SDBA eNews

February 8, 2024

Plan to Join the SDBA at the 2024 ABA Washington Summit | March 18-20

Don't miss this opportunity to get ahead of what’s to come in this election year with ABA’s Washington Summit, March 18-20, 2024. You’ll have your finger on the pulse of policymakers on Capitol Hill, at the regulatory agencies, and in the White House.

The SDBA is currently planning to attend the Summit and would like to invite you and your staff to participate as well. Registration is free and you can learn more and sign up here. Join us as we hear from top-notch speakers, connect with our congressional delegation and dine with our friends at the NDBA. You won’t want to miss this opportunity to engage on multiple levels.

The following forums during the summit will help you stay a step ahead and build lasting industry connections:

• Mutual Community Bank Forum: March 17–18: Participate in the largest gathering of mutual bankers and explore solutions to the challenges faced by your institution.
• Emerging Leaders Forum: March 18: Share challenges and strategies with peers as you work to cultivate a strong, dynamic and diverse banking industry for the future.
• Women and Allies Forum: March 18: Join women leaders and allies in elevating women’s leadership in financial services.

If you or one of your staff would like to attend, the SDBA will provide a $500 stipend (1 per member bank) to help defray the costs of any banker attending from a member bank not currently represented on the SDBA Board. Additionally, the ABA is again offering two $750 emerging leader’s scholarships per state. These will be awarded on a first-come, first-served basis. If you are interested in one of these opportunities, please reach out to Halley Lee. With recent efforts by the SDBA in both of these areas, we strongly encourage you to consider these two opportunities.

REGISTRATION OPEN: 2024 National School for Beginning Ag Bankers | June 24-27, Spearfish, S.D.

Registration is OPEN and spots are filling fast for the 2024 National School for Beginning Ag Bankers, held once again in beautiful Spearfish, S.D., on the Black Hills State University campus, June 24-27, 2024. Fundamentals of Ag Lending: National School for Beginning Ag Lenders is an intensive school designed to train in all facets of agricultural lending with emphasis on credit analysis, credit scoring, risk rating, problem loans and group case study. Attendees will receive personalized instruction and continual peer interaction fostered through a limited class size, case study and group exercises.

This school is limited to 72 students. Priority will be given to bank employees and regulators. In the event the school fills, a waitlist will be implemented and students will be chosen on a first-come, first-served basis off the waitlist.

Click here to review the curriculum and register. For more information or questions, contact the SDBA at [email protected].

SDBA Accepting Nominations for 2024 Women of Impact Award

The SDBA Women of Impact Award has been established to celebrate South Dakota Bankers Association members who have made significant contributions and positive impacts in their organizations, communities and industry. These awards will be presented at the 2024 Lead Strong: Women in Banking event on September 26 in Sioux Falls, S.D. Eligibility Requirements: Nominee must be a member of the SDBA.

Nomination Deadline: Nominations must be received by August 2, 2024 to be considered. Click here to nominate.

Generative artificial intelligence: Threat and solution for financial crime?

AI-generated messages and images can create realistic impersonations, which enable criminals to launch highly effective frauds at scale.

By Alex Capella and Christopher Reimann

The threat landscape for banks has changed dramatically since the start of 2023. In January, as part of a research project, I spoke to dozens of financial crime compliance officers at leading U.S. banks, and they told me that real-time digital payments, cybercrime and fraud would be the top financial crime threats for 2023/24. No one mentioned generative AI or ChatGPT.

But it is now a top threat. ChatGPT use has grown significantly since November 2022. Given the extraordinary capabilities of ChatGPT and other generative AI platforms, we can assume that criminals are already using it to:

Create very real-looking fake profiles, documents, and transactions that get past the best trained compliance person.
Develop bots and malware to commit cybercrime.
Perpetrate scams to obtain people’s bank account information.

And likely, that’s just the tip of the iceberg, because one of ChatGPT’s most valuable capabilities for fraudsters and cybercriminals is the ability to make the fake look real.

For example, AI-generated messages can create highly realistic impersonations, which enables criminals to launch highly effective frauds at scale. There have already been noted criminals using ChatGPT to create legitimate-looking social media personas that gain users’ confidence in order to steal data. FTC chair Lina Kahn has warned that ChatGPT could “turbocharge” fraud and scams, making it more difficult for compliance teams to distinguish criminal from legitimate transactions.

