Skip to main content

June 2016 High and Emerging Risk List

June 30, 2016

(Data as of December 31, 2015)

PDF of June 2016 Risk List

Risk List Process

We begin development of the Risk List by identifying areas of risk potentially faced by Ninth District financial institutions – see Table 1. Then we assess each risk for level of concern, level of exposure, and trend – see Table 2. Table 1 also summarizes all risks considered and shows the level of concern and level of exposure for the current period and two prior periods. The report includes trend data only for the current period. While there is a slight bias toward issues affecting SMBs, the process assesses risk exposure for all Ninth District banks and holding companies. 

Key risks and the related supervisory responses are summarized in order of risk severity. We also include brief discussions of risks that, although currently below the threshold for a complete write-up, have the potential to emerge as significant concerns in the near term or for which additional information is needed to assess the actual level of risk. Finally, we do not comment on risk dimensions that are not currently significant areas of concern. 


Table 1: Risk List table


Table 2: Risk List key


Summary of Key Risks

Cybersecurity Risk Red arrow

Cybersecurity risk remains high, with significant exposure and a stable trend. While risk remains high, institutions have been managing heightened current cybersecurity threats for some time so the trend is stable. Cybersecurity is the universe of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

The high level of cybersecurity risk is a function of both the frequency and the potential severity of losses that lead to a control breakdown. While Distributed Denial of Service (DDoS) and other sophisticated network attacks continue to be prevalent, cyber criminals and activists have been targeting financial institutions with ransomware, a type of malware that typically encrypts data on a target machine and/or connected network. The malware is often introduced through an email attachment or clicking on a malicious web page or ad. Attackers then demand payment in order to release or unlock the files. 

Most Ninth District institutions continue to have a critical reliance on third parties for technology services. The trend of adopting cloud and virtualization technologies has increased this reliance. Examiners continue to cite issues at financial institutions that result from overreliance on third parties, without appropriate oversight. These issues lead to inadequate business continuity, disaster recovery performance, testing, and overall network resiliency.

Key Action Steps for Banks and Holding Companies

  • Institutions should provide staff with adequate job-specific training related to awareness of social engineering schemes and ransomware in order to reduce the likelihood of incidents.
  • Financial institutions should have established and tested incident response plans to react quickly if an incident were to occur.

Bank Secrecy Act/Anti-Money Laundering, and Office of Foreign Assets Control Risk Yellow arrow

BSA/AML and OFAC risk is elevated, with a significant exposure and an increasing trend. BSA/AML and OFAC risk is the risk of legal and compliance costs and reputational damage associated with failure to comply with BSA/AML and OFAC obligations. 

The regulatory agencies have released new rules that will have a significant impact on institutions’ BSA/AML compliance programs. The Financial Crimes Enforcement Network (FinCEN) issued final rules2  on May 11, 2016, to clarify and strengthen Customer Due Diligence (CDD) requirements. These rules contain explicit CDD requirements and include a new requirement to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions. 

Separate guidance3  released on March 21, 2016, requires institutions to apply customer identification program (CIP) requirements to prepaid cards when they are reloadable or offer credit/debit features. 

BSA/AML risks have increased across the Ninth District. The legalization of marijuana in various states,4  in conflict with federal law,5  the potential development of marijuana businesses on tribal lands, recent issuance of guidance and rules related to CIP, and recent changes in CDD requirements have increased the requirements on banks. 

Additionally, as institutions have focused on growth and earnings, in some instances BSA programs have not kept pace.  As a result, we have seen an increase in violations cited for noncompliance with required elements of an effective BSA compliance program and key OFAC requirements.

Key Action Steps for Banks and Holding Companies

  • As institutions consider new strategies, including acquisitions, they should proactively consider the impact of these strategies on their overall BSA/OFAC risk profile and what additional actions they will need to take to appropriately mitigate new or elevated risks.
  • Institutions should review CIP requirements to ensure that policy, procedures, and processes comply with guidance related to prepaid cards.  Institutions should review their current CDD program to ensure compliance with requirements in preparation for the May 11, 2018, compliance deadline.
  • Institutions should ensure that they have established an effective OFAC compliance program, including the following actions:

    o Identify higher-risk areas. 

    o Provide appropriate internal controls for screening and reporting.

    o Establish independent testing for compliance. 

    o Designate a bank employee or employees to be responsible for OFAC compliance.

    o Establish training programs for appropriate personnel in all relevant areas of the bank.
  • Institutions can address the OFAC compliance program within the overall BSA policy and risk assessment, and they should tailor it to the risks of the institution. 

