June 30, 2017
Financial Data as of March 31, 2017 (unless otherwise noted)
Table 1 |
|||||||
| *Indicates change in level of concern. | |||||||
| 6/30/2016 | 12/31/2016 | 6/30/2017 | |||||
|---|---|---|---|---|---|---|---|
| Risk | Level of Concern | Exposure | Level of Concern | Exposure | Level of Concern | Exposure | Trend |
| Credit Risk | |||||||
| Commercial Real Estate Credit Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↑ |
| Commercial and Industrial Credit Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↔ |
| Agricultural Credit Risk |
Elevated
|
|
Elevated
|
|
Elevated
|
|
↑ |
| Energy Sector Credit Risk |
Elevated
|
|
Elevated
|
|
Moderate*
|
|
↓ |
| Consumer Credit Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↑ |
| Residential Real Estate Credit Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↔ |
| Other Real Estate Owned Risk |
Low
|
|
Low
|
|
Low
|
|
↔ |
| Investment Securities Credit Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↔ |
| Market and Liquidity Risk | |||||||
| Liquidity Risk |
Low
|
|
Low
|
|
Low
|
|
↔ |
| Interest Rate Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↓ |
| Operational Risk | |||||||
| Cybersecurity Risk |
High
|
|
High
|
|
High
|
|
↔ |
| Other IT Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↔ |
| Fraud and Internal Controls Risk |
Moderate
|
|
Moderate
|
|
Moderate
|
|
↔ |
| Legal and Compliance Risk | |||||||
| Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control Risk |
Elevated
|
|
Elevated
|
|
Moderate*
|
|
↓ |
| Consumer Compliance Risk |
Elevated
|
|
Elevated
|
|
Elevated
|
|
↔ |
| Financial Risk | |||||||
| Earnings Risk |
Elevated
|
|
Elevated
|
|
Elevated
|
|
↔ |
Table 2 |
|||
| 1 For example, all institutions face some degree of liquidity risk and interest rate risk. The exposure level measures the proportion of institutions believed to face a moderate or higher level of risk. | |||
| Level of Concern Measures the District’s assessment of the risk area, considering: (1) Prospects that the risk will give rise to an adverse financial impact, (2) Immediacy of the risk, and (3) Potential for losses. The focus is on inherent risk in the absence of controls or risk mitigants an institution may have implemented. |
High
|
Current problem area, or one likely to become a problem area in the next 1 to 2 years, that, if realized, would have a significant impact on institutions in terms of operating losses, rating downgrades, or failures. | |
|
Elevated
|
Either a current problem area that has a less significant impact on institutions than a high-risk area, or an area that is potentially high impact but less likely to develop in the next 1 to 2 years. | ||
|
Moderate
|
A concern that is notable for some reason, but the impact is not likely to be significant in the near term. | ||
|
Low
|
Little to no risk of a significant adverse impact in the next 1 to 2 years. | ||
| Level of Exposure Measures the relative percentage of institutions believed to face current or likely exposure to the risk at an elevated level.1 |
Significant | Affects a substantial number of SMBs and holding companies. | |
| Moderate | Affects a meaningful but not significant percentage of SMBs and holding companies. | ||
| Low | Affects only a few SMBs and holding companies. | ||
| Trend | ↑ | Increasing | |
| ↔ | Stable | ||
| ↓ | Decreasing | ||
Risk List Process
We begin development of the Risk List by identifying areas of risk potentially faced by Ninth District financial institutions, as shown in Table 1. Then we assess each risk for level of concern, level of exposure, and trend, as shown in Table 2. Table 1 also summarizes each risk considered and shows the level of concern and level of exposure for the current period and two prior periods. The report includes trend data only for the current period. While there is bias toward issues affecting state member banks (SMB), the process assesses risk exposure for all Ninth District banks and holding companies.
Key risks and the related supervisory responses are summarized in order of risk severity. We also include brief discussions of risks that, although currently below the threshold for a complete write-up, have the potential to emerge as significant concerns in the near term or for which additional information is needed to assess the actual level of risk. Finally, we do not comment on risk dimensions that are not currently significant areas of concern.
Summary of Key Risks
Cybersecurity Risk 
Cybersecurity risk remains high, with significant exposure and a stable trend. Cybersecurity is the universe of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.
