Essential Risk Assessments for Financial Institutions

Risk is inescapable in banking, but this doesn’t mean financial institutions can’t manage it more effectively. With the right risk assessments, FIs can better identify and control risk, taking the critical first step toward building a comprehensive risk management program. 

When used correctly, risk assessments empower bankers to surmount obstacles to realize their institution’s strategic objectives and larger goals. Are you ready to uncover potential threats and cut them off at the pass? Do you want to seize opportunities for growth? 

In this post, we’ll delve into the risk assessments your financial institution needs to create a powerful and sustainable banking business model.

Table of Contents

The Integrated Risk Management (IRM) frameworkBSA/AML/OFAC risk assessment
Fair lending risk assessment
Third-party risk assessment
New product or service risk assessment
Information Security risk assessment
Payment processor/ACH risk assessment
Identity Theft and Red Flag risk assessment
Remote Deposit Capture risk assessment
Digital banking risk assessment
The transformative power of integrated risk assessments

The Integrated Risk Management (IRM) framework

Before jumping into the types of risk assessments your FI should focus on, we need to define integrated risk management (IRM). IRM takes a holistic approach to risk, embedding risk governance policies into your procedures and practices. 

IRM covers your complete risk management ecosystem, including: 

• Operational Risk: Risks arising from the failure of people, processes, and systems 
• Transaction Risk: The risk of failing to deliver products and services as expected 
• Compliance Risk: Adherence to laws and regulations 
• Financial Risk: Credit, liquidity, and interest-rate risk   
• Third-Party Risk: The risk posed by vendor failure or inadequate service 
• Strategic risk: Failure to meet business goals 
• Reputation risk: The loss of consumer trust and public confidence 
• Cyber risk: The risk of failing to mitigate cyber threats and vulnerabilities 

Using an IRM framework, financial institutions prioritize the interplay and interconnectedness of different risk categories. Integrated risk management gives financial institutions the flexibility and adaptability to anticipate the impact of regulatory change, adjust their business model to various market conditions, regularly assess their processes and systems for any weaknesses, and much more. 

Related: Integrated Risk Management 101: What and Why

BSA/AML/OFAC risk assessment 

Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets and Control (BSA/AML/OFAC) risk assessments are designed to prevent financial crimes such as money laundering and help FIs avoid the legal penalties and reputational damage from funding the illicit activities of groups or countries. 

The FFIEC BSA/AML Exam Manual requires financial institutions to develop BSA/AML/OFAC compliance controls based on their products, services, customers, transactions, and geography. 

Does your financial institution have foreign correspondent accounts? Is your institution in or near a high-crime area where money laundering may be prevalent? Are you keeping track of countries prohibited from doing banking business in the U.S.? Do you engage in cannabis banking? 

Financial institutions need to develop and adjust BSA/AML/OFAC compliance controls based on risk assessments and independent audits of these controls. The penalties for failing to comply with these laws are too steep to ignore and may jeopardize the very existence of your institution. 

Ask yourself: 

• Are your BSA/AML/OFAC compliance controls commensurate with your risk profile? 
• Do you have an established system for filing Suspicious Activity Reports (SARs)? 
• How strong are your vendor controls if you outsource functions such as your Customer Identification Program (CIP)?

Related: The Four Pillars of a Strong BSA/AML Compliance Program 

Fair lending risk assessment 

Fair lending laws mandate that lenders cannot discriminate on the basis of race, ethnicity, national origin, gender, marital status, disability, or age. Laws such as the Equal Credit Opportunity Act (ECOA) and the Fair Housing Act (FHA) enshrine protections for these groups. 

The elements of your fair lending risk assessment include:  

Redlining: Under the Home Mortgage Disclosure Act (HMDA), financial institutions must gather, maintain, and report data on residential mortgage applications and originations to prove non-discrimination. 

Underwriting policies and practices: Does your FI have a written policy for pricing exceptions, loan terms, debt-to-income (DTI) ratios, loan-to-value (LTV) ratios, credit scoring, etc. that is consistent across groups? Do your lenders follow these policies, or do your underwriting practices inadvertently discriminate against one of the protected classes mentioned above? How do you monitor and report exceptions to your policy? 

Marketing: ECOA protections prohibit lenders from making statements or comments in their marketing strategies that might deter protected groups from applying for loan products or credit. For example, FIs must exercise particular caution when advertising on social media, as the algorithms used on these platforms may target specific groups and exclude others. Lenders must also ensure that their marketing efforts aren’t overly concentrated on select demographic groups or in certain geographic areas.  

Branch locations and operations: Are you offering equitable banking services to all the consumers in your geographically defined assessment area? Do your branches in low-to-moderate income (LMI) and majority-minority census tracts have similar hours and offer the same products and services as those in higher-income, majority-white neighborhoods? 

These are only a few of the issues financial institutions must consider when assessing fair lending risk. With the introduction of 1071, fair lending risk assessments and reporting requirements will require even more effort.

Third-party risk assessment 

Last year’s Interagency Guidance on Third-Party Relationships: Risk Management highlights the importance of vendor risk assessments. While the guidance applies to banks, credit unions, and other financial entities will find it a valuable tool for assessing third-party risk.  

