By John Hintze
Banks were early adopters of artificial intelligence, but the extent to which it changes the inner workings of banking remains to be seen. The same can be said about the impact of stablecoins following the passage of the Genius Act in July and President Trump’s executive order at the end of August to end the practice of debanking. Even traditional bank risks, such as fraud, have taken never-before-seen shapes through the use of deepfakes and other technology-fueled scams.
“These are all new challenges for banks to address, and there’s no playbook to fall back on,” sys Kristina Schaefer, CRCM, CERP, senior vice president and associate general counsel at Dacotah Bank. “We can identify the risks and we may know how to mitigate them, but they’re all novel challenges that we’re facing.”
Add the dramatic changes at the federal banking regulators, and banks today face what Stephanie Lyon, SVP for financial services content at Ncontracts, calls a “whirlwind of activity.”
Whereas previously bankers could focus on staying compliant with federal laws and regulations, “Now you also have to pay attention to major changes to federal regulations and examiners, your state agencies and relevant litigation trends,” Lyon says. “There’s just so much going on everyplace you look — not something a lot of folks expected.”
Anticipated instability drives RAS revisions
A significant majority of financial institutions see at least moderate instability ahead and are re-examining their risk-appetite statements, according to a survey released in September by the Center for Financial Professionals and FIS.
Nearly three quarters (73%) of respondents, mostly in risk roles at banks across the globe, from systemically important banks (SIBs) to regionals, said they expect moderate to significant instability over the next three to five years.
The study notes that the instability is pressuring static, judgment-based RASs, and firms are questioning whether their current frameworks can keep pace with fast-moving, interconnected risks. As a result, 48% of respondents said they are updating their RASs, while 18% are considering changes but have yet to act.
A full 86% of respondents recognized that their current capabilities need improvement, with 62% saying they’re already investing in simulation and scenario analysis to manage uncertainty and systemic risk, and 24% actively exploring solutions. In terms of areas benefiting the most from such investments, respondents pointed to risk appetite visualization and monitoring (53%); capital planning (52%); liquidity and funding stress testing (50%); and operational and non-financial risk simulations (49%).
Geopolitical and geoeconomic risks topped respondents’ list of short- to medium-term risks, followed by macroeconomic risks, including inflation and interest rates, as well as technology and cyber risks.
Deregulation and compliance risk
On the plus side, especially for regional and community banks, onerous laws and regulations are being trimmed. The Consumer Financial Protection Bureau, for example, plans to revise the small business lending data collection rule required under Section 1071 of the Dodd-Frank Act. The proposal is expected to be issued soon, with a 30-day comment period, and will stick closely to the statute’s requirements rather than the agency’s far more burdensome version, which was completed in 2023 and has been held up in litigation. The rule’s compliance deadline was recently extended to July 1, 2026, for the banks with the most small-business transactions and to 2027 for other lenders.
“While there will be significant costs to implement the rule, we think the reporting regime will hue to the statute and shouldn’t threaten community banks’ ability to lend to their small-business customers,” says ABA EVP Ginny O’Neill.
Following a similar re-proposal schedule, the CFPB’s Section 1033 “open banking” rule requires financial institutions to share consumers’ financial data with consumers as well as authorized third parties, such as the fintech firms used by banks to provide a wide variety of services. (At press time, enforcement had been temporarily halted by an order from a federal judge in Kentucky.)
“This year we may know the status of those two really important rulemakings that have gone through a gantlet of litigation,” Lyon says.
Federal banking regulators have similarly proposed rescinding the 2023 Community Reinvestment Act final rule and replacing it with the 1995 framework that banks are currently required to comply with. The new rule’s implementation has also been delayed by lawsuits from the ABA and other banking organizations, which argue that it is too complex.
