SDBA eNews spring

October 9, 2025


ABA Banking Journal: Co-creating the future

An ABA Banking Journal special report on how bankers are rethinking innovation with new tools to accelerate change.

October 7, 2025

Co-creating the future
How banks are reinventing the product design paradigm
An evolution has spurred new approaches to innovation that emphasize speed and iteration.
By Evan Sparks

How AI provides an edge in lending
Recent research reveals banks with greater AI usage offered lower interest rates and experienced fewer instances of default.
By Walt Williams

Decoding digital money
The real difference between stablecoins and tokenized deposits.
By Brooke Ybarra and Yikai Wang

How to fuel customer growth with strategic product design
Clarity and simplicity go a long way in demonstrating to a customer or prospect the benefits of each product.
By Ally Akins

ABA: FDIC proposes defining unsafe and unsound practices, removing reputational risk

October 7, 2025

The FDIC board today voted to advance two proposed rules to formally define “unsafe and unsound practices” and to remove reputational risk from bank supervision.

There currently is no statutory or regulatory definition of what constitutes an “unsafe or unsound practice,” and courts and administrative tribunals have provided different definitions of the term, according to the FDIC staff memo. The proposed rule would define an unsafe and unsound practice as something that is “contrary to generally accepted standards of prudent operation,” and is likely to materially harm the bank or present a material risk of loss to the Deposit Insurance Fund.

In explaining the need for the definition, FDIC Acting Chairman Travis Hill pointed to the 2023 failure of Silicon Valley Bank, where most of the outstanding supervisory criticisms “were unrelated to core financial risks.”

“It is important that supervisors have the capacity to identify problems and require remediation before it is too late,” Hill said. “But today, too often, examiners focus on a litany of process-related items that are unrelated to a bank’s current or future financial condition.”

The proposed rule to eliminate reputational risk from supervision — issued jointly with the Office of the Comptroller of the Currency — would codify a change that the agencies’ leaders have already instructed supervisors to make. It comes amid a Trump administration push to weed out policies that allegedly encouraged regulators to discriminate against cryptocurrency and other industries.

In a staff memo, the FDIC said banking agencies never explained how banks should measure the reputation risk from different activities. “Without clear standards, the agencies’ supervision for reputation risk has been inconsistent and has at times reflected individual perspectives rather than data-driven conclusions,” the agency said.

After the votes, American Bankers Association President and CEO Rob Nichols said ABA welcomed the proposed rules and will review them with its members.

“For too long, bank supervision has shifted away from focusing on the most important factors affecting safety and soundness — a shift that has had negative consequences for banks, their customers and the broader economy,” Nichols said. “That is finally beginning to change thanks to new leadership at the regulatory agencies.”

ABA: Top Cyber Risks and Ways Banks Can Leverage “Project Fortress”

October 23, 2025 | 2-3pm EST | FREE Webinar

ABA will hold a free webinar for members on Thursday, Oct. 23, at 2 p.m. ET during which officials from the Federal Reserve and Treasury Department will discuss top cyber risks and ways banks can leverage “Project Fortress”, a public-private initiative by the U.S. Treasury to improve the cybersecurity and resilience of the financial services sector. ABA is hosting the webinar as part of National Cybersecurity Awareness Month. This is a live only webinar and will not be recorded. 

CISA News: How secure are passkeys, really? Here's what you need to know

September 25, 2025

We’ve known for a long time that passwords have their flaws. Whether it’s phishing, brute force, or dictionary attacks, password-based authentication remains one of the weakest links in cybersecurity. In fact, Verizon’s 2025 Data Breach Investigations Report shows that 88% of breaches involved the use of stolen credentials.

That’s why more and more organizations are exploring passwordless authentication, with passkeys emerging as one of the top contenders to replace traditional passwords entirely.

The FIDO Alliance, a key player in developing passwordless standards, reports that 54% of users consider passkeys more convenient than passwords, and 53% believe they’re more secure.

But what exactly are passkeys? And are they really as secure as the hype suggests? Let’s find out.

What are passkeys and how do they work?

Passkeys are a form of passwordless authentication based on public key cryptography. Instead of relying on something you remember (e.g. a password), passkeys rely on something you have. This is usually a device like a phone, laptop, or security key.

Here’s a simple breakdown of how they work:

  • When you create a passkey, your device generates a key pair: one public, one private.
  • The public key is stored by the service you’re logging into.
  • The private key stays securely on your device and never leaves it.
  • To log in, your device uses the private key to sign a challenge, proving your identity without revealing any secrets.

Are passkeys really that different from passwords?

Simply put: yes. Unlike passwords, passkeys can’t be stolen in phishing attacks, reused across sites, or guessed through brute-force methods. They’re unique to each site or app, stored locally on your device, and protected by local authentication (like biometrics or PINs).

Even if a threat actor breaches a company’s database, they’ll only find the public keys, and these are useless without the corresponding private key on your device. This makes passkeys much more secure than traditional passwords.
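The sign-in flow from the breakdown above and the properties claimed in this section, as an added Node.js example (not code from the article or from any passkey product). It is a simplified model rather than the WebAuthn protocol: the Device and Service classes, the bank.example origins and the user name are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// The user's device: one key pair per origin; private keys never leave this object.
class Device {
  constructor() { this.privateKeys = new Map(); }
  createPasskey(origin) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is shared
  }
  sign(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null; // no passkey exists for this origin
    const data = Buffer.from(JSON.stringify({ origin, challenge }));
    return nodeCrypto.sign('sha256', data, key).toString('base64');
  }
}

// The service: stores public keys only and checks signatures over its own origin.
class Service {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge() { return nodeCrypto.randomBytes(32).toString('base64'); }
  verify(user, challenge, assertion) {
    const pem = this.publicKeys.get(user);
    if (!pem || !assertion) return false;
    const data = Buffer.from(JSON.stringify({ origin: this.origin, challenge }));
    return nodeCrypto.verify('sha256', data, pem, Buffer.from(assertion, 'base64'));
  }
}

function runScenarios() {
  const bank = new Service('https://bank.example'); // constructed origin
  const device = new Device();
  bank.register('alice', device.createPasskey(bank.origin));

  const c1 = bank.newChallenge();
  const assertion = device.sign(bank.origin, c1);
  const otherDevice = new Device(); // holds a different private key
  otherDevice.createPasskey(bank.origin);
  const c2 = bank.newChallenge();
  return {
    genuine: bank.verify('alice', c1, assertion),
    replayed: bank.verify('alice', c2, assertion), // old signature, new challenge
    lookalike: device.sign('https://bank-login.example', c2), // no key for this origin
    wrongKey: bank.verify('alice', c2, otherDevice.sign(bank.origin, c2)),
  };
}
```

Only the genuine sign-in verifies: a signature cannot be reused against a fresh challenge, the device has nothing to sign with for an origin it never registered, and a key pair other than the registered one does not match the stored public key.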

Major companies are adopting passkeys

Many organizations are already making the switch to passwordless authentication via passkeys.

  • Microsoft made a big move in May 2025 by going “passwordless by default” for all new accounts. Passwords are no longer required at sign-up. Instead, users authenticate with passkeys, push notifications, or hardware security keys. Microsoft says nearly 1 million passkeys are registered daily, with a 98% login success rate – versus just 32% for passwords.
  • Aflac, a leading US insurance provider, became the first major insurance company to adopt passkeys according to the FIDO Alliance. This has reportedly led to a 32% drop in password recovery requests, and saved their support team from handling around 30,000 identity-related calls every month.

What makes passkeys so appealing?

There are a few reasons why organizations – and users – are starting to favor passkeys over traditional passwords:

  • Stronger security by design: Passkeys eliminate common attack vectors like phishing and credential stuffing. Because the private key never leaves the user’s device and can’t be guessed, attackers are left with nothing to exploit.
  • Simplified user experience: Logging in with a passkey is quick and easy, usually only needing a fingerprint or face scan. No more having to remember long strings of characters.
  • Reduced support costs: With fewer password-related issues, helpdesk teams see a drop in support tickets.
  • Consistent experience across platforms: Passkeys work across devices and browsers using industry-backed standards, allowing users to authenticate securely whether they’re on a laptop or phone.

The limitations of passkeys

Passkeys are promising, but they’re not without challenges. According to FIDO Alliance research, some of the top barriers reported by organizations include complexity (43%), costs (33%), and lack of clarity (29%).

With that in mind, here are some limitations to consider:

  • Device dependency: As passkeys are tied to the user’s device, if they lose access to their phone or laptop, account recovery can become tricky and time-consuming.
  • Complex setup: Setting up a passkey-compatible authentication system requires changes to existing infrastructure, which can be very complicated – particularly for larger or older environments.
  • Limited compatibility with legacy systems: Not all services and platforms support passkeys yet. Organizations still relying on older software or third-party tools may need to run hybrid models while things transition, which can actually make security trickier.
  • Initial cost: Setting up passkey support, from infrastructure changes to user training, requires investment in both time and money, which may be a barrier too high for some organizations.
  • User education and awareness: Passkeys are still relatively new, which means many users aren’t familiar with how they work. Adoption may be a slow and lengthy process, with a strong need for robust onboarding and communication.

Will passkeys replace passwords altogether?

Passkeys are moving quickly toward mainstream adoption, particularly for high-security environments and mobile-first applications. But even so, that doesn’t mean passwords will be disappearing tomorrow.

There are still plenty of scenarios in which passkey adoption just isn’t feasible yet – for example, legacy systems that aren’t compatible with passkey technology, or users without access to a compatible device.

During this transitional phase, many organizations will likely run hybrid models where passkeys are encouraged, but passwords are still used as important fallbacks. That’s why it’s critical to continue enforcing strong password hygiene wherever passwords are still available.

Don’t overlook the importance of password security

Even with passkeys on the rise, passwords are still part of the authentication landscape – and they need to be secured properly.

Specops Password Policy helps you enforce stronger password policies by blocking weak, commonly used passwords and continuously scanning your Active Directory against a live database of over 4 billion compromised passwords.

If you’re still relying on passwords, even as a fallback, make sure they’re not your weakest link.

UPDATES

Order your 2026 South Dakota Bank Directory

The South Dakota Bank Directory provides detailed information on all South Dakota banks including addresses, telephone numbers, important contact names and additional pertinent information. The directory also contains information on the SDBA, banking associations, regulatory agencies, endorsed vendors, associate members and South Dakota officials.

Place your order for your 2026 SD Bank Directory!

All member banks, associate members, and endorsed vendors receive one complimentary copy.

EVENTS

Staying Ahead in an Evolving Fraud Landscape

ABA Fraud Webinar | October 16, 2025 | Zoom

As fraud schemes grow more sophisticated, banks face an ever-changing mix of persistent threats and emerging risks. This session provides a comprehensive look at today's most pressing fraud challenges - from traditional scams fueled by social engineering to the rise of AI-driven schemes and the resurgence of check fraud.

Attendees will gain practical insights into evolving prevention strategies, innovative industry tools, and best practices to strengthen defenses. Together, these topics offer a comprehensive view of the tactics reshaping the modern fraud environment and the tools needed to combat them.

Details & Registration

EL Summit 25

NEXT STEP: Emerging Leaders Summit is designed to help cultivate, connect, engage and empower South Dakota’s future bank leaders. This event will encourage emerging bank leaders to find and express their voices within their organizations, communities and the banking industry and provide opportunities to network and exchange ideas with other industry professionals. It will also increase emerging bank leaders’ knowledge of topics of interest to the banking industry and promote involvement and advocacy.

We have a fantastic lineup of speakers, including Lena Scullard, who will also serve as our event emcee; Kristina Schaefer; Dr. Sal Villegas, Northern State University; SDBA President, Karl Adam; and Arthur Williams Jr.

Register Today!

Wisconsin Bankers Association: BSA/AML Workshop

October 30, 2025 | Zoom

This Back to Basics workshop will cover all the essentials of running a sound BSA/AML and Sanctions Program for all financial institutions. From CTR filing, CTR Exemptions, SAR filing, high-risk customer reviews, alert dispositions, policies and procedures and everything in between. Highly operational with a focus on how foundational strength can lead to sound and effective programs.

At a minimum, this workshop will cover:

  • An overview of the beginning through current day regulatory requirements and trends
  • Written program elements that move a program forward
  • Effective Board communication and statistics
  • CTRs, SARs, and DOEP program elements
  • CDD/EDD and how to ensure it impacts your program
  • Effective approaches to alert dispositions and high-risk customer reviews
  • Why OFAC/Sanctions must be a dynamic part of the AML program

Details & Registration

Online Education

Participating in learning opportunities outside the bank can be challenging. Take advantage of the SDBA's extensive selection of webinars and on-demand training to enhance your banking expertise directly from your computer.

GSB Online Seminars
OnCourse Learning
SBS Institute
ABA Training

 


Compliance Alliance

Question of the Week

Q: Does the bank need to obtain a form W-9 from each of its new customers?

A: Ultimately, whether a bank “needs” a W-9 may likely depend, at least in part, on the purpose for which the W-9 is being relied upon. For instance, while a bank does of course have its BSA obligation under 31 CFR 1020.220 to verify customer information before the opening of an account and obtain the minimum required information, including Tax ID / Identification number, the BSA doesn't specifically mandate that this verification be via a W-9, or any particular documentary form. Rather, it requires that the bank verify the information in a way to form a reasonable belief that it knows the true identity of the customer, and the validity of the information it has obtained. (for reference, generally, please see: FinCEN - FAQs: Final CIP Rule.) Broadly, what form of obtaining and verifying this Tax ID will be a risk-based decision for the bank based on its policies and procedures.

To this end, the bank will have to refer to its own CIP, CDD, and BSA / AML policies and procedures to determine whether this is in line with their 31 CFR 1020.220(a) policies and procedures (and our BSA / AML / OFAC Toolkit has several additional resources on the subject!).

Similarly, if the W-9 is being used for tax reporting purposes (specifically, for backup withholding for interest-bearing accounts), IRS guidance indicates that “in most cases,” a payee may be treated as a U.S. person if the payee provides the bank with Form W-9, and though this would be considered a straightforward and best-practice way of confirming this, it does not appear to be an outright requirement (please see, generally: IRS Guidance - Determining an Individual's Tax Residency Status, IRS Guidance - Backup withholding). Though, broadly, it does appear to be a requirement to certify that the customer is not subject to backup withholding due to previous underreporting of interest and dividends on interest-bearing accounts.

Essentially, this will likewise be a risk-based internal determination as well (and a caveat that, as this will be a determination reliant on tax law, we do recommend consulting with the bank's CFO, CPA, counsel, or other qualified tax professional for guidance related to the Internal Revenue Code and related IRS publications).

Learn how to put compliance management solutions from Compliance Alliance to work for your bank, by contacting (888) 353-3933 or [email protected] and ask for our Membership Team. For timely compliance updates, subscribe to Bankers Alliance’s email newsletters. 


SDBA eNews Archive
View past issues of the SDBA eNews

Advertising Opportunity
Learn more about sponsoring the SDBA eNews

Questions/Comments
Contact the SDBA at 605.224.1653 or via email