
ABA Banking Journal: Senators examine role of regulation in ‘debanking’
February 5, 2025
Republicans on the Senate Banking Committee today blasted regulators for allegedly pressuring banks to cut off services to certain customers while Democrats said overdraft and other bank fees were driving people away from banking.
During a hearing on “debanking,” some Republicans accused banks of turning away conservative customers and customers associated with particular industries, particularly cryptocurrency. Committee Chairman Tim Scott (R-S.C.) equated the alleged practice to racial redlining, although he viewed regulators as the primary force behind the denial of bank services.
“Under the Biden administration, we’ve seen the rise of what many are calling Operation Chokepoint 2.0, where federal regulators exploited their power, pressuring banks to cut off services to individuals and businesses with conservative disposition, or folks aligned with industries they just didn’t like — like the color of one’s skin in my family’s history,” said Scott, who is Black.
A major focus was on alleged debanking of customers engaged in cryptocurrency activities, with the FDIC releasing documents before the hearing reportedly showing that regulators discouraged banks from providing services to the sector. One of the witnesses at the hearing — Nathan McCauley, co-founder and CEO of crypto platform Anchorage Digital — said his firm sought banking services at 40 banks, including firms that wanted Anchorage’s business, but all the banks said no.
“I believe that regulators pressured banks to shut an entire industry out of the federal banking system,” McCauley said, pointing to a series of regulatory actions in the past few years. “The irony of having trouble accessing the federal banking system despite the fact we ourselves are a federally chartered bank cannot be overstated,” he added.
Ranking Member Elizabeth Warren (D-Mass.) said banks, not regulators, are to blame for any debanking. She said that “tens of millions of customers have been blacklisted by the banking industry because they overdrafted their accounts a few times.” She also said the list of the debanked includes formerly incarcerated individuals, Muslim and Armenian Americans, nonprofit groups and charities, and lawful cannabis businesses. She accused the largest banks of taking “shortcuts” when it came to assessing risks.
“Rather than investing the time and the resources to identify true criminal risks and shutting down those accounts, big banks are relying on black box algorithms and middlemen companies and shutting down accounts without doing careful due diligence,” she said.
ABA Banking Journal: Sanders, Hawley introduce bill to cap credit card interest rates
February 4, 2025
Sens. Bernie Sanders (I-Vt.) and Josh Hawley (R-Mo.) today introduced legislation to cap credit card interest rates at 10%, as suggested by President Trump during his campaign for office.
According to a joint statement by the two senators, the proposed bill would immediately cap credit card rates upon becoming law. It would remain in effect for five years.
Trump last year proposed capping credit card interest rates at 10% “to provide temporary and immediate relief for hardworking Americans.” The president has not indicated whether he will support the bill.
In a statement, ABA President and CEO Rob Nichols said consumers benefit from a highly competitive and vibrant credit card market, and the bill would only serve to limit their choices.
“As history makes clear, this proposal would result in the loss of credit access for the very consumers who need it the most, forcing them to use less-regulated, more risky alternatives including payday lenders and loan sharks,” Nichols said. “Congress has rejected these kinds of government price controls in the past, and we urge lawmakers to reject this misguided proposal.”
CISA News: Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History

A publicly accessible database belonging to DeepSeek allowed full control over database operations, including the ability to access internal data. The exposure includes over a million lines of log streams with highly sensitive information.
January 29, 2025 | Gal Nagli
Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, including the ability to access internal data. The exposure includes over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information. The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure.
In this blog post, we will detail our discovery and also consider the broader implications for the industry at large.
Executive Summary
DeepSeek, a Chinese AI startup, has recently garnered significant media attention due to its groundbreaking AI models, particularly the DeepSeek-R1 reasoning model. This model rivals leading AI systems like OpenAI’s o1 in performance and stands out for its cost-effectiveness and efficiency.
As DeepSeek made waves in the AI space, the Wiz Research team set out to assess its external security posture and identify any potential vulnerabilities.
Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data. It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.
This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.
More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world.

ABA Banking Journal: Cloud services: Outsourcing the service, but not risk
Banks must have strong risk-management practices in place when using third-party cloud service providers, starting with contract language.
January 29, 2025 | Walt Williams

