Biebel Joins Merchants Bank as Mortgage Operations Manager

Dan Biebel, Mortgage Operations Manager

Dan Biebel has joined Merchants Bank as Vice President and Mortgage Operations Manager, according to Cindy Harrison, Senior Vice President for Credit Administration.

“We are excited to have Dan join our team. He has the experience and expertise in both mortgage sales and operations to successfully guide this critical area of our organization,” Harrison said.

As the leader of the mortgage operations area, Biebel will guide the 40 employees who support and process mortgage loans for Merchants’ 21 locations, as well as the 164 other community banking locations and credit unions across five states that make up Merchants Bank’s correspondent mortgage banking network.

“This is an exciting role with an organization with a well-known and growing reputation for excellence. I am looking forward to helping propel the continued growth of this area through providing exceptional service throughout the mortgage process to both our internal and external customers,” Biebel said.

Biebel has been in the mortgage industry since 1984, including time serving in leadership roles for LenderLive Network and TruHome Solutions, companies with both a regional and national presence. Biebel and his wife, Kathy, have two grown children.

Tammy Johnson Named Cash Management Sales Manager for the Merchants Bank Organization

Tammy Johnson, Cash Management Sales Manager

Tammy Johnson has been promoted to Assistant Vice President and Cash Management Sales Manager, according to Sue Hovell, Director of Retail Banking Performance for Merchants Bank.

Johnson will be the cash management sales and market support for the local teams at all 21 Merchants Bank locations in Minnesota and Wisconsin. She had been the Cash Management officer for the organization’s southern tier of banks since 2011 and has been with Merchants Bank for 17 years.

“Cash management products and services are designed to save businesses time and money, protect against any potential fraudulent activity and create opportunities for those businesses to grow,” Johnson said. “I look forward to working with experts at our locations to present the best options available for our current and future customers.”

The cash management/treasury management area is a focus for the Merchants Bank organization.

“Being able to service relationships locally sets us apart,” Hovell said. “With Tammy working with the local teams the result will be exceptional service for our customers. It is part of the personal relationship our tellers, customer service representatives, personal bankers and commercial bankers offer to all our customers. They look forward to applying their knowledge to develop solutions unique to your business and tailored for success.”

Johnson will support Merchants Bank Minnesota locations in Winona, St. Charles, Goodview, Rochester, Rushford, Lanesboro, Caledonia, La Crescent, Spring Grove, Cannon Falls, Red Wing, Hampton, and the southern Twin Cities metropolitan suburbs of Apple Valley, Cottage Grove, Hastings, Lakeville and Rosemount. She will also support Wisconsin locations in Eau Claire and Onalaska. All banks are FDIC members and equal housing lenders. Subject to credit approval. Additionally, Twin Cities-based Merchants Bank Equipment Finance is also a division of Merchants Bank, N.A.

Katie Lund Joins Merchants Bank in Rochester as a Mortgage Lender

Katie Lund, Mortgage Lender

Katie Lund has joined Merchants Bank in Rochester as a Mortgage Lender, according to John Doyle, President of Merchants Bank in Rochester.

Lund has been part of the Merchants Bank team since 2008, when she joined Merchants Bank Equipment Finance (then known as Merchants Capital Resources). Since 2013, she has worked at Merchants Bank in Rosemount as a Mortgage Loan Coordinator.

“Katie brings a great deal of knowledge and experience with the mortgage origination process, which will be an immediate benefit to our customers,” Doyle said. “She puts the needs of our customers first, and she is dedicated to making sure those needs are met. I know people will enjoy working with her.”

Lund’s office will be at Merchants Bank’s Northwest Plaza location. She is a native of St. Charles, MN, and has recently moved to Rochester with her family.

“I’m familiar with the needs of the individuals and families who are part of the Rochester market,” Lund said. “I’m excited to help people realize their dreams of home ownership with the programs and support we can offer at Merchants. Given the very active Rochester housing market, I’m especially looking forward to helping people get pre-qualified for their loans, so they can be first in line when they make an offer on their next home.”

Best Practices in Risk Management

Previously we discussed risk assessment and how, while it is both an IT and human undertaking, most risk assessments need to start and end with business processes. After you have conducted a risk assessment, it might seem that you simply need to review the assessment and determine which risks should be reduced or eliminated. While this is true, managing risk goes beyond responding to a risk assessment process. In this article, we’ll take up the topic of risk management, which involves dealing with a continuum of risks.

Categorizing Risk
Before you can begin to manage risk, it can be helpful to segment your potential risks into categories for further definition and review. Typically, risks can be placed in one of three categories:

  1. Known Knowns are risks that are a part of our industry, business, or simply part of our lives. For example, for almost every business using electronic payments, the danger lies in being hacked, losing customer credit or debit card information, or having funds misdirected by a criminal – or even by human error.
  2. Known Unknowns are risks that cannot be foreseen, but can be understood. For example, while the risk of a computer/network system being hacked is a known risk, it is unknown who will do it, where it will come from or the purpose of the hack.
  3. Unknown Unknowns are risks you see only in hindsight. Recent technology events that fit this class of risks include the ‘POODLE’ and ‘Heartbleed’ vulnerabilities. Both of these highly technical vulnerabilities actually existed in thousands of computer systems for decades but were completely innocent until someone discovered they could be exploited for malicious intent. It is quite possible that many more of these unknown unknowns exist in the computer systems we rely on every day.

Risk Management Practices
With these three categories in mind, you can establish risk management practices for your business. When considering the first two categories, your risk assessment can help you rank and rate each risk, its potential to occur and, if it occurs, the magnitude of its impact. From here, risk management policies can help you handle risks effectively and in a reasonable manner. For example, if a very low probability risk would have catastrophic results for your business, it may be a matter of policy that your company would work at reducing or eliminating that risk regardless of the risk assessment score.

Risk management is an active and ongoing process. Once policy is in place, a set of operating standards is needed to set expectations for IT and other staff who deal with risks. Standards may include existing controls or new controls to help reduce or eliminate risks. For example, one operating standard could be to have an out-of-band authentication (a process of secure verification of your staff member) on any online corporate funds transfer. Beyond existing controls, risk management standards could include requiring that risks of a certain magnitude be handled within a set number of days. If the risk is not resolved within that time frame, management can review and discuss why the risk is not yet reduced, and take additional action or, in some cases, decide to extend the time to cure the risk.

Once risk is reduced, it’s important to complete a review of the ‘residual’ risk, that risk which cannot be eliminated. For example, using out of band authentication reduces the risk of a bad actor transferring funds, but there is still the risk of human error in posting the funds, transferring to the wrong person or entity, and the like. These risks may then be addressed through procedures or processes.

Processes establish the methodology for meeting policy requirements at the level set by standards. In the funds transfer example above, using out of band authentication reduces the technology risk that money will be stolen. However, internal processes still need to be established to reduce the risk of human error. Moreover, and while disturbing to consider, more incidents of employee theft have been cited in recent years. Therefore, separation of duties and normal, traditional human control mechanisms are just as important as technical risk management.

The following six steps briefly summarize the risk management process:

[Graphic: six-step summary of the risk management process]

Risk management needs to be an ongoing and integral part of your business management today. Technology risks are often more than purely IT issues and involve humans who conduct every part of your daily business. Especially when processes involve money, it is important to have these processes tied to policies and standards, which creates a measurable and defined set of risk management capabilities. Finally, while all three are tied together, it is important to manage risk dynamically as the risk environment changes.

5 Tips for Secure Use of Business Online and Mobile Banking

We can never overstate the importance of protecting your online security, especially when it comes to your business’s use of Online and Mobile Banking. These top tips from our Electronic Banking Specialists can help reduce security threats:

  1. Never share log in IDs and passwords. Each individual user under the business should have a separate log in and password.
  2. Delete inactive/dormant profiles. Remove inactive users, whether former employees or accountants. In Merchants Bank Online Banking, you can make these kinds of updates through the Preferences tab.
  3. Never have your browser or phone remember passwords. Always type in your password. While it may seem a bit inconvenient at times, it greatly increases the security of your account information.
  4. If logging in on a mobile device, be sure your phone or tablet is password protected. In case your device is lost or stolen, you don’t want the fraudster to have access to information you have on your device.
  5. Be sure to keep contact information up to date for yourself and other users. It’s very frustrating to request a password reset and not receive it due to a bad email address. To update your information with Merchants Bank, give us a call.

Bonus Tip for Business Online Banking Supervisors and Business Owners: Review your company users annually, checking what access they have to which accounts. Also, review debit cards the account may have open and close any cards that are no longer used. Both of these quick reviews will help reduce fraud on business accounts.

Fraud: It’s Social

Mitigating fraud is especially critical to business success today. Regardless of what industry you’re in, the threat of fraud impacting you or your customers is ever-present. The impact may be financial, loss of trust, damage to reputation, or all of these. And the perpetrators of fraud are growing both in number and in sophistication, which leads us to the topic of social engineering.

One definition provided by Techtarget.com lists social engineering as “an attack…that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” While awareness of social engineering is growing, the actual theft of money and confidential information obtained through social engineering is growing faster. According to the FBI, thieves stole nearly $750 million in (email phishing) scams from more than 7,000 companies in the U.S. between 2013 and 2015.

Social engineering uses the good will of employees and customers, who often believe they are being helpful, to acquire confidential information. How does this evolve into a crime? Social engineering data is taken from a broad and meaningful set of sources: by deceiving users into disclosing information, from publicly available sources such as Facebook or professional aggregation sites such as spokeo.com, or by purchasing stolen data that is readily for sale online. This information is analyzed in conjunction with other data to enable serious crimes that may be perpetrated later on. Once a criminal has enough information, they no longer need to steal money by brute force, but simply log on as an employee, posting real credentials and security information, and steal money in what appears to be a legitimate transaction. So what should a business do to prevent fraud that may go undetected for some time?

Companies are now employing best practices that extend beyond the fraud software used in today’s business operations; they include the integration of deep technology controls and dynamic cybersecurity practices into more traditional risk management techniques. The success of this effort depends on the ongoing, up-to-date expertise of a company’s staff with respect to rapidly changing security threats. Staff training and scenario planning need to be a constant effort with reminders to people throughout the organization to be on the lookout for the unusual request or event.

Even with strong training and due diligence, a fraud event may well occur. When it does, the business should have a three-part response:

  1. Halt the event
  2. Assess the damage
  3. Address how to recover.

Finally, complacency is not acceptable. The nature of fraud will continue to evolve, creating new threats that need to be combatted with a proactive, disciplined approach by both businesses and the customers they serve.

Why Your Business Should Conduct a Risk Assessment

Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.

A structured risk assessment consists of three basic steps:

  1. Identify and define the risks to be assessed.
  2. Decide how likely it is that each risk will occur.
  3. Decide the magnitude of the impact to the business if a given risk does occur.

Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.

Yet to understand and communicate risk throughout the organization, it should be quantified. This can be accomplished using a simple risk scoring methodology we are all familiar with. For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank it a 5. If the risk would have a serious impact on the business, we rank that a 5. Finally, we multiply the two together for a risk score of 25. Using this approach over and over we can develop a hierarchy of risks that cascade from high to low, and prioritize which of those to address first. At the same time, it’s important not to make all decisions based on the risk score alone.

Let’s say a risk is very unlikely and we rate it a 1, but if it occurred, the impact on the organization would be catastrophic so we rate that a 5. The total risk score is a 5 and judging by the number alone, should be low on the list of risks needing remediation. At this point we need to look past the numbers and determine our organization’s risk appetite. If we’re willing to live with a risk having potentially catastrophic results, then we would likely not develop a disaster recovery plan nor would we have a disaster recovery site because the risk of complete loss of the data center is usually very low and the cost of a fully functional back up site is high. But most organizations understand that essentially all catastrophic risks need to be addressed and while the scoring approach is very helpful, it cannot be used in a vacuum, leading us back to the application of intuition and experience.
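The scoring method and its blind spot can be seen side by side in a small risk register. This is an added example, not part of the original article: the `Risk` class, the function names, the sample register and the rule that an impact rating of 5 counts as catastrophic are all assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)   # the article's 1-5 ranking: 1 = low, 5 = high
CATASTROPHIC = 5      # assumption: an impact rating of 5 means catastrophic


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self):
        # Reject ratings outside the agreed scale so scores stay comparable.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def by_score_only(risks):
    """Rank purely on likelihood x impact, highest first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def prioritise(risks):
    """Rank for remediation with the policy override applied.

    Catastrophic-impact risks come first regardless of score; the rest are
    ordered by score, with ties broken in favour of the higher impact.
    """
    return sorted(
        risks,
        key=lambda r: (r.impact >= CATASTROPHIC, r.score, r.impact),
        reverse=True,
    )


# Constructed sample register, for illustration only.
REGISTER = [
    Risk("Phishing leads to fraudulent funds transfer", 5, 5),
    Risk("Dormant online banking profile misused", 3, 3),
    Risk("Posting error sends funds to wrong payee", 4, 2),
    Risk("Complete loss of the data center", 1, 5),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        flag = " (catastrophic impact)" if r.impact >= CATASTROPHIC else ""
        print(f"{r.score:>2}  L={r.likelihood} I={r.impact}  {r.name}{flag}")
```

Ranked on score alone, the data center loss sits last with a score of 5; with the override it moves to second place, ahead of risks scoring 9 and 8.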

In short, a risk assessment is a structured process used in identifying and classifying risks, and deciding what and how much to do about them. Once we’ve agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or, residual) risk is acceptable.