Community banks’ new friend
In an October 9 speech to the Federal Reserve’s Community Bank Conference, Secretary of the Treasury Scott Bessent noted the “embarrassingly complicated 60,000-word” CRA rule among several other rules that the Trump administration is revisiting to reduce banks’ compliance challenges. “Bessent is the first treasury secretary to not only talk about the importance of community banks and the need to right size regulation and supervision but also to initiate policy actions to unleash the economic growth community banks make possible,” O’Neill says.
Bessent mentioned several other items on the Trump administration’s policy agenda that should reduce banks’ compliance hurdles, including the FDIC’s proposal to raise banks’ asset thresholds to account for inflation and provide regulatory relief to smaller banks. He also noted the Office of the Comptroller of the Currency’s efforts to reduce assessments on smaller banks, reverse the plan to merge community bank supervision into large-bank supervision and replace community banks’ formulaic examination schedules with more risk-based ones.
Tracking so many regulatory changes will be challenging, and banks can’t overlook the reality that the laws fueling the regulations will remain on the books — perhaps with consumer-advocacy groups and state attorneys general attempting to enforce them. In addition, state legislatures may pass laws affecting state-chartered banks. In June, for example, Pennsylvania’s House of Representatives passed a bill to reduce bank overdraft fees following the successful Congressional Review Act resolution that overturned the CFPB’s overdraft fee cap rule.
The disparate impact conundrum
Lyon notes that some states, including New York and Massachusetts, have actively sought to bolster enforcement by hiring regulatory staff recently laid off or retiring from federal banking agencies. In July, the Massachusetts AG reached a settlement with a student loan company to resolve, in part, allegations that its lending practices violated consumer protection and fair lending laws, leading to a disparate impact that harmed black, Hispanic and non-citizen applicants and borrowers. “The settlement was the latest example of state enforcement activity in the wake of scaled-back federal enforcement under the current administration,” according to a recent blog post from law firm Frost Brown Todd.
Massachusetts’ decision to employ disparate impact theory illuminates a conundrum for banks. President Trump signed an order in April that aims to eliminate from federal enforcement the use of the disparate impact liability, which occurs when a practice results in different outcomes for different groups of people, even if discriminatory intent and action cannot be proven. In response, the OCC said it would no longer consider disparate impact risk in its fair lending supervisory processes. However, disparate impact analysis has been held up as a valid legal theory in circuit courts, and even the Supreme Court, that other parties can still deploy.
“There are two types of risk to manage: federal examination risk, and the risk from consumers, consumer advocacy groups and state AGs,” Lyon says.
The administration will instead look for disparate treatment. Such instances are typically identified from consumer complaints and “mystery shopping” campaigns, which the CFPB has pursued before but is considered unlikely to perform under current leadership.
“What’s important for bankers to understand is that while examiners won’t be looking for that, other groups with access to the banks’ data will, including consumer advocates,” Lyon adds.
She adds that state agencies can enforce unfair or deceptive acts or practices statutes at both the state and federal level, and bankers must be aware of new laws states are instituting.
“States like Colorado and Texas are implementing their own AI fairness and explainability requirements,” Lyon says. “That’s an interesting new trend we’re seeing, when [state agencies] say the federal government isn’t doing enough to protect consumers.”
The risk of less supervision?
The OCC issued bulletins October 7 that eliminated fixed, policy-based exam requirements for community banks in favor of a risk-based approach. “For example, the OCC is ending the policy-driven requirement for examiners to conduct a fair lending risk assessment during every supervisory cycle; instead, that decision will be risk based,” O’Neill says. “The OCC is also reassessing its data collection requests; they will leverage banks’ audit and risk management reports to help them determine exam scope and to reduce exam burden.”
The regulators are also backing off on annual model validations, especially burdensome for smaller banks, and they will limit the issuance of matters requiring attention when there is evidence of unsafe or unsound practices or actual violations of bank-related law. “Their focus will be supervision of material financial risks, rather than the processes and procedures that examiners got so focused on,” O’Neill explains.
