News and topics of interest to financial institutions regulated by the Department of Banking and Finance

August 2017

Inside this issue: Information Security Risk Assessment; Action on Applications for the Month

Emergency Closing Notification Procedures

In preparation for the possible impact of Hurricane Irma, the Department would like to remind all Georgia state-chartered institutions of emergency closing notification procedures. Financial institutions have the discretion to close business operations in the event of a natural disaster or other emergency, including situations where an emergency may be imminent. Financial institution offices directly affected by severe weather conditions may close under the conditions set forth in O.C.G.A. 7-1-111 and Department Rule 80-5-2-.02.

All financial institutions are reminded that current regulations provide for management to exercise its own discretion, with notification to the Department, in closing any institution for one business day (renewal for successive days) upon its determination that the safety of customers, employees, or assets would be in jeopardy due to civil disorder, fire, acts of God, or similar circumstances which render the institution unable to conduct business in a safe and sound manner. Office closings due to emergency situations should be communicated to the Department as soon as transmission is feasible. Further, financial institutions should make every effort to reopen as quickly as possible to address the banking needs of their customers.

If your institution's emergency contact information has recently changed, then please log on to the Emergency Communications System ("ECS") of the Federal Reserve Bank of St. Louis to update your emergency contact information.
Use of the ECS allows the Department to quickly establish a two-way communication channel with financial institutions, provide key updates, ascertain the operational status of an institution and provide ongoing updates throughout an emergency situation or crisis. If you have any questions or concerns about logging into the ECS system, please contact ECS support at ECS.Support@stls.frb.org.

Order to Cease and Desist Issued to Southern Cherokee Nation and the Red Fire People Central Bank and Depository Trust and Walter Charlie Pressley a/k/a Chief Gees-Due OO-Neh-Gah Usti

On August 23, 2017, the Department of Banking and Finance, State of Georgia ("Department") issued an Order to Cease and Desist to Southern Cherokee Nation and the Red Fire People Central Bank and Depository Trust ("SCNRFP Central Bank") and Walter Charlie Pressley a/k/a Chief Gees-Due OO-Neh-Gah Usti. It is unlawful to conduct and/or be affiliated with a banking business in Georgia without a bank charter. It is also unlawful to use the words "bank" and/or "trust" in any entity's name without the permission of the Department. The Department has no record of SCNRFP Central Bank and has not approved this entity or Mr. Pressley to organize a bank and/or conduct a banking business in or from Georgia. Furthermore, the Department has not granted SCNRFP Central Bank permission to use "bank" or "trust" in its name. More information about the Order, including the terms of the Order, may be obtained here.

Implementation of "Sensitivity to Market Risk" Rating Component for Credit Unions

The Department's implementation of the Sensitivity to Market Risk, or "S", component in credit unions becomes effective for examinations beginning after January 1, 2018. In 1997, the Federal Financial Institutions Examination Council (FFIEC) included the "S" component in the modified Uniform Financial Institution Rating System (UFIRS).
In implementing the "S" component for credit unions, the Department will use the UFIRS ratings definitions and guidance. The sensitivity to market risk component reflects the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect a financial institution's earnings or economic capital. When evaluating this component, consideration should be given to: management's ability to identify, measure, monitor, and control market risk; the institution's size; the nature and complexity of its activities; and the adequacy of its capital and earnings in relation to its level of market risk exposure.

Market risk is rated based upon, but not limited to, an assessment of the following evaluation factors:

- The sensitivity of the financial institution's earnings or the economic value of its capital to adverse changes in interest rates, foreign exchange rates, commodity prices, or equity prices.
- The ability of management to identify, measure, monitor, and control exposure to market risk given the institution's size, complexity, and risk profile.

Sensitivity to Market Risk Component Ratings

1 A rating of 1 indicates that market risk sensitivity is well controlled and that there is minimal potential that the earnings performance or capital position will be adversely affected. Risk management practices are strong for the size, sophistication, and market risk accepted by the institution. The level of earnings and capital provide substantial support for the degree of market risk taken by the institution.

