SDBA eNews

August 24, 2023

SDBA Bringing Legislation to Reject CBDCs and Protect Financial Privacy

The South Dakota Bankers Association (SDBA) announced today that it will bring forward proposals opposing and rejecting the adoption of central bank digital currency (CBDC) to the 99th Session of the South Dakota Legislature. SDBA, through its alignment with the American Bankers Association, has helped to craft model policy circulated through the American Legislative Exchange Council (ALEC) processes this summer. The model policy will be voted upon by the ALEC board this coming Saturday, August 26, and if passed, SDBA will offer it to the upcoming South Dakota legislative session for consideration.

“During the 2023 South Dakota Legislature, the opposition to HB 1193 ‘An Act to Amend Provisions of the Uniform Commercial Code (UCC),’ disseminated a lot of misinformation. As a result, Gov. Kristi Noem vetoed the HB 1193, in part because there was concern the federal government would adopt a Central Bank Digital Currency (CBDC). The veto message specified potential ‘overreach by the federal government,’ but connecting that claim to 1193 is simply unfounded,” said SDBA president, Karl Adam. “While HB 1193 did nothing to create a CBDC, rejection of CBDC is a policy goal we share with those opponents. We can find no upside to the adoption of a CBDC in this free nation. Therefore, we are pleased to see that ALEC’s proposed model policy does exactly that. That’s why we plan to bring forward similar policy proposals during the 2024 South Dakota Legislative Session.”

“HB 1193 was and will be good law for South Dakotans. Although it did not become law in 2023, we’re hopeful that during the 2024 South Dakota Legislative Session, the model policy ABA and ALEC have created will settle some of the confusion and fears that became part of the discussion around HB 1193,” said SDBA Board Chair, David Nelson, President/CEO of First Fidelity Bank in Burke, South Dakota. “We look forward to seeing continued engagement and support from our industry cohorts to ensure that South Dakotans have the benefit of up-todate commercial law and maintain the freedom to take part in the economy as they see fit. We don’t need CBDC in this country.”

The SDBA has begun seeking sponsors and intends to proceed with its early filing of policy proposals as soon as possible. For additional context on HB 1193, go to https://www.sdba.com/latest-news-blog to read the SDBA’s op eds that were published in the spring supporting the measure.

Order your 2024 Scenes of South Dakota Calendars Now to Receive the Early-Bird Rate!

The SDBA has opened up orders for the 2024 Scenes of South Dakota Calendar! This calendar features photos of South Dakota submitted by South Dakota bankers, their family members and customers.

These calendars are a great opportunity to thank your customers for their business and promote your bank or business. Your bank, branch or business' logo and name can be printed on each calendar to display in homes and businesses all year long.

The SDBA logo is also included to emphasize the strength and security of South Dakota’s banking industry. The Scenes of South Dakota Calendar is exclusive to SDBA member banks and associate members.

Place your order here for the 2024 Scenes of South Dakota Calendar!

Orders placed by September 1, 2023, will receive the early-bird rate of $1.70 per calendar. After September 1, 2023, prices will increase to $1.75 per calendar. Last day to place an order will be September 18.

If you have any questions, email Haley Juhnke or call the SDBA Office at 800.726.7322.

Register for IRA School | September 19-21 in Sioux Falls

The SDBA is hosting IRA School from September 19-21, 2023, in Sioux Falls, SD.

The SECURE Act impacts two main topics: RMDs and death distributions. IRA School will address these relevant changes. In addition, IRAs are one of the most complicated areas of bank personnel responsibility, and it is not possible to learn and understand everything. Continual education is necessary to ensure confidence. Working with IRAs is a process and must start with a strong foundation. This school can provide this foundation through a comprehensive curriculum.

For new IRA and experienced staff, this program is the quickest, easiest and most comprehensive coverage of IRAs and HSAs. The school will cover new and current IRA material, and previous topics covered at the school will be expanded.

For more information and to register, click here.

Registration for Internal Audit School Open | October 2-4

The SDBA is partnering with Michigan Bankers Association and Review Alliance, Inc. to offer the Internal Audit School virtual event on October 2-4.

