April 27, 2021

Data Security for Banks and Financial Institutions: Top 4 Myths About Moving to the Cloud

Many small-to-midsize banks and financial institutions are still running on-premises Microsoft Exchange email servers, whether within their own walls or within the walls of their technology service provider. Microsoft recently announced that multiple hacking groups were targeting Microsoft Exchange servers in coordinated attacks, which could cause a damaging data breach for these organizations. With all of the security threats to Microsoft Exchange servers and the amount of sensitive data that banks and financial institutions hold, why haven’t these organizations moved their workloads to Exchange Online? Here are a few common myths we hear, along with our feedback to clear up the misconceptions.

Myth #1: “Exchange servers better protect sensitive customer data.”

Many financial institutions still run Outlook Web Access without multi-factor authentication enabled, which gives an attacker an easy way into a mailbox and any personal or financial information found in emails. Microsoft recognizes that its older platform remains in use and is not adequately configured to counter modern security threats on its own. The recent vulnerabilities in Microsoft Exchange servers that are making national headlines are good evidence that organizations should migrate from an email server to a mail service like Office 365.

The Capital One data breach of 2019 may have scared financial institutions away from any intention of moving workloads to the cloud. In reality, the cloud-based platform was not at fault; a configuration issue on Capital One’s firewall caused the breach. That breach may have added a level of distrust toward cloud servers, when the responsibility actually fell on the professionals deploying the firewall. In contrast, no one points out that mega-bank competitor Bank of America has never had a breach near the size of Capital One’s and has been using Microsoft cloud-based products for several years.

Myth #2: “Moving to the cloud is too expensive.”

Some may hear that moving to the cloud is too expensive, but in reality, it can be more cost-effective. Let’s look at the breakdown of server costs according to our Systems Engineer, Joe Szoke. A new Exchange Server might cost $10,000 just for the hardware. If you’re running on-prem Exchange, you’ll also need at least 2 Domain Controllers at another $10,000 each. You’ll need licensing for each server – that’s around $1000 for Windows Server 2019, $780 for Exchange Server, plus about $97 in CAL licensing for EVERY user who wants to access the server. Then, you’ll still need to buy Outlook for your users – Office 2019 Professional Plus is $439.00 today. Once all of that’s done, you’ll still have to pay to maintain the systems – if your server goes down, you pay to fix it.

In contrast, a Microsoft 365 Business Premium license costs just $20/user per month. The entire environment is baked into that license – the administrative dashboards, the servers, the storage space, the Office Professional licensing. You don’t have to buy hardware, and patching happens automatically. Administration is much less labor intensive – in fact, Anders Technology advisors can handle this for you for a small monthly fee. In this model, your 100 users would cost just $24,000 for the entire first year. Your software would remain perpetually up to date, not just for the year, but for as long as you pay for the license. And, following best practices, your user accounts and data would be secure right out of the box.

Myth #3: “Our technology vendor doesn’t believe we should move to Exchange Online.”

Sadly, most organizations we meet with that have an Exchange server have not even been approached about moving to Microsoft 365. Major technology vendors have invested a lot in providing hosted Exchange services and they are lucrative for them but might not be the best solution for your business’s needs. Make sure to work with a technology partner that has the cybersecurity expertise you need and your best interests and goals in mind.

Myth #4: “We don’t need to move to the cloud because regulatory entities aren’t enforcing it.”

It’s true that even the largest agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), cannot yet tell you to pick one platform over another, but they did recently make the statement: “Regulated entities should immediately assess the risk to their systems and consumers, and take necessary steps to address vulnerabilities and customer impact.” This rises above which platform you are using and focuses on the important part: protecting your data.

While there are clearly a lot of myths and misconceptions out there around if, when and why to move to the cloud, it’s important to know the facts. As a Microsoft Gold Partner, Anders Technology advisors can make the migration seamless so your business can be better protected from a costly data breach. Contact an Anders advisor below to discuss your company’s unique migration situation.


Banking and Financial Institutions Services

Whether you’re a regional bank, credit union or a community bank, we offer the industry insights and financial expertise you need to grow. We’ll work with you to navigate complex compliance requirements and evolving regulations so you can do what you do best: helping your clients reach their goals.


January 29, 2021

RECORDED WEBINAR – Home Mortgage Disclosure Act: What You Need to Know

Download our recorded webinar presented by Brad R. Stumpe, CPA, CRCM of the Anders Banking and Financial Institutions group as he takes a deep dive into new HMDA updates and how they will affect reporting for banks, credit unions and other financial institutions. The presentation covers key insights around the HMDA, including:

– Updates to the rules and regulations of reporting – where do you fit in?