2 A rating of 2 indicates that market risk sensitivity is adequately controlled and that there is only moderate potential that the earnings performance or capital position will be adversely affected. Risk management practices are satisfactory for the size, sophistication, and market risk accepted by the institution.
The level of earnings and capital provide adequate support for the degree of market risk taken by the institution.

3 A rating of 3 indicates that control of market risk sensitivity needs improvement or that there is significant potential that the earnings performance or capital position will be adversely affected. Risk management practices need to be improved given the size, sophistication, and level of market risk accepted by the institution. The level of earnings and capital may not adequately support the degree of market risk taken by the institution.

4 A rating of 4 indicates that control of market risk sensitivity is unacceptable or that there is high potential that the earnings performance or capital position will be adversely affected. Risk management practices are deficient for the size, sophistication, and level of market risk accepted by the institution. The level of earnings and capital provide inadequate support for the degree of market risk taken by the institution.

5 A rating of 5 indicates that control of market risk sensitivity is unacceptable or that the level of market risk taken by the institution is an imminent threat to its viability. Risk management practices are wholly inadequate for the size, sophistication, and level of market risk accepted by the institution.

By comparison, the Liquidity component will focus on evaluating the adequacy of a financial institution's liquidity position, with consideration given to the current level and prospective sources of liquidity compared to funding needs, as well as to the adequacy of funds management practices relative to the institution's size, complexity, and risk profile.

Liquidity is rated based upon, but not limited to, an assessment of the following evaluation factors:

- The adequacy of liquidity sources compared to present and future needs and the ability of the institution to meet liquidity needs without adversely affecting its operations or condition.
- The availability of assets readily convertible to cash without undue loss.
- Access to money markets and other sources of funding.
- The level of diversification of funding sources, both on- and off-balance sheet.
- The degree of reliance on short-term, volatile sources of funds, including borrowings and brokered deposits, to fund longer term assets.
- The trend and stability of deposits.
- The ability to securitize and sell certain pools of assets.
- The capability of management to properly identify, measure, monitor, and control the institution's liquidity position, including the effectiveness of funds management strategies, liquidity policies, management information systems, and contingency funding plans.

Liquidity Component Ratings

1 A rating of 1 indicates strong liquidity levels and well-developed funds management practices. The institution has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs.

2 A rating of 2 indicates satisfactory liquidity levels and funds management practices. The institution has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses may be evident in funds management practices.

3 A rating of 3 indicates liquidity levels or funds management practices in need of improvement. Institutions rated 3 may lack ready access to funds on reasonable terms or may evidence significant weaknesses in funds management practices.

4 A rating of 4 indicates deficient liquidity levels or inadequate funds management practices. Institutions rated 4 may not have or be able to obtain a sufficient volume of funds on reasonable terms to meet liquidity needs.

5 A rating of 5 indicates liquidity levels or funds management practices so critically deficient that the continued viability of the institution is threatened.
Institutions rated 5 require immediate external financial assistance to meet maturing obligations or other liquidity needs.

This bulletin article is the last in a three-part series detailing the Department's implementation of the "S" component. The June 2017 and July 2017 bulletins should be used as additional reference sources. Any further questions can be submitted to Supervisory Manager Justin McElheney at 770-986-1633 or JMcElheney@dbf.state.ga.us.

Information Security Risk Assessment

As information technology (IT) programs become more and more critical to the operational and financial success of the financial services industry, it is important that the Board and senior management thoroughly assess information security (IS) risks and develop a comprehensive set of policies, procedures, processes, controls, and audit programs designed to directly address those risks. Furthermore, management should engage independent testing of key control processes with a scope and frequency commensurate with the institution's unique IT risk profile.

