Bank Director | Federal Financial Institutions Examination Council Archives

What to Know About Cannabis Banking in 2022

Posted on October 15, 2021 at 12:01 am.

The cannabis industry is growing exponentially, and nationwide sales are estimated to exceed $30 billion in 2022.

This growth comes with extraordinary opportunities for banks to offer services to the still largely unbanked and underbanked cannabis industry. Board members and C-suite executives cannot afford to ignore the potential impact of cannabis on their bank in 2022, whether they are banking it or not. Here’s some trends that the industry should be on the lookout for.

More states will legalize marijuana in 2022
The website Ballotopedia is tracking over a dozen proposed marijuana legalization initiatives as of September. These include attempts to legalize marijuana for medical purposes in Wyoming, Idaho and Mississippi, medical and adult uses in Nebraska and adult recreational uses in Arkansas and Ohio. Any kind of legalization in Nebraska would be significant; it is currently the only state with no loosened legal restrictions on marijuana possession or use. Banks located in states without a legal marijuana program, including adult or medical, may see that change by the end of 2022 and need to start planning now for how this could affect your bank.

Marijuana licensing and sales will begin in states that legalized or expanded their programs in 2021.
Marijuana-related business (MRB) licensing and sales don’t begin the day after it’s legalized. A governor’s signature is just the first step. Legalization requires months of work by a newly appointed marijuana regulatory authority to develop the actual regulations — the infrastructure — that make licensing and sales possible. 2022 can expect to finally see sales in states that legalized marijuana in 2021.

There’s no guarantee that any federal marijuana legislation will pass in 2022.
There are currently two major proposed bills that would loosen federal policy towards marijuana: the Secure and Fair Enforcement Banking Act (SAFE Banking Act) and the Cannabis Administration and Opportunity Act (CAO Act).

The most attractive to banks is the SAFE Banking Act, which would ensure federal regulators could not take adverse action against banks that provide services to state-legal MRBs. It would also require the Federal Financial Institutions Examination Council to establish uniform exam guidelines for evaluating marijuana banking programs. This legislation passed the House of Representatives by a comfortable margin in 2020 and again in 2021, but has yet to make it to the Senate floor for a vote.

Senate leadership has made it clear that passage of the CAO Act is their priority, with Sen. Cory Booker (D-NJ) going so far as to say, “I will lay myself down to do everything I can to stop an easy banking bill […] as opposed to focusing on the restorative justice aspects.” There’s been another attempt in the House to push through the SAFE Banking Act as an amendment to the National Defense Authorization Act but there’s no guarantee this will be included in the final version of the bill. As a result, banks shouldn’t count on the SAFE Banking Act passing in 2022, with Senate leadership focused on the CAO Act.

In 2022, cannabis banking will move from “nice to have” to “unavoidable.”
Something new we’ve seen this year is that an increasing number of institutions are building cannabis banking programs because they risk losing high-worth customers if they don’t. For instance, a bank in the Midwest was approached by a member of a prominent farming family that had decided to start growing marijuana. They were upfront about their plans and made it clear that, despite a multi-generational relationship with the bank, they were prepared to go elsewhere if necessary.

We saw something similar in the South: a major customer decided to pivot from growing flowers in their greenhouses to marijuana, and the bank decided to release their marijuana restrictions only after they lost a good part of their customer’s business to a cannabis-friendly competing financial institution. Banks risk losing valuable customers in 2022 if they do not establish cannabis banking programs.

Due to a combination of widespread destigmatization, a steady march of state-by-state legalization and the immense business opportunity of this industry, an increasing number of banks are building lines of business to benefit from this market — or at the least, avoid losing customers to it.

To learn more about what this industry will look like in 2022, and the financial modeling and risk assessment behind successful programs, click HERE.

Tips to Navigate Top Risk Factors for Banks in 2021

Posted on July 9, 2021 at 12:01 am.

Written by Tricia Lesh

Risk is always a prominent factor for banks. Their ability to strategically navigate change proved to be crucial in a year of unprecedented challenges caused by the Covid-19 pandemic.

Moss Adams partnered with Bank Director to conduct the 2021 Risk Survey that explored key risks facing the industry — and forecast how banks will emerge from the pandemic. Below is a summary of top insights from the survey, as well as considerations that bank leadership should keep front of mind as they go into the second half of the year.

