Fiscal years (including interim periods) beginning after December 15, 2014*

ASU 2014-01 – Investments—Equity Method and Joint Ventures (Topic 323): Accounting for Investments in Qualified Affordable Housing Projects (a consensus of the FASB Emerging Issues Task Force)
  - Public companies: Effective for annual periods and interim reporting periods within those annual periods, beginning after December 15, 2014*
  - Private companies: Effective for annual periods beginning after December 15, 2014 and interim periods within annual reporting periods beginning after December 15, 2015*

ASU 2014-02 – Intangibles—Goodwill and Other (Topic 350): Accounting for Goodwill (a consensus of the Private Company Council)
  - Public companies: N/A – PCC issue – only applies to private companies
  - Private companies: Effective for annual periods beginning after December 15, 2014 and interim periods within annual periods beginning after December 15, 2015*

* Early adoption permitted.

EFFECTIVE DATES

ASU 2014-04 – Receivables—Troubled Debt Restructurings by Creditors (Subtopic 310-40): Reclassification of Residential Real Estate Collateralized Consumer Mortgage Loans upon Foreclosure (a consensus of the FASB Emerging Issues Task Force)
  - Public companies: Effective for annual periods, and interim periods within those annual periods beginning after December 15, 2014*
  - Private companies: Effective for annual periods beginning after December 15, 2014 and interim periods within annual periods beginning after December 15, 2015*

ASU 2014-06 – Technical Corrections and Improvements Related to Glossary Terms
  - Public companies: Effective upon issuance
  - Private companies: Effective upon issuance

ASU 2014-07 – Consolidation (Topic 810): Applying Variable Interest Entities Guidance to Common Control Leasing Arrangements (a consensus of the Private Company Council)
  - Public companies: N/A – PCC issue – only applies to private companies
  - Private companies: Effective for annual periods beginning after December 15, 2014 and interim periods within annual periods beginning after December 15, 2015*

ASU 2014-08 – Reporting Discontinued Operations and Disclosures of Disposals of Components of an Entity
  - Public companies: Effective for transactions that occur within annual periods beginning on or after December 15, 2014, and interim periods within those years
  - Private companies: Effective for transactions that occur within annual periods beginning on or after December 15, 2014, and interim periods within annual periods beginning on or after December 15, 2015

* Early adoption permitted.

Financial Instruments – Impairment (CECL Model)

Proposed ASU No. 2012-260
Financial Instruments – Impairment

BACKGROUND
• After the financial crisis, the Financial Crisis Advisory Group (“FCAG”) was asked to consider how improvements in financial reporting could enhance investors’ confidence in financial markets and noted the following related to accounting standards and their application:
  - Identified weaknesses in today’s model for estimating credit losses (“Incurred Loss” model)
    • “Probable incurred” loss threshold that was seen as delaying recognition of losses
  - Identified weaknesses in existing accounting standards resulting from the inherent complexity of having multiple credit impairment models
• Exposure Draft issued December 20, 2012

FASB’s STATED MEASUREMENT OBJECTIVE
• Current estimate of all contractual cash flows not expected to be collected
  - For financial instruments whose objective is to hold the financial instruments for the collection of contractual cash flows, the FASB believes that the amortized cost measurement objective is consistent with the way an entity expects to realize cash flows from the assets, namely by holding the instrument for the collection of contractual cash flows.
  - That amortized cost objective is to reflect the present value of cash flows that an entity expects to collect.
  - The FASB believes the proposed guidance achieves that objective through the combined effect of
    a) the proposed guidance on classification and measurement that would result in measurement of the amortized cost basis of the financial asset at a present value, based on contractual cash flows and
    b) the proposed guidance on credit losses that would result in an allowance for credit losses at a present value, based on contractual cash flows not expected to be collected, both discounted at the effective interest rate.

Page 37: Internal Audit and Compliance Insights - Home | Elliott Davisserve you. More than 100 banks in the Southeast, large and small, depend on Elliott Davis’ Financial Services Practice

2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

SCOPE • CURRENT EXPECTED CREDIT LOSSES (“CECL”) MODEL

- Replaces multiple impairment models that exist in U.S. GAAP:

• Allowance for loan losses • Other-than-temporary impairment • ASC 310-30 (SOP 03-3) • ASC 325-40 (EITF 99-20)

- Depending on the nature of the financial asset, under current guidance a credit loss must either be probable or other than temporary before recognition. The proposal eliminates the “probable” recognition threshold on credit losses.

34 © 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC

Page 38: Internal Audit and Compliance Insights - Home | Elliott Davisserve you. More than 100 banks in the Southeast, large and small, depend on Elliott Davis’ Financial Services Practice

2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

SCOPE
• CURRENT EXPECTED CREDIT LOSSES (“CECL”) MODEL
  - Applies to all entities, both public and nonpublic.
  - Must be applied to financial assets that are not accounted for at fair value through net income (FV-NI) and are exposed to potential credit risk:
    • Financial assets measured at amortized cost
    • Financial assets measured at fair value with qualifying changes in fair value recognized in other comprehensive income (FV-OCI)
  - Does not apply to financial assets accounted for at fair value through net income (FV-NI)


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

SCOPE
• CURRENT EXPECTED CREDIT LOSSES (“CECL”) MODEL
  - Applies to:
    • Debt instruments
    • Securities measured at amortized cost and fair value (FV-OCI)
    • Trade receivables
    • Loans
    • Loan commitments
    • Leases
    • Reinsurance receivables


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

SCOPE
• CURRENT EXPECTED CREDIT LOSSES (“CECL”) MODEL
  - For financial assets measured at fair value with qualifying changes in fair value recognized in other comprehensive income (FV-OCI), expected credit losses should be recognized as follows:
    1) An entity should not recognize expected credit losses if the financial asset’s fair value equals or exceeds its amortized cost basis.
    2) If the financial asset’s fair value is less than its amortized cost basis, an entity should recognize expected credit losses in net income determined under the CECL model but limited to the difference between the financial asset’s fair value and its amortized cost basis.


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

SCOPE
• CURRENT EXPECTED CREDIT LOSSES (“CECL”) MODEL
  - For both financial assets measured at amortized cost and financial assets measured at FV-OCI, the FASB plans to discuss at a future meeting whether expected credit losses recognized should be the entire difference between fair value and amortized cost when:
    1) an entity subsequently identifies a financial asset for sale
    2) it is more likely than not the entity will be required to sell a financial asset before recovery of its amortized cost basis


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• General “principles” that must be considered
  - The entire contractual term of the financial asset
  - Internal and external information that is relevant to the collectability of a financial asset’s remaining contractual cash flows
  - Time value of money
  - Both the possibility that a credit loss will occur and the possibility that no credit loss will occur
  - Whether and how much credit enhancements (other than freestanding contracts) mitigate expected credit losses on financial assets


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Broadens information that must be considered
  - Past events
  - Current conditions
  - Reasonable and supportable forecasts
  - Internal and external
    • Quantitative and qualitative factors specific to borrower
    • Current economic environment of entity
    • Current point and forecasted direction of economic cycle


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Intended to leverage existing internal credit risk management tools and systems; however, inputs to the measurement will change
• No specific guidance as to whether credit losses should be measured on an individual or collective (pool) basis


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Estimate shall reflect time value of money
  - Example: discounted cash flow
  - Other methods implicitly consider time value of money such as loss-rate, roll-rate, probability-of-default, and provision matrix
  - FV of collateral permitted for collateral dependent financial assets
• Neither a best case nor a worst case scenario
  - Must reflect both the possibility that a credit loss will occur and the possibility that no credit loss will occur
  - Cannot be based solely on the most likely outcome
  - Probability-weighted approach not required


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Permitted to measure impairment based on the fair value of collateral less cost to sell when repayment is expected to be provided “primarily or substantially through the operation of the collateral by the lender or sale of the collateral.”


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Eliminates ASC 310-30 (SOP 03-3) in its entirety
• May assess PCI definition at individual asset or pool basis
• Day 1 – recognize allowance based on management’s current estimate of contractual cash flows that the entity does not expect to collect
  - Balance sheet grossed up
  - Bifurcate discount between credit and non credit
• Day 2 – favorable and unfavorable changes in the allowance recognized immediately through provision for credit losses
  - Follow same measurement approach as originated and non-PCI assets


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• The FASB has decided not to expand the PCI approach, as proposed in the proposed ASU, to other financial assets.
• The FASB has also decided to include in the CECL Model a requirement that the non-credit-related discount or premium resulting from acquiring a pool of PCI financial assets should be allocated to each individual financial asset.


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Debt Securities
  - Would record an allowance for credit losses (vs. current US GAAP which requires an adjustment to the amortized cost when there is OTTI)
• An entity may elect, as a practical expedient, not to recognize expected credit losses for FV-OCI financial assets if both:
  - Fair value exceeds amortized cost
  - Expected credit losses are insignificant


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• In measuring the expected credit losses:
  1) An entity should revert to a historical average loss experience for the future periods beyond which the entity is able to make or obtain reasonable and supportable forecasts.
  2) An entity should consider all contractual cash flows over the life of the related financial assets.
  3) When determining the contractual cash flows and the life of the related financial assets:
     a) An entity should consider expected prepayments
     b) An entity should not consider expected extensions, renewals, and modifications unless the entity reasonably expects that it will execute a troubled debt restructuring with a borrower.


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• In measuring the expected credit losses:
  4) An entity’s estimate of expected credit losses should always reflect the risk of loss, even when that risk is remote. However, an entity would not be required to recognize a loss on a financial asset in which the risk of nonpayment is greater than zero yet the amount of loss would be zero.
  5) In addition to using a discounted cash flow model to estimate expected credit losses, an entity would not be prohibited from developing an estimate of credit losses using loss-rate methods, probability-of-default methods, or a provision matrix using loss factors.


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Charge-off—The proposed ASU carries forward the existing requirements that a charge-off should be recorded when there is no reasonable expectation of future recovery
• Nonaccrual—The FASB decided to exclude the proposed nonaccrual guidance from the CECL Model.
• TDRs—The FASB decided that the TDR classification remains relevant under the CECL model. In addition, the FASB decided to revise the CECL Model to require that, in certain TDRs, an entity may be required to increase the cost basis of the restructured financial asset through a corresponding increase in the entity’s allowance for expected credit losses.
• Disclosures—Will require expanded disclosures


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

KEY CONCEPTS
• Expected to be finalized during the 2nd half of 2014
• Effective date
  - To be determined
• Transition
  - Cumulative-effect adjustment to the statement of financial position as of the beginning of the first reporting period in which the guidance is effective
  - No early adoption


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

IMPLEMENTATION CONSIDERATIONS
• Improve Data Collection
  - Begin gathering data now to ensure access to the right data and to establish processes to collect information on an ongoing basis:
    • Specifically, loan-level data such as:
      - historical balances
      - risk ratings
      - charge-offs and recoveries
    • Additionally, other data that could be correlated to loan losses such as:
      - national, regional and local economic data
      - borrower financial data
      - real estate metrics such as price indexes


2014 Accounting & Auditing Update Financial Instruments – Impairment (CECL Model)

IMPLEMENTATION CONSIDERATIONS
• Begin Planning for Potential Impact on Capital Levels
  - Most analysts and bankers believe that the CECL model will increase an institution’s allowance reserve.
  - If this is correct, this will require a one-time capital adjustment.
  - Institutions should take proactive steps to increase capital in advance of the changes


Questions?


Contact Information


Lee Haynes
Email: [email protected]
Phone: 704.808.5208
Website: www.elliottdavis.com

Elliott Davis, LLC/PLLC is one of the largest accounting, tax and consulting services firms in the Southeast and ranks among the top 50 CPA firms in the U.S. With offices in SC, NC, GA and VA, the firm provides clients across a wide range of industries with smart, customized solutions and its people with rewarding opportunities. Founded in 1925, Elliott Davis is a member of The Leading Edge Alliance, an international professional association of independently owned accounting firms based in the U.S. and is strategically aligned with LEA Europe and LEA Asia Pacific, a worldwide network of more than 450 offices in 100 countries around the globe. For more information about Elliott Davis and its services, visit http://www.elliottdavis.com.


Compliance Update


Christopher R. Purvis, CPA, Audit Senior Manager
Sara N. Kollien, CPA, Audit Manager


This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.


Agenda

I. Dodd-Frank Update – Regulation B, Regulation Z and RESPA
II. UDAAP


I. Dodd-Frank Update

Dodd-Frank Act

Rulemaking Status Update

• A total of 280 rulemaking deadlines have passed. This is 70.4% of the 398 total rulemaking requirements, and 100% of the 280 rulemaking requirements with specified deadlines.

• Of these 280 passed deadlines, 128 (45.7%) have been missed and 152 (54.3%) have been met with finalized rules. Regulators have not yet released proposals for 44 of the 128 missed rules.

• Of the 398 total rulemaking requirements, 206 (51.8%) have been met with finalized rules and rules have been proposed that would meet 94 (23.6%) more. Rules have not yet been proposed to meet 98 (24.6%) rulemaking requirements.


I. Dodd-Frank Update

1) Equal Credit Opportunity Act (Regulation B) Disclosure and Delivery Requirements for Copies of Appraisals and Other Written Valuations

2) Appraisals for Higher-Priced Mortgage Loans (“HPMLs”) (Regulation Z)

3) Escrow Requirements for HPMLs (Regulation Z)

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

5) Homeownership Counseling Amendments (RESPA)


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

7) Ability to Repay Determination Requirements (Regulation Z)

8) Mortgage Servicing Rules (Regulation Z)

9) Mortgage Servicing Rules (RESPA)


I. Dodd-Frank Update

1) Equal Credit Opportunity Act (Regulation B) Disclosure and Delivery Requirements for Copies of Appraisals and Other Written Valuations

Requires creditors to:

1. Notify applicants of their right to receive a copy of appraisals developed;
2. Provide applicants a copy of each appraisal or “other written valuation;”
3. Permit applicants to waive the timing requirement for providing those copies; and
4. Not charge for the copy of the appraisals and other written valuations.


I. Dodd-Frank Update

1) Equal Credit Opportunity Act (Regulation B) Disclosure and Delivery Requirements for Copies of Appraisals and Other Written Valuations

Other Written Valuations – Any estimate of the value of a dwelling developed in connection with an application for credit.

Written Valuations
1. Report prepared by an appraiser
2. Document prepared by the creditor’s staff that assigns value to the property
3. Report approved by a government-sponsored enterprise for describing to the applicant the estimate of the property’s value
4. Report generated by use of an automated valuation model to estimate the property’s value
5. Broker Price Opinion

Not Written Valuations
1. Publicly available lists of valuations
2. Governmental agency statements of appraised value that are publicly available
3. Reports reflecting property inspections that do not provide an estimate of the value of the property and are not used to develop an estimate of the value of the property
4. Internal documents that merely restate the estimated value of the dwelling contained in an appraisal
5. Manufacturer’s invoices for manufactured homes


I. Dodd-Frank Update

2) Appraisals for Higher-Priced Mortgage Loans (“HPMLs”) (Regulation Z)

General Rule: A creditor cannot extend a HPML to a consumer without obtaining, prior to consummation, a written appraisal of the property to be mortgaged.

Note: The appraisal must be performed by a certified or licensed appraiser who conducts a physical visit of the interior of the property that will secure the transaction.


I. Dodd-Frank Update

2) Appraisals for Higher-Priced Mortgage Loans (“HPMLs”) (Regulation Z)

Additional Appraisal Requirements for Certain HPMLs
- Two written appraisals are required in the following cases:

1) The seller acquired the property 90 or fewer days prior to the contract date and the price in the contract exceeds the seller’s purchase price by more than 10%; or

2) The seller acquired the property 91 to 180 days prior to the contract date and the price in the contract exceeds the seller’s purchase price by more than 20%.


I. Dodd-Frank Update

2) Appraisals for Higher-Priced Mortgage Loans (“HPMLs”) (Regulation Z)

Disclosure Requirements
1) Application Disclosure (3 days after application date)
   - “We may order an appraisal to determine the property’s value and charge you for this appraisal. We will give you a copy of any appraisal, even if your loan does not close. You can pay for an additional appraisal for your own use at your own cost.”
2) Copy of Appraisal
   - A creditor must provide to the consumer a copy of any written appraisal performed in connection with a HPML subject to the appraisal requirements.
   - Timing:
     - No later than 3 business days prior to consummation of the loan; or
     - No later than 30 days after the creditor determines that the loan will not be consummated.


I. Dodd-Frank Update

3) Escrow Requirements for HPMLs (Regulation Z)

Summary:

1) Amends the existing rule that creditors establish and maintain escrow accounts for at least one year after originating a HPML to require generally that the accounts be maintained for at least five years

2) Creates an exemption from the escrow requirements for small creditors that operate predominantly in rural or underserved areas

3) Expands upon an existing exemption from escrowing for insurance premiums for condo units to extend the partial exemption to other situations in which an individual consumer’s property is covered by a master policy

4) Revises the definition of HPML


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

High-Cost Mortgage: Consumer credit transaction that is secured by the consumer’s principal dwelling that meets any one of the following three tests:

1) APR Test: The APR will exceed the average prime offer rate (“APOR”) for a comparable transaction by more than:

- 6.5 percentage points for a first lien transaction other than one where the dwelling is personal property and the loan amount is less than $50,000;

- 8.5 percentage points for a first lien transaction if the dwelling is personal property and the loan amount is less than $50,000; or

- 8.5 percentage points for a subordinate lien transaction.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

High-Cost Mortgage: Consumer credit transaction that is secured by the consumer’s principal dwelling that meets any one of the following three tests, continued:

2) Total Points and Fees Test: The transaction’s total points and fees will exceed:

LOAN AMOUNT        TOTAL POINTS AND FEES EXCEED
$20,000 or more    5% of Total Loan Amount
< $20,000          The lesser of 8% of the Total Loan Amount or $1,000


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

High-Cost Mortgage: Consumer credit transaction that is secured by the consumer’s principal dwelling that meets any one of the following three tests, continued:

3) Prepayment Penalty:

Under the terms of the loan contract or open-end credit agreement, the creditor can charge a prepayment penalty more than 36 months after consummation or account opening, or prepayment penalties can exceed, in total, more than 2% of the amount prepaid.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Disclosure Requirements:
- Specific disclosures are required for high-cost mortgages.
- Must be furnished at least 3 business days prior to consummation.
- If there is more than one consumer, the disclosures may be made to any consumer who is primarily liable on the obligation. However, if the high-cost mortgage is rescindable, the disclosures must be provided to each consumer who has the right to rescind.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices:

1) A high-cost mortgage cannot provide for any of the following terms:
   - Balloon payment
   - Negative amortization
   - Advance payments
   - Increased default interest rate
   - Rebates
   - Prepayment penalties
   - Acceleration of debt


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

2) Home Improvement Contracts – A creditor cannot pay a contractor under a home improvement contract from proceeds of a high-cost mortgage, other than:
   - By an instrument payable to the consumer or jointly to the consumer and the contractor; or
   - At the election of the consumer, through a third-party escrow agent in accordance with terms established in a written agreement signed by the consumer, the creditor, and the contractor prior to the disbursement.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

3) Notice to Assignee – A creditor may not sell or otherwise assign a high-cost mortgage without furnishing the following statement to the purchaser or assignee:

“Notice: This is a mortgage subject to special rules under the Federal Truth-in-Lending Act. Purchasers or assignees of this mortgage could be liable for all claims and defenses with respect to the mortgage that the consumer could assert against the creditor.”


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

4) Refinancings Within One Year Period – Within one year of having extended a high-cost mortgage, a creditor cannot refinance any high-cost mortgage to the same consumer into another high-cost mortgage, unless the refinancing is in the consumer’s interest.

5) Repayment Ability for High-Cost Mortgages – A creditor cannot originate a high-cost mortgage without regard to the consumer’s repayment ability.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

6) Pre-Loan Counseling – A creditor cannot extend a high-cost mortgage to a consumer unless a creditor receives written certification that the consumer has obtained counseling on the advisability of the mortgage from a counselor that is approved to provide such counseling by the Secretary of the HUD.

7) Recommended Default – A creditor or mortgage broker cannot recommend or encourage default on an existing loan or other debt prior to and in connection with the consummation of a high-cost mortgage that refinances all or any portion of such existing loan or debt.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

8) Modification and Deferral Fees – A creditor, successor-in-interest, assignee, or any agent of such parties cannot charge a consumer any fee to modify, renew, extend or amend a high-cost mortgage, or to defer any payment due under the terms of such mortgage.

9) Late Fees – Any late payment charge imposed in connection with a high-cost mortgage must be specifically permitted by the terms of the loan contract and cannot exceed 4% of the amount of the payment past due.


I. Dodd-Frank Update

4) High-Cost Mortgages: Requirements and Prohibited Acts or Practices (Regulation Z)

Limitations and Prohibited Acts or Practices, continued:

10) Payoff Statements – A creditor cannot charge a fee for providing a payoff statement for a high-cost mortgage to a consumer.

11) Financing of Points and Fees – A creditor cannot finance charges that are required to be included in the calculation of points and fees.

12) Structuring Loan to Evade Requirements – A creditor cannot structure any transaction that is otherwise a high-cost mortgage with intent to evade the requirements of a high-cost mortgage.


I. Dodd-Frank Update

5) Homeownership Counseling Amendments (RESPA)

Overview: A lender must provide a loan applicant with a clear and conspicuous written list of homeownership counseling organizations that provide relevant counseling in the loan applicant’s location.

- List must be provided not later than three business days after a lender, mortgage broker, or dealer receives an application, or information sufficient to complete an application.


I. Dodd-Frank Update

5) Homeownership Counseling Amendments (RESPA)

Obtaining the list of Homeownership Counseling Organizations:

- The list of homeownership counseling organizations provided to the applicant must be obtained from either:
  1) The web site maintained by the Bureau for lenders to use in complying with these requirements; or
  2) Data made available by the Bureau or HUD for lenders to use in complying with these requirements, provided that the data is used in accordance with instructions provided with the data.


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

Overview: Imposes requirements and restrictions concerning:

I. Loan Originator Compensation
II. Loan Originator Qualification and Identification Requirements
III. Compliance Policies and Procedures


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

I. Loan Originator Compensation

Prohibition against Compensation Based on Terms of a Transaction:

- No loan originator can receive and no person can pay to a loan originator, directly or indirectly, compensation in an amount that is based on a term of a transaction.


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

I. Loan Originator Compensation, continued

Permissible Methods of Compensation:

- The loan originator’s overall dollar volume delivered to the customer.
- The long-term performance of the originator’s loans.
- An hourly rate of pay to compensate the originator for the actual number of hours worked.
- Whether the consumer is an existing customer of the creditor or a new customer.
- A payment that is fixed in advance for every loan the originator arranges for the creditor.
- The % of applications submitted by the loan originator to the creditor that results in consummated transactions.
- The quality of the loan originator’s loan files.


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

I. Loan Originator Compensation, continued

Prohibition Against Dual Compensation:

- If any loan originator receives compensation directly from a consumer in a covered transaction:
  - No loan originator can receive compensation, directly or indirectly, from any other person other than the consumer in connection with the transaction; and
  - No person who knows or has reason to know of the consumer-paid compensation to the loan originator (other than the consumer) can pay any compensation to a loan originator, directly or indirectly, in connection with the transaction.


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

II. Loan Originator Qualification and Identification Requirements

- Qualification: A loan originator must be registered and licensed in accordance with applicable state or federal laws, including the SAFE Act.

- Identification: Loan originator organization’s name and NMLSR ID and loan originator’s name and NMLSR ID must be included on the following loan documents:
  i. Credit Application
  ii. Note or Loan Contract
  iii. Security Agreement


I. Dodd-Frank Update

6) Loan Originator Compensation Requirements (Regulation Z)

III. Compliance Policies and Procedures

- Requires banks to establish and maintain written policies and procedures reasonably designed to ensure compliance with the loan originator compensation requirements.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z)

Overview:

- Prohibits creditors from making mortgage loans without regard to the consumer’s repayment ability.
- The creditor’s determination of a consumer’s repayment ability must be reasonable and in good faith.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

Examples of “reasonable and in good faith”:

- The consumer demonstrated actual ability to repay the loan for a significant period of time after origination.
- The bank used underwriting standards that have historically resulted in low rates of delinquency and default.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

Examples of “not reasonable and in good faith”:

- The consumer defaulted on the loan a short time after origination.

- The creditor used underwriting standards that have historically resulted in high levels of delinquency.

- The creditor applied underwriting standards inconsistently or used underwriting standards different from those used for similar loans without reasonable justification.

- The creditor disregarded evidence that the underwriting standards it used are not effective at determining consumers’ repayment ability.

- The creditor disregarded evidence that the consumer may have insufficient residual income to cover other recurring obligations and expenses, taking into account the consumer’s assets other than the property securing the loan, after paying the monthly payments for the covered transaction, any simultaneous loans, mortgage-related obligations, and any current debt obligations.

- The creditor disregarded evidence that the consumer would have the ability to repay only if the consumer subsequently refinanced the loan or sold the property securing the loan.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

3 Ways to Comply with the Ability-to-Repay Requirements:

i. Meet the General Ability-to-Repay (“ATR”) Standard
ii. Refinance a “Non-Standard Mortgage” into a “Standard Mortgage”
iii. Originate a “Qualified Mortgage” (“QM”)


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

i. Meeting the General Ability-to-Repay (“ATR”) Standard

This Standard requires a creditor to consider eight (8) specific underwriting factors, verify these factors with reasonably reliable third-party records, and underwrite the mortgage using specific payment calculations.

1. Current or reasonably expected income or assets, other than the value of the dwelling, including any real property attached to the dwelling, that secures the loan.
2. Current employment status, if the creditor relies on income from the consumer’s employment in determining repayment ability.
3. Monthly payment, using the “fully indexed rate.”

Fully indexed rate - the interest rate calculated using the index or formula that will apply after recast, as determined at the time of consummation, and the maximum margin that can apply at any time during the loan term.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

i. Meeting the General Ability-to-Repay (“ATR”) Standard, continued

4. Monthly payment on any simultaneous loans (i.e. HELOC secured by same dwelling).
5. Monthly payment for mortgage-related obligations.
6. Consumer’s current debt obligations, alimony, and child support.
7. Consumer’s monthly debt-to-income ratio, or monthly residual income.

- Ratio considers the ratio of the consumer’s “Total Monthly Debt Obligations” to “Total Monthly Income.”

8. Consumer’s credit history.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

ii. Refinancing a Non-Standard Mortgage into Standard Mortgage

A creditor is exempt from the general ability-to-repay requirements if the creditor refinances a non-standard mortgage into a standard mortgage, and other specified conditions are met.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage

A creditor of a covered transaction complies, or is presumed to comply, with the repayment ability requirements if the covered transaction is a “qualified mortgage” and the creditor complies with the requirements for origination of a qualified mortgage.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

Qualified Mortgage – A covered transaction that meets all of the following requirements:

1. Provides for regular periodic payments that do not:
   - Result in an increase of the principal balance;
   - Allow the consumer to defer repayment of principal; or
   - Result in a balloon payment.
2. The loan term does not exceed 30 years.
3. The total points and fees payable in connection with the loan do not exceed the amounts specified.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

4. The creditor underwrites the loan, taking into account the monthly payment for any mortgage-related obligations, using the “fully indexed rate” during the first five years.

5. The creditor considers and verifies, at or before consummation, the consumer’s current or reasonably expected income or assets other than the value of the dwelling (including any real property attached to the dwelling) that secures the loan.

6. The creditor considers and verifies, at or before consummation, the consumer’s current debt obligations, alimony, and child support.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

7. The ratio of the consumer’s total monthly debt to total monthly income at the time of consummation does not exceed 43%. (Not required if the creditor qualifies for the small creditor portfolio loan.)


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

QUALIFIED MORTGAGE SMALL CREDITOR PORTFOLIO LOAN – Certain creditors may originate a qualified mortgage that does not have to meet the requirement limiting the consumer’s total monthly debt-to-income ratio to 43%, if the loan is generally held in the creditor’s portfolio for at least three years.

In order to originate a qualified mortgage small creditor portfolio loan, a creditor must meet both of the following criteria:

- During the preceding calendar year, the creditor together with its affiliates originated 500 or fewer first-lien covered transactions; and
- As of the end of the preceding calendar year, the creditor had total assets that do not exceed the current asset threshold established by the Bureau. For calendar year 2013, the asset threshold was $2,000,000,000.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

Prepayment Penalties

A covered transaction cannot include a prepayment penalty unless:

- The prepayment penalty is otherwise permitted by law; and
- The transaction:
  - Has an APR that cannot increase after consummation;
  - Is a qualified mortgage; and
  - Is not a higher-priced mortgage loan.


I. Dodd-Frank Update

7) Ability to Repay Determination Requirements (Regulation Z), continued

iii. Originating a Qualified Mortgage, continued

Prepayment Penalties, continued

- If allowed, a prepayment penalty must be limited as follows:

- The penalty must not apply after the three-year period following consummation; and

- The penalty must not exceed the following percentages of the amount of the outstanding loan balance prepaid:


If prepayment penalty is incurred during ... then penalty cannot exceed this % of outstanding loan balance prepaid:

- First two years following consummation: 2%
- Third year following consummation: 1%


I. Dodd-Frank Update

8) Mortgage Servicing Rules (Regulation Z)

Small Servicer Exemption

Servicers that qualify as small servicers are exempt from certain parts of the Mortgage Servicing Rules.

Criteria for Small Servicer Exemption:

- Servicer, together with any affiliates, must service 5,000 or fewer mortgage loans.
- Servicer, or an affiliate, must be either the creditor or assignee for all of the mortgage loans it services. This means that the servicer must either currently own or have originated all of the mortgage loans it services.


I. Dodd-Frank Update

8) Mortgage Servicing Rules (Regulation Z), continued

I. ARM Initial Rate Adjustment Notice and Payment Change Notices (Required for Small Servicers)

- Initial Rate Adjustment Notice:

- Must be delivered or placed in the mail at least 210, but no more than 240, days before the first payment at the adjusted level is due.

- Payment Change Notice:

- Must be delivered or placed in the mail at least 60, but no more than 120, days before the first payment at the adjusted level is due.


I. Dodd-Frank Update

8) Mortgage Servicing Rules (Regulation Z), continued

II. Servicing Practices Related to Mortgage Loans Secured by Dwelling (Required for Small Servicers)

- Prompt Crediting of Periodic Payments
  - A periodic payment to the consumer’s loan account must be credited as of the date of receipt, unless a delay does not result in any charge to the consumer or in the reporting of negative information to a consumer reporting agency.

- Payoff Statements (Open or Closed-End Credit Secured by Dwelling)
  - A creditor, assignee, or servicer must provide an accurate statement of the total outstanding balance that would be required to pay the consumer’s obligation in full as of a specified date.
  - The statement must be sent within a reasonable time, but in no case more than seven business days, after receiving a written request from the consumer or any person acting on the consumer’s behalf.


I. Dodd-Frank Update

8) Mortgage Servicing Rules (Regulation Z), continued

V. Sections Not Applicable to “Small Servicers”

- Periodic Statements for Residential Mortgage Loans


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

I. Mortgage Servicing Transfers (Required for Small Servicers)

- Servicing Disclosure Statement:
  - Disclosure must be provided within three calendar days after the consumer applies for a first-lien mortgage loan.
  - If the application is denied within the three-day period, disclosure is not required.

- Notice of Transfer of Loan Servicing:
  - The transferor servicer must provide the notice of transfer not less than 15 days before the effective date of the transfer.
  - The transferee servicer must provide the notice of transfer not more than 15 days after the effective date of the transfer.


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

II. Error Resolution Procedures (Required for Small Servicers)

- Notice of Error:
  - A servicer must comply with the requirements of this section when a borrower or an agent of the borrower submits any written notice that asserts an error and includes the name of the borrower, information that enables the servicer to identify the borrower’s mortgage loan account, and the error the borrower believes has occurred (a “qualified written request”).

- Acknowledgement of Receipt of Notice of Error:
  - The servicer must provide the borrower a written response acknowledging receipt of the notice of error within five days (excluding legal public holidays, Saturdays and Sundays) of receiving a notice of error from a borrower.


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

II. Error Resolution Procedures, continued (Required for Small Servicers)

- Reporting of Adverse Information Prohibited:
  - A servicer cannot provide to any consumer reporting agency adverse information regarding any payment that is the subject of an asserted error for 60 days after receipt of a notice of error.

- Response to Notice of Error:
  - A servicer must respond to a notice of error by either:
    - Correcting the error or errors identified by the borrower and providing the borrower with a written notification of the correction; or
    - Conducting a “reasonable investigation” and providing the borrower with a written notification.


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

III. Requests for Information (Required for Small Servicers)

- A servicer must comply with the requirements of this section when a borrower submits any written request for information that includes the name of the borrower, information that enables the servicer to identify the borrower’s mortgage loan account, and states the information the borrower is requesting with respect to the borrower’s mortgage loan.

- The servicer must provide to the borrower a written response acknowledging receipt of the information request within five days (excluding public holidays, Saturdays and Sundays) of receiving a request for information.


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

IV. Force-Placed Insurance (Required for Small Servicers)

- A servicer is prohibited from charging a borrower a premium charge or fee for force-placed insurance coverage unless the servicer has a reasonable basis to believe the borrower has failed to maintain hazard insurance and has delivered or placed in the mail to the consumer the required initial, reminder, and renewal notices.


I. Dodd-Frank Update

9) Mortgage Servicing Rules (RESPA)

V. Sections Not Applicable to “Small Servicers”

- The prohibition on purchasing force-placed insurance where a servicer could continue the consumer’s existing hazard insurance coverage by advancing funds to escrow under certain circumstances

- The general servicing policies, procedures, and requirements provisions

- The early intervention provisions

- The continuity of contact provisions

- Some of the loss mitigation provisions


Unfair, Deceptive or Abusive Acts or Practices (“UDAAP”)

- In 2010 the Dodd-Frank Act created specific provisions for banks, prohibiting UDAAP.
- Rule-making authority was granted to the Consumer Financial Protection Bureau (“CFPB” or “Bureau”).
- Defined under the Dodd-Frank Act as unlawful for any provider of consumer financial products or services or a service provider to engage in any unfair, deceptive or abusive act or practice.
- UDAAP is considered to be a supplement to other regulations; it is a general “catch-all”.


Definitions

1. Unfair Acts or Practices
   1. It causes or is likely to cause substantial injury to consumers;
   2. The injury is not reasonably avoidable by consumers; and
   3. The injury is not outweighed by benefits to consumers or to competition


Definitions

2. Deceptive Acts or Practices
   1. The act or practice misleads or is likely to mislead the consumer;
   2. The consumer’s interpretation is reasonable under the circumstances; and
   3. The misleading act or practice is material – FTC’s “four P’s”
      1. Is the statement prominent enough for consumer to notice?
      2. Is information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere?
      3. Is the placement of the information in a location where consumers can be expected to look or hear?
      4. Is the information in close proximity to the claim it qualifies?


Definitions

3. Abusive Acts or Practices
   1. Materially interferes with the ability of a consumer to understand a term or condition of a financial product or service; or
   2. Takes unreasonable advantage of a consumer’s:
      1. lack of understanding of the material risks, costs, or conditions of the product or service;
      2. inability to protect his or her interests in selecting or using a consumer financial product or service; or
      3. reliance on a covered person to act in his or her interests


Examples of UDAAP Related to Collection of Consumer Debt

- Failing to post payments timely or properly to credit a consumer’s account with payments that the consumer submitted on time and then charging late fees to that consumer

- Revealing the consumer’s debt, without the consumer’s consent, to the consumer’s employer and/or co-workers

- Threatening any action for non-payment that either cannot be taken or is not intended to be taken

- Representing yourself as an attorney, consumer reporting agency or government official


Costs of Non-Compliance

• Enforcement Actions
• Monetary Penalties (civil money & restitution)
• Litigation
• Harm to Reputation
• Eventually Additional Regulation

Keep in mind, even if you are in technical compliance, you may still have a UDAAP violation


Consumer Complaints

How Can You Identify a UDAAP Issue from Consumer Complaints?
• Have a structured process for compiling customer complaints
• Assign someone with compliance knowledge to review all complaints on a routine basis
• Have an escalation plan
• Track complaints regarding vendors

The goal is to look for and identify any emerging trends indicating the consumer feels misled and address the problem immediately


Recent UDAAP Violations

Higher One, Inc. & Bancorp Bank – August 2012 – FDIC Settlement
• The Companies were fined in total $282 thousand and had to pay restitution of $11 million to approximately 60,000 students
• The Bank had student accounts that were being charged excessive overdraft fees
• The Consent Order requires:
- Higher One to change the manner it imposes NSF fees. Accounts are now limited to no NSF fees after 60 days of insufficient funds, no more than 3 charges per day, and only 1 fee per transaction over 21 days.
- Bancorp Bank to increase board oversight, improve compliance management, enhance audit programs, increase management of third party risk.


Recent UDAAP Violations

Two Subsidiaries of RBS Group – April 2013 – FDIC & OCC Settlement
• The Companies were fined in total $10 million in civil fines and had to pay restitution of $3.9 million
• Allegations of inaccurate or misleading disclosures involving the Banks’ overdraft protection programs, checking rewards programs, and recurring electronic fund transfers
• Violations were discovered during regulatory examinations


Recent UDAAP Violations

CashCall Sued by CFPB for Illegal Online Loan Servicing – December 2013
• CashCall is an online loan servicer based in California
• Bureau’s investigation showed that high-cost loans violated either licensing requirements or interest-rate caps, or both
• Loans ranged from $850 to $10,000 and typically had upfront fees, lengthy repayment terms, and annual interest rates from nearly 90% to 343%
• The Bureau wants CashCall to refund consumers the money they took when the loans were void or the obligation was otherwise nullified
• Additional damages and civil penalties are also being sought


Chris Purvis
Email: [email protected]
Phone: 704.808.5216

Sara Kollien
Email: [email protected]
Phone: 704.808.5294

Website: www.elliottdavis.com

Elliott Davis, LLC/PLLC is one of the largest accounting, tax and consulting services firms in the Southeast and ranks among the top 50 CPA firms in the U.S. With offices in SC, NC, GA and VA, the firm provides clients across a wide range of industries with smart, customized solutions and its people with rewarding opportunities. Founded in 1925, Elliott Davis is a member of The Leading Edge Alliance, an international professional association of independently owned accounting firms based in the U.S. and is strategically aligned with LEA Europe and LEA Asia Pacific, a worldwide network of more than 450 offices in 100 countries around the globe. For more information about Elliott Davis and its services, visit http://www.elliottdavis.com.


COSO 2013: Implementation Strategies for this New Framework


Jay Brietz, CPA and CIA Senior Manager


Agenda

• COSO Overview
• Updated Internal Control-Integrated Framework
• New Areas of Focus
• Transition Plan


COSO Overview

What is COSO?
• Committee of Sponsoring Organizations of the Treadway Commission (formed in 1985)
- Sponsoring Organizations include – AICPA, IIA, AAA, FEI and IMA
• Responsible for the development of thought leadership and guidance for:
- Internal Controls
- Enterprise Risk Management
- Fraud Deterrence


Updated Internal Control-Integrated Framework

Why the change/update?
• 20-year old framework
• Business and operating environments have changed
- More technology driven
- More complex
- More global

• Stakeholders are more engaged and want greater transparency and accountability


Updated Internal Control-Integrated Framework

Why the change/update?
• To better support efforts to design and adapt systems of internal control
- Agility – adapt to increasing complexity and pace of change
- Confidence – mitigate risks to achieve important objectives
- Clarity – provide reliable information to support sound decisions


Updated Internal Control-Integrated Framework

What has changed: The updated framework builds upon the original version.

What has not changed…
1. Definition of internal control
2. Five components of internal controls
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control

What has changed…
1. Update to reflect current conditions in business and operating environments
2. Codify principles that support the five components of internal control
3. Expand financial reporting and non-financial reporting
4. Increase focus on operations, compliance and reporting objectives

Source: COSO’s May Update of the Internal Control-Integrated Framework

Updated Internal Control-Integrated Framework

What has changed?

[Figure: Original COSO Cube and Revised COSO Cube]


Updated Internal Control-Integrated Framework

Summary of updates:

Source: COSO’s May Update of the Internal Control-Integrated Framework

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


Updated Internal Control-Integrated Framework

• Updated framework supersedes the 1992 Internal Control-Integrated Framework and 2006 Guidance on Internal Control Over Financial Reporting-Guidance for Smaller Reporting Companies

• Transition will occur between now and December 15, 2014


New Areas of Focus

• Fraud Risk Assessments
• Outsourced Service Providers (OSPs)
• Information Technology
• Comprehensive Risk Assessments


New Areas of Focus

Fraud Risk Assessments
• Financial institutions continue to be the most frequent victims of fraudulent activities
• Common fraud schemes and stats for banks
• Sample approach:
- Identify fraud risk factors
- Identify fraud risks and schemes
- Assess and prioritize fraud risks and schemes
- Determine controls that mitigate fraud risks and assess anti-fraud controls


New Areas of Focus

Outsourced Service Providers (OSPs)
• Processes outsourced…not the risk
• Greater emphasis on how OSPs are monitored
• Vendor management focus by the regulators…not just COSO!
• Common pitfalls:
- Management fails to evaluate exceptions noted in SOC reports
- Lack of SOC reports obtained and no additional work performed when a SOC report is not available
- Risk assessments (including fraud risk assessments) that do not consider risks associated with OSPs


New Areas of Focus

Information Technology
• Specific points of focus related to IT (see Principle 11)
• Focus on process for ensuring the quality of information
• Common pitfalls:
- Lack of understanding regarding the source of data and/or validation of data included in reports
- Design gaps in controls addressing the accuracy, completeness and integrity of data included in reports (e.g., spreadsheets)


New Areas of Focus

Comprehensive Risk Assessments
• Risk analysis is a dynamic process that is updated as new processes are introduced or new risks identified
• Historically, there have been separate risk assessments conducted by various functions within the bank
• COSO-2013 suggests that your risk assessment consider (“include”) the 17 principles


Transition Plan

Transition Approach (5-Step Plan):
1. Develop awareness, expertise, and alignment
2. Conduct preliminary impact assessment
3. Perform detail review of the new areas of focus
4. Develop and execute COSO transition plan for SOX compliance, including:
- Remediation plans
- Updated documentation and test plans
5. Communicate updates to external auditors


Transition Plan

Transition Timeline (2014):
1. Develop awareness, expertise, and alignment (Ongoing)
2. Conduct preliminary impact assessment (Complete by 6/30)
3. Perform detail review of the new areas of focus (Complete by 6/30)
4. Develop and execute COSO transition plan for SOX compliance (Complete by 9/30), including:
- Remediation plans
- Updated documentation and test plans
5. Communicate updates to external auditors (Ongoing)


Jay Brietz, CPA and CIA
Email: [email protected]
Phone: 704.808.5247
Website: www.elliottdavis.com


Cybersecurity and Risks Associated with IT


Jay Brietz, CPA and CIA

Richard Cook, CISA, CISM and CRISC


Agenda

• I’m not an IT Specialist – Where Do I Start?
- IT 101: An Introduction to Some Basic IT Concepts and Suggestions Regarding How to Increase Your IT Comfort Level
• Icebergs Ahead!
• Overview of Cyber Terrorism
• Common Data Breaches/Threats
• Strategies to Mitigate Cyber Terrorism Risks


I’m not an IT Specialist – Where Do I Start?


IT 101

• IT 101: An Introduction to Some Basic IT Concepts and Suggestions Regarding How to Increase Your IT Comfort Level


IT 101

Key Concepts for this IT introduction:
• To assist non-technical (non-IT) management to gain a better understanding of IT and Security related processes
• How to increase your comfort level when interacting with the IT security Group
• Increase your knowledge set of specific IT security topics
• Leave the session with several good references to increase your knowledge and follow new trends in IT/Security that can be understood by non-technical (non-IT) management


How can I increase my comfort level when interacting with the IT security Group?

• Ask questions to gain knowledge, thus increasing your comfort level. (Ex. new, Reader’s Digest)

• Try to not be afraid of IT, many people have limited knowledge in this area. As we move forward into the future, IT will become a larger part of our lives and our jobs.

• Individuals that have both IT and functional knowledge are highly prized by their employers. (Ex. Dual resource, junior staff, part of management team)

• Teams that incorporate an integrated approach (business and IT groups working together) have a much higher chance for success when using IT/Security related processes.

• Your IT team will appreciate your efforts to learn their language as well as understand their challenges. (Ex. junior staff, pre-set questions)

• Generally most IT members are more than glad to share their knowledge.

How can I increase my comfort level when interacting with the IT security Group?

• Join committees with an IT component
- IT Steering Committee
  • General focus is on application system changes
- IT Strategic Planning Committee
  • Ensure the enterprise and IT are aligned
- Incident response team
- Participate in risk assessment projects (provided the project has an IT component)
- Participate in system selection team
- Be a part of the Disaster Recovery Planning (DRP) Team – or Business Continuity Planning (BCP) Team
- Show up prepared and be ready to ask questions

How can I increase my comfort level when interacting with the IT security Group?

• Be curious
- When you hear an IT term that you are not familiar with, write it down and look it up later.
- Read IT or security related articles from professional publications.
- Periodically listen to webinars related to IT/Security.
- Practice your craft to increase your skill set and develop your baseline knowledge.
- When you go to training – sign up for classes out of your comfort zone.

What is an Internal Network Vulnerability Assessment?

• The assessment is performed by using an automated tool (app) that “scans a range of IP addresses” and produces an automated report which will show risk-rated vulnerabilities that were identified and potential fixes.

• Each device has an IP address and each type of device has known vulnerabilities that are easily accessible on the internet.

- To prevent – all systems must be appropriately patched as vulnerabilities are identified (patch management applies to network, operating system, application and database layers). Patches are provided by the vendors.


Mobile Device Security

• iPads and tablets are difficult to secure.

• Remote access to systems should be appropriately restricted and remote access should be via a secure path, such as VPN (virtual private network).

• Mobile (smart) phones should be required to have passwords and remote wipe capabilities if the mobile device can access email or other systems.

- This still applies even if the device is not owned by the enterprise. BYOD – bring your own device.

• All laptops should have encrypted hard drives and remote wipe capabilities.

- There is freeware available to perform this task.


Basic Security (layers of an onion)

• Most secure should be the center of the onion (database).


User Security

• If the system allows – use group or role based security – as opposed to menu based security.

• Apply the concept of “least privilege” for system access rights.

• Business users should not be performing the user provisioning function for systems. This process should be performed by the IT/IS group.

• Privileged user access rights should be limited.

• Third party access should be temporary, logged and monitored.

• System access rights for users should be explicitly requested. We should not use the “copy same as X” system access request process.


Password Security

• Heartbleed – did you change passwords? Often times we use the same passwords in our personal lives that we use at work.

• Be cautious – social media is a mecca for hackers.
- Information available via just Facebook: name, birthday, family member names and home towns, pet names, addresses, anniversary dates. Is any of this public information part of your passwords?
  • Example of email chain with family member names, birthdays, etc.


So many passwords – how can I remember them all?

A few tips for creating and remembering passwords
• Use a password creation methodology
- Ihbbxxx! ERP (2 letter phrase, 2 letter common theme – this is the part that changes, random number, special character)
- Ihfbxxx! Payroll
- Ihswxxx! SharePoint
• Storing passwords (save in benign document – maybe titled recipes – or in a spreadsheet with other data).
- xxbb# ERP
- xxfb# Payroll
- xxsw# SharePoint


Vendor Management

SOC Report Reviews
• User Control Considerations must be validated to ensure the bank has appropriate controls in place.
• If the SOC1 or SOC2 has carveouts, the content and impact of the carveout should be reviewed to determine if additional procedures need to be performed (could be obtaining an additional SOC report or determining how your third party provider gained comfort over the carveout content).
• Did you know? Often times your third party provider sets up your accounts with minimal password security configurations.


Sample of Observations

• User reviews – using a tracking spreadsheet. All user access reviews should start with a system generated list.

• Most common observations related to user security are because temporary workers and contractors are not paid through the regular payroll process. Often times the provisioning of temps and contractors follow an inconsistent process. Generally contractors have privileged access rights.

• User IDs for online banking – was SSN for 80% of users. You should require that user IDs be alphanumeric.
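
The observations above (start from a system-generated list, contractors provisioned outside payroll, SSNs used as user IDs) translate into a small reconciliation script. This is an added example, not part of the presentation; the export columns, roster contents and finding labels are assumptions, and all sample data is constructed.

```python
"""User access review: reconcile a system-generated account list against rosters."""
import csv
import io
import re
from datetime import date

# Constructed sample of a system-generated account export (column names are
# assumptions). The numeric IDs use area number 000, which is never issued
# as a real SSN.
SYSTEM_EXPORT = """\
user_id,owner_id,privileged,enabled
jsmith01,E1001,no,yes
000123456,E1002,no,yes
kpatel7,C2001,yes,yes
tmp-audit,C2002,no,yes
oldadmin,E0900,yes,yes
000-12-3456,E1003,no,no
"""

# Constructed rosters. Contractors and temps are kept in their own roster with
# an engagement end date because they do not appear in the payroll list.
PAYROLL_IDS = {"E1001", "E1002", "E1003"}
CONTRACTOR_END_DATES = {"C2001": date(2014, 12, 31), "C2002": date(2014, 3, 31)}

# Nine digits, with or without the usual dashes.
SSN_SHAPE = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def looks_like_ssn(user_id):
    """True when a user ID has the shape of a Social Security number."""
    return SSN_SHAPE.fullmatch(user_id.strip()) is not None


def load_accounts(export_text):
    """Parse the system export into dicts with boolean flags."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "user_id": row["user_id"].strip(),
            "owner_id": row["owner_id"].strip(),
            "privileged": row["privileged"].strip().lower() == "yes",
            "enabled": row["enabled"].strip().lower() == "yes",
        })
    return accounts


def review_access(export_text, payroll_ids, contractor_end_dates, today):
    """Return (user_id, finding) pairs for a reviewer to follow up on."""
    findings = []
    for acct in load_accounts(export_text):
        uid, owner = acct["user_id"], acct["owner_id"]
        # An SSN-shaped ID is a finding even on a disabled account: the
        # identifier itself is sensitive data sitting in the user table.
        if looks_like_ssn(uid):
            findings.append((uid, "SSN_LIKE_ID"))
        if not acct["enabled"]:
            continue
        if owner in contractor_end_dates:
            if acct["privileged"]:
                findings.append((uid, "CONTRACTOR_PRIVILEGED"))
            if contractor_end_dates[owner] < today:
                findings.append((uid, "CONTRACTOR_EXPIRED"))
        elif owner not in payroll_ids:
            # Enabled account whose owner is on neither roster.
            findings.append((uid, "NO_ROSTER_MATCH"))
    return findings


def ssn_like_id_count(export_text):
    """Return (SSN-shaped IDs, total accounts) for reporting the share."""
    accounts = load_accounts(export_text)
    return sum(looks_like_ssn(a["user_id"]) for a in accounts), len(accounts)


if __name__ == "__main__":
    review_date = date(2014, 5, 6)
    for uid, finding in review_access(SYSTEM_EXPORT, PAYROLL_IDS,
                                      CONTRACTOR_END_DATES, review_date):
        print(f"{finding:22} {uid}")
    hits, total = ssn_like_id_count(SYSTEM_EXPORT)
    print(f"SSN-shaped user IDs: {hits} of {total}")
```

Driving the review from the export rather than a hand-maintained tracking spreadsheet is what lets the `NO_ROSTER_MATCH` and `CONTRACTOR_EXPIRED` accounts surface at all.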


Sample of Observations

• User had same passwords for 25 years. She was distraught when she realized they would be expiring.

• Controller had the company’s most sensitive passwords on a note pad in top desk drawer (no lock on drawer, no lock on door).

• COO resisted adding an inactivity timeout to the domain because he thought his employees would lose all the work that they were working on. Then he insisted the setting be set to 120 minutes. In the end he relented and we set it at 30 minutes. Rumor had it that he did not know any of his passwords and his EA had to log in for him.


Sample of Observations

• Hall of Fame!
- Client’s three-person IT staff assigned passwords that could not be changed by the users. The IT staff maintained a running list of passwords and user IDs for all users of ALL systems, including financial users. Under this scenario, the company was unable to validate that any single financial transaction was appropriate as there was no individual accountability.
- A C-level executive lost a laptop that had all his passwords on a sticky note pasted to the key pad. When a new laptop was issued – he added a new sticky note with his new passwords!


Icebergs Ahead!

• So many risks…so little time
- Credit risk
- Market risk
- Interest rate risk
- Liquidity risk
- Regulatory risk
- Legal risk
- Fraud risk
- And so on…


Icebergs Ahead!

• Cyber criminals are targeting all banks
• So…don’t forget about cyber risks
- Financial risk
- Reputational risk
- Regulatory risk
- Legal risk


Overview of Cyber Terrorism

• Cyber Terrorism defined…. Criminal acts using computers and networks as tools or targets


Overview of Cyber Terrorism

• Quotes from Verizon’s Data Breach Investigations Report:

- “Some organizations will be a target regardless of what they do, but most become a target because of what they do.”

- “87% of all breaches were avoidable through simple or intermediate controls.”

- 37% of all breaches affected financial institutions.

- 66% of all breaches took months to discover.

- 69% of all breaches were discovered by third parties.


Overview of Cyber Terrorism

• Regulators will be looking at how banks are addressing cyber risks:

- In a June, 2013 webinar on The Evolving Cyber Landscape: Awareness, Preparedness and Strategy for Community Banks, the Office of the Comptroller of the Currency (OCC) warned that the number of cyber attacks continues to grow and that smaller banks are being targeted.

- SEC’s cyber security disclosure guidelines.


Overview of Cyber Terrorism

• More from the OCC…
- “The cyber threats continue to increase in both sophistication and volume and require a heightened awareness and appropriate resources to be able to identify and mitigate the associated risks,” said Carolyn DuChene, the OCC’s deputy comptroller of operational risk, in a conference call with reporters. “We continue to implement a broader strategy that involves increased outreach to all of the banks we supervise in an effort to increase their ongoing awareness and preparedness strategies.”


Overview of Cyber Terrorism

Cyber terrorism video 1


Common Data Breaches/Threats

The chart below shows the percentage of tactics utilized across all data breaches:

Source: Verizon Data Breach Investigations Report (2013)

Common Data Breaches/Threats

Hacked in breaches
- Leading culprits are:
  • Use of stolen credentials
  • Brute force
  • Backdoor or C2
- Brute force is particularly an issue for small organizations and for financially motivated groups


Common Data Breaches/Threats

Malware threats
- Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent (as defined by ISACA)
- The biggest malware culprits:
  • Spyware/Keylogger – 75% of cases
  • Backdoor – 66%
  • Export Data – 62%
  • Captured Stored Data – 55%


Common Data Breaches/Threats

Use of physical attacks
- Physical threats encompass deliberate actions that involve proximity, possession, or force.
- Skimmers installed inside ATMs, POS devices, and gas pump terminals comprise almost all incidents in the physical category.


Common Data Breaches/Threats

• Speaking of “Skimming”
  - Been around for a while, but the skimmers keep getting more sophisticated.
  - Beginning to leverage 3D printing technology to improve efficiency and adapt to changes in card reader design.

Pictures: from Krebs on Security

Common Data Breaches/Threats

• Nordstrom Case
  - Found 6 skimmers attached to their point-of-sale computers back in the fall of 2013.
  - Team of 3 individuals used devices similar to this to collect/store/transmit credit card data.

Picture: from Google Shopping

Common Data Breaches/Threats

Social Engineering
- Gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
- Phishing is the most common threat.
  • Usually accomplished through email or phone call schemes.


Common Data Breaches/Threats

Social Engineering
• Washington Post announced in August 2013 that its website was hit by a phishing attack.
  - Accomplished through an Outlook Web phishing app.
  - Resulted in readers being redirected to a site hosted by The Syrian Electronic Army.
  - Key aspects of this hack included the use of a third-party application and Twitter.


Common Data Breaches/Threats

Misuse actions
- Top three misuse cases are:
  • Embezzlement
  • Use of unapproved hardware
  • Privilege abuse


Strategies to Mitigate Cyber Terrorism Risks

There are so many risks…where to start?


Overview of Cyber Terrorism

Cyber terrorism video 2


Strategies to Mitigate Cyber Terrorism Risks

Core Processor

The Bank

Customers

The Bad Guys

Strategies to Mitigate Cyber Terrorism Risks

• The three-legged approach to protection
  - Secure the bank
  - Secure the core processor
  - Secure the customer

• Each leg has to work together in order to be successful

• Each leg considers controls around people, process and technology


Strategies to Mitigate Cyber Terrorism Risks

Securing the Bank
• Implementing IT security controls
  - Examples: firewalls, patches, physical protections, etc.
• Training, training, training
  - Examples: IT security issues, social engineering, social networking, passwords, etc.
• Monitoring
  - Examples: review of security logs, current developments in IT security, etc.


Strategies to Mitigate Cyber Terrorism Risks

Securing the Core Processor
• Implementing IT security controls
• Review the SOC reports
  - User control considerations
  - Exceptions and suitability of controls
• Communication
  - Frequent conversations with core processor regarding IT security measures they are implementing


Strategies to Mitigate Cyber Terrorism Risks

Securing the Customer
• Implementing IT security controls
  - Examples: ensuring secured communications, updated patches, password security, etc.
  - Wire transfer call back procedures
• Customer training
  - Examples: IT security issues, social engineering, passwords, etc.


Strategies to Mitigate Cyber Terrorism Risks

Other strategies to consider
• Create a response team to handle issues, often called a Computer Emergency Response Team (CERT)
  - Much like a Business Continuity/Disaster Recovery Plan
• Network with local cyber experts to understand emerging threats


Summary

• While banks face many different risks, cyber terrorism is quickly becoming a challenge

• The way that banks address the risks of cyber crimes is becoming a focus of the regulators

• While it is important to put IT security controls in place, training and periodic reminders about the threats of cyber terrorism are also very important


Summary

Did you know?
• The biggest violators of IT Security are the senior members of the IT/IS team – this is the team that is directly responsible for securing the enterprise.

Final thoughts:
- How do you know that your enterprise is secure?
- Has an independent assessment been performed to validate the IT controls? Is an appropriate audit trail in place?
- Auditors and examiners will generally conclude that if no audit trail exists the control is not operating effectively.


Questions


Resources

• http://ithandbook.ffiec.gov/
  - FFIEC handbook – really nice framework
• http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/faqs_service_orgs.pdf
  - SOC1 and SOC2 information – from American Institute of CPAs
• http://whatis.techtarget.com/
  - Reference for IT terms/glossary – in most cases Google will do
• https://www.isaca.org/Pages/default.aspx
  - ISACA (Information Systems Audit and Control Association) – webinars and CPE
• https://na.theiia.org/Pages/IIAHome.aspx
  - Institute of Internal Auditors
• http://www.journalofaccountancy.com/
  - Journal of Accountancy


We may need some help!

Some IT and Security related services provided by Elliott Davis
• Internal and External Audit Support (ITGCs)
• Co-Sourcing
• Compliance Reviews (FFIEC, SOX, PCI)
• SOC1 and SOC2 reviews – Service Organization Control
• HIPAA Reviews
• Cyber Security (Internal Network Vulnerability Assessments, External Penetration Testing, Social Engineering Reviews – physical and remote) Reviews
• SOX/Process Optimization
• Pre and Post System Implementation Reviews
• System Selection


Jay Brietz, CPA and CIA
Email: [email protected]
Phone: 704.808.5247

Richard Cook, CISA, CISM and CRISC
Email: [email protected]
Phone: 704.808.5243

Website: www.elliottdavis.com

Elliott Davis, LLC/PLLC is one of the largest accounting, tax and consulting services firms in the Southeast and ranks among the top 50 CPA firms in the U.S. With offices in SC, NC, GA and VA, the firm provides clients across a wide range of industries with smart, customized solutions and its people with rewarding opportunities. Founded in 1925, Elliott Davis is a member of The Leading Edge Alliance, an international professional association of independently owned accounting firms based in the U.S. and is strategically aligned with LEA Europe and LEA Asia Pacific, a worldwide network of more than 450 offices in 100 countries around the globe. For more information about Elliott Davis and its services, visit http://www.elliottdavis.com.


Interest Rate Risk and Liquidity Risk Management


Mark F. Rufail Senior Manager


This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.


Overview

• Interest Rate Risk
  - What is IRR?
  - Current Regulatory Focus
  - Internal Control System
  - Independent Review and Validation
• Liquidity Risk Management
  - Internal Control System
  - Independent Review and Validation


What is IRR?

• Banks are in the business of managing IRR
  - Repricing Risk: timing differences between coupon changes or cash flows of assets and liabilities
  - Yield Curve Risk: non-parallel changes in yield curve
  - Option Risk: cash flows change with embedded options (prepayment/extension, call options, runoff)
  - Basis Risk: different indices with same maturity move at different pace


Current Regulatory Focus

• Margin pressure is hindering meaningful earnings recovery

• Increases in long-term asset exposure to support yield coupled with surge in non-maturity deposits

• Fear of substantial deposit runoff (surge deposits and parked funds)

• Examiner focus on assumptions, sensitivity analysis, internal controls/validation


Margin Pressure


Source: FDIC “Interest Rate Risk Overview & Recent Industry Trends” Call Reports & TFRs. Based on median figures of all institutions under $1B in assets


Long-Term Exposure


Share of Banks with Long-term Assets Representing 30% or More of Earning Assets

Source: FDIC “Interest Rate Risk Overview & Recent Industry Trends” Call Reports. Based on consistent sample of active Call Filers as of 4Q12 with assets < $1B. Excludes any former TFR filers


Internal Control System

• Board established system of internal controls
  - Corporate governance
  - Compliance with policies and procedures
  - Comprehensive measurement system


Effective Control Structure

• Roles, responsibilities, and authority
• Adequate segregation of duties
• Inputs and measurements are accurate and complete
• Policy compliance
• Independent review and validation
• Management response and follow-up
• Size, nature, and complexity of institution should be incorporated in evaluating all aspects


Adequacy and Compliance of Control System

• Review/Test
  - Lines of authority
  - Segregation of duties
  - Corrective actions
  - Compliance with risk limits

• Ensure staff compliance with procedures


Data Inputs

• Data Integrity
  - Is data accurate, complete, and useful?
  - Source of data
• Data Input Controls
  - Automatic vs. Manual input
  - Reconciliation and review process
• Test Data Inputs
  - Balance sheet
  - Budgets/forecasts
  - Assumptions


Assumptions

• Reasonableness
  - Can compare to historical and current data
• Documentation
  - Understandable format and includes all assumptions
• Sensitivity analysis
  - Which factors are most important? (Stress Testing)
• Sufficiency of modeled scenarios
  - Reasonable range of rate changes and models

• Board approval and understanding


Validation

• Internal Models
  - Significant amount of time required for validation process.
  - Includes validation of model mechanics and mathematics.
• External Models
  - Vendors normally provide validation results. Management should review and assess at least annually.


Backtesting

• Compare Modeled vs. Actual Results
  - Static vs. Dynamic modeling for NII sensitivity
• Were assumptions accurate?
  - If not, has management identified changes for future modeling?
• Identify causes of differences


Reporting

• Perform annually and report to Board/Audit Committee
  - Testing details
  - Findings summary
  - Key assumptions
  - Management’s responses


IRR Guidance

• FIL-52-96
  - Joint Agency Policy Statement on Interest Rate Risk
  - http://www.fdic.gov/news/news/financial/1996/fil9652.html
• FIL-2-2010
  - Financial Institution Management of Interest Rate Risk
  - http://www.fdic.gov/news/news/financial/2010/fil10002.html
• FIL-2-2012
  - Interest Rate Risk Management: Frequently Asked Questions
  - http://www.fdic.gov/news/news/financial/2012/fil12002.html
• FIL-46-2013
  - Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment
  - https://www.fdic.gov/news/news/financial/2013/fil13046.html


Liquidity Risk Management

• What is Liquidity Risk?
  - The risk that an institution's financial condition or overall safety and soundness is adversely affected by an inability (or perceived inability) to meet its obligations.


Types of Liquidity Risk

• Funding mismatches
• Market constraints on the ability to convert assets into cash or in accessing sources of funds
• Contingent liquidity events
• Changes in economic conditions
• Exposure to credit, market, operation, legal, and reputation risks


Internal Control System

• Policies and Procedures
• Risk Identification
• Risk Management
• Reporting
• Compliance with applicable rules and regulations
• Independent Review and Evaluation


Independent Review and Evaluation

• Assess compliance with supervisory guidance and industry practices
  - Corporate governance
  - Policies, procedures, and risk tolerances
  - Monitoring and reporting
  - Diversification of funding and sources
  - Contingency funding plan


Testing

• Compliance with supervisory guidance
  - Interagency Policy Statement on Funding and Liquidity Risk Management
    • http://www.fdic.gov/regulations/laws/rules/5000-5230.html
  - FIL-84-2008 – Liquidity Risk Management
    • http://www.fdic.gov/news/news/financial/2008/fil08084.html


Q & A


Questions?


Mark F. Rufail
Email: [email protected]
Phone: 803.255.1484
Website: www.elliottdavis.com


2014 Internal Audit and Compliance Insights


Practical Tips for Vendor Management

Karen Louis Atlanta GA


May 6 and 8, 2014


REGULATORY GUIDANCE
• Office of the Comptroller of the Currency
  – Oct 2013: Third-Party Relationships, Risk Management Guidance
• Federal Reserve
  – Dec 2013: Guidance on Managing Outsourcing Risk
• Consumer Financial Protection Bureau
  – Apr 2012: Service Providers
• Federal Deposit Insurance Corporation
  – Jun 2008: Guidance for Managing Third-Party Risk


WHO IS A THIRD PARTY?

• All entities that have entered into a business relationship with a financial institution ~ FDIC

• Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records…. Third-party relationships generally do not include customer relationships. ~ OCC

• Service providers is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities. Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign. ~ FRB

• Service provider is generally defined in section 1002(26) of the Dodd-Frank Act as ‘any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.’ (cite omitted) A service provider may or may not be affiliated with the person to which it provides services. ~ CFPB


FDIC’s STATEMENT:

An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.


4 CORE ELEMENTS
• Planning / Risk Assessment
• Due Diligence
• Contracting
• Performance Monitoring


#1: PLAN FOR IDENTIFIED RISKS

• Consistent with Strategic Plan

• Identifying Objectives RFP

• Controls to Match the Risk



#1: PLAN FOR IDENTIFIED RISKS

• critical activities – OCC
• significant relationships – FDIC
• substantial impact – FED
• material service – CFPB

operational, compliance, reputation, strategic & credit

• INFORMATION TECHNOLOGY
• FORECLOSURE EVICTIONS
• THIRD-PARTY PRODUCTS
• PAYMENT PROCESSORS


#2: PERFORM YOUR DUE DILIGENCE

Vendor Certifications Questionnaires
Professional References
Onsite Visits
Audited Financials
Online Searches
Lawsuits
Customer Complaints


#2: PERFORM YOUR DUE DILIGENCE

• Ocwen Complaint


#2: PERFORM YOUR DUE DILIGENCE

• How Extensive Is Your Due Diligence
  – Audited financials
  – Significance of the contract on vendor’s financial condition
  – Insurance coverage
  – Use of subcontractors
  – Experience of principals
  – Background checks

• Maintain records


#3: GET IT IN WRITING

REPRESENTATIONS
• LICENSING
• EXPERIENCE
• COMPLIANCE

SUBCONTRACTORS
• PERMIT/PROHIBIT
• PRIOR APPROVAL/NOTICE

DATA PRIVACY
• CUSTOMER NON-PUBLIC INFORMATION
• BANK LOGOS & SYSTEM ACCESS
• SECURITY BREACH

CONTINGENCY
• CATASTROPHIC EVENTS
• DATA LOSS
• LOSS/CHANGE OF SUBCONTRACTORS


#3: GET IT IN WRITING

PERFORMANCE
• INCORPORATE SLAs, SOWs
• OTHER STANDARDS
• COMPENSATION

AUDIT
• RIGHT TO AUDIT, 3RD PARTY AUDITS
• RECORDKEEPING
• REGULATOR ACCESS

LIABILITY
• INDEMNIFICATION PROVISION
• LIMIT ON BANK’S LIABILITY

COMPLAINTS
• HANDLING
• REPORTING


#4: MEASURE PERFORMANCE

• Oversight Responsibility
  – “requisite knowledge and skills to critically review all aspects of the relationship”
• Tools to Measure Performance
  – Ongoing monitoring
  – Self-Assessments
  – Scorecards
• Establish Frequency
  – Annual
  – Semi-Annual
  – Quarterly


#4: MEASURE PERFORMANCE

• Performance Benchmarks
  – Financial condition
  – Licensing
  – Significant change in staff or subcontractors
  – Legal compliance
  – Data privacy practices/training

• Document Issues / Escalate


BONUS: KNOW WHEN TO CALL IT QUITS

• Typical Termination Triggers:
  – Poor performance results
  – Negative publicity
  – Significant decline in financial condition
• Contingency plan
• Returning records, terminating system access


THANK YOU

KAREN LOUIS [email protected]

(404) 572-6766


2014 Internal Audit and Compliance Insights

© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC


Accounting & Auditing Update- Let’s talk about CECL

Lee Haynes, Shareholder, Elliott Davis

Lee has more than 20 years of combined experience in public accounting and accounting/management positions in publicly held companies. He has participated in the audits of larger entities, including multinational and multistate operations. Lee concentrates his time in the financial services industry serving both publicly traded as well as privately held community banks located in North Carolina, South Carolina and Virginia. In addition to financial services expertise, Lee has extensive experience with preparation of consolidated financial statements, Securities and Exchange Commission (SEC) filings and Sarbanes-Oxley compliance. This experience is complemented by Lee’s experience with engagements involving internal controls within an organization. Lee works on audits of the design and effectiveness of internal controls of service organizations under SSAE 16 (formerly SAS 70) SOC1 Type 1 and Type 2 engagements as well as AT101 SOC2 Type 1 and Type 2 engagements and has also overseen audits of internal control over financial reporting as required by Sarbanes-Oxley and FDICIA for audit clients as well as assisted in the design, documentation and implementation of internal control programs for non-audit clients.

Compliance Update

Chris Purvis, Senior Manager, Elliott Davis

Chris has more than nine years of accounting experience, including eight years in public accounting and one year in corporate accounting with a bank. Chris specializes in providing audit and consulting services for financial institutions. Prior to joining Elliott Davis in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing. Chris leads the firm’s compliance consulting services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School.

COSO 2013: Implementation Strategies for This New Framework

Jay Brietz, Senior Manager, Elliott Davis

With more than 18 years of experience in finance and accounting, Jay focuses on providing assurance and consulting services to financial institutions including external and internal audits, risk management, SAS 70 and Sarbanes-Oxley compliance. Jay is both a certified public accountant and a certified internal auditor. His experience includes serving as senior compliance manager for a global banking institution and he formerly worked for a Big Four accounting firm as well as another international CPA firm. Jay has written numerous articles on dealing with Sarbanes-Oxley, corporate governance and internal controls. He also was a principal contributor in COSO’s Guidance on Monitoring Internal Control Systems.


Cybersecurity and Risks Associated with IT

Richard Cook, Senior Manager, Elliott Davis

Richard has 11 years of IT consulting/audit experience as an IT Risk Management professional primarily with Big Four and national firms. His main focus is providing IT related assurance, consulting, advisory and security services. He has an extensive IT services technical background and has executed engagements in the following industries: Financial Institutions (regional, community and De Novo banks), Manufacturing & Distribution, Healthcare, Retail, Agriculture and Grocery; his range of experience includes assessing IT environments of public (accelerated-SOX 404 and non-accelerated filers, including Fortune 500 companies) and private enterprises both large and small from an internal and external perspective. Also, he has significant experience implementing the PCAOB’s AS5 top-down risk-based approach for SEC registrants as well as implementing the updated COSO 2013 framework.

He has executed SOC1 and SOC2 engagements. In addition, Richard’s ERP experience includes: SAP, Oracle, JD Edwards, and PeopleSoft (Financials & HRMS) – operating systems: Unix/Linux, iSeries (AS/400), Windows Server and mainframe – and databases: Oracle, SQL, DB2, and Informix among others. Richard has worked with various frameworks including: COBIT, FFIEC, AICPA, PCAOB, COSO, and FISMA.

Interest Rate Risk/Liquidity Risk

Mark Rufail, Senior Manager, Elliott Davis

Mark has more than four years of public accounting experience, focusing on financial institutions and SEC registrants. He serves as engagement manager on a number of banking clients which range in size from de novo status to $800 million in assets. These services include external audits, internal audits, loan reviews, and various consulting engagements. In addition, Mark is one of the firm’s specialists in performing BSA reviews and Interest Rate Risk reviews.

Vendor Management Program Best Practices

Karen Neely Louis, Attorney, Bryan Cave

Karen Neely Louis' practice concentrates on compliance matters in the financial services industry with a focus on default and vendor management issues. She has served as internal compliance counsel for a national mortgage servicer for matters regarding federal agency directives and compliance program development. Ms. Louis has experience litigating a variety of commercial and financial disputes and has represented financial institutions, construction and transportation companies, and Fortune 500 corporations in a variety of matters, including defense of wrongful foreclosure claims. In the construction industry, she has experience litigating disputes including representation of contractors and subcontractors in contractual disputes arising from nonpayment and defective performance.

Internal Audit/Compliance Panel

Elaine Crawford, Senior Vice President-Director of Internal Audit, Park Sterling Bank

Elaine Crawford is the Senior Vice President and Director of Internal Audit for Park Sterling Bank ($2.2 billion institution) headquartered in Charlotte, NC. Park Sterling Bank has 43 branches in SC, NC and GA, with one loan production office in VA. Elaine is responsible for managing and coordinating Audit activities for the company, including SOX 404 project management duties. She has more than 30 years of banking experience, with 25 of those years in Internal Audit.


Karen McCauley, Internal Auditor, First Community Bank

Karen McCauley serves as the General Auditor at First Community Bank headquartered in Lexington, SC. Karen is a graduate of the University of South Carolina with a Bachelor of Science degree in Accounting. Karen has worked in banking since 1980 in various positions and began her career in internal audit in 1997 at a local financial institution. She served as Treasurer for the Palmetto Chapter of the Institute of Internal Auditors and as a member of the Board of Governors. Karen is a Certified Bank Auditor (CBA) and working on the Certified Internal Auditor (CIA) designation. She lives in Irmo with her husband, Ronnie; son, Matt, and their dog, Tucker.

Wendy Workman, AVP-Internal Audit Manager, The Palmetto Bank

Wendy Workman is the Internal Audit Manager at The Palmetto Bank in Greenville, SC. She has been with the bank for about seven and a half years and in her current position over two years. Prior to serving as the Internal Audit Manager, Wendy was the Senior Auditor through December 2011. She led the transition from a full internal audit group to a co-source engagement with business partner Crowe Horwath LLP in 2012.


elliottdavis.com © Elliott Davis LLC © Elliott Davis PLLC

200 East Broad Street

Suite 500

Greenville, SC 29601

Direct: 864.552.4763

Office: 864.242.3370

Fax: 864.241.5713

[email protected]

Robert Beckwith, CPA Shareholder

Services: Tax | Industries: Financial Services

Professional Overview

Bob focuses on providing tax consulting services to clients in the financial services

industry. Bob has more than 30 years of bank tax consulting and compliance

experience, including 20 years at a Big Four accounting firm. He assists clients with

financial reporting in accordance with FASB ASC 740 and planning and analysis of C

corporation tax issues including mergers and acquisitions, tax benefit limitations

upon Sec. 382 change-of-control, compensation and golden parachutes, and

accounting methods and periods. Bob has served multi-billion dollar organizations,

filing complex consolidated and multi-state returns. He also possesses expertise in

planning for the election to be an S corporation bank and the resulting compliance

issues.

Education, Credentials and Special Training

Certified Public Accountant

M.S., Accounting, Colorado State University

B.S., Business Administration with emphasis in accounting, University of Nebraska

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina Association of Certified Public Accountants

Thought Leadership

Panelist, Bank Tax Institute Community Banking Panel

Co-instructor, Co-Community Bank Tax Workshop


1901 Main Street

Suite 900

Columbia, SC 29201

Direct: 803.255.1497

Office: 864.242.3370

Fax: 803.255.0733

[email protected]

William (Bill) J. Bossong, CPA, CBA

Shareholder

Financial Institutions Group Consulting

Services: Consulting | Industries: Financial Services

Professional Overview

Bill has more than eight years of public accounting experience with an emphasis in financial

institutions and SEC registrants. He leads the firm’s Financial Institution Consulting Practice

for merger and acquisition matters. These services include due diligence projects, Day 1

valuations, Day 2 accounting and internal audits over other Day 2 providers. This team has

developed ValuCast™, a proprietary solution designed to assist banks with Day 2

accounting. In addition, Bill has a significant amount of experience related to the Allowance

for Loan and Lease Losses (ALLL) under ASC 450-20 and ASC 310-10 to include building an

ALLL model for a large regional bank. Bill has served on numerous FDIC-assisted and whole

bank valuation projects – managing the credit review of the loan portfolios being acquired;

gathering data for the loan valuation; and working closely with other members of the

valuation team to develop an expected cash flow model for Day 2 accounting under ASC

310-30.

Bill has also worked closely with the valuation team for various financial service line of

business acquisitions to include leasing companies, mortgage companies, and broker

dealer/investment companies. Bill provides consulting services to numerous clients ranging

in size from $400 million in assets to over $20 billion in assets.

Education, Credentials and Special Training

Certified Public Accountant

Certified Bank Auditor

Master of Accountancy, University of South Carolina

B.S., Accounting, University of South Carolina

SEC Reporting, AICPA

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina Association of Certified Public Accountants

Civic and Community Activities

Walk Team Captain, Juvenile Diabetes Research Foundation

Board of Directors, Midlands March of Dimes

Deacon and Former Member of the Finance Committee, First Baptist

Church of Columbia


1901 Main Street

Suite 900

Columbia, SC 29201

Direct: 803.255.1203

Office: 803.256.0002

Fax: 803.255.0714

[email protected]

R. Jason Caskey, CPA Shareholder and Financial Services Practice Leader

Services: Assurance | Industries: Financial Services

Professional Overview

As leader of the firm’s Financial Services practice, Jason focuses on serving financial

institutions and SEC registrants. With more than 20 years of experience, he serves

community banking clients in both the private and public sector. Jason has assisted

clients with the formation of holding companies, public stock offerings, mergers and

acquisitions, and has been shareholder on numerous de novo banks. In addition, he

also serves clients with a number of consulting engagements including outsourced

internal audit, external loan reviews, Bank Secrecy Act reviews and Day 1 and Day 2

accounting. Jason recently completed six years as an elected member of the firm’s

Executive Committee. He also serves as the managing shareholder of the firm’s

Columbia office.

Education, Credentials and Special Training

Certified Public Accountant

B.S., Accounting, University of South Carolina

University of Virginia National Banking School

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina and North Carolina Association of Certified Public Accountants

State Bankers Associations in South Carolina, North Carolina, Georgia and Virginia

Independent Bankers Association of South Carolina

Civic and Community Activities

Board of Directors and Audit Committee, United Way of the Midlands

Board of Directors and Audit Committee, Navigating from Good to Great

Board of Directors and Audit Committee, South Carolina Student Loan Corporation

Board of Directors and Audit Committee, Central Carolina Community Foundation

Board of Directors and Audit Committee, SC Economics

Board of Advisors and Audit Committee, USC Business Partnership Foundation

Member, Greater Columbia Chamber of Commerce Finance Committee

Deacon, First Baptist Church of Columbia

Columbia Chamber of Commerce Committee of 100

Former Member Board of Directors, Children’s Trust of South Carolina

Former Member Board of Trustees, Charleston Southern University

Former Member Board of Directors, Juvenile Diabetes Research Foundation

2011 Heart Ball Chair, American Heart Association, Columbia

2008 Distinguished Young Alumnus, USC Moore School of Business

Class of 2006 "20 Under 40,” The State


700 East Morehead Street

Suite 400

Charlotte, NC 28202

Direct: 704.808.5208

Office: 704.333.8881

Fax: 704.749.7908

[email protected]

Lee E. Haynes, CPA Shareholder

Services: Assurance | Industries: Financial Services

Professional Overview

Lee has more than 20 years of combined experience in public accounting and accounting/management positions in publicly held companies. He has participated in the audits of larger entities, including multinational and multistate operations. Lee concentrates his time in the financial services industry serving both publicly traded as well as privately held community banks located in North Carolina, South Carolina and Virginia. In addition to financial services expertise, Lee has extensive experience with preparation of consolidated financial statements, Securities and Exchange Commission (SEC) filings and Sarbanes-Oxley compliance. This experience is complemented by Lee’s experience with engagements involving internal controls within an organization. Lee works on audits of the design and effectiveness of internal controls of service organizations under SSAE 16 (formerly SAS 70) SOC1 Type 1 and Type 2 engagements as well as AT101 SOC2 Type 1 and Type 2 engagements and has also overseen audits of internal control over financial reporting as required by Sarbanes-Oxley and FDICIA for audit clients as well as assisted in the design, documentation and implementation of internal control programs for non-audit clients.

Education, Credentials and Special Training

Certified Public Accountant

B.A., Accounting, Furman University

National Banking School, McIntire School of Commerce at the University of Virginia

Professional Affiliations

American Institute of Certified Public Accountants

North Carolina Association of Certified Public Accountants

South Carolina Association of Certified Public Accountants

Georgia Society of Certified Public Accountants

North Carolina Bankers Association

South Carolina Bankers Association

Virginia Bankers Association

Independent Bankers Association of South Carolina

Georgia Bankers Association


200 East Broad Street

Suite 500

Greenville, SC 29601

Direct: 864.242.2691

Office: 864.242.3370

Fax: 864.241.5798

[email protected]

F. Andrew Mitchell, CPA Shareholder

Services: Assurance, Consulting | Industries: Financial Services, Manufacturing &

Distribution, Professional Services

Professional Overview

Andy focuses on providing clients with corporate strategy, transaction, finance and

auditing services. With more than 35 years of accounting experience, including 20

years with a Big Four accounting firm, his extensive background includes significant

work with public companies and merger and acquisition transactions in the

financial services, professional services, manufacturing and distribution industry

sectors. As an audit partner, Andy served numerous public company clients and

was the partner for more than a dozen initial public offerings. He also presently

serves as an elected member of the firm’s Executive Committee.

Andy also served as chief financial officer for a publicly held company and two

large private companies. In this capacity, he was responsible for all financial areas

including accounting, acquisitions, budgeting, forecasting, credit, cash

management, borrowings, information systems and stock offerings for these

companies. Andy participated in the completion of an initial public offering and a

secondary offering for the public company which owned numerous retail stores,

then negotiated the sale of the company. He also participated in the acquisition of

a large operating subsidiary in the aviation service industry where he was actively

involved in the completion of an $80 million underwritten bond offering and

subsequent registration of those securities. For the third company, he was

responsible for the reorganization and ultimate sale of the company which was

involved in the sale of hardware and software development and integration

services for national retail chains.

Since joining Elliott Davis, Andy has been responsible for the formation and

development of the firm’s transaction services practice. As an assurance

shareholder, he primarily serves financial institution clients, including several

public reporting companies.

Education, Credentials and Special Training

Certified Public Accountant

B.B.A., Accounting, University of Cincinnati

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina Association of Certified Public Accountants


700 East Morehead Street

Suite 400

Charlotte, NC 28202

Direct: 704.808.5293

Office: 704.333.8881

Fax: 704.749.7993

[email protected]

George Noonan, CPA Shareholder

Services: Tax | Industries: Financial Services

Professional Overview

With more than 18 years of experience in public accounting, George has worked

extensively in the banking and related industries. He provides his clients with a

variety of services including tax planning and research, ASC 740 consultation, FIN

48 analysis, tax return preparation, quarterly estimate preparation, forecasts and

projections. His experience includes tax preparation and consulting of numerous

financial institutions. George has served multi-billion dollar financial institutions

filing complex consolidated and multi-state income tax returns.

Education, Credentials and Special Training

Certified Public Accountant

B.S., Accounting and Finance, Wright State University

Bank Tax Institute, Annually

Professional Affiliations

American Institute of Certified Public Accountants

North Carolina Association of Certified Public Accountants

North Carolina Bankers Association

South Carolina Bankers Association


Riverfront Plaza West Tower, Suite 1000

901 E. Byrd Street

Richmond, VA 23219

Direct: 804.887.2256

Office: 804.612.4380

Fax: 877.803.0432

[email protected]

Paul M. Pickett, CPA Shareholder

Services: Assurance | Industries: Financial Services

Professional Overview

Paul focuses on providing professional accounting services to the financial services industry, specifically community banks. With more than 20 years of public accounting experience, he has served on audit engagements for more than 40 community banks and bank holding companies in Virginia, West Virginia, North Carolina and South Carolina. Paul has extensive knowledge of GAAP and SEC policies and assists clients with the preparation of consolidated financial statements, quarterly reviews and assistance with SEC filings and reporting, and merger and acquisition reporting. In addition, he serves as an instructor for a number of continuing education courses relating to financial institution accounting and auditing.

Education, Credentials and Special Training

Certified Public Accountant

University of Virginia National Banking School and National Banking Conference, American Institute of Certified Public Accountants

B.B.A., Accounting, Radford University

Professional Affiliations

American Institute of Certified Public Accountants

Virginia Society of Certified Public Accountants

North Carolina Bankers Association

Virginia Association of Community Banks

Virginia Bankers Association

West Virginia Bankers Association


200 East Broad Street

Suite 500

Greenville, SC 29601

Direct: 864.242.2638

Office: 864.242.3370

Fax: 864.241.5819

[email protected]

Garry A. Rank, CPA Shareholder

Services: Assurance | Industries: Financial Services, Manufacturing & Distribution

Professional Overview

Garry focuses on corporate auditing and accounting as well as consultation

regarding governance, financial systems and internal controls. With more than 33

years of experience, his industry concentrations include financial services,

manufacturing and Securities and Exchange Commission (SEC) reporting.

Additional professional experience includes the management of complex

engagements, mergers and acquisitions, projects involving subsidiary companies

and the application of accounting and reporting standards.

Education, Credentials and Special Training

Certified Public Accountant

Graduate, American Bankers Association, Business of Banking School

B.S., Accounting, University of Akron

Professional Affiliations

American Institute of Certified Public Accountants, Center for Audit Quality Small

Firm Task Force

South Carolina Bankers Association

North Carolina Bankers Association

Georgia Bankers Association

Civic and Community Activities

Past President and Past Treasurer, Habitat for Humanity of Greenville County

Alumnus, Leadership Greenville, Greenville Chamber of Commerce

Past President and Past Treasurer, Greenville Breakfast Rotary Club

Thought Leadership

Speaker on audit committee responsibilities

SCBA/FDIC Directors College, 2003-2011

NCBA Bank Directors Assembly, 2004, 2007-2011

Presentations on SEC, corporate governance and new accounting pronouncements

Elliott Davis CFO consortium, 2003-2011

Authored various articles for publication regarding corporate governance,

Sarbanes-Oxley Act of 2002 and ethics


200 East Broad Street

Suite 500

Greenville, SC 29601

Direct: 864.242.2625

Office: 864.242.3370

Fax: 864.241.5830

[email protected]

Barbara S. Rushing, CPA Shareholder

Services: Assurance | Industries: Financial Services

Professional Overview

Barbara focuses on providing services to SEC clients in the financial services

industry. With more than 20 years of experience, including several years at a Big

Four accounting firm, Barbara has extensive knowledge of GAAP and SEC policies.

She works with SEC registrant clients with complex accounting issues, comment

letters, stock offerings and merger and acquisition reporting. Barbara has serviced

more than 40 public offerings.

Barbara is Vice Chairperson of the Firm’s Assurance & Advisory Committee, a

technical committee that oversees quality control policies and risk management of

the Firm’s attest practice.

Education, Credentials and Special Training

Certified Public Accountant

B.S., Accounting, University of South Carolina

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina Association of Certified Public Accountants


1901 Main Street

Suite 900

Columbia, SC 29201

Direct: 803.255.1214

Office: 803.256.0002

Fax: 864.241.5808

[email protected]

Beverly A. Seier, CPA, CPCU Shareholder

Services: Tax | Industries: Financial Services and Insurance

Professional Overview

With more than 20 years of experience, Bev focuses on serving financial

institutions, insurance companies and SEC registrants. She provides both public

and private clients with a wide range of services, including tax planning and

compliance, ASC 740 and SSAP 101 tax provision consulting, federal and state audit

examinations assistance, mergers and acquisitions tax planning and Sec. 382

change-in-control and 280G golden parachute studies.

Prior to joining Elliott Davis, Bev was a Tax Partner at a Northeast-based

accounting firm.

Education, Credentials and Special Training

Certified Public Accountant

Chartered Property Casualty Underwriter

B.S., Business Administration/Accounting and Mathematics, magna

cum laude, University of Mary Washington

Professional Affiliations

American Institute of Certified Public Accountants

Pennsylvania Institute of Certified Public Accountants


1901 Main Street

Suite 900

Columbia, SC 29201

Direct: 803.255.1472

Office: 803.256.0002

Fax: 803.255.0730

[email protected]

Stacy S. Stokes, CPA Shareholder

Services: Tax | Industries: Closely-Held Businesses, Personal Financial Services

Professional Overview

With more than 18 years’ experience, Stacy focuses on providing comprehensive

tax services to a diverse client base which includes closely-held businesses, pass-

through entities and high-net worth individuals. He has extensive experience in the

area of wealth management solutions for family owned businesses and high-net

worth individuals.

Education, Credentials and Special Training

Certified Public Accountant

Masters of Taxation, University of South Carolina

B.S., Accounting, University of South Carolina

Professional Affiliations

American Institute of Certified Public Accountants

South Carolina Association of Certified Public Accountants

Civic and Community Activities

President, Habitat for Humanity - Central South Carolina Chapter

Treasurer, Congaree Land Trust

Past Board Member, Family Connection of SC

Past President, University of South Carolina Friends of Accounting

Past Board Member, Juvenile Diabetes Research Foundation

Past Treasurer, Satchel Ford Elementary PTO

Past President, Kiwanis Young Professionals of Columbia


South Carolina Internal Audit and Compliance Insights Tuesday, May 6, 2014

Columbia Metropolitan Convention Center Columbia, South Carolina

Beth Adkins

First Citizens Bank

Senior Auditor

Elizabeth Anders

McNair Law Firm

Attorney

Thomas Anderson

First Palmetto Bank

Controller

Casey Bannister

First Citizens Bank

Senior Auditor

Nancy Batchelder

The Bank of South Carolina

Vice President

Sandy Boozer

Southern First Bank

Senior Vice President Corporate Administration

Lent Bridges

First Palmetto Savings Bank FSB

Chief Financial Officer

Jay Brietz

Elliott Davis

Senior Manager

Jason Caskey

Elliott Davis

Financial Services Practice Chair

Jennifer Champagne

Cornerstone National Bank

Chief Financial Officer

Richard Cook

Elliott Davis

Senior Manager

Elaine Crawford

Park Sterling Bank

Senior Vice President/Director of Internal Audit

Nathan Crowe

Elliott Davis

Manager

Jessica Cummins

Security Federal Bank

Treasurer

Debbie Dandridge

Enterprise Bank of South Carolina

Internal Auditor

Amanda Diehl

HeritageBank of the South

Assistant Vice President, Internal Audit

Jean Dillard

Cornerstone National Bank

Internal Audit Coordinator

Renee Douglas

First Bank of Georgia

Vice President and Controller

Melissa Downs-High

South Atlantic Bank

Vice President- Controller

David Duncan

VistaBank

Chief Financial Officer/Chief Operating Officer

Heather Elliott

Anderson Brothers Bank

Senior Accountant

Thomas Flournoy

First Bank of Georgia

Senior Vice President and Chief Financial Officer

Dustin Formo

Anderson Brothers Bank

Internal Auditor

Joyce Frankenfield

First Bank of Georgia

Internal Audit Coordinator

Frances (Frankie) Garber

Kingstree Federal Savings and Loan Association

Accountant

Dean Goewey

Anderson Brothers Bank

Chief Financial Officer

Connie Graham

Horry County State Bank

Internal Auditor

Ann Gregorie

The Bank of South Carolina

Vice President

Jeremy Groom

First Reliance Bank

Senior Vice President, Compliance and Risk Management

Kathy Hall

Harbor National Bank

Senior Vice President/Senior Operations Officer

Betsy Harbers

Alliance Bank & Trust

Controller

Kevin Harmon

Elliott Davis

Senior

Lee Haynes

Elliott Davis

Shareholder

Megan Heindl

Elliott Davis

Assurance Quality Control Manager

Jeremy Helms

Elliott Davis

Staff

Lisa Herring

Four Oaks Bank & Trust Company

Executive Vice President, Chief Risk Officer

Jamin Hujik

CresCom Bank

Executive Vice President

Beverly Jacobs

South Carolina Community Bank

Accounting Manager

Kenya Johnson

Enterprise Bank of South Carolina

Compliance Manager

Paige Kilton

Southern First Bank

Vice President, Financial Analyst

Mike Komar

South Carolina Bank & Trust

General Auditor

Roy Lindburg

Security Federal Bank

Chief Financial Officer

Martha Long

Independence National Bank

Chief Financial Officer

Karen Neely Louis

Bryan Cave

Regulatory Compliance - Consumer Financial Service

Charlie Lovering

Congaree State Bank

Executive Vice President/Chief Financial Officer

Daniel Mauldin

Elliott Davis

Senior Auditor

Karen McCauley

First Community Bank

General Auditor

Morgan McKnight

Harbor National Bank

Vice President/Controller

Matthew Miller

Elliott Davis

Senior

Terry Mobley

First National Bank of SC

Vice President Operations and Deposit Compliance

Rhonda Moore

First National Bank of SC

Vice President

Salena Mulliken

SC Student Loan Corporation

Director of Internal Audit and Risk Management

Diane Nexsen

Bank of Greeleyville

Vice President

James O'Neal

First Palmetto Bank

Internal Auditor

Rick Pace

SC Student Loan Corporation

Senior Internal Auditor

Jeff Paolucci

First Reliance Bank

Executive Vice President & Chief Financial Officer

Tim Pitts

Oconee Federal Savings and Loan

Risk Management Officer

Chris Purvis

Elliott Davis

Senior Manager

Amber Rabon

Conway National Bank

Senior Auditor

Garry Rank

Elliott Davis

Shareholder

Chad Reingardt

Elliott Davis

Senior Manager

Charlene Richards

First Community Bank

Internal Auditor

Stewart Richardson

Anderson Brothers Bank

Executive Vice President, Chief Credit Administrator

Mark Rufail

Elliott Davis

Senior Manager

Becky Russell

Horry County State Bank

Internal Auditor

H. Allen Salter

Oconee Federal Savings and Loan Association

Chief Financial Officer

Denise Senter

Four Oaks Bank & Trust Company

Senior Vice President, Compliance Officer

Mark Shannon

Harbor National Bank

Compliance Officer

Nathan Skipper

Elliott Davis

Senior Manager

Mark Smith

First Citizens Bank

Senior Auditor

Howie Sohm

Farmers & Merchants Bank of SC

Vice President-Audit & Compliance

Marshall Stein

Elliott Davis

Manager

Robert Stevens

Elliott Davis

Senior Manager

Nixia Tenzin

Elliott Davis

Senior

Allison Timmons

GrandSouth Bank

Compliance Officer

Christine Vroblesky

Elliott Davis

Senior

Gene Walpole

The Bank of South Carolina

Assistant Vice President

Jennifer Walters

Farmers & Merchants Bank of SC

Asst Cashier- Audit & Compliance

Rose Washofsky

Elliott Davis

Business Development Director

Wendy Workman

The Palmetto Bank

Assistant Vice President-Internal Audit Manager