The IS risk assessment process includes a number of steps that should result in a comprehensive understanding of the institution's risks and mitigating controls. At a minimum, IS risk assessment steps should include:

1. Identification of all information assets that are used to create, store, or transmit data, either in electronic or paper form. Assets will include all electronic hardware and software but should also consider paper documents and the methods to create, store, and transmit paper, such as filing cabinets or courier services. Vendors that are responsible for creation, storage, and transmission of data should also be considered an information asset.
2. Identification of specific threats and vulnerabilities to the confidentiality, integrity, and accessibility of data and to the assets that create, store, and transmit data.
3. A supportable and reasonable assessment of the likelihood that each threat could manifest itself and the potential impact that the threat could have on the confidentiality, integrity, and accessibility of data. For vulnerabilities, management should identify and understand how each vulnerability exposes institution data and information assets to specific threats.
4. Identify current policies, procedures, processes and controls designed to: protect data and assets against threats, address the vulnerabilities that compromise data and assets, and minimize the impact to the confidentiality, integrity, and accessibility of data and assets.
5. Make a determination, based on comparison of threats, vulnerabilities, and potential impacts to current policies and controls, of the residual risks to data and assets.

The final product should provide a foundation for the Board and senior management to develop a comprehensive set of policies, procedures, processes, and controls that are designed to address the identified threats and vulnerabilities and mitigate the risk of loss of confidentiality, integrity, and accessibility.

Timely independent testing of control processes is necessary to identify any weaknesses that may exist in the control environment. After testing it is imperative that action is taken expeditiously to address any weaknesses identified to mitigate vulnerabilities. After corrective measures are implemented, the Board and management should re-assess IS risks, re-starting a continuous risk management cycle of assessment, controls, testing, and adjustment. In addition, any new introduction of information assets into the environment (such as electronic hardware or third-party vendors), identification of significant new threats (such as ransomware), or discovery of potential vulnerabilities (such as a bulletin on a newfound weakness in an operating system) should require a re-assessment of risks between the normal risk management cycle.
For more information, please consult the FFIEC IT Handbooks at the FFIEC IT Handbooks InfoBase found at: https://ithandbook.ffiec.gov/. Please contact Supervisory Manager Justin McElheney at (770)-986-1643 or JMcElheney@dbf.state.ga.us with any questions regarding this article.

Action on Applications for the Month August 2017

The following is a summary of official action taken on applications by state financial institutions under Title 7, Chapter 1 of the O.C.G.A. and petitions for certificate of incorporation of financial institutions and other matters of interest during the month of August 2017:

APPLICATIONS TO ESTABLISH A BRANCH OFFICE

FINANCIAL INSTITUTION BRANCH OFFICE APPROVAL DATE SunTrust Bank Atlanta Liberty Village 2600 Old Milton Parkway Alpharetta, GA 30009 Fulton County 08-14-2017 BEGIN BUSINESS DATE SunTrust Bank Atlanta SunTrust Bank Atlanta Synovus Bank Columbus Synovus Bank Columbus Metro City Bank Doraville NOA Bank Duluth State Bank and Trust Company Macon The Piedmont Bank Norcross Flagler Beach 2410 FL 100 Flagler Beach, FL 32136 Flagler County Creighton Road 2627 Creighton Road Pensacola, FL 32504 Escambia County Overton 3400 Overton Park Drive Atlanta, GA 30339 Fulton County Augusta 720 St.
Sebastian Way, Unit 130 Augusta, GA 30901 Richmond County Flushing 138-35 39th Avenue Space D-1 Flushing, NY 11354 Queens County Sugarloaf 1185 Old Peachtree Road Suwanee, GA 30024 Gwinnett County Mall Boulevard 602 Mall Boulevard Savannah, GA 31406 Chatham County Chamblee 5070 Peachtree Boulevard Suite B110 Chamblee, GA 30341 DeKalb County 08-14-2017 08-14-2017 03-13-2017 08-03-2017 08-09-2017 08-24-2016 08-29-2017 08-23-2017 08-21-2017 08-14-2017

APPLICATIONS TO CHANGE LOCATION

FINANCIAL INSTITUTION: SunTrust Bank Atlanta
CHANGE LOCATION OF: West End
From: 1715 West End Avenue Nashville, TN 37203 Davidson County
To: 210 21st Avenue South Nashville, TN 37203 Davidson County
APPROVAL DATE: 04-04-2017
EFFECTIVE DATE: 08-18-2017

FINANCIAL INSTITUTION: SunTrust Bank Atlanta
CHANGE LOCATION OF: Coral Ridge
From: 2626 East Oakland Park Boulevard Fort Lauderdale, FL 33306 Broward County
To: 3850 N Federal Highway Fort Lauderdale, FL 33308 Broward County
APPROVAL DATE: 02-06-2017
EFFECTIVE DATE: 08-25-2017