There is a saying among risk management professionals that you can outsource the task, but you can’t outsource the risk, according to Jaime Manriquez, CIO and CISO at Santa Cruz County Bank. “At the end of the day, the bank itself or the institution is still going to be responsible and accountable for whatever security breach they may have,” he explains.
That philosophy is pertinent when it comes to cloud adoption, as federal regulators have repeatedly stated that they expect banks to have third-party risk management frameworks in place when outsourcing technology services. Cloud providers may do the tasks, but it is banks that assume much of the risk. “A lot of these tech companies don’t fully understand that,” Manriquez says. “So it is kind of ironic that, in some cases, we’re trying to hire bankers or regulators so they can teach them about the frameworks that we operate under.”
There are different strategies for approaching cloud services risk management. Santa Cruz County Bank uses a hybrid strategy in which it maintains responsibility for security. Other banks may outsource most of their functions to the cloud. There are few wrong or right answers when it comes to deciding which approach works best for an institution, and there are resources available to help banks make that choice. “It pretty much goes back to what the business strategy is,” Manriquez says.
Federal focus
In 2022, U.S. Treasury Department officials started reaching out to bank executives from institutions of all sizes about how their institutions were using cloud computing and the challenges they faced, says John Carlson, SVP for cybersecurity regulation and resilience at ABA. Prior to Treasury focusing on cloud computing, the federal banking agencies had issued several advisories on cloud computing and conducted audits of major cloud service providers as part of a program to assess significant service providers that banks rely upon. Treasury officials wanted to know the benefits for banks in using cloud technology as well as some of its challenges. Their findings were outlined in a paper published the following year.
“When Treasury published their paper in February 2023, they laid out all these benefits, but also flagged a number of pretty significant challenges that financial institutions were encountering,” Carlson says. “Among those were insufficient transparency to support due diligence and monitoring by financial institutions, as well as exposure to potential operational incidents, including those originating at a cloud service provider, and also some concerns about the potential impact of market concentration.”
The Treasury Department created a steering committee with representatives from both the government and private sectors. The agency also partnered with the Financial Services Sector Coordinating Council, an industry-led organization of which ABA is a member. Those efforts led to the release last year of a suite of resources to enhance the relationship between cloud service providers and financial institutions. The resources were also meant to give regulators more confidence that those institutions were using cloud services safely and soundly.
Fine print
One of those resources was a 21-page document, titled “Financial Sector Cloud Outsourcing Issues and Considerations,” providing a non-exhaustive list of key considerations for developing contractual language with cloud service providers, specifically to address risk and supervisory and compliance expectations when using the services. For example: In those contracts, what rights and availability does a financial institution have to get information from the cloud provider?
“Even if you use a third party, whether it is an on-premise provider or a cloud provider, you as the institution still own the responsibility for compliance,” says Allen Brandt, chief privacy officer at Depository Trust and Clearing Corporation, who spoke about the paper during a Cloud Security Alliance webinar in August.
“You cannot outsource your regulatory compliance. … What ability does the financial institution have to get information from the third party?”
Another consideration in contract language should be notification and reporting, he says. “We all have incident notification requirements. We potentially have things when you make material changes. And what type of reporting can the provider give to you, as the financial institution, [and] in what timely manner? Does it meet your regulatory requirements?”
Then there are roles and responsibilities. “What’s the responsibility of the cloud provider to maintain their piece? What’s yours?” Brandt says. “How do they interface together? How do you notify each other when there are incidents? How do you notify each other when there are changes?”
Testing for when things go wrong
Another area banks should consider when drafting contracts is what processes cloud service providers have in place for testing and resilience, says John McDonald, global head of cloud governance at Bank of America, who also participated in the CSA webinar. As an example, he points to the CrowdStrike outage in July, which caused widespread service disruptions at banks and many other sectors of the economy.
“When [a cloud service provider] has an outage, understanding the downstream impact on that is important, and that information is not consistently provided to financial service institutions who need to incorporate it into their business continuity testing and resilience programs,” McDonald says.
Banks need to understand how cloud service providers are testing for resiliency and what plans they have for bringing those services back online, he says. “And then you have to link that to what you can do as a customer, because there is a significant responsibility from a customer standpoint.”
Human resources
Manriquez — who is also a member of ABA’s Core Platforms Committee — stresses the need to establish clear contractual terms and responsibilities regarding security, incident response and data location. But after those contracts are signed, banks must continue to have regular meetings and open communication with cloud providers to stay up to date on product changes and strategic plans, he says.
“What we do in our case, with our Microsoft relationship, is we meet once a month,” he says. “We touch base on what’s working, what’s not working, what products do you guys have.”
Still, at the end of the day, the best advice Manriquez has for banks trying to manage their cloud risks is to invest in their workforce. “And what I mean by investing in their human capital is sending them to training, keeping their certificates current and also retaining and developing staff,” he says.
GSBC+Invest Community Bank Performance Institute
May 19-22, 2025 | University of Colorado Boulder
The Community Bank Performance Institute is a four-day school designed to inform and enhance community banks’ financial performance through the examination of ALM strategies, investments, liquidity management and scenario planning and analysis.
Registration Information

