By John Hintze
Some bank risks just never seem to go away, and that’s certainly been the case with fraud. In fact, the opportunities for fraud keep expanding.
Kristina Schaefer, CRCM, CERP, chief risk officer and general counsel at Sioux Falls-headquartered First Bank and Trust, lists fraud as her number one concern in 2025, and not just ever-evolving cyber fraud but resurging, old-fashioned check fraud, for retail as well as commercial customers.
“Customers control so much via technology, and while it can be a great resource and defense against fraud, if customers aren’t coming into the bank anymore, how can we make sure they’re using the necessary tools?” Schaefer says.
The issue of fraud often accompanies other risks banks will face next year, including the relentless pursuit of new technology and technology-fueled services, usually via third-party vendors. In addition, banks continue to face volatile interest rates, which capsized Silicon Valley Bank and others in 2023, as well as the regulatory uncertainty stemming from a new president and Congress.
Third parties, fourth parties and beyond
ABA EVP Paul Benda cites banks’ use of third parties and even fourth parties — a bank vendor’s vendor — as a key risk, given the intense competition among banks to roll out new products and services.
The issue moved to the front burner after CrowdStrike IT, a Microsoft vendor, accidentally sent out a corrupted software update in July that affected 8.5 million Windows systems. The issue is especially complicated for highly regulated banks that lack the heft to demand that large technology vendors respond to questionnaires about their offerings’ security.
“The risk has always been there, but as fraud and cybercrime continue to be concerns, banks really need to get ahold of what their vendors are doing,” Schaefer says.
At the very least, bankers should make sure they understand the security options available to them when partnering with third parties, and set the controls at levels they deem adequate to reduce risk.
“Don’t rely on the default settings,” Benda says.
He adds that ABA is actively engaging officials at the Treasury Department and other government agencies about the issue. It co-authored a report published in July under the auspices of the Financial Services Sector Coordinating Council that identified key issues for banks to consider when obtaining vendor services via the cloud.
The issue is critical for the bottom lines of banks, which may be expected to reimburse customers who lose money through fraudulent activity adversely impacting their accounts. New rules in the U.K. require banks to reimburse customers tricked into sending money to fraudsters up to £85,000, and governments worldwide are addressing fraud and banks’ responsibility. In the U.S., a recently drafted bill assigning responsibility to banks for payment fraud is unlikely to become law during the Trump presidency, but could reemerge.
New tech: promise and peril
Complicating matters is the emergence of new and less understood technologies, led by artificial intelligence, that can heighten banks’ risks. ABA SVP Ryan Rasske, CERP, CAFP, a former bank risk manager, notes that today’s competitive lending environment has prompted banks to explore alternative sources of revenue and rapidly adopt new technologies, sometimes jumping ahead of the capabilities within their risk-management frameworks.
“Where do banks draw the line and not accept certain types of risk is going to be a priority in 2025,” Rasske says, adding that new technology increases risks ranging from inadequate internal controls to compliance to reputation exposure. “The interconnectedness of these issues in its totality becomes the biggest risk.”
In fact, simply adopting the new technology can present a major risk.
“We’re seeing a lot of unmanaged innovation risk when financial institutions get into complex partnerships, such as trying to leverage AI, but don’t have the basics fully fleshed out,” says Stephanie Lyon, VP for compliance at Ncontracts, a provider of risk- and compliance-management software.
Those basics include strong third-party risk management oversight, understanding vendors’ security measures, especially when it comes to customer data or any personally identifiable information, and being able to explain that to bank examiners. Lyon notes that 14 of the 18 most recent bank regulatory enforcement actions have involved “unmanaged innovation risk.”
“Banks are going to see negative consequences — consumer harm, privacy violations and the financial impacts — if they don’t get it right,” she says.
A bank implementing AI technology in-house, to protect their data, must have the technology staff that understands how AI works, data scientists and the ability to integrate data sources. “In a lot of cases, banks are just starting to come up with their policies and procedures for AI technology, including how AI can be used in the bank, who can use it, and what data can be uploaded into the AI technology,” says Carl McCauley, CEO of 360factors, a provider of risk-management solutions to banking institutions. “It’s a lot of work for banks right now.”