The strong link between fraud and financial crime

For many years, fraud and financial crime were treated separately. Fraud was associated with payments, while financial crime was associated with money laundering. But in recent years, banks have integrated these functions for more holistic and effective investigations. As one financial crime compliance officer said to me: “Fraud is the criminal act, and money laundering is the moving of money from that act.”

Fraud, real-time payments, cybercrime and ChatGPT are also linked. Fraud was often the No. 1 financial crime threat for 2023 and 2024 mentioned in these recent interviews, specifically regarding payments and cybercrime. According to research conducted by KS&R, financial crimes involving digital payments, account takeover and payments associated with ransomware and cryptocurrencies are up since 2021 among large U.S. banks. Increased use of bots and synthetic identities are behind this, with ChatGPT providing a new tool for fraudsters to wreak even more havoc.

Compliance teams get overwhelmed with new criminal typologies. Real-time payments and increasingly complex sanctions require real-time screening and monitoring. Cross-border payments add complexity with KYC due diligence. As a result, running names through a screening engine on a nightly basis and checking wire and ACH transactions are now too slow and ineffective. There is a point of diminishing returns with manual compliance processes, where even the best-trained eyes miss anomalies and alerts. And with regulators now putting the onus of preventing and stopping fraudulent transactions on banks instead of customers, it’s clear that banks need to implement automation and AI to keep up with these increasingly sophisticated—and automated criminal organizations.

Financial institutions and the need to fight fire with fire

Digital identity solutions and compliance technology are essential to combating the threat of fraud powered by generative AI. AI/machine learning is particularly useful for analyzing anomalies, links to criminal activities and entities and suspicious transaction patterns at a real-time pace. Real-time payments are putting pressure on compliance teams to conduct real-time transaction and sanctions screening. Keeping up can be a challenge.

ChatGPT can support banks’ fraud detection efforts by quickly analyzing large amounts of data on a person to assess if a real-time payment is consistent with past behaviors and/or having been cleared with previous sanctions screening. Checking for behavioral anomalies and previous sanctions screening will meet the need for speed while improving accuracy and reducing false positives.

In many institutions, though, decision-makers are taking a very cautious approach to using ChatGPT or a similar generative AI platform in the workplace, a real concern since it can be misused. Security and anti-fraud professionals within banks are evaluating the application of generative AI, assessing the risks and ensuring that those charged with using and overseeing its use fully understand and follow policy. Specifically, this includes using at-large data from the Internet in models that may not be accurate and therefore result in screening and detection errors; this could also result in GDPR non-compliance as well. Using internal data or that from established third-party data sources can reduce these risks.

To fully leverage ChatGPT and generative AI, banks benefit when they complete the integration of their cybersecurity and fraud/financial crime operations if they have not already done so. Generative AI such as ChatGPT raises the threat level for financial institutions, making fraud more difficult to detect and easier for criminals to perpetrate at scale. However, even though ChatGPT is a powerful tool in the hands of scammers. It’s a double-edged sword for criminals, because when generative AI is properly implemented in banks, it can also be a great defensive weapon to root out and stop financial crime.

Alex Capella is an associate at KS&R. Christopher Reimann is formerly VP and principal of KS&R.

Don't Fumble Your Cyber Game Plan: Score a Touchdown with Cyber Insurance Know-How!

In football, success begins with thorough practice, preparation, and a well-thought-out playbook. Similarly, in cybersecurity, a cyber risk assessment is your playbook for success, helping you effectively identify, strategize, and defend against potential threats.

Just as a football team needs to prepare and plan for every scenario on the field, a cybersecurity team needs to assess and mitigate every potential threat in the digital realm. A cyber risk assessment is not just a checklist but a strategic playbook that guides your organization to achieve its security goals.

At SBS, we start every project with a risk assessment. This is how we differentiate ourselves from the rest - by delivering customized and effective solutions for each client. Assessing risk is the game plan that sets our organization apart. SBS serves as the "special teams coordinator" in the cybersecurity playbook, providing strategic insights and support during the insurance review process.

