By Julie KnudsonUncertainty and unpredictability were the watchwords for 2020. The business environment changed nearly overnight, as did consumer behaviors. Banking, shopping, dining, work, school—the pandemic touched it all.
“The velocity of change continues to increase in speed,” says ABA SVP and risk expert Ryan Rasske, CERP, CAFP. “On the community bank side, adoption of technology with their consumer base probably happened at a much faster rate than they ever anticipated due to the pandemic.”
As we move into 2021, the banking risk picture is poised to be both otherworldly and familiar. We asked industry experts how they saw risks shaping up in the coming year. From the rapid shift toward digital banking to economic burdens to election year turmoil, some common areas of focus will remain while new and expanded risks will be on the radar, too.
Interest rates and economic activity just the tip of the risk iceberg
Schaefer anticipates continued pressure on interest margins as banks fight for quality loans and she says managing interest rate risk will be a priority. “As banks look for innovative ways to continue to meet the needs of their customers but also increase their non-interest income, what sort of expertise exists within the bank? Can banks move quickly in this unique rate environment we find ourselves in?” Additional risks on the credit side will evolve as 2021 unfolds. “It’s yet to be seen from a credit perspective how things shake out, whether we’re able to get another stimulus plan through,” Schaefer says. The other question, of course, is what impacts any government programs will have on spending and borrowing for both consumers and businesses.
David Kelly, CERP, CRCM, chief risk officer at FirstBank Holding Company in Lakewood, Colorado, expects to see potential credit risks and loss from a deteriorating economy, particularly as the deferrals that have been granted expire. “We’ll see if economic conditions improve or deteriorate, and this is where uncertainty will play in until the pandemic has a more certain outcome and we know whether we’re going to close back down again,” he says. Kelly also believes liquidity in the current market is a potential future risk in such an uncertain environment. “Stimulus is sitting in the banks, but what will happen with funds during 2021?”
Balance sheet management will also be critical. “Banks will continue to focus further on that compression of interest margin due to the federal reserve strategy of keeping interest rates low or near zero for the next year plus, given the economy,” says Ryan Luttenton, consulting partner at Crowe, which ABA endorses for risk, compliance and governance consulting. Low-cost core deposits will be increasingly valuable to offset some of the compression, and Luttenton believes banks with the data to understand customers’ behaviors and drive actionable insights will be better positioned to retain those core deposits in the coming year. “Increasing the precision on data analytics or creating new data analytics to monitor customer behavior is going to be important,” he says.
Commercial real estate poised for a shift
A portion of those businesses forced to close or scale back operations during the shutdown likely won’t survive. “Vacancies, particularly in the retail sector, could be tough for non-owner-occupied commercial real estate—shopping centers, strip centers and the like,” says Clayton Legear, president and CEO of Merchants and Marine Bank in Pascagoula, Mississippi. Banks active in the commercial real estate sector may see increased risk as tenants and landlords consider their options if businesses can’t restart or sustain operations.
Meanwhile, other industries are rethinking their operating models. Tech-heavy companies were quick to announce long-term work-from-home arrangements for employees, and other verticals are following suit. “For many companies that truly don’t have to have employees working from office space that they pay for, I think you’ll see many of them come back and say they’d be fine giving employees the option to work remotely,” Legear says. Class A office space may no longer be a necessity for firms with WFH flexibility. “There may potentially be volatility even in that traditionally safer realm of owner-occupied commercial real estate,” Legear says.
Security, cyber, and the expanding realm of third-party risk
The operational shift to online created new workflows for employees and it also added another risk component into the cybersecurity landscape: customers. “We’re serving customers in the digital environment now that may not be digitally native,” says Atul Malhotra, managing director of enterprise risk management at Fulton Financial in Lancaster, Pennsylvania. Large commercial customers may be more familiar with cyber best practices, but consumers generally aren’t. “That naturally introduces a host of other considerations and risks,” Malhotra says. He anticipates a heightened focus on mitigating those risks in the months ahead, but the usual tendency to increase control by adding friction to the process may need to be tempered with a scaled approach that better aligns with users’ needs and expectations. “Making it easier for customers to understand what they need to do and how they need to go about doing their banking in a safe and secure manner online or through mobile is going to be equally important as adding the control layer,” Malhotra says.
Customers aren’t the only ones who’ve embraced digital since the pandemic. Threat actors have also been busy. Paul Benda, SVP for risk and cybersecurity policy at ABA, says phishing has increased more than 400 percent since COVID-19 hit. “The odds of someone losing credentials and criminals potentially gaining access to accounts are high,” he says.
Instances of ransomware have also grown, prompting the need for banks to maintain greater awareness around patching and following good cyber hygiene, particularly since their remediation options may be shrinking. “The Treasury Office of Foreign Assets Control recently put out a statement reiterating that anyone that pays a ransom to an entity that is sanctioned or in a sanctioned country is exposing themselves to enforcement action, which could include criminal penalties,” Benda says. With this updated guidance, banks must be mindful to have strong business continuity and data restoration plans in place to prevent them from feeling forced into less savory responses.
Managing third-party risks has also expanded in scope, due to the growth of digital banking and remote work arrangements. “If you’re totally reliant on a single cloud service provider, have you created too much risk in a single place and a single point of failure?” Benda asks. He says most cloud and other providers have their own cascade of technology partners working behind the scenes. “Does that third party have a fourth-party vendor that exposes banks in ways they haven’t expected before?” Institutions should increasingly assess where data is going, who’s managing it along the way and how downstream risks may now exist with providers the bank didn’t even know they were using.