Regulatory risk dynamics under Trump 2.0
Bankers may be relieved that an incoming Republican executive branch may pursue new rules and enforcement less aggressively. However, changing regulations is a long process, notes Peter Dugas, executive director at consultancy Capco. He expects the president to take initial actions via the budget process or executive orders that rescind guidance, bulletins and circulars not subject to notice-and-comment rulemaking.
“Examples include additional changes to the UDAAP exam manual from the CFPB, which the industry says didn’t go through a formal rulemaking process, or climate-change guidance for banks with more than $100 billion in assets,” Dugas says.
He warns that bankers should not assume a Republican Congress will reverse a large number of regulations that emerged under the Biden administration, since it doesn’t have 60 votes in the Senate to move final legislation. (However, recently finalized rules from 2024 may be overturned through the Congressional Review Act process, which allows Congress to act on a simple-majority basis.) More likely, Dugas says, is that the agencies will deprioritize investigations and enforcement.
For regulations whose compliance dates arrive over the next few years, such as the CFPB’s Section 1071, requiring banks to collect and report data on small business credit applications, some changes could occur. “It was finalized before the Congressional Review Act deadline and the rule is unlikely to be stricken, but the number of data requirements will probably be reduced,” Dugas says.
The leaders the Trump administration chooses for the CFPB, FDIC, OCC and other agencies — all of which may be filled by acting leaders immediately after the inauguration — will indicate the extent to which they will defend new rules currently in litigation, such as Section 1071 or the recently modernized Community Reinvestment Act rules. “There could be significant rollbacks, especially if the regulatory requirements exceed what the law itself permits,” Lyon says.
She adds that historically enforcements dip during an administration’s first year, but she cautions banks not to scale back their internal-controls environment and their compliance and risk management software and operations. The enforcement actions over the last year were for infractions that occurred three to five years ago, she explains, adding that a reduction in federal enforcement typically results in other entities stepping up. “In 2025, I expect less enforcement from federal regulators and more enforcement from state agencies and litigation from cities and consumer advocacy groups. We can’t forget that the basic regulations haven’t changed.”
The banking regulators said during an oversight meeting November 20 that there are no plans to finalize major rulemaking until next year.
Portfolio risk in the evolving rate environment
Credit risk has increased marginally over the last year but could increase further if interest rates remain stubbornly high. Todd Cuppia, who heads up Chatham Financial’s balance-sheet management practice, pointed out that the 10-year Treasury rate increased upwards of 75 basis points between late September and mid-November, unwinding the benefit of the Federal Reserve’s rate cuts.
“We’re talking to clients about locking in some of their funding costs by buying instruments like a cap,” Cuppia says, adding that anticipation of further Fed cuts makes those hedges relatively inexpensive.
Chatham also recommends hedging the values of bond and loan portfolios. “The synthesis of that is not to place too much stock in what markets are expecting, and instead focus on the core business and protect against unexpected outcomes,” Cuppia says.
Should rates continue to rise, banks’ investment portfolios could see increased unrealized losses, putting them at risk — similar to early 2023 when a handful of large regionals imploded — should they need to sell those assets. In fact, the portfolios of many regional and community banks are 15 to 20 percent under water, currently, says Ethan Heisler, editor and chief of the Bank Treasury Newsletter and a former banking analyst at Citigroup, citing data he culled from bank call reports.
However, most banks are well capitalized today and should be able to withstand an increase in long-term rates, at least in the short to medium term. “If a bank carries capital levels above regulatory minimums and the bank’s own risk tolerances, AOCI losses can carry through to maturity when the bank would receive full value for the bonds,” says Mariner Kemper, chairman and CEO of Kansas City-headquartered UMB Financial.
Still, a fair number of banks are at risk. “There are 500 or so institutions whose capital ratios are below a tangible common equity ratio of 5 percent, and that’s down 20 to 30 percent from where they would be without that impairment,” Heisler said.
With risks coming from many directions today, Rasske says, risk management has become a critical skillset necessary across the bank, up to the level of executive management and boards of directors.
“At times it seems risk management became much more complex overnight and caught some banks off-guard,” Rasske adds. “More than ever, a deep knowledge and understanding of risk management needs to be imbedded in every key position across the bank.”
Contributing editor John Hintze is a financial journalist who writes frequently for the ABA Banking Journal.