Have a Game Plan
Scout the Opponent: Just as a football team studies its opponents to understand their strengths and weaknesses, a cyber risk assessment helps you "scout" and understand potential cyber threats and vulnerabilities. The knowledge gained from studying your opponent’s history allows you to develop a game plan (cybersecurity strategy) to defend against these threats effectively. By knowing your "opponent," you can better prepare and make informed decisions on tackling cyber risks. Similarly, cyber threat intelligence involves gathering and analyzing data about potential threats, including the tactics, techniques, and vulnerabilities that cyber adversaries might exploit. This "scouting" helps organizations anticipate and prepare for cyberattacks, just as football teams prepare for their next game.

Have a Cyber Offense: In football, the quarterback is the leader on the field, guiding the team's offense. With a cyber risk assessment, you become the quarterback of your cybersecurity team. You can strategically call the plays, allocate resources, and prioritize offensive efforts based on the identified risks and perceived threats. This proactive approach allows you to quarterback your offensive cybersecurity effectively, minimizing the chances of a cyber "turnover." SBS can help quarterback the review of cyber insurance policies and help the client develop a comprehensive cybersecurity game plan that aligns with their coverage needs and risk management goals.

Prevent the Blitz: Just as a quarterback wants to avoid a blitz, a business aims to prevent unexpected cyberattacks. A cyber risk assessment helps you identify potential "blitzes" (attacks) before they occur. By understanding where your vulnerabilities lie, you can implement preventive measures and build a strong offensive line to stop cyber threats in their tracks. This proactive offense keeps your digital "end zone" secure and minimizes the impact of potential cyber incidents. SBS assists our clients in ensuring cyber insurance policies provide adequate coverage to mitigate risks effectively. It’s critical to assess the policy for potential coverage gaps and ensure our clients are well-protected against cyber threats.

Practice
Just as a football team must prepare and plan for every possible scenario on the field, practicing incident response and ransomware simulation is like training and preparing your football team for the big game. It reduces the likelihood of costly turnovers, enhances your readiness, and earns you points with insurers, ultimately leading to lower cyber insurance costs. It’s essential to conduct cybersecurity drills and simulations to prepare the client for potential cyber incidents. SBS assists clients with these drills to help the client's team understand how to respond effectively, minimize the impact of an incident, and maximize the benefits of their insurance coverage.

Prepare a Game-Ready Defense: Football teams practice their defense against various offensive strategies. Practicing incident response and ransomware simulation hones your cybersecurity defense to be "game ready." When you face a cyber incident, your team will be well-prepared to tackle the situation efficiently. Insurance providers often reward proactive defense measures with lower premiums, recognizing that a well-prepared team is less likely to incur substantial losses.

Reduce Turnovers: In football, turnovers can be costly mistakes. A successful ransomware attack can be a costly turnover in the cyber world. By simulating ransomware scenarios and practicing incident response, you can minimize the risk of turnovers (successful attacks). This reduces the likelihood of filing insurance claims and could lower your cyber insurance costs. Insurers appreciate policyholders who take steps to prevent costly incidents.

Score Points with Insurers: Just as a football team scores points by executing successful plays, demonstrating your commitment to cybersecurity through incident response and simulation scores points with insurers. Insurance providers often view businesses with proactive cybersecurity measures more favorably. Investing in these practices shows insurers that you are a responsible and low-risk policyholder, which can lead to discounts and lower premiums on your cyber insurance policy.

Build a Winning Defense
Defense Wins Championships: Just as a strong defense is crucial in football, cyber insurance is a key defense against cyber threats. Cyber insurance can help protect your team from significant financial losses, penalties, and legal challenges resulting from cyberattacks, offering a robust defensive line against digital adversaries.

Know Your Playbook: To succeed in football, teams must know their playbook inside out. Similarly, understanding your cyber insurance policy's terms, conditions, and coverage details is an essential element of your incident response playbook. Customize your playbook (policy) to match your business's unique risks and needs to ensure you're always prepared for the game.

Don't Let the Blitz Catch You Off Guard: In football, a blitz is a sudden and aggressive attack that can disrupt your offense or force a penalty for intentional grounding. Cyberattacks can strike without warning and from multiple angles in the digital world. Cyber insurance is the middle linebacker in your defense strategy, helping you recover and bounce back from a breach or attack. It is more than just a policy; it is a playbook for incident response, risk management, and disaster recovery.

