Skip to main content

December 2015 High and Emerging Risk List

December 31, 2015
(Data as of June 30, 2015)

PDF of December 2015 Risk List

Risk List Process

We begin development of the Risk List by identifying areas of risk potentially faced by Ninth District financial institutions – see Table 1. Then we assess each risk for level of concern, level of exposure, and trend – see Table 2. Table 1 also summarizes all risks considered and shows the level of concern and level of exposure for the current period and two prior periods. The report includes trend data only for the current period. While there is a slight bias toward issues affecting SMBs, the process assesses risk exposure for all Ninth District banks and holding companies.

Key risks and the related supervisory responses are summarized in order of risk severity. We also include brief discussions of risks that, although currently below the threshold for a complete write-up, have the potential to emerge as significant concerns in the near term or for which additional information is needed to assess the actual level of risk. Finally, we do not comment on risk dimensions that are not currently significant areas of concern.




Summary of Key Risks

Cybersecurity Risk Red arrow

Cybersecurity risk remains high, with significant exposure and an increasing trend. Cybersecurity is the universe of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

The high level of cybersecurity risk is a function of both the frequency and potential severity of losses that could result in a control breakdown. Many of the cybersecurity issues that examiners cite in the field are the result of overreliance on outside parties, without appropriate oversight of third parties and inadequate control/data center maturity. These issues can result in inadequate business continuity, disaster recovery performance, testing, and overall network resiliency. Many Ninth District institutions continue to have a substantial reliance on third parties for critical technology services, and the trend of adopting cloud and virtualization technologies is increasing this reliance. Distributed Denial of Service (DDoS) attacks and other web-based attacks on these third parties continue to occur at high rates.

While DDoS and other sophisticated network attacks are prevalent, direct data breaches at community banks are often the result of social engineering. It is important that banks provide adequate training to staff and test staff awareness. In addition, malware/viruses are maturing faster than defenses, meaning that organizations need to focus on and invest in ways to detect anomalies and respond to breaches that are inevitable.

Key Action Steps for Banks and Holding Companies

  • We encourage banks to use the recently published FFIEC cybersecurity self-assessment tool. Results of the self-assessment will help institutions identify their risks and determine their cybersecurity preparedness.
  • Whether within the organization or in assessing their vendors banks should focus on key cybersecurity risks, including:
    • Cybersecurity controls, especially detective controls such as routinely scanning IT networks for vulnerabilities and anomalous activity, and testing systems for their potential exposure to cyber-attacks.
    • Banks should ensure that their complaint functions have the capacity and the expertise to handle breach-related complaints.
  • Banks should provide staff with adequate job-specific training related to awareness of social engineering schemes in order to reduce the likelihood of occurrence.

Bank Secrecy Act/Anti-Money Laundering, and Office of Foreign Assets Control Risk Yellow arrow

BSA/AML and OFAC risk is elevated, with a significant exposure and an increasing trend. BSA/AML and OFAC risk is the risk of legal and compliance costs and reputational damage associated with failure to comply with BSA/AML and OFAC obligations.

BSA/AML and OFAC risks have increased across the Ninth District. The legalization of marijuana in various states, in conflict with federal law3 , and the potential for development of marijuana businesses on tribal lands have increased risk and broadened risk exposure. Additionally, BSA programs have not kept pace in some cases. As a result, examiners have seen an increase in violations cited for noncompliance with required elements of an effective BSA compliance program and key OFAC requirements.

Key Action Steps for Banks and Holding Companies

  • As banks consider new strategies, including acquisitions, they should proactively consider the impact of these strategies on their overall BSA/OFAC risk profile and what additional actions will be needed to appropriately mitigate new or elevated risks.
  • Banks, particularly those in or bordering states that have legalized marijuana and/or where Native American tribes are engaging in marijuana businesses, should:
    • Ensure that they are familiar with the FinCEN guidance.
    • Identify any covered customers.
    • File suspicious activity reports (SAR) as required.
    • Adequately incorporate marijuana-related risks into their risk assessment and overall compliance program.
  • Banks should ensure that they have established an effective OFAC compliance program that is commensurate with their risk profile, including the following actions:
    • Identify higher-risk areas.
    • Provide appropriate internal controls for screening and reporting.
    • Establish independent testing for compliance.
    • Designate a bank employee or employees to be responsible for OFAC compliance.
    • Establish training programs for appropriate personnel in all relevant areas of the bank.