– The types of loans to report

– A walkthrough of the report details

Download the webinar below.


January 19, 2021

HMDA Data is Due March 1st for Banking Organizations – Are You Ready?

Organizations with loan compliance responsibilities probably came back to work to begin the new year fine-tuning a game plan to submit a clean Home Mortgage Disclosure Act (HMDA) Loan Application Register (LAR) by March 1st. While our compliance professionals perform HMDA reviews and field HMDA questions throughout the year, each January comes with a renewed focus on which loans should be reported and how to ensure that each entry is consistent with the information found in the loan file. With this in mind, we’re diving into frequently asked questions around HMDA reporting to help make the process easier.


Gathering data for HMDA can be cumbersome because an incredible amount of information must be reported to a high level of precision for each application. While the integrity of your HMDA data might not be top of mind throughout the year when other more pressing matters require your attention, integrating HMDA reporting into your everyday processes and scrubbing data throughout the year will result in fewer surprises to manage when the pressure is on to submit data by the March 1st deadline. Add to this the fact that Regulation C requires quarterly recording of HMDA data in a format that can be provided to examiners upon request and it just makes sense for HMDA to be a year-round effort rather than a February fire drill.


The HMDA rules have been in a permanent state of flux with both permanent and temporary reporting thresholds on the move. The latest adjustment became effective July 1, 2020.

Keep in mind that there are separate thresholds for both closed-end credit and open-end credit, so you may have to report one but not the other, both, or neither. For 2020, the reporting thresholds are as follows:

  • Closed-End Loans – If your institution originated fewer than 100 reportable closed-end loans in either 2018 or 2019, then you do not have to report applications for closed-end loans with an action taken date in 2020. This threshold became effective July 1, 2020 and was an increase from 25 loans. If you would have been a reporter had the threshold remained at 25 but are not a reporter with the 100 loan threshold, then you still need to record data for the first quarter of 2020, but do NOT need to report that data. If you choose to voluntarily report 2020 data, then you must report for the entire year.
  • Open-End Loans – If your institution originated fewer than 500 reportable open-end loans in either 2018 or 2019, then you do not have to report applications for open-end loans with an action taken date in 2020. The temporary threshold of 500 reportable open-end loans expires at the end of 2021. For 2022 data (reported in 2023), the threshold will decrease to 200 reportable open-end loans in each of the two preceding calendar years.

If you are approaching either of these thresholds but do not exceed them, be sure to keep adequate documentation to support your exempt status should it be questioned.


Under the Truth in Lending Act, there are allowed tolerances for the annual percentage rate, finance charge and certain closing costs. Unfortunately, Regulation C does not include allowed tolerances for HMDA data except when calculating error rates for certain purposes. In these instances, a tolerance of three calendar days applies to application dates and action taken dates, and a tolerance of $1,000 applies to loan amounts/amounts applied for and income. Errors that are within these tolerances are not included in the calculation to determine whether the examiners’ sample will be expanded or resubmission will be required.

Many fields can accept very precise information. For example, the Debt-to-Income (DTI) ratio can be entered to 15 decimal places. If the file contains several documents with similar, but different, DTI ratios you need to determine which document was relied on to make the credit decision. No tolerance applies, so 43% is incorrect if the DTI ratio that was relied on was 42.95%.


While regulatory agencies have many tools at their disposal to encourage compliance with a wide variety of rules and regulations, the two most common that surface in discussions regarding HMDA are civil money penalties (CMP) and resubmission.

With the implementation of the new rules in 2018, punitive measures such as these have not been commonplace with examiners, allowing for a learning curve so long as a good faith effort to implement the new rules could be demonstrated. That being said, a $200,000 penalty was imposed in 2020 for inaccurate reporting on 2016 and 2017 LARs. Error rates for both years exceeded 30% and this same institution incurred a $34,000 penalty in 2013 for errors on its 2011 LAR.

Error rates that could trigger resubmission can be found in the HMDA Examination Procedures and are dependent on the number of entries on the LAR and calculated separately for each data field, such as loan purpose, action taken and income. A sample of the error rates that could result in resubmission are summarized below. When determining what is an internally acceptable error rate for your institution, these are a good place to start.

# of Entries      Resubmission Threshold
101 – 130         6.4%
131 – 190         5.4%
191 – 100,000     5.1%

Keep in mind that HMDA data is publicly available, so it’s accessed not only by various governmental entities, but also by the media, community groups, academicians, other financial institutions and anyone else who may be interested. Should any of these groups approach your institution with questions about your HMDA data do you want your response to be that the data is not accurate?