Agricultural Credit Risk Yellow arrow

Agricultural credit risk is elevated, with a high exposure and an increasing trend. Agricultural credit risk consists of the direct and indirect credit risks related to agricultural producers and their communities. The majority of Ninth District bank loan portfolios continue to be highly exposed to agriculture, posing significant risk over the next year. Crop prices6  remain well below the highs reached in 2012, resulting in marginal cash flow for many producers. Positive cash flow for livestock producers is also at risk. As of June 2016, market-ready livestock prices have dropped significantly from their peaks in 2014. Dairy producers are also less profitable, as the price of Class III milk has fallen moderately in the last year. 

Depressed commodity prices have begun to affect farmland prices.. Lesser-quality farmland has had some price corrections over the last year, and higher-quality farmland is beginning to exhibit some weakness. 

Key Action Steps for Banks and Holding Companies

  • Institutions should carefully monitor cash flow projections and take prudent steps with borrowers when cash flow projections indicate potential difficulty. Actions taken by the bank should consider the long-term viability and overall financial strength of the borrower, including borrower equity, operating efficiency, and outside debt. 
  • Institutions should include their agricultural concentration in the capital planning process to ensure capital adequacy against loan portfolio risk. 

Consumer Compliance Risk Yellow arrow

Consumer compliance risk is elevated, with a moderate level of exposure and an increasing trend. Consumer compliance risk is the risk of legal or regulatory sanctions, financial loss, consumer harm, or damage to reputation and franchise value caused by failure to comply with or adhere to consumer protection laws, regulations, or standards; or the institution’s own policies, procedures, code of conduct, and ethical standards.

Implementation challenges with new mortgage lending requirements, pressures on compliance resources, enhanced fair lending oversight, and growth in higher-risk consumer products, such as indirect auto lending, are all driving increased risk. The Truth in Lending Act – Real Estate Settlement Procedures Act Integrated Disclosures (TRID) rule added significant complexity to the mortgage loan closing process and contributed to some vendor implementation delays and challenges. This complexity strained compliance resources at some institutions during implementation and increased the risk that other compliance areas did not receive appropriate levels of oversight.

Many institutions also face significant challenges in hiring and retaining compliance staff with appropriate expertise. In particular, current strong compliance officers may be difficult to replace if they retire or leave for other reasons. Heightened focus on fair lending means financial institutions must ensure their compliance management programs appropriately evaluate and respond to fair lending risks associated with the bank’s products and markets. Finally, expanded indirect lending in some institutions requires greater oversight and controls to ensure that loan prices do not reflect discrimination based on a prohibited basis category.

Key Action Steps for Banks and Holding Companies

  • Institutions should adapt compliance risk management programs, including monitoring resource levels, to reflect new risks when engaging in new activities or when existing programs are subject to new regulations. Greater compliance risk will likely exist in:
    • Institutions with new compliance officers or programs that appear to operate with declining or limited resources.
    • Institutions where compliance resources appear to be minimal or stressed.
    • Institutions with high inherent risk from mortgage loans, credit cards, overdraft programs, and indirect lending programs or new products.

Earnings Risk Yellow arrow

Earnings risk is elevated, with moderate exposure and a stable trend. For purposes of this risk list, we define earnings risk as risk relating to bad outcomes from business strategy, such as new product/service offerings, mergers and acquisitions (M&A), and/or the potential for earnings volatility related to the overall strategy of an organization. 

Analysis of applications activity since the beginning of 2012 shows steady expansionary activity in the District.7  The first half of 2016 has already seen 12 expansionary applications, compared to 13 in all of both 2014 and 2015. Other activities also show efforts by smaller institutions to grow and ultimately increase earnings, grow market share, and ensure continued viability. As these institutions introduce new products /services, there is risk that the institution’s risk management framework may not keep pace, exposing the institution to greater long-term risk.

