By Julie Knudson
As 2020 came to a close, banks, consumers and the world at large were eager to see it go. And then 2021 happened, and we learned just how sticky the pandemic’s many challenges could be.
Customers discovered they like the convenience of newly launched digital channels, but their patience with the teething stage of online banking evaporated. Banks suddenly risked losing accounts if their digital game wasn’t top notch. The shifts in regulatory priorities that often follow a change in administration created new risk profiles for banks already grappling with emerging social and financial issues on an unprecedented scale.
Amid so much ongoing upheaval, what risks will 2022 bring? We gathered insight from industry experts on how they anticipate issues such as cybersecurity, third-party partnerships and compliance will shape banks’ risk management strategies in the year to come.
Undergirding these converging risk trends is an emphasis on the importance of the entire risk governance structure, which ABA SVP and risk expert Ryan Rasske, CERP, CAFP, says will likely be front and center in the new year and beyond. “Given the uncertainty that’s still in front of us and the rapid changes we’re having to deal with, whether they’re internal or external circumstances, I think risk management oversight and decisioning has moved into a position that’s more critical for bank success than ever before,” says Rasske.
Though risk management has always been a vital component, Rasske believes the priority, scope and value of the function as a whole have escalated. “The risk governance part is coming into focus more than ever,” he says. “What structure is in place to make sure the decisions that are being made are the right ones, and that the right people are making those decisions?” Rasske also emphasizes the need to ensure the information stemming from those decisions flows smoothly across the organization in a collaborative way, which may require adjusting established communication channels for today’s increasingly hybrid work structure.
1. Changing client practices raise viability risk
Maintaining customer connections despite the continued disruption to in-person activities—and in line with consumers’ shifting expectations—is a risk Brendan Mulvey, a managing director in Promontory Financial Group’s compliance practice, sees going into 2022. “How do banks continue to have the right touch with their customers who have so many other options to pick from?” he asks. Many institutions struggled with customer engagement before the pandemic, and large-scale changes in the way business is done only intensify the need for banks to consider their outreach strategies. “In terms of risk, it’s really about finding ways for banks to better listen to their customers,” Mulvey says. He believes the focus on the customer must now go beyond active engagement into issues such as complaints and satisfaction surveys. Managing the risks may require expanded metrics to provide direction on the effectiveness of customer interactions and uncover areas where friction is hampering the customer experience rather than delivering any real value.
Customer retention in a quickly changing world is just one concern, but it leads into the broader issue of viability, which John Epperson, managing partner, financial services at Crowe, believes will be an important element for banks in 2022. Operational resilience has been a growing priority in recent years, as organizations watch their legacy infrastructures struggle to keep up with monumental disruptions. Now, Epperson says the bigger issue may be operational viability. “We have new competition, increased consumer adoption of digitization, an increasing scale and velocity of innovation and we’ve got a rise in the use of data,” he says.
Among the most significant risks in financial services is remaining relevant amid so much upheaval. “How are financial institutions going to define a differentiated strategy?” Epperson asks. Delivering unique and valuable offerings in a sea of shiny new things could prove to be a tremendous challenge. “My sense is that there are a lot of financial services that haven’t necessarily been pushed to be really good at defining strategy, or really good at understanding and deploying unique and valuable offerings,” Epperson says. Many organizations have historically stuck to a somewhat homogenous set of products and services. One risk in the coming year may be whether banks can accurately evaluate the marketplace and deliver offerings customers want in a highly competitive market.
2. Supply chains, CRE and other post-COVID hangovers
Supply chain issues can’t be ignored when assessing the risk environment in 2022. Industries that wouldn’t normally be affected are feeling the pinch in supply availability and logistics disruptions, and the effects are rippling downstream in unanticipated ways. Potential shortages of baseline materials—magnesium, microchips—combined with higher prices, longer shipping times and a lack of workers are hitting businesses that are otherwise doing everything right. Kristina Schaefer, CRCM, general counsel and chief risk officer at First Bank and Trust in Brookings, South Dakota, says it’s worrisome and adds: “It’s impacting our customers and our communities in a lot of different ways.”
One area where there may be an overabundance of a good thing is commercial real estate. “With so many people working from home, there’s some added uncertainty for the commercial real estate market,” Schaefer says. From global enterprises to local small businesses, it seems no one is immune to the changes trickling out of the previous couple of years. Even companies with long track records of financial stability are hurting and it’s something banks will need to continue to monitor in the coming year. “I don’t know whether we’re going to continue to have as much need for these big office buildings, and that affects the surrounding businesses that support them,” she adds.
3. Maturing third-party relationships and cybersecurity
From cloud to mobile to traditional infrastructures, David Kelly, CERP, CRCM, chief risk officer at FirstBank Holding Company in Lakewood, Colorado, says the underlying principles of managing third-party risk remain the same. However, he encourages banks to put a new focus on the actions they’re taking in 2022. “You have to understand what third-party providers’ activities are, how they’re interconnected and how they’re evolving over time,” Kelly says. That means reviewing vendor risk profiles more frequently to understand how changes might impact the institution. And just as banks need to assess their own resiliency, they also must consider third-party partners’ ability to be resilient, too. “You need to look into their business response capabilities, their incident response, their cybersecurity and how well they can respond,” Kelly says. “If they don’t have the right capabilities, such as if their services go offline, that could impact you drastically or potentially compromise you on some levels.” Banks with limited reliance on third-party services take note—2020 showed how quickly a small piece of operations could morph into a major component, and an elevated third-party risk management strategy helps ensure maximum agility.
