2024 Essential Guide to Risk Management for US Banks

In today's fast-paced world, where technology is advancing rapidly, and global dynamics are constantly changing, the risk management landscape for banks in the US is evolving at an unprecedented pace.

In this guide, we delve into the challenges, opportunities, and regulatory changes the banking sector faces in 2024 and provide practical insights and strategies for risk leaders to excel in risk management in this new regulatory era.

TL;DR (Too Long; Didn't Read)

• Managing non-financial risks, including digital, cybersecurity, and market risks, is critical for risk leaders.

• Risk leaders must stay vigilant due to rapidly evolving risks, exemplified by the collapse of Silicon Valley Bank (SVB).

• In 2024, banks will face major regulatory changes related to Basel III Endgame, small business lending, and personal financial data rights.

• Risk leaders need proactive strategies to keep ahead of industry changes like AI, digital security, and consumer protection.

• Choosing the right third-party provider is critical for compliance and customer trust.

Risk management in the new regulatory era

We live in a constantly changing world, which presents us with a multitude of challenges. From political upheavals to digital transformation, cybersecurity threats, environmental changes, and fluctuating markets, these factors impact us all, underscoring the need to be vigilant and adaptable.

Risk management traditionally categorises risks into five areas: strategic, operational, financial, legal/regulatory, and reputational. However, emerging risks are as diverse as the industries they affect, covering everything from geopolitical instability, technological advancements (such as AI, blockchain, and quantum computing), cybersecurity, climate change, and financial market fragility, among others.

For Chief Risk Officers (CROs), managing non-financial risks has become a critical part of their role, especially with the evolving regulatory environment and the growing dependence on third-party technology providers. A recent survey highlights this trend, revealing that CROs intend to dedicate more time in 2024 to monitor and mitigate non-financial risks, with cybersecurity (58%) and fraud and financial crime (42%) being their top priorities.

Despite the growing complexity, variety, and volume of risks, many are expected to manage these increased responsibilities, often with the same or even reduced budgets. So, how can they tackle this challenge? The answer lies in embracing innovation and rethinking traditional approaches. By leveraging AI and other technological advancements, rethinking ineffective practices, and collaborating with specialised third-party providers, CROs can find cost-effective and efficient solutions that significantly boost the overall efficacy of risk management processes.

Navigating the accelerating risk landscape

The collapse of Silicon Valley Bank (SVB) in March 2023 marked the most prominent US bank failure since the 2007–2008 financial crisis, serving as a stark reminder of how quickly situations can deteriorate in modern banking.

The rapid unravelling of SVB, driven by a crisis of confidence that led to $42 billion in client withdrawals within a few days, showcased the vulnerability of financial institutions to swift market shifts and changing customer behaviours.

This recent incident highlights the increasing speed at which risks can emerge and escalate. The shift towards digital banking and real-time transactions, while offering efficiency and convenience, also means that financial crises can unfold with alarming speed. Moreover, social media plays a critical role in shaping public perception and investor confidence. Information now spreads quickly through these channels, affecting customer decisions and, in turn, market stability.

The SVB collapse also sheds light on the broader impact of technology and globalisation on risk management. Technological advancements in the banking sector, including AI and blockchain, introduce new complexities and vulnerabilities, notably cybersecurity risks. The interconnected nature of today's global economy means that economic and political events can immediately affect local financial markets. This global interdependence requires a risk management approach that considers not only domestic factors but also international developments.

In response to these challenges, banks must operate with heightened vigilance and adaptability. The need for proactive risk assessment is more critical than ever, involving continuous monitoring and forecasting of potential market disruptions. Additionally, developing dynamic risk management strategies that can quickly adapt to changing circumstances is essential. This involves creating contingency plans for various scenarios, ensuring operational resilience, and maintaining effective stakeholder communication.

The ripple effect of regulatory shifts in the banking sector

The rules and regulations governing banking in the US have undergone significant changes in recent years, reshaping how banks operate and safeguard their customers.