Prepare for the Blitz, the Sack, and the Penalties
Avoid the Blindside Blitz: Just as a sudden blitz can blindside a quarterback, policyholders can be caught off guard by hidden clauses and exclusions in their cyber insurance policies. A common pitfall is not fully understanding your policy, including its limitations and exclusions. Reviewing your insurance policy thoroughly is essential to avoid getting blindsided by coverage gaps when you least expect it.

Prevent a False Start Penalty: A false start penalty sets the team back. Similarly, a pitfall in cyber insurance is failing to meet the security and compliance requirements outlined in your insurance policy. If you don't adhere to these requirements, you might face penalties and “blown” insurance coverage, leaving you on the sidelines without the resources you thought you had.

Don’t Rely on the Hail Mary: Just as a "Hail Mary" pass is a high-risk, low-probability play, expecting cyber insurance to cover all losses and risks without investing in robust cybersecurity practices is a pitfall. Relying solely on insurance without a winning cybersecurity culture can lead to higher premiums, potential coverage denials, and a higher likelihood of getting sacked by cyber threats.

Special Teams are Critical to Success
Football has special teams dedicated to handling kicks and punts. Similarly, cybersecurity often involves specialized teams or tools dedicated to monitoring and responding to threats. These teams can help with strategy, execute critical kicks and returns, provide expert guidance, provide critical game-day support, and act as the defense line against cyber adversaries. SBS is like the special teams coach in football, providing critical expertise and support that can make all the difference for a client's cybersecurity game plan. We’re ready to be a part of your cyber team.

Avoiding cyber insurance pitfalls involves a thorough insurance policy review, compliance with security requirements, and a proactive cybersecurity strategy to ensure a strong game-day plan against cyber risks. Insurance policy review can help clients optimize their insurance coverage and potentially reduce premiums, allowing them to allocate resources strategically to other areas of their cybersecurity defense.

As “special teams coordinators," we provide strategic insights and support during the insurance review process. Ensuring that our clients' insurance policies align with their cybersecurity goals, minimizing coverage gaps, and helping our clients recover swiftly from cyber incidents is kicking a field goal in the defense against cyber threats.

By SHERYL RYAN | Sheryl has over 25 years of information technology and security experience in the banking, education, and oil and gas industries. She has working knowledge in governance, risk, and compliance; change management; IT management audit facilitation; and incident response and business continuity management. Before joining the SBS team in 2023, Sheryl spent over ten years as a bank Vice President and Information Security Officer.

SDSU Extension 2024 Ag Land Value Survey Now Open

Ag lenders are invited to take part in South Dakota State University Extension's 2024 South Dakota Farm Real Estate Market Survey. SDSU Extension is requesting select groups of individuals to complete the survey including appraisers, assessors, realtors, agricultural lenders and Extension field specialists.

The principal purpose of the survey is to obtain market value and cash rental rate information, by type of agricultural land, in different regions of South Dakota. Farmers, landowners, investors, lenders, real estate professionals and public officials are the majority users of the data provided by the survey.

The deadline to complete the 2024 survey, which is in its 34th year, is March 15. Questions, contact SDSU Extension's Jack Davis or Hoanh Le.
• Complete the 2024 survey.
• View the results of past surveys.

CISA News: WIN: Hacking Network Shutdown

The U.S. Government got legal authorization to remotely disable aspects of the Chinese hacking operation run by Volt Typhoon, which had successfully compromised thousands of internet-connected devices. Click here to read.

QUESTION OF THE WEEK

Q: Does MLA apply to the purchase of vacant land?

A: Generally, yes, MLA would apply as vacant land loans are not specifically exempt. Note, however, that transactions to finance initial construction of a dwelling that will secure the loan would be exempt as a residential mortgage, so in some cases this exemption may apply:
“…Exceptions. Notwithstanding paragraph (f)(1) of this section, consumer credit does not mean:
A residential mortgage, which is any credit transaction secured by an interest in a dwelling, including a transaction to finance the purchase or initial construction of the dwelling, any refinance transaction, home equity loan or line of credit, or reverse mortgage…”
https://www.ecfr.gov/current/title-32/part-232#p-232.3(f)(2)

Compliance Alliance offers a comprehensive suite of compliance management solutions. To learn how to put them to work for your bank, call (888) 353-3933 or email [email protected] and ask for our Membership Team.

For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.