Breaking Into Banking 101 & 201
101: February 26, 2025 | 201: March 26, 2025
Breaking Into Banking 101: Commercial banking can be intimidating because of its complexity and the risk-oriented nature of the work. This course is a clear and thorough introduction to the key concepts, terminology, and processes involved in credit and lending. It doesn’t assume much prior knowledge of the topic, so it’s ideal for those in their first year in the industry. Learners will walk away with a clear understanding of their job and how their specific role fits into the bank’s overall profitability goals.
101 Information & Registration
Breaking Into Banking 201: This 9-module online course is a “sequel” to the 101 course and is best taken after completion of that course, though it is not a prerequisite. The 201 course includes a case study and dives deeper into topics covered in modules 4, 6, and 8 of the 101 course: analyzing a borrower’s balance sheet, income statement, collateral, and risk ratings.
201 Information & Registration
ABA Washington Summit
April 7-9, 2025 | Washington DC

Join the biggest annual gathering of bank leaders in Washington to push for a bank policy framework that lets your bank stay focused on serving your customers, clients and communities. Hear directly from the key players in the 119th Congress and the new administration on what the future holds for banks of all sizes.
The SDBA is currently planning to attend the Summit and would like to invite you and your staff to participate as well. Registration is free and you can learn more and sign up here. Join us as we hear from top-notch speakers, connect with our congressional delegations' offices and dine with our friends at the NDBA. You won’t want to miss this opportunity to engage on multiple levels.
If you or one of your staff would like to attend, the SDBA will provide a $500 stipend (1 per member bank) to help defray the costs of any banker attending from a member bank not currently represented on the SDBA Board. There will also be an Emerging Leaders’ Forum and a Women’s Leadership Forum held in conjunction with the Summit.
Information and Registration
Understanding Bank Performance
Building Better Bankers
Virtual: April 3, 4, 10, 11, 17, 18, 24, 25 | 10 a.m. - 12 p.m. Central Time
Participants will learn how to assess and analyze a bank’s financial performance by working with data from real institutions. Using financial statements from one sample financial institution along with statements from their own banks, participants will become familiar with the ins and outs of balance sheets and income statements and learn how to apply key performance metrics to the data presented in these documents.
Having learned how to interpret and analyze a bank’s financial statements, participants will gain deeper insight into the factors affecting bank performance. Later sessions in this course will address ways in which performance may be hindered or improved by funding strategies and risk management. Ultimately, participants will be able to review a bank’s financial statements to identify strengths and weaknesses and be able to recommend changes that will lead to improved performance.
In the final session of this course, participants will put what they have learned into practice. Participants will analyze a new data set, rate the bank’s performance and suggest strategic adjustments that might benefit the bank.
Information and Registration
2025 Fraud Academy
August 12-14, 2025 | Lexington, KY or Virtual
Fraud Academy is a pioneering initiative designed to arm bankers with the skills needed to detect and combat fraud. Our unique program features insights from experts across the DEA, FBI, the Secret Service, law enforcement, AARP, and the financial industry, offering a robust education in fraud prevention from those who know it best.
With fraud costing every bank valuable time and money, our curriculum targets over eighteen types of fraud, including check fraud, elder fraud and cybercrimes, and introduces effective prevention tools, equipping bankers with the knowledge to minimize fraud-related losses and protect your institution's bottom line.
This two-and-a-half-day school will take a deep dive into the types of fraud most affecting financial institutions.
Information & Registration
Online Education
Participating in learning opportunities outside the bank can be challenging. Take advantage of the SDBA's extensive selection of webinars and on-demand training to enhance your banking expertise directly from your computer.
GSB Online Seminars | OnCourse Learning | SBS Institute | ABA Training

Question of the Week
Q: Does the newly released National Flood Insurance Program (NFIP) Installment Payment Plan Final Rule apply to the force-placement of flood insurance?
A: Unfortunately, 89 FR 87299 – the Final Rule that was released on November 1st 2024 (and that will be effective as of December 31st, 2024), which permits NFIP policyholders to pay their annual flood insurance premiums in monthly installments (in certain situations) – does not specifically address nor explicitly make changes to the current federal force-placement of flood insurance rules.
However, under a conservative interpretation: because the scope of the Final Rule is limited to residential and non-residential SFIP policyholders – and in a force-place scenario, the policyholder is seemingly the lender, rather than the borrower [see: “Policyholder Information” in the April 2024 NFIP Flood Insurance Manual] – it would appear that this rule and its guidance may likely exclude force-placement situations.
DID YOU KNOW?
Did you know, as a best practice, a bank’s BSA/OFAC/AML/CFT policy should include a 314(b) statement?
- It is recommended the policy state whether or not the bank participates in 314(b) sharing.
Learn how to put compliance management solutions from Compliance Alliance to work for your bank by contacting (888) 353-3933 or [email protected] and asking for our Membership Team. For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.
Questions/Comments
Contact the SDBA at 605.224.1653 or via email