Key Action Steps for Banks and Holding Companies

  • Institutions should ensure that they have an effective planning process that incorporates planned changes; address planning, due diligence, and monitoring expectations; and identify current and future management and staff needs. Institutions’ boards should monitor how actual results compare to planned results when discussing acquisitions or new products/services.

Energy Sector Risk Yellow arrow

Energy sector risk is elevated, with low exposure and a stable trend. Energy sector risk consists of the direct and indirect risks related to energy producers and their communities. 

Ninth District energy sector risk is concentrated in the Bakken Formation in western North Dakota and eastern Montana. After several years of rapid expansion, oil activity decreased in 2015 and early 2016. The slow-down in oil activity has started to filter through the region’s economy, causing a $1 billion state spending gap. Although recent reports indicate that some Bakken firms are hiring again, significant uncertainty remains. Most Institutions state that they have minimal primary exposure to oil activity, but many are seeing some secondary and tertiary effects after oil field workers left the area or had their hours reduced. Many municipalities needed to expand their infrastructure during the recent boom time, and the slowdown effects on area cities and their tax base are just beginning to surface.

Key Action Steps for Banks and Holding Companies

  • Institutions with material exposures to the energy sector should develop a strategy for monitoring their energy exposure and proactively work with borrowers experiencing stress. 











    2016 (1/1 - 6/30)


  • Institutions with exposure (loans or municipal securities) to the Bakken and other oil-dependent regions should monitor the secondary and tertiary effects, including understanding which cities are most reliant on oil revenue to meet their existing obligations (e.g., they hold oil bonds).

Below-Threshold But Potentially Significant Risks

In addition to the key risks already discussed, there are other potentially significant risks that banks and holding companies should monitor, including the following:

  • Commercial Real Estate (CRE) Credit Risk: While overall CRE concentrations in the District remain lower than levels observed prior to the last CRE downturn, CRE concentrations have been rising in many institutions. Several banks also have increased lending through purchase of loans. Because of increasing risk, supervisory reviews for institutions with significant CRE concentrations will use expanded procedures to ensure banks are complying with risk management expectations for CRE lending.8 
  • Credit Risk Administration: While current credit quality indicators do not identify any significant adverse trends in specific credit lending spaces,9  credit risk management practices are of concern. Regulators have identified weakened credit risk management practices, most often resulting from a competitive lending landscape, low interest rate environment, and/or expense cutting efforts. SMBs should remain vigilant in maintaining prudent credit risk management practices and be mindful of existing regulatory guidance as they manage their institutions’ overall credit risk.

  • Interest Rate Risk (IRR): Most institutions meet supervisory expectations for managing IRR and generally appear reasonably positioned for gradual rate changes. However, the prolonged low rate environment combined with the significant inflow of deposits in recent years, especially nonmaturity deposits, has made it difficult to develop robust IRR modeling assumptions. Therefore, it is important for management to challenge historical assumptions.

    • Key items for firms to evaluate include:
    • Whether weaker borrowers would be capable of cash flowing with increased interest rates.
    • Models address both on-balance-sheet and off-balance-sheet risk.
    • Management and the board understand key assumptions and weaknesses of models.
    • Assumptions consider the impact of large deposits and surge deposits and their related betas, decay rates, and changes in the deposit mix. 
    • Scenario analyses and stress tests are appropriate and identify exposure under a variety of rate environments and stress scenarios.  


2The final rules became effective on July 11, 2016; however, banks have until May 11, 2018, to comply.

3 SR 16-7, Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards. 

4 Including Michigan, Minnesota, and Montana.

5 Federal Controlled Substance Act of 1970.

6 Crops most prevalent in the Ninth District include corn, soybeans, and wheat.

7 Ninth District Post-Crisis Expansionary Applications

8SR Letter 15-17: Statement on Prudent Risk Management for Commercial Real Estate Lending

9 Not including Agricultural Credit risk, which is addressed separately.