How Did You Handle Your Holiday Shopping?

We're not being nosy, just reminding you that your bank's customers are part of a national economy as well as a local one, and that your own preferences in such matters as how you pay for things aren't unrelated to your job as a director. After all, bank directors are consumers, too. So if your behavior is changing, chances are you are part of a trend.

What brings this up is new research released in midDecember regarding how consumers pay for things in stores. For the first time, electronic payments-especially in the form of debit cards-proved more popular than cash or checks.

The research, conducted by ABA and Dove Consulting, Boston, found that almost one in three in-store purchases were made using debit cards in 2003. This 31% usage level represented an increase over the 21% tracked four years ago. Add the debit card transactions to the 21% made by credit cards in 2003, and you have a 52% share for electronic payment methods for the year. By contrast, cash accounted for 32% of purchases and checks for 15%-47%. (The remainder of the in-store payments stream consists of pre-paid cards, like those gift cards you see so often now.)

Bill payers still prefer to use checks, but even there things are changing, the researchers note. While 60% of consumers paid bills with checks in 2003, that's a big drop from the 72% that did so in 2001. As an alternative to checks and mail, a growing number of bill payers are choosing automatic payments-where bills are submitted directly to their checking-account bank for payment by electronic transfer-and online bill payment, where consumers use their computers to direct their bank whom to pay and from what account.

In the new year this data should fuel discussions regarding electronic banking and bill-paying, debit-card operations and pricing, and your bank's use of the automated clearinghouse system. The 2003-2004 Study of Consumer Payment Preferences costs $500 for members and $1,500 for nonmembers. Call 1-800-BANKERS.

TECHNOLOGY AUDITS AND YOUR BOARD From the automated cash machines in front of your bank's branches to the servers that run your internet banking program to the laptop that your CEO carries to the computer that does the bulk of your bank's processing to the bank's phone system, all that tech has one thing in common: The requirement that its use be periodically subject to audit.

The federal banking regulators, acting jointly through the Federal Financial Institutions Examination Council, issued new guidance on the matter last year that you may have missed. Specifically, the agencies published "Audit," part of the new FFIEC Information Technology Examination Handbook. The new manual is intended to help federal bank examiners to assess the quality and effectiveness of a bank's information technology audit program. (See "Filing Cabinet" at www.bdbonline.biz for a copy.)

As you might guess, the regulators hold the bank's board accountable for much of the overall responsibility in this area.
"The board of directors and senior management are responsible for ensuring that the institution's system of internal controls operates effectively," the handbook section states. "One important element of an effective internal control system is an internal audit function that includes adequate information technology coverage."

Elaborating on the board's role, the publication states that a board or its audit committee must: provide for an internal audit function capable of evaluating information technology controls; or hire consultants or outside auditors to perform the internal audit function in this area; or use a combination of both methods.
In other words, directors don't have to use technology or understand the nitty-gritty details, but they have to make sure someone with qualifications is looking over the tech staff's shoulder.

More specifically, the regulators say the following are the responsibilities of a board or its audit committee in regard to the information technology audit:

(1) Guidelines-Ensuring that written guidelines for conducting such audits have been adopted.

(2) Responsibilities-Assigning responsibility for such audits to a member of management who has sufficient audit expertise and who is independent of the bank's own operations area. This person, the "internal audit manager," should report directly to the board or its audit committee.
What regulators say a board should expect of this person:
"Auditors should make recommendations about procedures that affect information technology controls. In this regard, the board and management should involve the audit department in the development process for major new information technology applications. The board and management should develop criteria for determining those projects that need audit involvement. Audit's role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early information technology audit involvement can help ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects."

(3) Boundaries-Establishing reporting lines for the internal audit staff that enable them to perform their duties impartially and without undue influence by senior managers nor technology managers is critical.

(4) Strategies-Reviewing and approving audit strategies and monitoring the effectiveness of the audit program.

In this, there is the responsibility, working with management, to direct the setting of priorities for the information technology audit.

As in a growing number of regulatory areas these days, the key phrase is "risk-based." The manual states that "the frequency and depth of each area's audit will vary according to the risk assessment of that area." One option, for instance, is for the board to have management and, if necessary, outside parties, devise a scoring system so that activities registering the highest levels of risk to the bank are audited most frequently.

NEW ROLES FOR COMPLIANCE IN THE POST-ENRON AGE
Typically, bank compliance officers handle all the "alphabet soup" regulations dealing with everyday banking, such as lending, deposit gathering, and so forth. But as all industries come under heavier scrutiny regarding ethics, is there more help that your board can obtain from the compliance staff?
Paul Osborne, a CPA with the accounting and consulting firm Crowe Chizek & Co. LLC, Indianapolis, says this is already happening among some banks. He spoke on the impact on the compliance function of the SarbanesOxley Act and in corporate governance at ABA's Regulatory Compliance Conference in 2003.

Osborne gave some food for thought:

(1) Whistleblower center-The Sarbanes-Oxley Act's Title III, dealing with audit committee duties, requires that publicly traded companies' audit committees provide a means for anonymous reporting of questionable accounting or auditing matters. (Title VIII provides legal redress for whistleblowers who claim they have been discriminated against.)

Osborne suggests that compliance officers could be a good place to put a whistleblower function.
(2) Ethics agreements-Has your bank considered putting Compliance in charge of making sure these are signed and kept current for those bank employees for whom they apply? In charge of ethics training?

(3) Gift policies-Certain rules and statutes apply here-such as the federal Bank Bribery Act-as do banks' own traditions and practices. Who maintains and polices internal policies relating to acceptance of gifts from customers and vendors in your bank?
"The days of Christmas hams and tins of caramel corn for the credit staff from the local car dealers is over," said Osborne.

(4) Insider transaction monitoring-Osborne says his firm has been seeing more banks put Compliance in charge of monitoring insider business matters. One key example: Compliance officers are becoming banks' "ROLOs" fairly regularly. ROLO stands for "Regulation O Loan Officer," responsible for ensuring that that and other rules pertaining to insider borrowing are observed.

OFFICE STREAMLINES NATIONAL BANK DIRECTOR RULES Following a 2000 law, the Comptroller of the Currency recently published rule changes that become effective Jan. 16, 2004. They include:

* Permission to national banks to create boards with staggered terms (a common anti-merger weapon), and, to facilitate such boards, permission to national banks to create directorships with terms of up to three years, instead of only one.

* Permission to place more than 25 directors on the board of a national bank.