This school teaches the basics as well as more complex aspects of the audit function. This three-day course will discuss the establishment and execution of an effective and efficient internal audit program. Attendees will learn the objectives of internal audit and helpful techniques to reach those objectives. Internal audit should be a value-added function and not just a “check the box” cost center. This course will teach attendees how to create and maintain a value-added internal audit function.

This school is designed for new to intermediate level internal auditors. It is also an excellent refresher for experienced personnel to keep them abreast of current techniques and procedures.

For more information or to register, click here.

ABA Fall Outlook Webinar

ABA President and CEO Rob Nichols, Chairman Dan Robb and ABA staff will hold a free webinar on Tuesday, Sept. 12, at 1 p.m. CT to share the latest on the key issues facing the banking industry this fall, including the outlook for post-Silicon Valley Bank regulatory changes, the ongoing threat posed by the Durbin-Marshall credit card bill and ABA’s ongoing legal challenges to the CFPB. Bankers will learn the latest on ABA's advocacy efforts and learn how they can engage on behalf of the industry. Learn more and register.

Keeping Bankers Smart on Cybersecurity

Artificial intelligence and other advanced technologies have become critical components of modern financial services, enabling banks to competitively deliver more efficient and personalized services. As digital interactions continue to grow, so does the importance of cybersecurity. Any changes implemented in business operations create exposure to new risks and vulnerabilities, so banks are investing heavily in cyber risk management solutions.

But many banks have substantial, often unseen gaps in their cybersecurity defenses: Their employees.

With even the most powerful cybersecurity solutions in place, a simple mistake can suddenly cause considerable monetary loss, reputational damage and disruption of business continuity. Due to unique challenges, strict regulatory requirements and valuable protected assets, banks make a resolute effort in cyber risk management by investing in the best security products and monitoring support. Many banks also eagerly follow the most current and important recommendations to implement a proactive plan to detect, prevent, and mitigate cyberattacks. Banks are ready for the war against cybercrime. And then, one of the C-level executives who has been specifically targeted mistakenly clicks on a phish. Cue data breach: Assets are at risk. Sensitive client information has been compromised. And this cyberattack was 100 percent preventable.

Security Today reports: “A joint study by Stanford University Professor Jeff Hancock and security firm Tessian has found that a whopping 88 percent of data breach incidents are caused by employee mistakes. Similar research by IBM Security puts the number at 95 percent.”

You have secured your house, purchased the strongest locks, installed the latest home security system … and then you leave a window open. Reinforcing employee cyber risk awareness and education is as critical to the maturity of your program as the products in your cyber tool set. To prevent avoidable and costly mistakes, it is important to understand why they happen in the first place so your employees stay “smart” in the face of cybercrime.

Problematic behavior

Some of the most destructive cyber-attacks have happened due to a simple lack of cyber risk awareness. Are your employees opening emails on their phones and just clicking away without looking for signs of a phish? Are they leaving their laptops unlocked and unattended to stand and wait for their orders at the local coffee shop? Have they used the same passwords across several accounts? But the most important question is: Do they KNOW that these actions make them vulnerable?

Another challenge associated with cybersecurity awareness is outright distraction. Employees are running busy constantly, opening messages on the go and juggling multiple tasks at once. We know there are risks. BUT are we paying attention?

Consider this incident: You’re hurrying to shut down for the day to get to your kid’s soccer game on time when an email pops up in your inbox. It’s from your CEO with the subject line: “Explain these numbers.” Your heart practically stops. What numbers?

The clock is ticking to get to that game, so you immediately open it. You barely read through the email before opening the attachment. You’ve fallen for it: CEO spoof. If you had taken a minute, you would have realized that the email says your CEO’s name, but the address is from an outside entity. If you had read through carefully, you would have seen that the message has slightly broken English, and the closing sounds odd. You’ve been duped. It happens. But how often?

Have all employees been trained to understand the importance of operating in a constant state of vigilance? Or are they so distracted that they just simply forget? Best practices for cybersecurity awareness include continuous education and training. Try these effective strategies to keep your employees “smart” about cyber risk:

Include cybersecurity training during the onboarding of new employees.
Provide ongoing training to identify questionable links, emails or other possible threats.
Teach proper protocol to create strong passwords, handle sensitive information and use technology responsibly.
Train all employees. When we say train all employees, this means ALL. From the interns to the c-level executives.
Provide regular simulations for employees to practice and learn how to identify harmful links or suspicious communications. Simulated phishing exercises can help your employees master how to distinguish between a possible threat and genuine communication.
Motivate, remind and empower. Implement cyber awareness campaigns with memorable slogans that can be used internally. Use catchy reminders such as: “Think before you click,” or “One click is all it takes.”