FINANCIAL INSTITUTION MERGERS

FINANCIAL INSTITUTION (SURVIVOR) PrimeSouth Bank Blackshear, GA United Community Bank Blairsville, GA MERGED INSTITUTION Atlantic National Bank Brunswick, GA Four Oaks Bank & Trust Company Four Oaks, NC Entegra Bank Franklin, NC Chattahoochee Bank of Georgia Gainesville, GA State Bank and Trust Company Macon, GA The Piedmont Bank Norcross, GA AloStar Bank of Commerce Birmingham, AL Mountain Valley Community Bank Cleveland, GA Guardian Bank Valdosta, GA Pelham Banking Company Pelham, GA APPROVAL DATE EFFECTIVE DATE 08-15-2017 Pending Pending Pending Pending Pending

APPLICATIONS TO BECOME A BANK HOLDING COMPANY AND/OR TO ACQUIRE VOTING STOCK OF A FINANCIAL INSTITUTION

BANK HOLDING COMPANY United Community Banks, Inc. Blairsville, GA TO ACQUIRE Four Oaks Fincorp, Inc.
Four Oaks, NC APPROVAL DATE 08-21-2017

DBF Outreach and Upcoming Speaking Engagements

Rule of Law Defense Fund FinTech Policy Roundtable Fly-In: Commissioner Kevin Hagler will speak at the FinTech Policy Roundtable Fly-In, to be held at the Hodges Room, Centergy Building, Georgia Institute of Technology, Atlanta, Georgia, on September 7. Visit http://ruleoflawdefensefund.org/fintechpolicy-roundtable-fly/ for more information.

Georgia Credit Union Affiliates Compliance Council: Supervisory Manager Justin McElheney and Senior Financial Examiner Maggie Hsu are speaking on Bank Secrecy Act compliance issues at the Compliance Council, to be held at the National Credit Union Administration Region 3 Office, Atlanta, Georgia, on September 13. For more information, visit https://gcua.org/compliance/index.php.

King & Spalding FinTech Summit: Commissioner Kevin Hagler will speak at the FinTech Summit, to be held in Atlanta, Georgia, on September 18. Visit https://www.kslaw.com/news-and-insights/king-spalding-fintech-summit for more information.

Georgia Bankers Association Compliance Conference: Deputy Commissioner for Supervision Melissa Sneed will speak at the Compliance Conference, to be held at the Professional Sciences Conference Center of Middle Georgia State University, Macon, Georgia, on September 20. For more information, visit http://www.gabankers.com/.

Georgia Bankers Association President/CEO Conference: Commissioner Kevin Hagler will speak at the President/CEO Conference, to be held at The Ritz-Carlton Lodge, Reynolds Plantation, Greensboro, Georgia, on October 3. For more information, visit http://www.gabankers.com/.

The Department is the state agency that regulates and examines Georgia state-chartered banks, state-chartered credit unions, state-chartered trust companies, and bank holding companies that own Georgia state-chartered financial institutions.
The Department also has responsibility for the supervision, regulation, and examination of Merchant Acquirer Limited Purpose Banks chartered in Georgia. In addition, the Department has regulatory and/or licensing authority over mortgage brokers, lenders and processors, mortgage loan originators, check cashers, sellers-issuers of payment instruments, money transmitters, and international banking organizations.

Our Mission is to promote safe, sound, competitive financial services in Georgia through innovative, responsive regulation and supervision.

Our Vision is to be a willing and able partner with our regulated entities in order to support vibrant economic growth and prosperity in Georgia.

Subscribe to Receive this Publication: Notice of this publication is delivered to interested parties via e-mail. To subscribe to this publication as well as other items of interest, please visit our website at https://dbf.georgia.gov/.

Department of Banking and Finance
2990 Brandywine Road, Suite 200
Atlanta, Georgia 30341-5565
Phone: (770) 986-1633
Fax: (770) 986-1654 or 1655
http://dbf.georgia.gov/