Nick Klein, CERP, chief risk officer at Pennsylvania’s Ephrata National Bank, welcomes the changes but warns of complacency. He adds that despite the likelihood of longer periods between exams, his bank will remain vigilant. “We’re upping our compliance and audit game, with dedicated employees who are doing more audits and compliance testing internally, rather than relying solely on our outsourced audit partner,” Klein says. “These laws came about because customers were impacted, so let’s make sure we’re following the spirit of the law and adding value for our customers.”
Debanking concerns
Keeping track of where rules stand, applicable court decisions, and the impact on bank services has created a new type of uncertainty risk. That uncertainty extends to new challenges, such as Trump’s “Guaranteeing Fair Banking for All Americans” executive order, also referred to as “debanking,” signed August 7. The order lays out several requirements, including bank regulators removing guidance by early 2026 that could lead to politically motivated restrictions, reviewing banking institutions for past debanking actions, and the SBA requiring lenders to identify and reinstate debanked customers.
“The challenge from a banking perspective is that bankers make decisions based on their banks’ risk profiles,” Schaefer says.
Banks typically determine which customers and businesses to open accounts for based on Bank Secrecy Act, anti-money laundering procedures and fraud risk, she explains, adding that a bank may avoid cryptocurrency or cannabis clients because it doesn’t have the internal expertise or resources to mitigate risk.
“Debanking is definitely an emerging risk,” O’Neill says, noting that the OCC responded first to the order by sending out information requests in September to the nine largest banks. She anticipates examiners may eventually ask all bankers about their account opening and closing policies and procedures.
“Banks won’t be able to provide a categorical statement — for example, ‘We do not bank money service businesses’ — to explain why they declined to open or close certain accounts,” she says. “They will have to provide more documentation, such as explaining why the bank lacks the staff and other resources to monitor a potential MSB customer. And they’ll have to monitor the bank’s compliance with those policies to make sure they’re not making exceptions.”
Deposit insurance risk remains
The October scare concerning regional banks’ credit quality, which caused some banks’ shares to plummet, shone the spotlight again on the $250,000 deposit-insurance cap, unchanged since 2010, and whether it heightens the risk of runs on bank deposits during times of stress. Ethan Heisler, editor of the Bank Treasury Newsletter, notes the Senate Banking Committee’s September 10 hearing on the topic, its first since the failure of three banks in spring 2023, when the FDIC stabilized the market by covering both insured and uninsured depositors.
“It’s up in the air where that issue is going,” Heisler says. “But it has big implications for how bank treasurers analyze their deposits and liabilities.”
Cybersecurity scams
Another major source of uncertainty for banks is the rapid development of technology. Cybersecurity has been a long-time risk, and it is now apparent that, as much as a bank builds its own defenses, it remains vulnerable to vendors that may be infiltrated by bad actors and used as pathways into the bank.
ABA EVP Paul Benda points out that the Cybersecurity and Infrastructure Security Agency issued emergency directives in August, September and October involving Microsoft Exchange, Cisco Adaptive Security Devices and F5’s BIG-IP products. “CISA’s three emergency directives over the past three months is a cadence we’ve never seen before,” Benda said. “Banks can’t depend on securing their perimeters when they’ve let third parties inside. So they have to make sure they have the controls in place to limit bad actors moving horizontally in their networks.”
Banks must also contend with increasingly elaborate and realistic deepfake audio and video scams, which seek not only to deceive the bank’s own employees into divulging valuable information or wiring funds to fraudulent accounts, but also to impersonate the bank to deceive its customers. Benda said banks can’t assume a transaction is legitimate just because a customer approved it. They also need the right analytics to spot and investigate suspicious or unusual activity.
Criminals are spoofing the CallerID to fraudulently show a bank’s name and number, using customers’ personal data they’ve bought on the dark web, and even “deepfaking” their voices to remove any accent, all to convince customers they’re from their bank.