Rising Credit Risk Concerns

Unsurprisingly, concerns around credit risk increased in 2020.

Two-thirds of bank respondents worry about concentrations in their loan portfolio, particularly around industries significantly strained during the pandemic, including commercial real estate and hospitality. Almost all respondents modified loans in second and third quarters of 2020 to aid their customers during the initial wave; some of these modifications extended into the fourth quarter.

Evaluation Metrics and Portfolio Concerns

Two separate metrics are now in play for regulators’ evaluations. As a result, it’s important to remember that just because your bank’s loan portfolio doesn’t receive a favorable rating doesn’t mean your bank or management won’t be evaluated favorably.

Regulators might downgrade a portfolio rating as some credits went into deferrals due to business shutdowns and borrowers being unable to make payments. However, bank management could receive a strong rating because of actions they took to keep the bank running and support customers.

While modifications reflect current realities, they don’t diminish the fact that portfolios are degrading from a stability standpoint. Forty-three percent of respondents tightened underwriting standards during the pandemic, while roughly half are unsure if they’ll adjust standards in 2021 and 2022.

Banks that have good governance will loosen their underwriting standards and will be strategic about to whom they lend money. In addition, they will assess which loans they’ll permit to be in delinquent status without taking action, and which they’ll defer.

Increases in Stress Testing

While annual stress tests are common for banks, 60% of respondents expanded the quantity or depth of economic scenarios in response to the pandemic. This is despite regulators’ previous increase of the asset cap threshold for required testing.

Most institutions focus not just on interest rate stress testing — they test the whole portfolio. This is driving more stress testing on the viability of collateral for loans and liquidity. Institutions know they’ll face increased allowance provisions and write-offs, so they’re stress testing the capital resiliency of their organization and see how they would shoulder that burden.

Looking forward, banks may want to focus on concentrated risks within the portfolio. They may also want to apply different, more specific stress testing criteria to various segments such as multifamily real estate, hospitality and mortgages, knowing certain areas may pose greater risk.

Improved Plans for Continuity and Disaster Recovery

The pandemic placed a renewed focus on continuity and disaster recovery. While most organizations had a pandemic provision in their plans following guidance from the Federal Financial Institutions Examination Council (FFIEC), they had been considered only hypothetical exercises. When an actual pandemic hit, many organizations had to react quickly, focus and learn how to adapt during the experience. Most banks will enhance their business continuity plans as a result of the pandemic: 84% of respondents say they’ve made or plan to make changes to their plans.

Key improvement areas include plans to:

Formalize remote work procedures.
Educate and train employees.
Provide the right tools to staff.
Ensure the bank’s IT infrastructure can adapt in a crisis.

Cybersecurity and Remote Work Setups

Three-quarters of respondents plan for at least some employees to work remotely after the pandemic abates. This makes cybersecurity a significant concern that boards need to further explore and implement additional precautions around.

Previously, with employees working in one space, there was only one entry point of attack for cybercriminals. Suddenly, with employees working from potentially hundreds of different locations, hundreds of entry points could exist.

Factoring in employees’ mental states is also a crucial vulnerability. It’s easier for cybercriminals to take advantage of or deceive employees that are navigating the difficulties of working from home and the general stresses of the pandemic. Increased staff training, as well as technology improvements, can help better detect and deter cyberthreats and intrusions.

Looking Forward

Though many respondents noted the resilience of the industry, it’s important to not get complacent. Banks certainly weathered the hard times, but the biggest impacts of the past year likely won’t be fully visible until the pandemic subsides.

Once that occurs, some businesses will reopen but may need more capital. Others may still close permanently, leaving banks to determine which loans won’t get repaid, engage bankruptcy courts, take cents on the dollars for the loan and charge write-offs.

So while this past year has been a major learning experience, the lesson likely won’t be concluded until early 2022.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC.

Managing Social Media Risk: New Guidance From Regulators

Posted on February 20, 2013 at 3:30 pm.

Written by lodom

Social media has become ubiquitous and many banks are wondering if they can survive without a trendy presence on Facebook, LinkedIn, Twitter, YouTube, and in the “blogosphere.” It is a bit of the Wild West out there though, with few rules in place to protect your message. Instead of yelling at the TV at home, a person can post a negative comment about your business for the world to see and, even if unfair and baseless, there may be little you can do about it.

