National banking regulators are focusing on a core set of risks they see in the industry landscape, including commercial real estate, liquidity planning, managing interest rate risk, vendor management that includes proper oversight of fintech, banking-as-a-service, and alternative investments (e.g., crypto and DLT firms). With that as a backdrop, a panel of risk officers from a recent California Bankers Association event shared what they’ve been seeing from their perch. The list below, in no particular order, should provide a reasonable checklist for a reader to evaluate their institution for possible threats and programs to keep the institution safe.
Credit Risk
Commercial Real Estate Lending (CRE) is too broad a market to make general observations that will apply to all lenders. Nevertheless, Class A office space is not back to fully occupied in many markets with work-from-home practices persisting. There is not a straight line that leads to 100% landlord non-repayment. Challenges for east and west coast lenders are more acute than in the Midwest.
Lending to senior living facilities has its own unique challenges. There are levels of stress as older, baby boomer parents stay with their families. Staffing costs are going up in response to the nursing shortage.
Retail lending will experience repricing risk as there may have been an unusually high level of underwriting exceptions (in addition to higher real interest rates).
In all cases, some basic, fundamental strategies should be deployed. Maintain strict application of risk rating frameworks to identify downward credit ratings; stratify the portfolio to identify specific borrower issues and not average out troubled loans; and revisit assumptions in stress testing models to ensure the model’s alignment to current market conditions. Remember the good old days when a 400 +/- basis point change was considered unrealistic?
Liquidity Risk
In general, deposits left many institutions in Q4 2022 and early Q1 2023. Customers didn’t leave; deposits moved. Many institutions are observing “sticky” customers bringing cash back. If the liquidity ratio wasn’t tight in Q1 2023 there were no real issues with the movements. We learned that a 10% outbound flow of deposits is a normal event scenario and not a stress; 40% is a stress.
Brokered CDs are once again gaining traction. Regulators are communicating nervousness with this funding source, but it could be documented that these funds are sticky and not a true risk to the institution.
And there is no longer a category named core deposits. The FDIC is looking hard at non-insured deposits and considering changes to the deposit insurance funding rules. Be prepared for some type of risk-based uninsured deposit assessment that could be tied to insurance premiums. Obviously, depositor concentration risk is now as robust a risk area as borrower credit concentration. The only way to reduce uninsured deposits is for commercial companies to distribute deposits across as many as 15-20 different financial institutions. This results in diversity along with a service based on price. Unintended consequences would be a race to the bottom that negatively impacts bank fee income. Unless of course, the Fed pivots and insures 100% of all bank deposits. We can only hope.
Interest Rate Risk
After liquidity risk, this is the next topic taking the oxygen out of the room. The current situation – higher rates and the speed of their increase – is old news. Federal uncertainty on future rate increases or decreases is garnering plenty of attention, and it is anybody’s guess if and when inflation may return to the Fed’s target rate of 2%.
Third-Party Risk
There is a continued focus on strengthening third-party risk management techniques and practices with a specific lens at each lifecycle stage in the relationship. Initial due diligence techniques are immature and require enhancements. Fintech and banking-as-a-service (BaaS) relationships require additional due diligence and monitoring. Be prepared for additional internal staff or consulting assistance to complete this properly.
Privacy, InfoSec, Cybersecurity Risk
High levels of fraud risk are still evident in many institutions. Check fraud rose during the pandemic and is still with us. Mail theft and check washing remain a concern with an elevated number of instances. Inside the institution, altered checks are handled differently than counterfeit checks so consider the resources to manage each. Instances of elder abuse are rising, and this will require new approaches, especially if new state rules and regulations get approved.
Reputational Risk
Social media monitoring tools, once a boutique risk management technique, are now table stakes. As an example, monitoring Yelp for poor reviews by customers and Glassdoor as an outlet for current and former employees is expected.
Mature, and tested incident response plans should now accompany existing business continuity programs – thank you SVB!
Backward-measuring key performance indicators are widely used while forward-looking key risk indicators represent too small a proportion of overall risk monitoring. The March 2023 bank failures have highlighted a need for early warning indicators with intra-day reporting. Some examples include deposit outflow, stock prices, social media, and volume of short selling.
It’s hard to be a banker right now. It feels like the world is against us. But the status quo will give way to a new model. Let’s try to influence it with great customer service or others will control the message.
Strategic Risk
Talent management remains an area requiring focus and execution. Recruiting and retaining Gen Z and millennials is a top priority strategic risk. Don’t neglect retention programs for the people who are with you now. They care about the bank and the community. Turnover ratios by department or line of business are the best risk indicators to measure what is truly occurring across the institution.
Regulatory Compliance
Consent orders are a great source of information as to where banking regulators are focused. This provides a heads-up before your institution’s compliance, information security, and safety and soundness exams. There is observable attention on any banking practice or fee that may result in consumer harm. Bank Secrecy Act (BSA) officers’ compensation is skyrocketing as talent is in short supply.
In summary, global events revealed enterprise risk management programs were not sufficiently robust to prevent significant negative outcomes from the 2008 CMO/CDO meltdown and ensuing recession, and the 2020 global pandemic. There is another global event on the horizon that we can’t quite see yet. Five over-the-horizon events that can’t be black swans include:
- U.S. dollars abandoned as the global reserve currency
- Climate events (e.g., annual Hurricane Sandy events)
- Non-U.S. (e.g., foreign) central bank digital currency adoption
- Default of U.S. Debt securities (if Congress doesn’t act)
- Economic depression in China
The next generation of ERM programs, what we refer to as ERM v3.0, needs to be developed to keep us safe if these or other similar impactful events occur. If you’re looking for guidance in identifying your organization’s risk factors and developing plans and risk boundaries, reach out to our team at Wolf today.