Amidst these changes, a key focus has been cybersecurity. Agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have played a leading role in strengthening the financial sector's defences against rising cyber threats. At the same time, the Consumer Financial Protection Bureau (CFPB) has advocated for consumer data protection by implementing stringent standards that align with the European Union's General Data Protection Regulation (GDPR).

This shift has forced banks to balance technological upgrades and strategic reforms. A critical aspect of this transition has been meeting enhanced cybersecurity standards, necessitating advanced security infrastructures and robust data protection measures. These adjustments have also ushered in a cultural shift, making customer privacy a top priority.

Meanwhile, monetary authorities like the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) tightened capital and liquidity requirements to equip banks to better withstand economic fluctuations. While intended to enhance stability, the move has impacted lending practices and investment strategies.

Additionally, the Financial Crimes Enforcement Network (FinCEN) has expanded its Anti-Money Laundering (AML) and Know Your Customer (KYC) guidelines. These revised guidelines now require stronger identity verification measures to combat financial crimes. The expanded AML and KYC directives led to an overhaul of customer onboarding processes, integrating more sophisticated identity verification technologies and altering the customer experience.

Alongside these federal regulatory changes, state-level initiatives such as the California Consumer Privacy Act (CCPA) have become increasingly important. This has prompted banks to invest significantly in compliance, risk management, and technology to navigate this new and challenging regulatory environment with increased diligence and innovation. Consequently, banks are increasingly collaborating with fintechs and third-party service providers to navigate the evolving regulatory landscape efficiently. This period has marked a transformative chapter in the banking sector, steering it towards greater resilience, transparency, and customer-centricity.

Key legislation and regulatory bodies for US banks

Regulatory changes to keep on your radar in 2024

Basel III Endgame (B3E)

In the wake of the 2007-2009 financial crisis, the banking world saw the introduction of Basel III. This set of reforms was designed to strengthen the banking sector's defence against economic shocks, sharpen risk management, and boost transparency. Basel III raised the standards for bank capital, liquidity, leverage, and risk management.

Now, we're entering Basel III Endgame (B3E) – the final chapter of this framework. B3E builds on the foundation laid by Basel III, bringing in more refinements to further solidify the banking sector's stability. Think of B3E as an advanced upgrade, enhancing principles of capital adequacy and risk management with new updates and requirements.

What you need to know:

• US regulators are eyeing July 2025 as the target for compliance, giving banks a window to adapt and implement these changes.

• B3E revises the calculation of risk-weighted assets (RWAs) – a bank's assets or off-balance-sheet exposures, weighted according to risk. While this reflects a more cautious approach to credit, market, and operational risks, it could lead to increased capital needs, particularly for bigger banks.

• A 'three-stack' capital framework will be a new addition in the US, possibly increasing capital demands for major US banks with added buffers and mandates.

• The proposed changes in B3E could impact the US Treasury and other key capital markets. Banks need to assess how increased capital requirements may affect their ability to support these markets and the broader financial system.

• Banks should evaluate B3E's implications on their operations and strategic planning. This may mean revamping technology, data systems, and operational processes to align with the new rules.

• B3E places greater emphasis on large, globally active banks, imposing more rigorous standards to address the systemic risks they pose.

B3E is a crucial stride towards a safer, more resilient banking industry. It calls for banks, especially the larger entities, to be proactive and strategic in their response. Staying informed and prepared is key to navigating these changes successfully.

Section 1071: Small Business Data Collection Act

Section 1071 of the Dodd-Frank Act, also known as the Small Business Data Collection Act, aims to enhance transparency and fairness in lending to small businesses, especially those owned by women, minorities, and LGBTQI+ individuals.

It amends the Equal Credit Opportunity Act (ECOA) and requires financial institutions to collect, maintain, and report data on small business credit applications. This effort seeks to support fair lending laws and understand the needs of these businesses.