The high level of cybersecurity risk is a function of both the frequency and the potential severity of losses that could result from a control breakdown. Distributed Denial of Service (DDoS) attacks are occurring more often and evolving in sophistication and technique. Attackers continue to launch attacks leveraging massive botnets, including ones that utilize Internet of Things devices. Manufacturers of these devices will be slow to address the vulnerabilities, so mitigation defenses must continue to be strong and responsive.
The massive WannaCry cyberattack further demonstrates the threat of ransomware and a continued need to have strong processes in place for patching and hardening systems. While most ransomware is introduced by clicking on an attachment or a link, WannaCry was able to propagate across networks by exploiting a known Windows vulnerability. Microsoft had issued a “critical” security patch, but many organizations had not yet applied it. Financial institutions need to provide adequate training for staff, ensure effective patch management processes are in place, and have established and tested their incident response plans to react quickly if an incident were to occur.
The majority of Ninth District institutions outsource critical technology services. The trend of adopting cloud and virtualization technologies has increased this reliance on third parties. Examiners continue to cite issues in the field that result from overreliance on outsourcing without appropriate oversight, which emphasizes the need to fully understand and control risks related to newly implemented cloud and virtual networks. These issues lead to inadequacies in business continuity, disaster recovery performance, testing, and overall network resiliency.
Key Action Steps for Banks and Holding Companies
- Banks should ensure they have established and tested incident response plans and should consider including scenario testing with scenarios such as ransomware or DDoS attacks in their business continuity planning and disaster recovery plans (BCP/DR).
- Banks should provide staff with adequate job-specific training and resources related to awareness of social engineering schemes and ransomware in order to reduce the likelihood of successful attacks.
- Banks should also ensure strong controls are in place to monitor risks related to outsourcing and third-party relationships.
- Banks should ensure they have effective processes in place for timely patch management to protect against known vulnerabilities.
- Banks should fully understand the risks and required controls of any cloud or virtualization technology they have implemented or are considering.
Agricultural Credit Risk 
Agricultural credit risk is elevated, with a high exposure and a stable trend. Agricultural credit risk consists of the direct and indirect credit risks related to agricultural producers and their communities.
Prices for the District’s major crops remain depressed, resulting in marginal cash flow for many producers. Additionally, the increasing volume of grain in storage may put further downward pressure on crop prices. During the past couple of years, most crop-producing sections of the District have experienced exceptional yields, which have partially compensated for the low priced commodity environment. However, dry conditions across most of the District have put 2017 crop yields at risk, and we are beginning to see the effect of prolonged low commodity prices on banking conditions. While livestock prices remain well below their highs of 2014, they have improved slightly over the past six months, and most producers should now be comfortably above break-even.
Low commodity prices have also contributed to declining farmland values. Sales are slow, with most farmland sales resulting from estate activity. The greatest declines in land prices have been in the District’s crop-growing regions.
Key Action Steps for Banks and Holding Companies
- Institutions should carefully monitor cash flow projections and take prudent steps with borrowers when cash flow projections indicate difficulty. Actions taken by the bank should include consideration of the long-term viability and overall financial strength of the borrower, including borrower equity, operating efficiency, and outside debt.
- Institutions should ensure that their policies include guidelines for carryover debt, including establishing standards for acceptable structures when financing carryover debt.
- Institutions need to include their agricultural concentration risk in their liquidity and capital planning process to ensure adequacy relative to loan portfolio risk.
Consumer Compliance Risk 
Consumer compliance risk is elevated, with a moderate level of exposure and a stable trend. Consumer compliance risk is the risk of legal or regulatory sanctions, financial loss, consumer harm, or damage to reputation and franchise value caused by failure to comply with or adhere to consumer protection laws, regulations, or standards; or the institution’s own policies, procedures, code of conduct, and ethical standards.
Implementation challenges with new mortgage lending requirements, pressures on compliance resources, enhanced fair lending oversight, and growth in higher-risk consumer products, such as indirect auto lending, are all driving increased risk. The Truth in Lending Act – Real Estate Settlement Procedures Act Integrated Disclosures (TRID) rule added significant complexity to the mortgage loan closing process, and now requires banks to monitor the effectiveness of their implementation processes. This complexity strained compliance resources at some institutions during implementation and increases the risk that other compliance areas did not or will not receive appropriate levels of oversight. New and complex regulatory changes continue, most notably for banks subject to the Home Mortgage Disclosure Act, potentially compounding strain on compliance resources.
