December 31, 2018
Financial Data as of September 30, 2018 (unless otherwise noted)
PDF of December 2018 Risk List
This report groups the risks that Ninth District banks face into five main categories, as shown in Table 1. Table 1 also shows risk subcategories that have elevated or high risk levels. These subcategories are discussed in the following pages. Appendix 1 provides a table with all subcategories of risk that we considered in our analysis.
Table 1
Risk level and current period trend1
| Risk | Current 12/31/2018 |
6/30/2018 | 12/31/2017 | |
|---|---|---|---|---|
| Credit Risk |
Acceptable
|
↔
|
Acceptable
|
|
| Agricultural Risk |
Elevated
|
↑
|
Elevated
|
Elevated
|
| Market and Liquidity Risk |
Elevated
|
↑
|
Acceptable
|
|
| Liquidity Risk |
Elevated
|
↑
|
Acceptable
|
Acceptable
|
| Operational Risk |
Elevated
|
↔
|
Elevated
|
|
| Cybersecurity Risk |
High
|
↔
|
High
|
High
|
| Legal and Compliance Risk |
Acceptable
|
↔
|
Acceptable
|
|
| Financial Risk |
Acceptable
|
↔
|
Acceptable
|
|
RISK LEVEL DEFINITIONS
|
High
|
Inherent risk reflects a current problem area or one likely to become a problem area in the next one to two years, that, if realized, would have a significant impact on institutions in terms of operating losses, rating downgrades, impediment to strategic goals (e.g., M&A), or failures. The supervisory approach requires specific supervisory action steps to control or mitigate the risk. | |
|
Elevated
|
Inherent risk reflects either a current problem area that has a less significant impact on institutions than a high-risk area, or an area that is potentially high impact but is less likely to develop in the next one to two years. The supervisory approach typically must be a modified approach to monitor, understand, or communicate the risk. | |
|
Acceptable
|
Inherent risk does not fulfill the definition of either high or elevated risk, and the current supervisory approach is sufficient to manage the risk. | |
| Trend | ↑ | Increasing |
| ↔ | Stable | |
| ↓ | Decreasing | |
Summary of Key Risks
Operational Risk – Cybersecurity 
Risk level: High
Cybersecurity risk remains high. The global threat continues to rise, quickly evolve, and become more challenging to detect and prevent, requiring constant vigilance. Although banks have proactively invested in a wide range of technology, processes, and partner solutions to actively prevent, detect, and react to these threats, examiners continue to find areas of weakness.
Key Areas of Concern
- End-Point Security – Weak controls over enterprise network access points, including such devices as smartphones, tablets, or laptops controlled by both the bank and third parties.
- Governance – Weak or nonexistent management information systems and oversight of cybersecurity risks.
- Infrastructure & Asset Management – Incomplete asset inventories and network scans.
- Operational Resilience – Failure to test incidence response plans and the bank’s ability to maintain system functions in the presence of internal or external changes or threats.
- Vulnerability and Patch Management – Failure to address application vulnerabilities through patches and upgrades and to validate remediation of known vulnerabilities.
- Cloud Security – Failure to adopt appropriate cloud computing data-security controls.
Key Action Steps for Banks and Holding Companies
- Continue to integrate cyber resilience into all aspects of their business, including training, technology, and evaluation of new business opportunities. Cyber resilience plans should be tested regularly.
- Focus on end-point security, including identification of and control over all network access points, such as employee and contractor mobile devices.
- Ensure that cyber risk assessments rank the risks and prioritize highest-risk items.
- Ensure that boards and senior management are conducting appropriate oversight of cybersecurity activities.
- Continue to prioritize third-party oversight and integration point controls.
- Continue to conduct employee cybersecurity training and testing.
- Continue to improve vulnerability and patch management programs.
- Take advantage of the FFIEC Cybersecurity Assessment Tool to help identify their risks and assess their level of cybersecurity preparedness.
Agricultural Credit Risk 
Risk Level: Elevated
Agricultural risk is elevated, with an increasing trend. Low commodity prices, combined with a relatively high level of inflexible operating costs, continue to limit cash flow for agricultural producers. Net farm income has fallen 50% over the last five years, forcing many producers to utilize working capital and equity in order to meet debt service requirements. As a result of the multi-year decline in income among producers, nearly all District banks with agricultural concentrations have carryover debt in their portfolios.
Beyond the ongoing producer cash-flow weaknesses, global events are increasing the level of risk posed to banks, including the following:
- Broad-based trade concerns continue to place downward pressure on commodity prices.
- Worldwide soybean market share concerns have evolved with China’s increasing soybean purchases from countries in South America. China previously purchased approximately 30% of the U.S. soybean crop.
- Political uncertainty is increasing agricultural sector risk. Although the 2018 Farm Bill passed in December 2018, the U.S. government shutdown in early 2019 – including the USDA and thereby the Farm Service Agency (FSA) – slowed the implementation of the 2018 Farm Bill. Additionally, the shutdown delayed renewals for borrowers with FSA guarantees. Any additional shutdowns would further complicate borrower renewals.
Key Action Steps for Banks and Holding Companies
- Loan officers need to closely monitor borrower cash-flow projections and discuss deviations and potential remedial steps with the borrower, including:
- An assessment of the long-term viability and financial strength of borrower operations.