The need for robust vendor resilience is brought into sharp relief when talking about cybersecurity and the risks of ransomware. As several high-profile attacks demonstrated with almost vicious clarity, banks may do a good job of protecting their networks from intrusion but the risks are no longer limited to their own systems. “It’s the third-party vulnerability to things like ransomware,” says Paul Benda, SVP for operational risk and cybersecurity at ABA. “And it isn’t just that they’re going to come in and hack the bank through a third party—that third party may hold your data.” Thanks to big jumps in digital adoption driven by the pandemic, third parties are more central to banking operations than ever and their prominence is sure to grow. Protecting the institution from third-party vulnerabilities—ransomware being just one concern among many—will be high on the risk radar in 2022.
Another issue banks will likely grapple with in the coming year is additional regulatory requirements with respect to ransomware and similar threat vectors. Benda doesn’t think the rulemaking will specifically target financial institutions, but he says, “There are multiple pieces of legislation that talk about potential reporting requirements and potential fines for lack of reporting.” This could complicate the relationship between banks and third-party providers when it comes to determining where reporting responsibilities fall and whether they rest with the bank or its providers. Some of the legislation includes potentially onerous stipulations, such as 24-hour reporting obligations for suspected ransomware attacks. “It’s something banks will need to watch to make sure they stay on top of what those requirements are going to be,” Benda says.
4. Changing priorities at the regulators
The shifting emphasis signaled by regulators means banks would be wise to prepare for additional scrutiny around consumer protection, according to Rasske, and he adds they’ll also want to keep an eye on elements of the Anti-Money Laundering Act of 2020 that are scheduled for implementation in the coming year. “That’s going to bring some substantial changes, beneficial ownership being one of those, that banks will need to pay close attention to and make sure they’re implementing appropriately.”
Along with meeting regulatory requirements, Rasske says banks should also expect a spotlight on the effectiveness of their compliance departments. “Compliance officers have to continuously find ways to be more effective across the enterprise,” he explains. That means enhancing existing partnerships, deploying automated systems that can help the business manage its compliance programs and looking holistically at data quality coming out of the tech stack. “It’s harder to find qualified compliance professionals in today’s competitive environment, and especially if we’re adding technology, those costs are not going down,” Rasske says.
As often happens with regulatory elements, there’s a feeling within the industry that what’s old is new again heading into 2022. Bankers are already aware of the focus on fair lending, but Mulvey says that “the OCC and CFPB have both cited addressing racial inequity as a priority.” Greater emphasis on the servicing side and treatment of customers working through forbearance as the CARES Act winds down is something institutions will want to consider as part of their risk management process. “It’s taking those fair lending concepts around how banks look at things in terms of identifying potential discrimination and disparate impacts and treatment, and then apply[ing] that outside of the credit space,” Mulvey says. With fraud monitoring and investigations increasing, for example, banks should assess if unintended consequences may result from the ways those issues are handled. “If you’re putting a hold on accounts because of activity that’s viewed as fraudulent, is that being done in a way that’s disproportionately impacting certain people?” Mulvey asks. From investigations to complaints and even things like waivers on overdrafts, he encourages banks to view their strategies through a risk management lens.
5. Interest rates, technology, talent: Longstanding risk priorities still loom
Consistently low interest rates and relatively steady interest margins have created a unique environment for banks, but Epperson says volatility will likely crop up in 2022. “From a bankers’ perspective, there will be a need to dust off that asset liability management and interest rate management playbook and start to get good at those functions again.” Financial institutions may have invested less time into those activities over the last year or so, but changes might be in the offing. Asset liability management and interest rate risk management strategies will once again be on the radar. “It’s important to begin to test and stress our interest rate environments to make sure that, as we start to see more volatility in the interest rate market, we’re able to effectively manage the spread of our assets and liabilities,” Epperson says.
Heightened emphasis on priorities such as fair and responsible banking could result in additional risks elsewhere. “I think we’re going to see an increase in the use of innovative analytics and how they can be applied to new areas of banking,” says Mary Clouthier, CERP, CRCM, chief risk officer at the proposed Cornerstone Capital Bank SSB—being formed from an in-process merger of Cornerstone Home Lending and Roscoe State Bank—in Houston. She points to examples such as regression analysis and its application in pricing and underwriting across all types of lending, and possibly other data analytics applied to deposit product fees.
But a wider deployment of analytics throughout the product and service portfolio isn’t a simple undertaking. “The risk is that we all need to stay ahead of what the regulators are doing and try to do that to our best ability so we’re better prepared and have our own oversight of our programs,” Clouthier says. That strategy requires significant resources, however, and she believes smaller organizations may need to look outside the bank to secure the necessary specialized skills. “It’s about managing where your highest risk is because you have to approach it from a risk perspective in what you focus on.” With talent at a premium and internal funding still lean, Clouthier believes that conducting a risk assessment to determine where each bank should spend its time, attention, resources and talent will be extremely important in the year ahead.