Other challenges driving the consumer compliance risk level include staff changes, integration of compliance programs, and areas subject to heightened regulatory focus. Many institutions face significant challenges in hiring and retaining compliance staff with appropriate expertise. In particular, current strong compliance officers may be difficult to replace if they retire or leave for other reasons. Heightened focus on fair lending means financial institutions must ensure their compliance management programs appropriately evaluate and respond to fair lending risks associated with the bank’s products and markets. Additionally, expanded indirect lending in some institutions requires greater oversight and controls to ensure that loan prices do not reflect discrimination based on a prohibited basis category. Other areas of heightened regulatory focus include incentive compensation and sales practices.
Key Action Steps for Banks and Holding Companies
- Institutions should adapt compliance risk management programs, including monitoring resource levels, to reflect new risks when engaging in new activities or when existing programs are subject to new regulations. Greater compliance risk will likely exist in:
- Institutions with new compliance officers or programs that appear to operate with declining or limited resources.
- Institutions where compliance resources appear to be minimal or stressed.
- Institutions with high inherent risk from mortgage loans, credit cards, overdraft programs, and indirect lending programs or new products.
- Institutions, particularly those classified as intermediate small banks under Community Reinvestment Act (CRA), should review their CRA strategies and how they manage CRA to ensure that their lending and community development activities meet their CRA obligation.
- Institutions should monitor the effectiveness of their TRID implementation.
Below-Threshold But Potentially Significant Risks
In addition to the key risks already discussed, there are other potentially significant risks that banks and holding companies should monitor, including the following:
-
Bank Secrecy Act/Anti-Money Laundering, and Office of Foreign Assets Control Risk. While examiners continue to issue a high number of supervisory findings related to BSA, these findings have been significantly less severe than those issued in earlier years. So far, District banks have avoided certain riskier activities, such as banking of tribal marijuana activities, and the majority of District banks do not provide services to marijuana-related businesses.
While most banks satisfactorily manage their BSA/AML programs, several rule changes may be challenging for community banks going forward. Specifically, the new guidance and rules related to the Customer Identification Program (CIP) for prepaid cards and strengthening the customer due diligence (CDD) requirements by requiring the identification and verification of beneficial owners will have a significant impact on most banks. The Division’s BSA coordinator and assistant coordinator should be directly involved in outreach efforts related to these enhanced expectations, and they will continue to provide updates as the Federal Reserve System develops clearer action plans and expectations for banks.
- Commercial Real Estate (CRE) Credit Risk. While overall CRE concentrations in the District remain lower than levels observed prior to the last recession, CRE concentrations have been rising in some District institutions. Additionally, several banks have increased lending through purchase of loans. Because of increasing risk, supervisory reviews for institutions with significant CRE concentrations will use expanded CRE concentration procedures to ensure banks are complying with risk management expectations for CRE lending.
- Other Credit Concentrations. While credit quality indicators2 generally do not suggest significant adverse trends, several SMBs have concentrations in specific credit types well into the 90th percentile for district peers. SMBs should remain vigilant in maintaining prudent credit risk management practices and be mindful of existing regulatory guidance as they manage their credit concentrations and overall credit risk.
- Interest Rate Risk (IRR): Most institutions meet supervisory expectations for managing IRR and generally appear reasonably positioned for gradual rate changes. The level of deposits from listing and brokered sources indicates that institutions have started to use wholesale funding to augment balance sheets after two interest rate increases following the prolonged low-rate environment. The inflow of nonmaturity deposits continues to challenge the development of robust IRR modeling assumptions. Therefore, it is important for management to review the funding mix while challenging historical assumptions and model results. Among other things, bankers should consider whether:
- Weaker borrowers with variable rate loans will be capable of cash flowing with higher interest rates.
- Models adequately address both on-balance-sheet and off-balance-sheet risk.
- Assumptions consider the impact of large deposits and surge deposits and their related betas, decay rates, and changes in the deposit mix.
- Aggregate limits are warranted for deposits from wholesale sources, such as listing and brokered services.
Endnotes
2Not including agricultural credit risk which is addressed separately.