- An assessment of operating efficiency, management strength, and management succession plans.
- If necessary, workout action plans with required action steps.
- Capital and strategic planning strategies should include and address agricultural concentration risk issues.
- Agricultural risks must be addressed in the liquidity and capital planning process to ensure processes are commensurate with the size and complexity of the institution.
- Carryover debt should be addressed either in policy form or in documented procedures. Refer to SR 11-14 for guidance related to carryover debt.
Market and Liquidity Risk (MLR) – Liquidity Risk
Risk Level: Elevated
Liquidity risk is elevated, with an increasing trend. The rising interest rate environment and higher loan demand have created competitive pressures, with District banks experiencing challenges in generating organic deposits. This has resulted in declining asset-based liquidity and increased reliance on funding from rate-sensitive or volatile sources. This trend is most pronounced at banks with higher loan concentrations, leading to layered risk.
Key Action Steps for Banks and Holding Companies
- Include contingency funding plans with meaningful early warning indicators tailored to the firm’s liquidity risk profile in board-approved liquidity management frameworks.
- Consider borrower long-term viability and overall financial strength, including equity, operating efficiency, and outside debt, when cash flow projections indicate debt servicing difficulty.
- Include concentration risk in liquidity and capital planning processes.
- Conduct stress tests to ensure that assumptions are appropriate and identify exposure under stress scenarios.
- Ensure that an independent party regularly reviews and evaluates the various components of the liquidity risk management process.
Watch List
Watch List risks remain acceptable, but we have observed emerging issues that warrant ongoing awareness.
Market & Liquidity Risk – Interest Rate Risk (IRR)
Banks have increased their reliance on funding from rate-sensitive sources due to competitive pressures for local deposits or as a lower-cost funding source. As banks have increased their exposure to rate-sensitive funds, underlying model assumptions have not always kept pace. Additionally, while IRR models show an opportunity to increase loan rates, that assumption is not always supported by the economic reality of weaker borrowers because increasing the rate may adversely impact the borrower’s ability to service debt. Management should ensure that assumptions are realistic and consistent with their evolving funding strategies and borrower capacity. The Market & Liquidity Risk Coordinator will continue to monitor banks with higher IRR profiles.
Legal & Compliance Risk – BSA/AML and OFAC Risk
Banks are currently managing several regulatory policy changes and rule requirements. The Small Business Administration (SBA) rules now prohibit banks from providing SBA-backed loans to businesses that directly or indirectly receive revenue from cannabis businesses. In other marijuana news, Upper Peninsula Michigan banks say they will continue to refrain from banking marijuana-related businesses after the successful November Michigan ballot initiative legalizing cannabis for adult recreational use. Examinations thus far show bankers successfully incorporating the new customer due diligence (CDD) beneficial owner requirements that became effective in May 2018 into their systems, policies, procedures, and training. The Risk Team will continue to monitor for compliance.
Legal & Compliance Risk – Consumer Compliance Risk
Risk management programs, including vendor, complaint, and change management programs, remain critical for effectively detecting, mitigating, and controlling consumer compliance risk. These programs should pay particular attention to the following:
- Fair lending controls over pricing discretion, policy exceptions, and other compliance risks.
- Fair lending and Community Reinvestment Act controls that require banks to serve low- and moderate-income and minority communities and not inappropriately exclude them from assessment areas.
- Home Mortgage Disclosure Act reporting controls.
- Mortgage loan origination and servicing activities controls.
- Unfair or deceptive acts or practices (UDAP) controls.
- Controls that ensure proactive management and accurate tracking of community development activities, where applicable.
Appendix 1 - Risk Table2
| Risk | Current 12/31/2018 |
6/30/2018 | 12/31/2017 |
|---|---|---|---|
| Credit Risk |
Acceptable
|
Acceptable
|
|
| Agricultural Risk |
Elevated
|
Elevated
|
Elevated
|
| Energy Sector Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Commercial Real Estate Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Commercial and Industrial Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Consumer Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Residential Real Estate Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Investment Securities Credit Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Market and Liquidity Risk |
Elevated
|
Acceptable
|
|
| Liquidity Risk |
Elevated
|
Acceptable
|
Acceptable
|
| Interest Rate Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Operational Risk |
Elevated
|
Elevated
|
|
| Cybersecurity Risk |
High
|
High
|
High
|
| Other IT Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Fraud and Internal Controls Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Legal and Compliance Risk |
Acceptable
|
Acceptable
|
|
| BSA, AML & OFAC Risk |
Acceptable
|
Acceptable
|
Acceptable
|
| Consumer Compliance Risk3 |
Acceptable
|
Acceptable
|
Elevated
|
| Financial Risk |
Acceptable
|
Acceptable
|
|
| Earnings Risk |
Acceptable
|
Acceptable
|
Acceptable
|
Endnotes
1 Note that there are no historical ratings for the main risk categories captured in this table prior to 2018.
2 Note that there are no historical ratings for the main risk categories captured in this table prior to 2018.
3 Consumer compliance inherent risk, reflecting consumer compliance, fair lending, and the CRA, is at an acceptable level but continues to require robust risk management. The inherent risks have matured and are generally well known, and financial institution risk management has proven generally effective.