A DefenseStorm’s client motivates employees to pause and think about cybersecurity by using two monthly raffles. Employees are entered into the first raffle when they successfully identify a campaign phish and submitted for the second raffle if they identify a real phish. Using motivational tools and incentives creates opportunities for positive reinforcement so employees remember to stay alert.

Don’t forget your cybersecurity personnel

Even the most technologically savvy employees can make mistakes and create vulnerabilities in your cyber defenses. Burnout, gap in talent, waning skills and complacency among internal cybersecurity teams are the cause of significant vulnerabilities in your cyber defenses, exposing your bank to increased risk. How are your internal cybersecurity personnel managing? Is your executive team actively supporting one of your most essential departments?

Banks report major burnout because the number of cyber events can be overwhelming. The demands to scrutinize the constant flood of cyber events cannot be managed by outdated manual processes and understaffed teams. When employees are overloaded, mistakes happen. Consider these strategies to alleviate burnout:

Ensure your internal cybersecurity team receives active support from the executive team.
Leverage AI technology for threat detection and prevention.
Partner with a cyber risk management provider to co-manage your monitoring.
Stop using manual processes and utilize automation to aggregate data and create reports to satisfy regulatory requirements.

Another concern is that internal security operations center tasks become redundant for individuals. Boredom fuels complacency, which in turn, spawns errors and oversights. Solutions to these problems include cycling employees through different roles and providing learning opportunities with new technology for analysts. Equally promising is the suggestion to create partnerships between base analysts and incident responders, ultimately providing advancement of skills. While your security operations center team members are continuously improving and learning, they stay current and prepared.

Keep your team alert and motivated by strengthening skills with maturity mapping to evaluate your internal team’s capability and preparedness. Maturity mapping models are defined by The Federal Financial Institutions Examination Council (FFIEC) as “an evaluation across five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative.” Running through simulated exercises and evaluations gives insight into your institution’s performance and readiness in the face of emerging cyber threats. Understanding your internal team’s response, resilience and recovery abilities allows for setting goals, benchmarks and performance expectations.

Stay alert and informed

Staying up-to-date and informed to prepare for emerging threats is an important part of your bank’s cyber risk management strategy. Always share and distribute important news and alerts to employees.

With the increasing sophistication of cyber threats, cybersecurity is a top priority for banks, but it is just not sufficient enough to invest in technology and monitoring support alone to maintain an effective level of cyber risk readiness. To keep your bankers smart and savvy about cybersecurity, foster a culture of vigilant cyber risk awareness, nurture your cybersecurity teams and implement comprehensive training programs. Ultimately, empowering and equipping employees with the knowledge and tools to recognize and stop cyber threats is the key to maintaining a strong and resilient cyber risk management solution, so your bank can outsmart threat actors.

View the article here.

CISA News: Cybersecurity Lifecycle

A great diagram depicting the components that go into an effective cybersecurity hygiene program. View the diagram here.

QUESTION OF THE WEEK

Q: Is a co-signer on a mortgage loan required to receive any disclosure specifically regarding their status as a co-signer?

A: The Cosigner Notice required under the former Reg AA is not specifically required by law anymore after the repeal of the regulation, but it's not uncommon for it to still be provided from a UDAP perspective under bank policy or procedure - for example:

" The Agencies note that the FTC’s Credit Practices Rule requires—and the former credit practices rules applicable to banks, savings associations, and Federal credit unions required—creditors to provide a “Notice to Cosigner” explaining the cosigner’s obligations and his or her liability if the borrower fails to pay. The Agencies believe that creditors have properly disclosed a cosigner’s liability if, prior to obligation, they continue to provide a “Notice to Cosigner.”"

https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20140822a2.pdf

Compliance Alliance offers a comprehensive suite of compliance management solutions. To learn how to put them to work for your bank, call (888) 353-3933 or email [email protected] and ask for our Membership Team.

For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.