Unaccepted counteroffers can be a problem area for many institutions. One of the most common scenarios we see is an appraised value that does not support the original amount requested. The institution then counteroffers with a lower loan amount. If the applicant accepts and the loan is originated, this is easy: the amount of the originated loan is reported. But what if the applicant does not accept the counteroffer? We often see this reported as a withdrawal; however, the Official Interpretations to Regulation C by the Consumer Financial Protection Bureau state that when “the applicant declines to proceed with the counteroffer or fails to respond, the institution reports the action taken as a denial on the original terms requested by the applicant.”


The answer to this question became more complicated when the current set of rules became effective with 2018 HMDA data. The first consideration is the closed-end and open-end thresholds discussed earlier in this article. If those thresholds have been exceeded, the next consideration is the type of loan, such as consumer, commercial, or agricultural. These rules apply equally to originated loans and to applications for these loans that do not result in origination, such as denials and withdrawals.

Consumer Loan Reporting

Consumer loans that are secured by a dwelling will be reported unless they meet one of the exclusions in the rule; the most common of these is temporary financing. A bright-line loan term (six months, one year, etc.) does not exist. Rather, the Official Interpretation to Regulation C states that a loan is excluded as temporary financing if it “is designed to be replaced by separate permanent financing extended by any financial institution to the same borrower at a later time.” Construction loans are the quintessential example of temporary financing that is not reported on the LAR.

Commercial Loan Reporting

Commercial loans that are secured by a dwelling must meet the definition of a home purchase, refinance, or home improvement loan under Regulation C. Only a portion of the loan proceeds needs to be for one of these purposes for the loan to be included on the LAR. Home purchase loans are those that are to purchase a dwelling and that are secured by a dwelling. The dwelling that secures the loan does not have to be the dwelling that is being purchased. Home improvement loans are those that are to repair, rehabilitate, remodel, or improve a dwelling or the real property where a dwelling is located. Refinance loans are those that satisfy and replace an existing dwelling-secured loan by the same borrower. Finally, the temporary financing exclusion discussed above for consumer loans also applies to commercial loans.

Agricultural Loan Reporting

Agricultural loans are excluded from HMDA reporting if either the loan proceeds will be used primarily for agricultural purposes or if the loan is secured by a dwelling that is located on real property that is used primarily for agricultural purposes. Any reasonable standard may be used on a case-by-case basis to make this determination and Regulation C refers to Section 1026.3 of Regulation Z as a source for what constitutes an agricultural purpose.

Preapproval and Prequalification

Preapproval and prequalification requests are another common point of confusion. Refer to Regulation C and accompanying regulatory guidance to determine whether these types of requests should be reported. Regulation C, with some reference to Regulation B (Equal Credit Opportunity), is very specific about what constitutes a preapproval request, which may be reported, and a prequalification request, which is not reported. Do not rely on how your institution labels these requests. When determining HMDA-applicability, refer to Regulation C.


No, if the applicant does not provide this information you should not make this distinction based on visual observation or surname. The more detailed ethnicity and race categories such as Puerto Rican and Cuban were introduced with the rules that became effective with 2018 data and are known as disaggregated subcategories. When an applicant indicates an ethnicity of Hispanic or Latino or race of American Indian or Alaskan Native, Asian, or Native Hawaiian or Other Pacific Islander, then the applicant may further identify as one of several subcategories. If the applicant indicates a race of Black or African American or White, then there are no subcategories from which to choose. If the application was taken in person or via electronic media with a video component and the applicant declined to provide ethnicity, race, and sex information, then you must record this information on the basis of visual observation or surname. When doing so, select only from the aggregate categories of Hispanic or Latino or not Hispanic or Latino for ethnicity and American Indian or Alaskan Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, and White for race.


Look for the most analogous situation in official guidance and apply the same concept to your circumstances. Both the CFPB and the FFIEC have dedicated HMDA pages on their websites. Once you reach a decision, apply it consistently across your LAR. The compliance specialists at Anders are also happy to help walk you through the scenario and reach a conclusion. Finally, this could also be a good time to consult with your primary regulator as they may have encountered a similar situation and already developed an opinion on the matter.

HMDA reporting is constantly evolving and compliance can be difficult to navigate. The Anders team of Banking and Financial Institutions compliance specialists closely follows changes to the HMDA rule and related guidance. If you have any questions, or a unique situation that is slowing you down, we’re here to help. Contact Anders below to discuss your unique situation and reporting requirements.