“Once the criminal gains the trust of the customer, they can convince them to give up their security credentials or even authorize payments directly to the criminals,” Benda says.
Another impersonation scam, often done through “smishing,” is the “toll-text scam,” where criminals impersonate a toll authority to convince consumers they owe money and then capture their credit or debit card information. With those details, they engineer a method to obtain the one-time passcode necessary for multi-factor authentication to load the card into a mobile wallet on a cell phone. Using sophisticated software, the criminals then duplicate the electronic wallet on multiple phones, which can proceed to make purchases in different geographies within minutes. “Unless banks have controls in place to recognize that impossibility, they won’t see it and won’t be able to stop it,” Benda explains.
New AI risks
AI will also likely create completely new challenges for banks. For example, Walmart announced its partnership with OpenAI in mid-October, allowing customers to interact with ChatGPT about their desired purchases and letting the AI agent handle the rest of the transaction, from item selection to payment and delivery. It’s unclear how Reg E, which protects consumers in electronic fund transfers, might apply.
“If I authorize AI to buy me a blue bike and I get a green bike, is that a chargeback or an unauthorized transaction?” Benda asks. “There may be a really simple answer, but the bankers I’ve spoken to don’t think so.”
AI is also proving to be a plus for banks. Klein notes that his bank has grown increasingly comfortable applying AI, most recently approving its use to write policies and training materials but not to engage in credit decisions. Any use of AI, he added, must involve a human overseeing the output, and a dedicated team must analyze new use cases to ensure the proper parameters are in place.
However, AI results aren’t perfect, so what happens if a bank uses AI in a customer-service function that results in a terrible experience for clients? All banks feel they need to be doing something AI-related, says Schaefer, but how does that application look against a bank’s risk profile and can it oversee its use properly? “And is your data clean?” she asks banks to consider. “Because if AI isn’t working with clean data, it’s going to be garbage in, garbage out.”
Trump signed the Genius Act into law July 18, but it remains unclear how stablecoins will impact the banking industry. Heisler reported in July that bank CEOs on analyst calls were skeptical about actual demand in the market for stablecoins. Furthermore, the law won’t take effect until bank regulatory agencies write rules to implement it, and the deadline isn’t until January 2027.
Nevertheless, Heisler says in an interview, bankers are monitoring signs of stablecoins’ potential impact on deposits, lending and other areas, such as the cross-border trade finance market, which the International Monetary Fund estimates will reach $1 quadrillion in 2024. “It’s a potential opportunity for banks, especially the largest institutions,” Heisler says.
Risks driving M&A
Some technology risks have been around for a while and are growing, such as the core platforms on which banks rely. Bessent said one of the Treasury Department’s goals will be to review core platform providers and determine whether their contractual terms prevent community banks from innovating — a longstanding area of advocacy for ABA. Brett Mastalli, banking practice lead at West Monroe Partners, anticipates that community and regional banks will face increased pressure to adopt more modern systems as they contend with growing competitive pressure from private credit and other nonbank lenders.
Running legacy platforms is costly, and the workforce familiar with them is aging. New demands, such as AI and the need for APIenabled open banking, compound the pressure on banks to invest significantly in upgrading their systems. “Banks need to review not just from their front-facing platforms but their architecture behind the scenes and the strategies they want to scale, lower their total cost of ownership, and be more responsive to the market,” Mastalli says.
Noting PNC’s recent acquisition of FirstBank Holding Company and Fifth Third’s merger with Comerica, Mastalli anticipates that more banks will take advantage of today’s deregulatory environment to build scale and address their technology investment needs. “I think we’re going to see a huge uptick in M&A next year,” he adds.
Contributing editor John Hintze writes frequently on financial services topics.
TOOLKIT — Manage risk and optimize your bank’s 2026 coverage at the ABA Insurance Risk Management Forum, Jan. 25-28 in Orlando. Register at aba.com/IRM.
