
BREAKING NEWS!
Big news for ag producers! Secretary of Agriculture Brooke Rollins (@SecRollins) has announced disaster assistance through the Supplemental Disaster Relief Program (SDRP) for eligible 2023 & 2024 crop losses due to natural disasters. To expedite the implementation of SDRP, the USDA Farm Service Agency (@usdaFSA) is delivering assistance in two stages:
Stage One
Stage One of SDRP opens July 10 in person at FSA county offices, and will be available to producers with eligible crop, tree, and vine losses covered by crop insurance or the Noninsured Crop Disaster Assistance Program. Pre-filled applications are being mailed on July 9, 2025.
Stage Two
During SDRP Stage Two, @usdaFSA will announce additional SDRP assistance for uncovered losses, including non-indemnified shallow losses and quality losses and how to apply later this fall.
USDA is committed to supporting our farmers through challenging times. This $16B SDRP initiative follows @SecRollins’ comprehensive plan to deliver the total amount of Congressionally appropriated $30B in disaster assistance to farmers and ranchers this year. Find out more about SDRP eligibility & how to apply.
NBA News: Business Groups Warn of Scams Targeting PPP Loan Recipients
Something to be watching for...
July 9, 2025
The Nebraska Bankers Association, the Nebraska Chamber of Commerce, the Greater Omaha Chamber, the Lincoln Chamber of Commerce and NFIB Nebraska are warning businesses about scams targeting recipients of Paycheck Protection Program loans. Several Nebraska banks have reported that fraudsters are calling recipients and impersonating bank employees or local law enforcement.
Scammers use PPP borrower information released by the Small Business Administration in 2020. The public SBA database includes business names, addresses, loan amounts, funding dates, number of employees and the names of the financial institutions that issued the loans. Criminals then use this information to trick PPP borrowers into sharing online banking credentials or sending payments.
In one common tactic, scammers call customers pretending to be from the bank’s fraud department and claim there is unusual activity on the account. They then send a link to reset login credentials and ask for the one-time passcode, which allows them to take control of the account.
In another version of the scam, callers pose as law enforcement officers and claim a warrant has been issued for the customer’s arrest for failing to appear at a court hearing related to a fraudulent PPP loan. The scammers then offer to accept a “cash bond” and provide instructions on how to send payment.
Fraud tactics include:
- Spoofing phone numbers: Scammers alter the caller ID so the phone number appears to be from the victim’s bank or law enforcement.
- Credential theft: Victims are pressured into providing usernames, passwords and one-time passcodes.
- Unauthorized access: With this information, scammers are able to reset passwords and bypass security settings.
- Same-day transfers: Criminals move funds out of accounts using Automated Clearing House transfers before the fraud is detected.
What you should do:
- Do not use any phone number provided during the call.
- Contact your bank using the number on its website or the back of your debit card.
- Verify law enforcement claims by calling your local police or sheriff’s department.
- Never share your password, PIN or one-time passcode.
- Be suspicious of anyone who pressures you to act immediately or threatens negative consequences.
One Big Beautiful Bill Passed July 4, 2025
After extended debate in the House of Representatives, the One Big Beautiful Bill Act was passed last Thursday evening by a narrow margin of 218 to 214. President Trump signed the bill into law during a White House ceremony on Friday, July 4.
The reconciliation bill includes several key provisions, such as:
- A modified version of the ACRE Act, under which banks will be permitted to exclude from gross income 25% of interest income derived from certain qualified real estate loans without a sunset date.
- The permanent extension of the Section 199A pass-through deduction rate of 20%, which levels the playing field for Subchapter S banks.
- An exemption from remittance tax for almost all transfers from banks and thrifts.
- A permanent increase to the state housing credit ceiling and a lowering of the bond-financing threshold for projects financed by bonds, beginning in 2026.
- Permanent extension of the New Markets Tax Credits that banks use to support growth in distressed communities.
- Permanent extension of increased estate tax and gift tax exemption amounts.
- A permanent 100% bonus depreciation effective for most property placed in service on or after Jan. 19, 2025.
- Permanent expensing for domestic R&D expenditures paid or incurred in tax years beginning after Dec. 31, 2024.
- A reinstatement of the EBITDA (instead of EBIT) limitation under Section 163(j) for tax years beginning after Dec. 31, 2024.
- Permanency and enhancements for the Opportunity Zones program.
- Changes to the health savings account landscape, including bronze and catastrophic plans treated as high-deductible health plans.
- A reduction in the amount of funding the CFPB can request from the Federal Reserve.
CISA News: Security Affairs
A flaw in Catwatchful spyware exposed logins of 62,000 users, turning the spy tool into a data leak, security researcher Eric Daigle revealed.
July 4, 2025 | Pierluigi Paganini