Because vendors and their partners are continuously enhancing the technology infrastructure, a change in cadence may be necessary to keep pace with downstream vendor risk. Rasske suggests the traditional due diligence processes that touched bases with vendors periodically may no longer be adequate given how quickly things are changing. “Does this need to be touched more frequently than it’s ever been in the past?” he asks. Changes in the governance process could help ensure that risk management efforts remain effective as the chain of providers and its overall attack surface become more complex.
Compliance takes on new focus
Regulatory issues could also grow in 2021. Kelly points to allowances made around working with borrowers during the height of the pandemic and the supportive stance taken by regulatory agencies at the time. It’s yet to be seen if those we’re-all-in-this-together feelings carry forward into the new year. (View more on what to expect when examiners pop the hood in 2021.) “If we start seeing deterioration, will there be second guessing of the actions the industry took during 2020 and scrutiny over that?” Kelly asks. Concerns about a potential shift in sentiment are compounded by election year uncertainties, with banks unsure how vigorously any earlier actions may be defended or denounced.
Linda Gallagher, executive managing director for the United States at Promontory Financial Group, an IBM company, sees fairness in servicing emerging as a greater risk for banks in the coming months. “Think about all these mortgage loans in forbearance, that are tied to government programs which will eventually go away,” she says. If affected consumers seek mortgage modifications from their servicers, the level of discretion within that process could bring additional attention. “Any time you have judgment in lending or servicing, it can easily give rise to disparate treatment,” Gallagher says. “If that disparate treatment falls disproportionately on any member of a protected class, then on the face it could be considered discriminatory.” These modification requests will likely occur during a time of greater focus on equal treatment. “It’s the perfect storm when you think about fair servicing,” Gallagher says. She expects it will be an issue regardless of the election year climate. “We expect fair servicing to be a significant risk and likely to be enforced with vigor for the first time.”
It isn’t just regulators that could draw focus toward fair lending issues. Data is abundant and available in today’s digital environment, and Clayton Mitchell, principal at Crowe, points to past data disclosure acts that have expanded access. He believes it would be short-sighted to think that nonbank groups—such as community organizations, activists and others—aren’t analyzing the same data, and he says past underutilization of the power to refer risk issues related to fair lending to the Justice Department is likely to change. “If we as an industry don’t get out in front of it, then it’s not going to be good.” Mitchell says it’s a compliance matter but adds that “the bigger issue is really around reputational risk and the challenge with your customers [if]you’re seen as being discriminatory.” Banks that lead the way will focus on risk mitigation, using data to manage and monitor and, if issues are identified, proactively implement fixes.
The relationship between regulatory issues and cyber threats is also becoming more complex. “Regulators have encouraged banks to be innovative and to embrace new technology, which includes artificial intelligence, machine learning and other things, but those are subject to threats and attacks as well,” Rasske says. “If a bank deploys machine learning, which is driven by algorithms, and somebody infiltrates that and causes the machine learning to get off base by inserting bad data, by changing the data or changing the code, which causes the machine learning to behave differently than it was originally intended to, it could give the bank an output that is not good.” Data or coding changes could introduce bias or other unwanted influences, and the resulting subtle variances in the output could remain undetectable for an extended period of time. If those manipulated algorithms affect lending or credit decisions, it could create significant and unexpected risk for a bank.
Operational risks looming
Digital transformation was a primary theme during 2020, but Malhotra says one of the biggest operational risks going into 2021 will be the rest of that transformation journey. “All of us need to be mindful that digital transformation is not just standing up digital banking or mobile banking for our customers,” he warns. “It is in fact also digitizing the back office and the middle office to make sure our processes can support that type of digital work environment.” A digital front end may not perform as well as intended, or follow-on problems may crop up later, if the back office continues to be populated with manual or paper-based processes.
By evaluating the processes and procedures underpinning how banks engage customers and how employees conduct day-to-day activities, some deeply held beliefs in banking could be challenged. “Most commercial banks put their primary emphasis—and rightly so—on lending, credit underwriting, credit administration and deposit gathering,” Legear says. However, as we learned in 2020, banks aren’t simply makers of loans and gatherers of deposits. “They’re highly complex businesses that, despite their size, are very complex by many other standards,” Legear says. Institutions are already adapting to the new paradigm, but the risk is that the experience and skills necessary to evolve outside those traditional functions may not be in place. “Let’s take people with strong technology or operational backgrounds and put them in roles where they can help us grow the business going forward,” Legear says.
In areas where in-person operations continue to be restricted, Schaefer says new risks may arise. “Should the fraud team be doing enhanced monitoring? Should we be increasing certain audits or reviewing digital banking transfers more carefully? Should we be increasing the frequency of checking in with our commercial customers?” she asks. Banks responded quickly to the needs of their communities—assisting with the flurry of PPP loans, helping customers transition to online banking and turning handshake meetings with customers into web conferences—but Schaefer believes it’s time to step back and evaluate where those changes may create risks. “What are other steps and controls we used to do when we were in the office, and are we still doing them?”
Julie Knudson is a frequent contributor to the ABA Banking Journal.