TOPIC: Operations

Posting Order & Charged Off Loans

SVP at a bank ($159MUSA)
When determining what posting order to use for most active and non-accrual loans, we are posting escrow first. The question I have is regarding charged-off loans. Do you have escrow posting first or not? Also, if you can help me understand the benefits of doing it either way, that would be very helpful in making our decision on how we want to handle posting order on these loans. Thank you!!

Annual Escrow Notice / Timing

SVP at a bank ($159MUSA)
Hello all, we are beginning to implement and test escrow. Currently we are trying to determine how many days in advance we would like to set our system to conduct the annual escrow analysis. We are aware that it cannot be greater than 93 days; however, we are wondering what timeframe is commonly used. Any advice on this process is appreciated, and we would love to know how many days out everyone is beginning their analysis for the calculation to prepare the notice to the customer.

MFA Push Notifications – User Friendly, but Dangerous

With institutions having to support more remote users than ever before, protecting the remote access logon process is becoming all the more important.  So, quick question: How does the multi-factor authentication (MFA) part of your remote access portal work?  (You are using MFA, right?)

In addition to the rotating code we are becoming familiar with, chances are your remote access solution also supports a different type of one-time password (OTP) authentication called "push notifications."  Instead of the user typing in a rotating OTP, they simply get a notification in their authenticator app, or an automated call to their cell phone, and approve the logon with a tap.  Microsoft Authenticator, FortiToken Mobile, and many other apps support this.  It is simple, fast, and user-friendly.  But is it secure?

The problem with this type of authentication is that it doesn't actually require the entry of a code, so nothing ties the approval to the session the user started.  All the user has to do is agree that someone is logging on at that moment.  An attacker who already has the user's password can trigger that prompt at will; the danger comes when the legitimate user gets it…will they approve it?

While this seems unlikely, it happens more often than you may think.  Our security engineers have gained access to multiple bank networks with just this type of scenario.  Sometimes we happen to be logging in at the same time as the user, or maybe the user is just used to seeing the prompt and hits accept without thinking.  Sometimes an element of social engineering is used.  Either way, this opens an avenue of compromise we wouldn't have if the user had to enter the code at the logon prompt.

Now we aren't saying throw out push notifications altogether, but we do think it's more secure if users can be encouraged to favor the OTP entry process.  If you do decide to implement push notification authentication, consider the following:
• Make sure you train your remote users to never accept a logon notification prompt from their app when they are not actively logging in.
• Users should also be trained to report out-of-place push notifications if they see them.  A prompt the user did not trigger means someone else already has the password, so treat the report as a credential compromise (reset the password and review recent logons), not as a nuisance.
• Where your MFA product supports it, enable the option that requires the user to type a number shown on the logon screen into the app (often called number matching) and that displays the requesting location in the prompt; this restores the deliberate step that a plain "Approve" button removes.
• Log and monitor remote access logons.  If possible with your SIEM solution, remote access authentications that occur from unusual IP addresses or at odd times should generate alerts, and so should a run of denied or timed-out pushes for one user followed by an approval.
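As an added example (not part of the original article and not tied to any particular VPN or SIEM product), the Python script below applies the monitoring advice above to a few constructed log lines in an assumed key=value format: it flags push approvals that arrive after a burst of prompts, from a source address the user has not successfully logged on from before, or outside business hours, and it reports denied prompts on their own, since a denied push means the password is already in someone else's hands. The log format, field names, business-hours range and thresholds are assumptions to adapt to your own product and time zone.

```python
"""Flag risky push-MFA events in remote-access logs.

Added example; the key=value log format, field names and thresholds below are
assumptions and will need adapting to the real VPN/MFA product and SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): one normal day, then an
# attacker hammering jdoe with push prompts at 2 a.m. from an unfamiliar
# address until one of them gets approved.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=asmith src=198.51.100.20 method=push result=approved
2024-03-04T09:40:55Z user=jdoe src=198.51.100.21 method=push result=approved
2024-03-05T02:13:07Z user=jdoe src=203.0.113.45 method=push result=denied
2024-03-05T02:13:49Z user=jdoe src=203.0.113.45 method=push result=denied
2024-03-05T02:14:30Z user=jdoe src=203.0.113.45 method=push result=timeout
2024-03-05T02:15:12Z user=jdoe src=203.0.113.45 method=push result=approved
2024-03-05T10:05:00Z user=asmith src=198.51.100.20 method=otp result=approved
"""


def parse_line(line):
    """Turn '<timestamp> user=x src=y method=z result=w' into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text, business_hours=(7, 19), window=timedelta(minutes=10), burst=3):
    """Return a list of (user, timestamp, reasons) alerts.

    business_hours is a (start, end) hour range in the log's time zone; the
    sample is UTC, so convert real logs to local time before using this.
    """
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    known_src = defaultdict(set)   # user -> source IPs of earlier successful logons
    recent = defaultdict(list)     # user -> timestamps of push prompts inside `window`
    alerts = []

    for rec in records:
        user, ts = rec["user"], rec["ts"]

        if rec["method"] == "push":
            # Sliding window of prompts so a burst (prompt bombing) can be seen.
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if rec["result"] == "denied":
                # The user rejected a prompt they did not trigger: whoever
                # requested it already knew the password.
                alerts.append((user, ts, ["push denied by user; treat password as compromised"]))

        if rec["result"] != "approved":
            continue

        reasons = []
        if rec["method"] == "push":
            if len(recent[user]) >= burst:
                reasons.append(f"{len(recent[user])} push prompts within {window}")
            # Cold start: a user's very first logon has no baseline and is not flagged.
            if known_src[user] and rec["src"] not in known_src[user]:
                reasons.append(f"new source {rec['src']}")
            if not business_hours[0] <= ts.hour < business_hours[1]:
                reasons.append(f"outside business hours ({ts:%H:%M})")
        if reasons:
            alerts.append((user, ts, reasons))
        known_src[user].add(rec["src"])   # learn from every successful logon, push or OTP

    return alerts


if __name__ == "__main__":
    for user, ts, reasons in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: " + "; ".join(reasons))
```

Run against the sample, the two denied prompts produce alerts on their own and the 02:15 approval is flagged for all three reasons at once; asmith's ordinary daytime logons, including the OTP one, are silent. In a real deployment the "known source" set would be seeded from a few weeks of history rather than learned from scratch, and the burst threshold should be set below whatever your MFA product allows before it rate-limits prompts.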

Commercial Appraisal/Evaluation Guidelines

VP at a bank ($303MUSA)
I am wondering if anyone would be willing to share their current Commercial Real Estate Appraisal/Evaluation Guidelines. I understand that this is more of a Loan Policy issue, but we are just revising our current policies and are curious to know what others are doing both at new loan inception and also at renewal time. Thank you in advance for your willingness to share!

Return Without Entry Chart

Employee at a bank ($1.3BUSA)
Hi All,

Whenever we receive a check return without entry, there's always some confusion surrounding the action that needs to be taken. I'm looking to build out a reference matrix that would help my team (and others) handle these situations more efficiently. I've looked and looked for an existing matrix or site that we could use for reference, but have been unsuccessful in finding one. In what situations must we remit funds to the requesting bank regardless of the availability in the account? What is the timeframe for these kinds of returns? Does the requesting institution have to send a notarized letter of forgery? On the other hand, in what cases would we just remit the available funds in the account or decline the return request altogether? What are the timeframes for these return requests?

Any input would be greatly appreciated!


Contacting your customers/members

Employee at a credit union ($291MUSA)
We are looking at different avenues for contacting members/customers regarding transactional info on their account, not marketing.  We have some that are not responding to mailed letters or phone calls regarding their dormant accounts, and we are considering emails.  We have read the CAN-SPAM reg and will not be marketing to them, and we will still include the option to "opt out".  We have staff that want to use Facebook Messenger, but I don't feel social media messaging is the way to go.  Do you use any social media messaging to contact your members?  Do you have a sample of the authorization that your customers/members sign?  We will be running this by legal, but wanted to see what others are doing as we update our policies and procedures.

Browser Password Storage Thoughts

There is some risk in allowing a user's browser to remember passwords.  If a bad actor gets access to a machine, they can harvest the passwords stored in the browser and use them to increase access and move to other systems.  On Windows, for example, Chrome and Edge protect the stored passwords with DPAPI keyed to the user's own logon, so any code running as that user can read them without needing any further secret.  It should be noted that there are numerous other ways an attacker can achieve the same thing, so blocking browsers from remembering passwords is simply one layer in your overall controls.  The major browsers (Chrome, Edge, and Firefox) ship Group Policy (ADMX) templates that let you block password storage; in all three the setting is named PasswordManagerEnabled, and a Google search for "browser block password storage via group policy" should get you going.  Apply the policy to every browser you allow on the workstation, not just the default one, and verify it took effect by confirming that the "save password" prompt no longer appears on a managed machine.

If you do disable browser-stored passwords, it's important to give users an alternative; otherwise they will likely end up using a Word doc full of passwords on their desktop, or maybe just write them down on sticky notes, which is arguably less secure than letting the browser store passwords!  Some popular password managers are KeePass, LastPass, and 1Password.  Keep in mind that a password manager left unlocked on a compromised machine is exposed too, so pair it with a strong master password and a lock-on-idle setting.  Whatever you choose, you will also have to train your employees on proper usage, and it's a good idea to reinforce this training at least annually.

IT Asset Management - Help secure your environment and save money, too!

Do you keep an accurate and up-to-date inventory of your IT assets?  If not, you may be wasting money and weakening your overall IT security posture.  One of the most important aspects of managing your IT environment is knowing what you have.  Inventory all IT assets: desktops, servers, printers, network attached cameras, routers, switches, firewalls; if it plugs into the network, inventory it.

Use this list to make sure every asset is included in the controls you have in place, such as Active Directory, antivirus, DNS, patch and vulnerability management, and log management.  These are all critical functions that depend on having a good inventory to work from.  A system that was missed because it wasn't in the inventory is usually missing from those controls as well: unpatched, unmonitored, and unknown to you but not to an attacker, which increases the overall risk to your environment.  Reconcile in both directions: an inventoried asset with no antivirus or logging coverage is a gap to close, and a host that a control still knows about but the inventory does not is either decommissioned gear you are still paying for or a device nobody authorized.  Keep your inventory updated with scheduled periodic reviews, and as changes to your environment occur.

From a financial perspective, poor inventory management can lead to continuing to pay for maintenance or licensing on a system that was decommissioned years ago, or leaving a long-gone system on the books.  The finance folks just love it when that happens!  (Protip: They do not love this.)  Proper IT Asset Management is a regulatory requirement in many industries, and scales well beyond these basics.  Ensuring you have an accurate inventory is always the starting point.
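As an added example (not part of the original article), the Python below performs the two-way reconciliation described above on constructed data: an inventory that tags each asset with a class, an assumed table of which controls each class should be enrolled in (printers and cameras, for instance, are assumed unable to run an antivirus or patch agent), and exports of the host lists from each control's console. It reports inventoried assets missing from a control they should be in, and hosts a control still tracks that the inventory has never heard of. The host names, classes and control lists are all made up for illustration.

```python
"""Reconcile an IT asset inventory against the hosts each control actually covers.

Added example; host names, asset classes and control exports are constructed,
and the applicability table is an assumption to adjust for your environment.
"""

# Constructed inventory: host name -> asset class.
INVENTORY = {
    "DC01": "server", "FS01": "server", "WEB01": "server",
    "PRN-LOBBY": "printer", "CAM-VAULT": "camera", "FW-EDGE": "firewall",
}

# Which controls each asset class is expected to be enrolled in (assumption:
# printers and cameras cannot run agents but should still send logs).
EXPECTED_CONTROLS = {
    "server":   {"active_directory", "antivirus", "patch_management", "log_management"},
    "printer":  {"log_management"},
    "camera":   {"log_management"},
    "firewall": {"patch_management", "log_management"},
}

# Constructed exports from each control's console: the hosts it knows about.
CONTROL_COVERAGE = {
    "active_directory": {"DC01", "FS01", "WEB01", "OLD-APP02"},
    "antivirus":        {"DC01", "FS01", "WEB01"},
    "patch_management": {"DC01", "FS01"},
    "log_management":   {"DC01", "FS01", "WEB01", "FW-EDGE", "OLD-APP02"},
}


def coverage_gaps(inventory, expected, coverage):
    """Inventoried assets missing from a control they are expected to be in.

    Returns {host: [missing control, ...]} containing only hosts with gaps.
    """
    gaps = {}
    for host, asset_class in inventory.items():
        missing = sorted(control for control in expected.get(asset_class, set())
                         if host not in coverage.get(control, set()))
        if missing:
            gaps[host] = missing
    return gaps


def unknown_hosts(inventory, coverage):
    """Hosts a control still knows about that the inventory does not.

    These are either decommissioned systems still being licensed and logged,
    or devices that were never authorized; both need a decision.
    Returns {control: [host, ...]} for controls that have any such hosts.
    """
    result = {}
    for control, hosts in coverage.items():
        extra = sorted(host for host in hosts if host not in inventory)
        if extra:
            result[control] = extra
    return result


if __name__ == "__main__":
    for host, missing in coverage_gaps(INVENTORY, EXPECTED_CONTROLS, CONTROL_COVERAGE).items():
        print(f"GAP     {host:<10} not enrolled in: {', '.join(missing)}")
    for control, hosts in unknown_hosts(INVENTORY, CONTROL_COVERAGE).items():
        print(f"UNKNOWN {control:<17} tracks uninventoried: {', '.join(hosts)}")
```

On the sample data this reports WEB01 and FW-EDGE as missing from patch management, the printer and camera as not forwarding logs, and OLD-APP02 as a host that Active Directory and the log platform still carry but the inventory does not. In practice the three inputs come from your asset database and the export or API of each console, and the review should be scheduled, since a one-off run only tells you how bad things were on that day.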