However, many banks have expressed concern about the complexity and cost implications of these new data collection and reporting requirements. Additionally, there are apprehensions that collecting extensive data may impact small business privacy and lead to a misleading representation of lending to underserved groups.

Despite industry hesitations, the Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement this act, which includes various provisions that directly affect bank operations and customer interactions.

What you need to know:

• Banks, credit unions, and non-bank lenders issuing at least 100 small business loans annually must comply. This includes business loans, credit lines, business credit cards, and cash advances.

• For this regulation, a small business is defined as having annual revenues of $5 million or less.

• Financial institutions must collect and report information about small business loan applications, including ownership by minority, women, or LGBTQI+ groups.

• Businesses can self-identify, and lenderscan use this information without determining demographics themselves.

• Compliance timelines vary based on the number of small business loans a bank issues.

• Certain types of transactions and inquiries are not subject to data collection requirements. These include inquiries for pre-qualification, re-evaluation, extension and renewal requests, except for those requesting additional credit amounts.

• The rule has been designed to complement existing laws, such as the Community Reinvestment Act and the Home Mortgage Disclosure Act, to avoid duplicate reporting.

• Banks are required to ensure the accuracy, security, and confidentiality of the collected data, acknowledging the privacy risks to small businesses.

While Section 1071 is a step towards fairer small business lending, it will require banks to adapt their data collection and reporting practices while managing operational and privacy concerns.

Section 1033: Personal Financial Data Rights

Section 1033, also known as the Personal Financial Data Rights, is a pivotal part of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

It's a cornerstone regulation in the movement towards open banking, giving consumers increased control over their financial data.

Driven by the Consumer Financial Protection Bureau (CFPB), Section 1033 aims to revolutionise the banking sector by boosting competition and fostering a more consumer-centric environment.

What you need to know:

• Consumers will have the right to access their financial data held by banks and other financial institutions and share it with authorised third parties. This is a fundamental step in open banking, enhancing consumers' ability to switch financial providers and widen their market choices.

• Financial institutions, now 'data providers', must ensure secure access to consumer financial data. They are responsible for the accuracy and protection of this data.

• Authorised third parties who can access customer information are limited in how they can use, collect, and keep consumer data, focusing only on what's necessary for the requested service.

• The proposed rule covers a wide range of financial products and services, particularly transaction data, account balances, and payment details, which are integral to open banking.

• The implementation of Section 1033 will occur in stages, with larger financial institutions facing these new requirements sooner than their smaller counterparts. Community banks and credit unions without a digital interface are exempt.

• While the proposal presents challenges, such as developing compliant data-sharing systems and ensuring data security, it also offers opportunities. Institutions can leverage these changes to innovate and provide better services in an open banking framework.

The CFPB plans to finalise the rule by the fall of 2024. Chief Risk Officers and financial institutions should actively prepare for these changes, particularly considering their role in the broader shift towards open banking.

Interagency Guidance on Third-Party Relationships: Risk Management Overview

In June 2023, the joint efforts of the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance Corporation (FDIC) culminated in the release of the Interagency Guidance on Third-Party Relationships: Risk Management.

This guidance represents a significant move towards standardising third-party risk management in the banking sector. It advocates for a nuanced approach that considers the size and complexity of banks and the nature of third-party relationships.

Risk leaders should be prepared for a more rigorous risk management process, particularly in high-risk scenarios, and understand the potential challenges for smaller banks and fintech partnerships. The guidance is a vital resource for navigating these new standards and ensuring compliance amidst operational and relational complexities.

What you need to know:

• Consolidating previous guidelines from the OCC, FRB, and FDIC, the guidance offers a harmonised approach for managing third-party risks, emphasising enhanced practices to meet elevated compliance standards.

• The implementation challenges and compliance vary with bank size, with smaller banks likely finding the new requirements more stringent.