    The OFAC compliance program can be addressed within the overall BSA policy and risk assessment, but it should be tailored to the risks of the institution.

Agricultural Credit Risk Yellow arrow

Agricultural credit risk is elevated, with a high exposure and an increasing trend. Agricultural credit risk consists of the direct and indirect credit risks related to agricultural producers and their communities.

The majority of Ninth District bank loan portfolios continue to be highly exposed to agriculture, which poses significant risk over the next year. Crop prices4  have declined to 2010 levels, which is straining borrower cash flow. Crop prices and other factors leading to the sharp increase in farmland values seen over the last several years have reversed. As a result, there is strong potential for a material decline in land prices, which will erode collateral positions during a period of reduced cash flow. Farm income for livestock producers also decreased in 2015. Dairy producers have also had an increasingly difficult year, as the price of Class III milk has fallen nearly 17% since late 2014, and poultry and swine producers are still recovering from their respective disease outbreaks.

Key Action Steps for Banks and Holding Companies

  • Banks should proactively monitor cash flow projections and seriously consider taking steps with borrowers who are likely to experience cash flow difficulties. Examples of prudent steps include obtaining outside guarantees, forward contracting of crop prices, use of crop insurance, adding loan covenants, and obtaining additional collateral.
  • Banks should monitor annual operating lines to understand what portion of the operating debt is attributed to each year (operating cycle) in order to effectively identify carryover debt. This will allow the bank to work with weaker borrowers at an early stage.
  • Banks should consider their agricultural concentration in the capital planning process to ensure capital adequacy against loan portfolio risk.

Interest Rate Risk Yellow arrow

Interest rate risk (IRR) is elevated, with a significant exposure and a stable trend. IRR is the risk that an investment's value will change due to a change in the absolute level of interest rates.

Some banks have invested in longer-term assets in order to increase yield, but this response has led to increased exposure in a rising rate environment. Several Ninth District banks have begun using swaps to hedge IRR for certain borrowers, which is a reasonable way to mitigate IRR but also increases the complexity of their balance sheet; this complexity must be captured by their risk management framework. Additionally, the significant inflow of deposits in recent years, especially nonmaturity deposits, has made it difficult to develop robust IRR modeling assumptions for rising rate scenarios.

Key Action Steps for Banks and Holding Companies

  • Banks should consider strategies for adjusting balance sheets as rates begin to rise; a gradual increase, for instance, may be more appropriate than a +100 or +200 basis point shock.
  • Banks should evaluate whether:
    • Weaker borrowers are capable of cash flowing with increased interest rates.
    • Models address both on-balance-sheet and off-balance-sheet risk.
    • Management and the board understand key assumptions and weaknesses of IRR models.
    • Assumptions consider the impact of large deposits and surge deposits and their related betas, decay rates, and changes in the deposit mix.
    • Scenario analyses and stress tests are appropriate and identify exposure under a variety of rate environments and stress scenarios.

Consumer Compliance Risk Yellow arrow

Consumer compliance risk is elevated, with a moderate level of exposure and an increasing trend. Consumer compliance risk is the risk of financial loss, reputational damage, or consumer harm caused by failure to comply with consumer protection laws, internal policies, or principles of integrity and fair dealing.

New regulatory requirements, particularly those applicable to mortgage lending will require Ninth District financial institutions to devote significant resources to implementing changes. Earnings pressure, the new mortgage rules, and other regulatory changes will add further pressure on compliance risk management programs. Continued focus on fairness and consumer harm requires financial institutions to adapt compliance management programs to be more proactive and to assess risks relating to fairness and consumer harm.

Key Action Steps for Banks and Holding Companies

  • Banks should adapt compliance risk management programs, including monitoring resource levels to reflect new risks when engaging in new activities, or where existing programs are subject to new regulation. Greater compliance risk will likely exist in:
    • Banks with new compliance officers or programs that appear to operate with declining or limited resources.
    • Banks where compliance resources appear to be minimal or stressed.
    • Banks with high inherent risk from mortgage loans, credit cards, overdraft programs, and indirect lending programs or new products.

