December 2020 Risk List

December 2020
Financial Data as of December 31, 2020 (unless otherwise noted)

Summary of December 2020 Risk Themes

The Federal Reserve Bank of Minneapolis’s Supervision, Regulation, and Credit (SRC) Division monitors the Ninth District for current and emerging risks in banking and collects information about them. Based on the information gathered, SRC publishes a list of risks and the level of inherent risk they pose to the District’s financial institutions (see the full list in Appendix 1, “Risk Table”). Risks identified as noteworthy are considered to have high or elevated levels of risk. Due to the severity and trends associated with noteworthy risks, we will discuss District-specific concerns and best practices in this report. Risks labeled spotlight are risks with emerging issues or changes in the supervisory environment that may impact the District’s financial institutions. Spotlight risks are emerging and cannot be clearly dimensioned at this time or are currently less severe than noteworthy risks.

Risk Levels Defined

High – Inherent risk reflects a current problem area or one likely to become a problem area in the next one to two years, that, if realized, would have a significant impact on institutions in terms of operating losses, rating downgrades, strategic goal impediments (e.g., M&A), or failures. The supervisory approach requires specific supervisory action steps to control or mitigate the risk.

Elevated – Inherent risk reflects either a current problem area that has a less significant impact on institutions than a high-risk area, or an area that is potentially high impact but is less likely to develop in the next one to two years. The supervisory approach typically must be a modified approach to monitor, understand, or communicate the risk.

Acceptable – Inherent risk does not fulfill the definition of either high or elevated risk, and the current supervisory approach is sufficient to manage the risk.

Table 1

Risk themes for December 2020

Category | Risk | Current Level | Trend | Previous Level
Spotlight | COVID-19 | N/A | N/A | N/A
Individuals and businesses across the Ninth District have suffered financial losses because of the COVID-19 pandemic and related shutdowns. Exposed to these financial losses are the community and regional banks that finance those individuals and businesses. The Federal Reserve and federal and state governments responded to the crisis with a stream of emergency lending programs, changes to guidance, and government aid and relief. The response has helped borrowers make their loan payments and encouraged banks to be proactive with their accommodation programs and forbearance agreements. It has also allowed banks to replace the loss of revenue from loan payments and decreased loan demand with fees generated from high levels of mortgage refinancing and the processing of Paycheck Protection Program (PPP) requests. However, much of this aid, such as the PPP, was intended to be temporary or a one-time occurrence. Borrowers and their banks’ financial future and resilience through the pandemic are dependent on uncertain factors, which include the effectiveness of vaccine rollout, impact of variants/mutations of the virus, and additional government support.
Noteworthy | Commercial Real Estate Credit | High | Increasing | High
The economic shutdowns and social distancing requirements across the nation and the Ninth District have harmed most industries. However, the impact varies by type of industry and whether the business is located in an urban or rural area. Businesses that intersect with commercial real estate (CRE), such as retail, restaurants, and lodging, have been particularly hard hit. Persistent high unemployment levels will adversely impact multifamily and residential real estate (RRE) rental properties as rent payments drop due to nonpayment, evictions, and vacancies. The consequences of this fallout on CRE credit risk are diminished cash flows and a potential increase in problem borrowers, followed by a corresponding decrease in CRE values. Furthermore, the prospect of a prolonged economic downturn will test banks and their credit administration as banks grapple with longer workout strategies in an uncertain economy.
Noteworthy | Agricultural Credit | Elevated | Stable | Elevated
Agricultural credit risk remains elevated due to stable and historically high farmland values, extensive government support, strong production levels per acre, and improved capital levels at most agriculturally concentrated banks. The risk trend has stabilized since the previous report due to improvements in farm income and export markets; however, several risk factors still support the elevated risk rating. Prior to 2020, agricultural producers had endured multiple years of declining net income because of low commodity prices and inflexible operating costs. As a result, many producers used working capital and equity in order to meet debt requirements, which left many agriculturally concentrated banks with unprofitable borrowers and increasing carryover debt. Farm sector net income increased substantially in 2020, mostly fueled by government support resulting from the pandemic. Government support accounted for almost 40% of net farm income in 2020 – an unsustainable level of farm income that adds uncertainty to income levels going forward. Overall trade policy is still uncertain, but agricultural exports improved significantly in the second half of 2020, which has improved commodity prices in the near term.
Noteworthy | Consumer Compliance | Elevated | Stable | Elevated
The pandemic continues to place demands on existing compliance risk management systems of the District’s financial institutions. The adverse health effects and economic effects of the pandemic combine to present significant uncertainty and continued operational risks for institutions. Adhering to changes in guidance from government officials on pandemic management as well as adjusting to changing COVID-19 case numbers and staff availability requires frequent adaptation of processes and systems. While regulators continue to extend flexibility where appropriate, change management is often a primary responsibility of compliance, risk management, and audit staff, which carries resource and capacity implications. Access to banking services may be complicated by branch closures and increased reliance on electronic options. An institution’s ability to address consumer requests and complaints, as well as acting in good faith to comply with consumer protection laws and regulations, depends on staff availability and system capacity.
Noteworthy | Cybersecurity | High | Stable | High
The latest Finastra and SolarWinds breaches in 2020, accompanied by an elevated level of continued ransomware and phishing attacks, further confirm the high level of cybersecurity risk being experienced not only by banks but also by other major corporations. These breaches indicate high motivation for nefarious actors to continue to find security gaps in IT infrastructure of U.S. government and private organizations. However, we believe the current supervisory approach need not be modified to address the risk. The Reserve Bank will continue to reinforce the importance of maintaining a strong cybersecurity framework to state member banks (SMBs) through outreach efforts and IT examination activities.

Spotlight: COVID-19

Rationale: Individuals and businesses across the Ninth District have suffered financial losses because of the COVID-19 pandemic and related shutdowns. Exposed to these financial losses are the community and regional banks that finance those individuals and businesses. The Federal Reserve and federal and state governments responded to the crisis with a stream of emergency lending programs, changes to guidance, and government aid and relief. The response has helped borrowers make their loan payments and has encouraged banks to be proactive with their accommodation programs and forbearance agreements. It has also allowed banks to replace the loss of revenue from loan payments and decreased loan demand with fees generated from high levels of mortgage refinancing and the processing of PPP requests. However, much of this aid, such as the PPP, was intended to be temporary or a one-time occurrence. Borrowers and their banks’ financial future and resilience through the pandemic are dependent on uncertain factors, which include the effectiveness of vaccine rollout, impact of variants/mutations of the virus, and additional government support.

District Concerns

The following is a high-level summary of the main areas that are of growing concern because of the pandemic.

NEW

Financial Resilience: While most banks have adapted well to the operational challenges brought on by the pandemic, financial resilience is less certain and largely dependent on the duration and intensity of the pandemic and continued government support. Due to the response from the Federal Reserve and the federal government, the financial consequences of the pandemic have yet to appear in bank balance sheets. Income statements show that many financial institutions benefited from the revenue generated from the PPP and the increased demand from customers looking to refinance their mortgages. In response to lower interest rates, most financial institutions also reduced their cost of funds, some to levels not seen since 2007 to 2013. However, with some government aid being temporary and the end of the pandemic indefinite, banks face an uncertain horizon regarding their credit and earnings risk. While the manner and magnitude of the financial outcome are uncertain, past financial crises have shown that, regardless of the risk, banks that fared the best in stressed environments had built strong levels of capital and put in place strong risk management practices. Banks with strong credit administration practices and a proactive board and senior management will better navigate and adapt their standards to an ever-evolving and uncertain economic outlook. Finally, banks with a greater amount of capital, adequate reserve for loan losses, and diversified earnings will not only have the cushion to absorb expected losses in the short run but also have the ability to work with their customers and hold on to assets that will remain viable in the long run.

NEW

Commercial Lending in At-Risk Industries: Current economic conditions, adversely impacted by the pandemic, have affected nearly all industries. However, some industries, such as restaurants, hospitality, and retail stores, have suffered more severe consequences, including more frequent shutdowns and subsequent closings. In addition, these industries can be negatively impacted because of their geographic location. In other words, the adverse credit-quality impacts due to the pandemic are not felt evenly throughout loan portfolios. Much depends on the condition of specific local economies. Although granular loan data is often unavailable, broader indicators – such as overall market conditions, labor pool, and local unemployment data – can be indicators of possible at-risk industries within a bank’s portfolio. While commercial credit risk in the District continues to be highest in CRE loans and requires its own distinct analysis, the crisis could impact all segments of a bank’s commercial loan portfolio, particularly the loans in at-risk industries and in geographic areas with extended business shutdowns or where the impacts of market stimulus have waned. Banks with concentrations not only in CRE but also in commercial and industrial (C&I) loans are potentially more exposed to these at-risk industries.

Safe and Sound Practices

Financial institutions can help mitigate the impact of the pandemic with the following safe and sound practices:

NEW

Financial Resilience: Financial institutions should use the upcoming months as an opportunity to augment their capital levels and adequately reserve for losses. Banks should reconsider planned dividends and stock redemptions/buybacks, and analyze current capital levels by stressing their loan portfolio. Financial institutions should consider one-time effects of government programs and impacts of the pandemic when considering strategic planning, capital planning, and forecasting/budgeting. Additionally, before entering new markets or offering a new product or service, financial institutions should assess the risks and costs and ensure that appropriate policies, procedures, and limits are established. Financial institutions should analyze any new initiatives against their strategic and capital plans.

NEW

Commercial Lending in At-Risk Industries: Financial institutions should understand the risks and exposures associated with at-risk industries as the risk/exposure relates to specific segments of their loan portfolio (e.g., C&I, non-owner-occupied loans, and owner-occupied loans). For instance, by identifying industry concentrations within their CRE and even C&I portfolios, banks are in a better position to understand the underlying impacts on cash flows and collateral values within a particular industry. This understanding can aid bankers in adopting safe and sound loan modifications if the sale of collateral is necessary for those borrowers under severely stressed circumstances due to the pandemic.

Commercial Real Estate Risk – High

Rationale: The economic shutdowns and social distancing requirements across the nation and the Ninth District have harmed most industries. However, the impact varies by type of industry and whether the business is located in an urban or rural area. Businesses that intersect with CRE, such as retail, restaurants, and lodging, have been particularly hard hit. Persistent high unemployment levels will adversely impact multifamily and residential real estate (RRE) rental properties as rent payments drop due to nonpayment, evictions, and vacancies. The consequences of this fallout on CRE credit risk are diminished cash flows and a potential increase in problem borrowers, followed by a corresponding decrease in CRE values. Furthermore, the prospect of a prolonged economic downturn will test banks and their credit administration as banks grapple with longer workout strategies in an uncertain economy.

District Concerns

The following is a high-level summary of the main areas of CRE credit risk in our District.

NEW

CRE Concentrations: CRE loans (owner-occupied, non-owner-occupied, and multifamily properties) account for more than 30% of Ninth District SMBs’ total loan portfolios. Most SMBs likely have encountered some level of adverse impact to their CRE portfolios since the onset of the pandemic in March 2020. Many have experienced significant increases in the need for loan modifications. While any CRE loan type could be adversely impacted by the pandemic, income-producing CRE remains at most risk due in part to having tenants in at-risk industries. While multifamily CRE in general has stabilized given stimulus and eviction forbearance, housing markets are diverse. Banks approaching or exceeding the CRE concentration threshold levels identified in SR 07-1, “Interagency Guidance on Concentrations in Commercial Real Estate,” should be heightening their risk-mitigation practices as conditions within their lending market(s) warrant.

NEW

Income-Producing CREs: Cash flows from income-producing CRE, especially non-owner-occupied properties, could be adversely impacted. While stimulus packages and modifications have lessened some asset quality concerns, the long-term viability for many types of income-producing CRE (e.g., hotel/motel lodging) is less certain. For these and other currently troubled CRE borrowers, longer-term strategies by both the bank and borrower may be needed to ensure the borrower’s continued viability.

NEW

Collateral Values: While overall CRE values are stable, there are real estate (RE) value declines for those income-producing CRE properties exposed to industries at risk. In addition, business closures, tenant evictions, and other industry-specific adverse impacts could impede future property cash flows, resulting in additional value declines. While each CRE sector (i.e., retail, office, warehouse, multifamily) faces common RE risks, not all sectors have been impacted the same way by the pandemic; and for those that have, not all sectors adversely impacted carry over from one geographic area to another.

NEW

Credit Administration: Since the initial economic shutdowns in March 2020, regulators continue to support bankers’ efforts in executing prudent short- and long-term workout strategies. Some challenges remain, such as borrowers who are unable to provide timely financial statements, are reporting financial performance with continued weakness in their repayment ability, and/or are operating in an industry that raises concern for their long-term viability. These and other challenges remain for bankers, including identifying if these borrowers’ businesses can survive long term. With these challenges likely to continue for some borrowers through 2021, we encourage bankers to continue to be proactive with workout plans for their borrowers. While many borrowers may just need short-term relief that is offered through legislation and within regulatory guidance, other borrowers may need to have more robust workout plans.

Safe and Sound Practices

Financial institutions can help mitigate CRE credit risk with the following safe and sound practices:

NEW

CRE Concentrations: Financial institutions should understand the risks and exposures associated with the composition of their loan portfolio. Further stratification of the loan portfolio, such as by industry and geographic location, can help banks identify more effective workout strategies that can often apply to borrowers within a specific sector.

NEW

Income-Producing CREs: Financial institutions are encouraged to understand all sources of cash flows, including projected cash flows, for their borrowers. For instance, understanding how various stimuli have supported the business, how their borrowers expect to mitigate risk exposures and restore cash flows, and the reasonableness and reliability of any projected cash flows will aid in structuring any needed workout plans.

NEW

Collateral Values: Financial institutions are encouraged to understand the key inputs affecting income-producing RE values – specifically, rental rates, major expenses, historical/projected occupancy levels, debt load, supply of local inventory, and cap rates – which are primary inputs that will impact RE values.

NEW

Credit Administration: Per interagency guidance, financial institutions are encouraged to prudently work with all of their borrowers, and especially those adversely impacted by the pandemic. However, banks should not abandon their internal risk rating process and credit fundamentals.

Agricultural Credit Risk – Elevated

Rationale: Agricultural credit risk remains elevated due to stable and historically high farmland values, extensive government support, strong production levels per acre, and improved capital levels at most agriculturally concentrated banks. The risk trend has stabilized since the previous report due to improvements in farm income and export markets; however, several risk factors still support the elevated risk rating. Prior to 2020, agricultural producers had endured multiple years of declining net income because of low commodity prices and inflexible operating costs. As a result, many producers used working capital and equity in order to meet debt requirements, which left many agriculturally concentrated banks with unprofitable borrowers and increasing carryover debt. Farm sector net income increased substantially in 2020, mostly fueled by government support resulting from the COVID-19 pandemic. Government support accounted for almost 40% of net income in 2020 – an unsustainable level of farm income that adds uncertainty to income levels going forward. Overall trade policy is still uncertain, but agricultural exports improved significantly in the second half of 2020, which has improved commodity prices in the near term.

District Concerns

The following is a high-level summary of the main areas of agricultural credit risk in the Ninth District.

NEW

Composition of Farm Income: According to the U.S. Department of Agriculture (USDA), overall agriculture sector net farm income in 2020 is forecast to increase $36.0 billion to $119.6 billion, a 43% increase from 2019. Direct government farm payments will account for $46.5 billion of net farm income, almost 40%. Cash receipts for all commodities are expected to decrease approximately 1%, which is the lowest value since 2016. Although some commodity prices improved in the second half of 2020, the elevated prices and unprecedented government support do not mitigate years of losses, nor do they mitigate the continued market volatility caused by the pandemic, uncertain trade policy, and a new Executive branch administration.

Commodity and Food Market Disruptions: The early stages of the pandemic greatly disrupted supply chains, processing plants, and consumer behaviors. The disruptions created considerable uncertainty in market behavior, further exacerbating fragile commodity prices and worsening a bleak outlook for the farm sector. Throughout 2020, the USDA announced significant ad hoc support for producers, totaling over $46 billion in direct payments to farmers and ranchers impacted by the commodity and food market disruptions. As the pandemic evolves, the commodity and market disruptions appear to lead to less volatility, given more knowns than unknowns. However, recent news of COVID-19 mutations is a cause for additional concern if the new risks are not mitigated quickly.

Trade Policy (Formerly Foreign Tariffs): There is continued uncertainty regarding the Phase One trade agreement with China, given the export data and the January 2021 Presidential administration changes. Analysts expect some type of revisit to the initial trade agreement between the two countries, which could change the agricultural purchase targets currently in the agreement. For agricultural producers, the ongoing trade dispute may be more problematic in the long term than short term, given current channels of government support – e.g., Market Facilitation Program (MFP), Multiple Peril Crop Insurance (MPCI), Farm Service Agency (FSA), Small Business Administration (SBA), and Chapter 12 bankruptcy. Through the first 11 months of 2020, China's purchases were only at 76% (U.S. exports) or 62% (Chinese imports) of their year-to-date targets of covered agricultural products.

Loan Delinquencies: The most recent data (Q3 2020) suggests that delinquency rates on agricultural loans at agricultural banks continue to rise. The rolling four-quarter average of the median nonperforming loan ratio at agricultural banks continues to rise steadily, but the ratio is still less than 2%.

Farm Producer Financials – Carryover Debt: Prior to COVID-19, many Ninth District agriculturally concentrated banks had some borrowers who were unprofitable and had carryover debt. In these cases, borrowers expired working capital and utilized equity capital (generally farmland) to continue operating. Prior to the ad hoc direct government farm payments throughout 2020, we expected the pandemic to further amplify these concerns, given the continued commodity price weaknesses, volatility in commodity markets, and uncertain trade policy. In addition, the COVID-related shutdowns, and the resulting economic recession that decreased off-farm income this year, tightened monthly cash flow even further. Discussions with bankers indicate a strengthening of working capital positions for agricultural borrowers; however, one year of improved financials does not sufficiently mitigate continued years of weak financial performance and increased carryover debt.

Safe and Sound Practices

Financial institutions can help mitigate agricultural credit risk with the following safe and sound practices:

NEW

Farm Income, Market Disruptions, and Trade Policy: Financial institutions should discuss the COVID-19 impact in their annual inspections and regular conversations with agriculture producers. Loan officers should work with borrowers to restructure loans when appropriate and consider participating in government-sponsored programs. Loan officers should also closely monitor requests for COVID-19-related loan modifications and payment deferrals. During this time, loan officers should discuss the following with borrowers:

  • An assessment of the borrower’s current cash-flow projections, including the impact of any lost off-farm income, government program payment changes, disrupted supply chains, and revised marketing plans.
  • An assessment of the long-term viability and financial strength of borrower operations, given the likelihood of reductions to the elevated levels of direct government farm payments.
  • An assessment of operating efficiency, management strength, and management succession plans.
  • If necessary, repayment plans with required action steps.

Loan Delinquencies: Financial institutions, especially those with significant concentrations, should consider reducing dividends, stock redemptions, and buybacks as part of their capital planning process. Other strategies may include using other loss-absorbing facilities, such as FSA guarantees, or obtaining additional collateral from weaker borrowers. Strategies can also include indirect loss mitigation, such as robust cash-flow analysis, enhanced collateral inspection, and strong monitoring practices for loans with carryover debt.

Carryover Debt: Financial institutions should address carryover debt either in policies or in documented procedures that consider the strong risk management practices detailed in SR 11-14, “Supervisory Expectations for Risk Management of Agricultural Credit Risk.”

Consumer Compliance Risk – Elevated

Rationale: The pandemic continues to place demands on existing compliance risk management systems of the District’s financial institutions. The adverse health effects and economic effects of the pandemic combine to present significant uncertainty and continued operational risks for institutions. Adhering to changes in guidance from government officials on pandemic management as well as adjusting to changing COVID-19 case numbers and staff availability requires frequent adaptation of processes and systems. While regulators continue to extend flexibility where appropriate, change management is often a primary responsibility of compliance, risk management, and audit staff, which carries resource and capacity implications. Access to banking services may be complicated by branch closures and increased reliance on electronic options. An institution’s ability to address consumer requests and complaints, as well as acting in good faith to comply with consumer protection laws and regulations, depends on staff availability and system capacity.

District Concerns

The following is a list of the main areas of consumer compliance risk in our District, as well as a high-level summary of the reasons for concern.

NEW

Fair Lending: Financial institutions may face additional exposure to fair lending risk because of the pandemic. The potential for disparate treatment and impact exists as institutions establish criteria to modify loan terms, reduce interest rates, waive fees, or process credit requests. The operational changes necessary as a result of the pandemic may make it difficult for some institutions to follow a consistent approach when offering accommodations or providing assistance to borrowers or applicants, which may disproportionately affect a prohibited basis group.

NEW

Loan Origination and Servicing: Loan origination and servicing operations in many financial institutions must simultaneously manage increased activity and significant change as they manage programs to accommodate customers experiencing financial hardship and prepare for increased delinquencies. Many District institutions report record volumes of RRE lending activity, which may strain operational capacity and risk management systems for some. Ongoing revisions to investor guidelines and federal loan program requirements necessitate change management resources for lenders and servicers to train staff, update systems, and adapt processes. Pandemic-related operational and staffing adjustments require ongoing attention and may impact the effectiveness of existing processes and practices designed to reduce risk. While participation in modification programs and borrower requests for accommodations currently are relatively low in the District, significant economic uncertainty exists, and many institutions expect increases in delinquencies.

NEW

Capacity of Risk Management Systems: Many conditions present during the pandemic – including operational changes, earnings pressures, novel loan programs, and weak economic conditions – bring demanding challenges for compliance risk management programs that are also experiencing shifting staff availability and altered work arrangements. Tracking, implementing, and monitoring change management is a primary responsibility of compliance, risk management, and audit personnel. Operational changes, such as telecommuting, staff reassignments, hiring freezes, and rotational office access, may limit the ability to complete software updates, audits, and other routine risk management activities for some institutions. While loan delinquency rates remain generally low, most financial institutions predict increases, which may impact personnel and financial resources. Risk may also increase because existing vendor risk management systems may not function normally or may have reduced capacity.

NEW

Customer Access: In order to manage the spread of the virus, financial institutions temporarily closed offices, in many cases to comply with state and local government requirements applicable to a wide variety of businesses. With some branch lobbies closed and increased reliance on electronic banking, telephone calls, and service by appointment, the institutions’ customers may have a more difficult time obtaining access when needed, particularly customers with limited internet service, mobility, or resources. Banks may struggle to respond to customer service requests timely and thoroughly because of limited staff availability and challenges in accessing needed information and systems, both of which may be reduced by necessary operational changes. Diminished access carries the potential for increased risk of disparate or unfair treatment of the bank’s customers.

Safe and Sound Practices

Financial institutions can help mitigate consumer compliance risk by following the sound practices described for each area of concern.

NEW

Fair Lending: Essential components of fair lending risk management include consistent application of policies and procedures, transparent communication of available options to all, and tracking and monitoring credit outcomes and complaints. Financial institutions can mitigate the risk of disparate treatment and impact by ensuring consistency in all aspects of lending and servicing, including credit availability, application procedures, lending standards, and modification processing. To reduce the potential for adverse impacts, any limits on eligibility for or access to products or credit terms should be evaluated from a fair lending perspective prior to implementation. Clear procedures and ongoing training reduce discrimination risk by ensuring that borrowers and applicants are neither treated differently nor discouraged at any point in the lending process, from inquiry to collections.

NEW

Loan Origination and Servicing: Effective compliance programs require proactive monitoring and regular modification to accommodate ongoing changes in compliance risk, the organization, and its environment. Financial institutions, especially those with significant or increased origination volume or servicing portfolios, may need to adjust existing internal controls, policies and procedures, and risk monitoring and management information systems to adequately mitigate compliance risk. The ongoing operational challenges presented by the pandemic require a change management process that includes robust oversight and thorough monitoring to be effective. When volume is higher than normal or changes are numerous, adjustments to the frequency or scope of regular audits and monitoring may be necessary to detect and resolve errors promptly.

NEW

Capacity of Risk Management Systems: Compliance risk management resources should be sufficient to maintain compliance and reflect the financial institution’s size, complexity, and risk profile. During times of significant change and uncertainty, institutions should take steps to assess compliance risk, evaluate capacity, and remedy deficiencies, prioritizing areas that may lead to consumer harm and systemic violations. As institutions face increased earnings pressures and consider cost-savings measures, assessing current compliance management risks and the resources needed to manage those risks is a practical step prior to considering any reductions.

NEW

Customer Access: Ensuring products and services are readily accessible to customers and communities is essential for banks to meet community credit and banking needs. An important element of complaint monitoring and customer service efforts is to continually evaluate accessibility – particularly for vulnerable consumers, small businesses, and small farms – so the institution can address any access issues timely. Routinely assessing customer access may be done formally, such as by monitoring call volumes and wait times, or informally, such as through periodic status updates from employees.

Cybersecurity Risk – High

Rationale: The latest Finastra and SolarWinds breaches in 2020, accompanied by an elevated level of continued ransomware and phishing attacks, further confirm the high level of cybersecurity risk currently being experienced by not only banks but also other major corporations. These breaches indicate high motivation for nefarious actors to continue to find security gaps in the IT infrastructure of U.S. government and private organizations. However, we believe the current supervisory approach need not be modified to address the risk. The Reserve Bank will continue to reinforce the importance of maintaining a strong cybersecurity framework to SMBs through outreach efforts and IT examination activities.

District Concerns

The following is a high-level summary of the main areas of cybersecurity risk in our District.

Operational Resilience: In response to social distancing requirements, institutions have activated their business continuity and pandemic plans and have moved their operations to employees’ homes. As a result of the sudden switch to a remote workforce, banks are facing an uptick in email-based threats, endpoint-security gaps, and other cybersecurity threats. Additionally, due to a shortage of equipment, some banks allowed employees to use their personal computers to access their bank’s network, which is not a good practice. The continued increase in cyberattacks has heightened the importance of regular pandemic business continuity planning/disaster recovery (BCP/DR), incident response plan testing, robust patching, and employee training.

Third-Party Risk Management: The SolarWinds breach also indicated the importance of identifying critical vendors and verifying that security controls are in place for data at the third party. A majority of organizations within the Ninth District have some sort of outsourcing agreement with a third party; therefore, it is critical that organizations have a clear understanding of the type of data the third party is accessing and what controls the vendor has in place to protect that data. With more cloud migration, banks need to continue to strengthen their risk management of third-party vendors, such as due diligence, ongoing monitoring, and participating in business continuity testing with third-party vendors. Even before the pandemic, a number of firms had outsourced critical operations to third parties and migrated to cloud-based platforms, but many financial institutions have been concerned about having the technical expertise necessary to ensure the vendors have satisfactory controls related to confidentiality, integrity, and availability of data. However, the work-from-home arrangements have led banks to hasten their migration to the cloud.

Employee Training: The current pandemic poses a challenge for banks to provide quality information security training that contains content commensurate with the current remote working environment. Employee awareness and diligence related to information security remain a primary means to prevent and detect cybersecurity issues. Employees must also be trained in handling confidential information while working remotely, including what information can be printed at home.

Vulnerability and Patch Management: Financial institutions continue to find it difficult to prioritize, test, and install an escalating volume of software patches needed to address vulnerabilities and prevent security incidents, which has resulted in an increase in outsourcing to TSPs/MSPs (Technology Service Providers/Managed Service Providers). However, outsourcing does not relieve the board from responsibility. Unaddressed backlogs compound the problem.

Safe and Sound Practices

Financial institutions can help mitigate cybersecurity risk with the following safe and sound practices:

Operational Resilience: BCP/DR, incident response, and pandemic plans should be up-to-date and regularly tested to ensure employees are aware of steps to be taken in case of an operational interruption. Additionally, financial institutions should conduct BCP/DR testing regularly with critical vendors. Only bank-approved devices should be allowed to access the bank’s network. Computers outside of bank ownership and control are not patched by the MSP and should be considered compromised and untrustworthy. Should an employee’s PC be compromised with a specific strain of malware, the malware could transmit copies of itself inside the bank’s network with harmful effect.

Third-Party Risk Management: Responsibility for providing satisfactory oversight of outsourced relationships remains with the board and senior management. Financial institutions should continue to identify critical vendors and to ensure critical vendors have satisfactory BCP/DR, incident response plans, and appropriate security controls in place. Contracts with vendors should include a set of standard baseline security requirements, which can be based on industry best practices. Financial institutions need to ensure that contracts require vendors to stay in compliance with data privacy requirements. Organizations should regularly validate that the vendor is meeting the requirements set in the initial contract and the service level agreement. Organizations cannot assume that unusual outbound network traffic is benign, even when it originates from a trusted application; such traffic should be reviewed with skepticism.

Vendors need to tune their detection algorithms to account for the very real possibility of malicious actions from trusted applications, and enterprises need to update their monitoring tactics to watch for anomalies where they typically haven’t focused as much before, such as their network management software.

Traditional network security best practices can also lessen the likelihood of a SolarWinds-style data exfiltration, namely, network segmentation and perimeter firewall policies that restrict application traffic to preapproved domains.
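The following is an added example, not part of the Reserve Bank's report, of how outbound traffic from a trusted application can be checked against a list of preapproved domains. The application names, domains, and log records are constructed for illustration and assume an egress log with one connection per line.

```python
# Assumed policy: each application may reach only these domains and their
# subdomains. Application names and domains are hypothetical.
APPROVED_DOMAINS = {
    "netmgmt-agent": ["updates.vendor.example"],
    "patch-client": ["patches.msp.example"],
}

# Constructed sample egress records: time, host, application, destination, bytes out.
SAMPLE_LOG = """\
2020-12-14T02:11:09Z nms01 netmgmt-agent updates.vendor.example 5120
2020-12-14T02:13:41Z nms01 netmgmt-agent eu.updates.vendor.example. 2048
2020-12-14T02:15:02Z nms01 netmgmt-agent updates.vendor.example.unapproved.test 880
2020-12-14T02:15:40Z nms01 netmgmt-agent xupdates.vendor.example 912
2020-12-14T03:00:00Z ws07 patch-client PATCHES.msp.example 30000
2020-12-14T03:05:12Z ws07 report-tool files.unknown.test 700000
"""

def normalize(domain):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")

def is_approved(application, destination):
    """True only for an exact match or a subdomain on a label boundary."""
    dest = normalize(destination)
    for allowed in APPROVED_DOMAINS.get(application, []):
        allowed = normalize(allowed)
        # Requiring the leading dot rejects look-alikes such as "xupdates...".
        if dest == allowed or dest.endswith("." + allowed):
            return True
    return False  # default deny, including applications with no policy entry

def review_egress(log_text):
    """Return one finding per record that the allowlist does not cover."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        when, host, application, destination, bytes_out = fields
        if is_approved(application, destination):
            continue
        known = application in APPROVED_DOMAINS
        findings.append({"time": when, "host": host, "application": application,
                         "destination": normalize(destination),
                         "bytes_out": int(bytes_out),
                         "reason": "unlisted destination" if known else "unlisted application"})
    return findings

if __name__ == "__main__":
    print(*review_egress(SAMPLE_LOG), sep="\n")
```

The same label-boundary comparison applies whether the allowlist is enforced at the perimeter firewall or used only to review logs after the fact.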

Third-Party Risk Management: Appropriate ongoing monitoring of existing relationships and due diligence of potential vendors are keys to a satisfactory vendor risk management program. In addition, DLP (data loss prevention) monitoring should be in place, particularly with third parties.

Employee Training: Financial institutions should continue to conduct regular employee information security training, as well as cybersecurity training and testing, commensurate with the IT environment of the institution. In the current pandemic, banks should carry out virtual training for team members to educate them on what to do in the event of a cyberattack and what potential risks they should watch out for, such as suspicious emails and malware.

Vulnerability and Patch Management: Financial institutions should continue to improve their vulnerability and patch management programs. Board and senior management should engage in regular network penetration testing in order to validate network resilience. In addition, vulnerability scanning should be performed regularly to explore potential points of exploitation and potential security issues on a network. Financial institutions should promptly remediate identified problems.


Appendix 1 – Risk Table

| Risk | Winter* 12/31/2020 | Summer 6/30/2020 | Winter 12/31/2019 |
| --- | --- | --- | --- |
| Credit Risk | High | High | Acceptable |
| Agricultural Credit Risk | Elevated | Elevated | Elevated |
| Commercial Real Estate Credit Risk | High | High | Acceptable |
| Investment Securities Credit Risk | Acceptable | Acceptable | Acceptable |
| Liquidity Risk | Acceptable | Acceptable | Elevated |
| Interest Rate Risk | Acceptable | Acceptable | Acceptable |
| Cybersecurity Risk | High | High | High |
| BSA, AML, & OFAC Risk | Acceptable | Acceptable | Acceptable |
| Consumer Compliance Risk | Elevated | Elevated | Acceptable |

* Level classifications are described as follows:

High – Inherent risk reflects a current problem area or one likely to become a problem area in the next one to two years, that, if realized, would have a significant impact on institutions in terms of operating losses, rating downgrades, strategic goal impediments (e.g., M&A), or failures. The supervisory approach requires specific supervisory action steps to control or mitigate the risk.
Elevated – Inherent risk reflects either a current problem area that has a less significant impact on institutions than a high-risk area, or an area that is potentially high impact but is less likely to develop in the next one to two years. The supervisory approach typically must be a modified approach to monitor, understand, or communicate the risk.
Acceptable – Inherent risk does not fulfill the definition of either high or elevated risk, and the current supervisory approach is sufficient to manage the risk.