Financial institutions use social media in a variety of ways, including marketing, promotions, account applications, consumer feedback and communicating with new and existing customers. Since these communications occur in an informal and largely unsecured environment, it introduces new risks. If your bank is active in social media, or simply advertises consumer banking or other products through social media, new proposed guidance from the Federal Financial Institutions Examination Council (FFIEC) instructs your bank to adopt compliance policies and procedures governing these activities. Even if your financial institution is not active in social media, you need a process for responding to negative comments or complaints that surface through social media platforms.

This article briefly summarizes the proposed FFIEC guidance.

We encourage all interested banks to submit comments on this guidance by the deadline of March 25, 2013.

What are the compliance expectations for banks using social media?

On January 23, 2013, the FFIEC issued a request for comment on a proposed “Social Media: Consumer Compliance Risk Management Guidance.” The intent of the guidance is to help banks, thrifts and non-banks under the supervision of the Consumer Financial Protection Bureau identify, address, oversee and control risk from social media within their overall risk management program.

What forms of social media are within the scope of the guidance?

The FFIEC considers social media to include forms of interactive online communication in which users generate and share content through the use of text, images, audio and/or video, including:

Micro-blogging sites (Facebook, Google Plus, MySpace and Twitter);
Forums, blogs, customer review web sites and bulletin boards (Yelp);
Photo and video sites (Flicker and YouTube);
Professional networking sites (LinkedIn)
Virtual worlds (Second Life); and
Social games (FarmVille and CityVille).

What should your social media compliance program include?

A financial institution should have a risk management program that allows it to identify, measure, monitor and control risks related to social media. The size of the program should relate to how active the bank is on social media.

Governance structure: Should enable senior management to direct the use of social media to contribute to its strategic goals;
Policies and procedures: To monitor social media use and compliance within all applicable laws, including methodologies to manage risks from online activities such as postings, edits, replies and retention;
Due diligence process: For managing applicable third party vendor relationships;
Employee training: Program that incorporates policies for official, work-related use of social media, and potentially for other uses of social media, including listing prohibited activities;
Oversight process: For monitoring data posted to third party social media sites;
Audit and compliance: To ensure ongoing compliance; and
Reporting parameters: To evaluate the effectiveness of social media against defined goals.

What are the key areas of concern?

Compliance and legal risks: Banking and consumer laws must be followed, even in the social media space
- Deposit/lending products
  1. A lending advertisement mentioning APY or bonus has certain requirements under the Truth in Lending Act. A link to the full disclosures can be provided in social media.
  2. A creditor must preserve prescreened solicitations made through social media, as required by the Equal Credit Opportunity Act Regulation B.
- Bank Secrecy Act/Anti-Money Laundering
  An e-banking product offered or conducted through social media is subject to the BSA/AML policies that apply to all customers, products and services.
- Payment systems
  If social media is used to facilitate a consumer’s payment transactions all laws, regulations and industry rules apply such as the Electronic Fund Transfer Act/Regulation E, UCC, the Expedidted Funds Availability Act Regulation CC and PCI DSS.
- Community Reinvestment Act (CRA
  If a depository institution is subject to the CRA and must maintain specific items in a public file, its policies and procedures should include monitoring social media sites.
- Privacy
  1. If social media is part of your customers’ online account opening or use experience, Title V of the Gramm-Leach Bliley Act will apply, which restricts use of personal information shared with third parties, and gives customers the option to opt out of the sharing of such information.
  2. If a financial institution sends unsolicitied communications to consumers through social media (e.g., spam or SMS text message) the CAN-SPAM Act and the Telephone Consumer Protection Act may govern.

Reputational risk
- Fraud and brand identity
- Privacy concerns: Policies and procedures must address risks from receipt, use and sharing of consumer information on a social media.
- Consumer complaints and inquiries: The inherent nature of social media exposes a bank to reputation risks when users post critical or inaccurate statements.
- Employee use of social media sites: An employee’s use of social media, even through a personal account, may appear to a customer as reflecting the bank’s official policies.
Operational risk
- Use of information technology, including social media, requires identification, monitoring and management of risk of loss from inadequate or failed processes, people or systems.
- The incident response protocol for a data breach or account takeover needs to address social media risk.