Earnings Risk Yellow arrow

Earnings risk is elevated, with moderate exposure and an increasing trend. For purposes of this risk list, earnings risk is being narrowly defined as risk relating to business strategy, such as mergers and acquisitions (M&A), and/or the potential for earnings volatility related to the overall strategy of an organization.

Analysis of applications activity since the beginning of 2012 shows steady expansionary activity in the District with a sharp increase in the first half of 2015, when 11 expansionary applications were filed, compared to 13 in all of 2014. Other activities show efforts by smaller organizations to grow and ultimately increase earnings, grow market share, and ensure continued viability.

Key Action Steps for Banks and Holding Companies

  • Banks should consider whether their current risk management infrastructure is sufficient to incorporate the expansion before expanding into new markets or activities. This analysis should include all financial risks, and other key risks such as BSA/AML and compliance risk.
  • Banks should ensure that they have an effective planning processes that incorporate planned changes; address planning, due diligence, and monitoring expectations; and identifies current and future management and staff needs. Banks engaging in new activities or markets should routinely monitor actual results to planned results.

Energy Sector Risk Yellow arrow

Energy sector risk is elevated, with low exposure and an increasing trend. Energy sector risk consists of the direct and indirect risks related to energy producers and their communities.

Ninth District energy sector risk is concentrated in the Bakken Formation in western North Dakota and eastern Montana. Oil activity decreased in 2015, after several years of rapid expansion. The slow-down in oil activity has started to filter through the region’s economy. Though most banks state that they have minimal primary exposure to oil activity, all are seeing some secondary and tertiary effects as oil field workers are either leaving the area or having their hours reduced. Many municipalities needed to expand their infrastructure during the recent boom time, and incurred debt in order to finance this expansion. The slowdown effects on area cities and their tax base are just beginning to surface.

Key Action Steps for Banks and Holding Companies

  • Banks should develop a strategy for monitoring their energy exposure and proactively work with borrowers experiencing stress.
  • Banks with exposure (loans or municipal securities) to the Bakken and other oil-dependent regions should monitor the secondary and tertiary effects, including understanding which cities are most reliant on oil revenue to meet their existing obligations (e.g., hold oil bonds).

Below-Threshold But Potentially Significant Risks

In addition to the key risks already discussed, there are other potentially significant risks that banks and holding companies should monitor, including the following:

  • Purchased Loans: Commercial and Industrial (C&I) Credit Risk is moderate, with moderate exposure and an increasing trend. C&I credit risk consists of the credit risks related to lending for nonagricultural businesses for purposes of working capital or capital expenditures. The volume of purchased C&I loans has increased in the Ninth District since the end of the credit crisis causing a rise in concentration levels:
    • 46% of reporting SMBs have participation volumes that exceed 25% of their capital.
    • 13% of reporting SMBs have participation volumes in excess of 100%.

    Along with rising concentration levels, the types of loans banks are purchasing further elevates concerns. At the national level, an increasing number of nonbanks are originating loans that often are purchased, or directly funded, by banks. Several of our SMBs have been active in these types of participations. Additionally, several SMBs have purchased portions of Shared National Credit loans. Given the size and complexity of these credits, it may be challenging for SMBs to employ the necessary resources to fully assess and monitor these large credits.

  • Investment Securities Risk is moderate, with moderate exposure and a stable trend. Investment securities risk is the risk of credit losses in the investment securities portfolio. Most credit exposure in Ninth District bank investment portfolios is to municipal bond issuers; however, we have noted two other increasing trends:
    • 24 District community banks, including four SMBs, reported interest rate swap positions as of the end of the second quarter.
    • District banks continue to have large and growing bank-owned life insurance exposures. Currently, 22 SMBs have concentrations that exceed 20% of tier 1 capital.


3BSA Expectations for Marijuana-Related Businesses” – Banking in the Ninth, June 2015

4 Crops most prevalent in the Ninth District include corn, soybeans, and wheat.