• Federal Reserve Governor Michelle W. Bowman has noted that the guidance might pose particular challenges for community banks, necessitating clear, tailored risk management expectations.

• Banks are encouraged to adopt comprehensive risk management practices, especially for high-risk or critical third-party activities. This includes managing third-party risks throughout the entire relationship lifecycle, including planning, due diligence, contract negotiation, ongoing monitoring, and termination.

• The guidance recognises the complexities and costs of onboarding, particularly affecting bank-fintech partnerships. It calls for more explicit guidelines in managing third-party relationships, especially beneficial for smaller banks.

Preparing for the future

It is important to track how the rules and regulations are changing. Recently, much attention has been given to areas such as artificial intelligence (AI), digital security, and consumer protection. AI is now integral to risk assessment and fraud detection, but concerns about its ethical use and transparency exist.

In a recent joint statement, the Consumer Financial Protection Bureau (CFPB), United States Department of Justice (DOJ), Federal Trade Commission (FTC), and Equal Employment Opportunity Commission (EEOC) highlighted how AI tools can be used to 'turbocharge fraud and automate discrimination'. The statement reiterated their commitment to upholding America's core principles of fairness, equality, and justice as AI becomes more common.

Similarly, digital security is now a fundamental expectation from both regulators and customers rather than just a checkbox exercise. Being proactive in these areas not only ensures compliance but also helps to build trust and gain a competitive edge.

The regulatory landscape is constantly changing as technology advances and society evolves. To stay ahead, it's important to keep up-to-date with these changes. This means engaging regularly with industry forums, regulatory bodies, and other sectors to identify emerging trends. For instance, the growing focus on data privacy in other industries may indicate forthcoming banking regulations in this area. Being aware of these changes allows you to proactively adjust your strategies rather than reacting to them after the fact.

Collaborating with the right third-party provider

One of the most important aspects of risk management is selecting the right third-party provider for identity verification. This decision is not just an operational choice but also a strategic partnership critical for navigating the complexities of compliance and maintaining trust with customers.

Unfortunately, many organisations find it challenging to differentiate between solutions in a saturated market, highlighting the need for a more thorough and nuanced approach to vendor selection.

Traditionally, vendor evaluation was straightforward and often consisted of a simple trial of the solution in a proof of concept (POC). Nowadays, the selection process requires consideration of a broader range of factors. These factors include the vendor’s orchestration capabilities, pricing, ease of implementation, compliance with regulations, and the efficiency of the user experience (UX).

With regulations constantly evolving, your chosen provider must not only comply with current standards but also possess the foresight and agility to adapt to future changes. The ideal partner should have advanced technological capabilities such as AI, machine learning, and biometric verification, which are crucial in combating sophisticated fraud. However, it is important to maintain a balance between these technological capabilities and a strong commitment to data security and privacy to safeguard customers under all circumstances.

Collaborating with a third-party provider is not just about compliance and technology; it is also about seamless integration, scalability, and improving customer experience. The provider's solution must smoothly integrate with the bank's existing systems and be capable of adapting to the bank's growth. In today's digital era, customer experience is crucial. The identity verification process, although strict, should be user-friendly, reducing friction and boosting customer confidence.

Selecting an appropriate third-party provider for identity verification requires weighing various factors. A perfect collaboration enhances a bank's ability to combat fraud, maintains adherence to regulatory standards, and reinforces customer confidence while also aligning with the bank's growth objectives and strategies.

The banking industry is currently facing a rapidly changing risk environment and is expected to undergo significant regulatory changes in 2024. These regulatory changes, such as the Basel III Endgame, the Small Business Data Collection Act, and Personal Financial Data Rights, pose a challenge to banks as they strive to balance compliance with innovation. Banks need to ensure customer-centricity while safeguarding against a variety of risks. As the regulatory landscape evolves, risk leaders must remain agile, well-informed, and collaborative to manage these changes effectively.