A flaw in the Catwatchful Android spyware exposed its full user database, leaking email addresses and plaintext passwords of both customers and its admin, TechCrunch first reported.
Security researcher Eric Daigle first discovered the vulnerability.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain. This incident highlights how consumer-grade spyware keeps spreading, even though it’s often poorly built and riddled with security flaws that put both users and victims at risk of data leaks.
“According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices,” reads the report published by TechCrunch.
Most Catwatchful spyware victims were in Mexico, Colombia, India, and other Latin American countries, with some data dating back to 2018. The database also exposed the operation’s administrator, Omar Soca Charcov from Uruguay, who did not respond to requests for comment. TechCrunch shared the leaked data with Have I Been Pwned to help inform potential victims of the breach.
Catwatchful secretly uploads victims’ data to a Firebase database, accessible to users via a web dashboard. After registering, users receive a pre-configured APK that requires physical access to install. Once active, it enables real-time spying. Security researcher Eric Daigle found a SQL injection flaw that exposed the entire Firebase database, revealing plaintext logins and passwords for 62,050 accounts, as well as links between users and devices.
“The second notable thing is that all the personal data collected here seems to be stored in Firebase, served from Cloud Storage URLs in the form catwatchful-e03b8.appspot.com/o/usersFiles/JIOgo826TPfb0pMFKmzkE7jz9JO2/M6GPYXHZ95ULUFD0/micRecorders/grab_2025-06-09_17-04-34. Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM,” reads the report published by Daigle.
An attacker can use the information in the database to take over any account.
Daigle shared his findings with TechCrunch security editor Zack Whittaker, who contacted Google on June 23, 2025. Google flagged it via Safe Browsing, while the Firebase team said they were investigating, but the database remained online at that time.
Below is the timeline for this vulnerability:
- 2025-06-09: Vulnerability discovered, Zack (Zack Whittaker is the security editor at TechCrunch) contacted
- 2025-06-23: Zack contacts Google who flag it in Safe Browsing, Firebase team claim they’re looking into it (DB still up as of this writing)
- 2025-06-25: Zack contacts Hosting.com who host catwatchful.pink (site is down by end of day, breaking the service) and individual identified as running the service (no response as of this writing)
- 2025-06-26: Service is restored with catwatchful.pink replaced by xng.vju.temporary.site which is still vulnerable
- 2025-06-27: A WAF goes up on xng.vju.temporary.site, successfully blocking the SQLI
- 2025-07-02: Publication
TechCrunch reported that the presence of Catwatchful can be revealed and uninstalled by dialing “543210” on the infected device.
“This code is a built-in backdoor feature that allows whoever planted the app to regain access to the settings once the app is hidden. This code can also be used by anyone to see if the app is installed,” concludes TechCrunch.

2025 Women of Impact Award
Do you know an outstanding woman in banking who has made a significant contribution to her organization, community, and industry?
If so, nominate her for the "SDBA Women of Impact Award"! These awards will be presented at the 2025 Lead Strong: Women in Banking event on September 10 in Sioux Falls, SD.
Nomination deadline EXTENDED to August 15: Submit your nomination
2026 Scenes of South Dakota Photo Contest

The SDBA invites amateur photographers from across the state to showcase the beauty and heritage of South Dakota through your lenses. We would love a variety of submissions to choose from! Landscapes, camping, farming & ranching, plants, animals, architecture, urban, rural, seasonal (especially winter!), hunting, fishing...you name it!
Submit your photos by July 31.

2025 GSB Financial Managers School
September 22-26, 2025 | Madison, WI

Designed by experienced CFOs especially for financial managers, this prestigious school goes beyond the basics to present best practices and provide community financial institution financial managers the tools to build a solid foundation in asset/liability management. Learn the unique concepts and terminology of bank finance and asset/liability management along with the practical implementation tools to profitably manage a financial institution’s balance sheet, develop effective strategies and communicate strategies to the board and senior management that ensure effective decision-making.
Enrollment Deadline: August 22, 2025
Learn more and apply HERE.
Online Education

Participating in learning opportunities outside the bank can be challenging. Take advantage of the SDBA's extensive selection of webinars and on-demand training to enhance your banking expertise directly from your computer.
- GSB Online Seminars
- OnCourse Learning
- SBS Institute
- ABA Training
Question of the Week
Q: Our bank recently received an ACH deposit that looked suspicious, and our team wanted to put a hold on the funds – can we do that?
A: While ACH transfers are generally governed by NACHA rules – and, notably, those rules do not contemplate nor address the holding of an ACH - the ability to delay availability for ACH transactions is covered under Regulation CC, which treats ACH credits and ACH debits very differently:
“The reference to ‘debit and credit transfers’ does not refer to the corresponding debit and credit entries that are part of the same transaction, but to different kinds of ACH payments. In an ACH credit transfer, the originator orders that its account be debited and another account credited. In an ACH debit transfer, the originator, with prior authorization, orders another account to be debited and the originator's account to be credited...” § 229.2(b)
In a nutshell - ACH credit transfers (e.g., direct deposit of payroll, etc.) are treated as electronic payments under Reg. CC and must generally be made available by the next business day after receipt (for reference, generally, see 12 CFR § 229.10(b).)
ACH debit transfers - on the other hand - are not considered electronic payments under Reg. CC, primarily because the receiving bank has the right to return them (there is an element of “prior authorization.”) As a result, Reg CC does not impose an availability requirement for ACH debits, and banks may delay funds availability per the terms of their account agreement (i.e. ideally, the bank will want to use a hold that it finds to be reasonable to allow for the return of the ACH debit entry to the RDFI.)
The distinction effectively boils down to risk: with ACH credits, the funds are pushed into the account and are irrevocable once settled - hence the requirement for prompt availability. But ACH debits can be returned, which introduces an element of uncertainty, and, in turn, potentially allows more flexibility for holds.
For deeper reading, see § 229.2(p) and § 229.2(b) in the Reg CC commentary, the latter of which is particularly helpful in offering additional clarity on the definitions of ACH credit vs. debit transfers and their treatment under the rule.
Learn how to put compliance management solutions from Compliance Alliance to work for your bank, by contacting (888) 353-3933 or [email protected] and ask for our Membership Team. For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.

Questions/Comments
Contact the SDBA at 605.224.1653 or via email