The four pillars of managing third-party risk are: 

1. Risk Management 
2. The Relationship Lifecycle (Planning, Due Diligence, Contract Negotiation, Ongoing Monitoring and Termination) 
3. Governance (Oversight/accountability, independent reviews, and documentation/reporting) 
4. Supervisory Reviews of Third-Party Relationship

A vendor risk assessment should answer the following questions: 

Operational resiliency: Is your vendor able to deliver services and products consistently? Do you have an airtight contract with provisions and service-level expectations that hold them accountable for providing services and products as expected? What might prevent them from meeting these expectations? What are the economic consequences if they fail to meet expectations? 

Cybersecurity measures: Does your vendor have a SOC? Is this report sufficient to ensure that a vendor has adequate cybersecurity controls? Does your FI need additional cyber monitoring for certain vendors? 

Compliance standards: Does your vendor comply with relevant regulations and laws? Do they meet industry compliance standards? Remember that your financial institution is responsible for any compliance violations from third-party vendors.  

Vendor risk management must be a part of your broader risk management program. There is no one-size-fits-all approach for every vendor. FIs must tailor their third-party risk assessments based on the criticality of the vendor, and its access to their core systems and legally protected consumer data under the Gramm-Leach-Bliley Act (GLBA). 

New product or service risk assessment 

When financial institutions change their existing line of products or services, their risk profile changes as well. An FI may offer a completely new service, such as wealth management, or enhance an existing service. 

Banking leadership should develop a strategic risk assessment to improve the chances of success for any new product or service launch.  

Some of the factors FIs should consider: 

Consumer demand for new products and services: Financial institutions must understand how a new business venture aligns with consumer demand. Did a vendor call a board member and “pitch” them on a new banking product? Do your peer institutions have similar products? Do your consumers actually want this product or service? 

Complexity of the product or service: Innovative products or services typically cost more. How much will your FI spend as product features evolve and compliance risk increases? Established products, such as remote deposit capture, may have a greater chance of success because it’s easier to determine compliance costs. Cutting-edge crypto-related services may be harder to price accurately.  

Employee training and experience with a product or service: Can your employee successfully sell a new product or service to consumers? If not, how much will you have to spend on training them? Will you need to hire new staff with experience with a product or service?  

Many of the strategic risks of introducing new products or services involve costs and marketability. You know your consumers best, and it’s vital you don’t jump headfirst into a launch that leaves a poor impression. You must also have the IT systems and equipment to support a new product or service. Does your new venture align with your infrastructure capabilities?  

There are other considerations as well. For instance, concerns about how products and services will impact your institution’s adherence to fair lending or unfair, deceptive, or abusive acts or practices (UDAAP) must be taken into account.

Information Security risk assessment

Your Information Security risk assessment centers on mitigating the harm from data breaches and other cyber vulnerabilities. The landscape for cyberattacks against financial institutions has changed considerably in recent years. Most criminals that operate in this space today use social engineering tactics to gain access to your systems. 

Financial institutions should focus their attention on the following: 

• Training staff to identify phishing schemes and other common tactics of cybercriminals 
• Regularly testing IT systems for vulnerabilities and making software patches as necessary 
• Monitoring the cyber defenses of your third-party vendors 

Data breaches that leak protected consumer information are a significant regulatory compliance risk under GLBA. 

Even if a cyber breach doesn’t put you in regulatory hot water, it can cause problematic operational disruptions and reputational damage. Just ask the 60 credit unions whose customers couldn’t access their online banking accounts and bill pay after a ransomware attack against a third-party vendor about these operational and reputational harms.

Payment processor/ACH risk assessment

The essential elements of vendor risk management are at play in payment processor relationships (risk assessments, due diligence, and third-party oversight). 

The ACH network is incredibly convenient, enabling financial institutions to quickly distribute and settle electronic credit and debit entries in consumer accounts. But with rapid transmittal and a high volume of transactions, ACH also presents elevated risks. 

Your ACH risk assessment should focus on: 

Fraud: Unauthorized debits from consumer accounts 

Settlement Errors: Transactions may not be processed with the accurate amount 

Insufficient Funds: The risk that originators may be unable to cover the transaction 

Compliance Issues: FIs that use the ACH network must comply with rules established by NACHA – the Electronic Payments Association (formerly known as the National Automated Clearing House Association). 

Financial institutions are responsible for implementing internal controls and account monitoring to detect and resolve ACH transfer fraud. The Federal Reserve Board’s Regulation E gives consumers 60 days to report unauthorized ACH account debits for resolution.

Identity Theft and Red Flag risk assessment

Millions of Americans are victims of identity theft each year. Under laws established by the Federal Trade Commission (FTC), financial institutions and creditors are responsible for detecting the warning signs (or Red Flags) of identity theft. 

FIs need a written Identity Theft Prevention Program. They must also follow through with practices that identify fraudulent account activity. 

An Identity Theft/Red Flag risk assessment should include: 

• Policies for the collection of documentation and proof of the identity of consumers opening accounts 
• Procedures for monitoring suspicious activity in new or existing accounts, such as the immediate withdrawal of large sums of money or rapid fund transfers between accounts 
• Attention to alerts, notifications, and warnings from credit reporting agencies or fraud detection providers 

The FTC mandates that a FI’s Identity Theft risk assessment must be updated regularly based on an institution’s history with identity theft, changes in the type of accounts offered, and other factors.

Remote Deposit Capture risk assessment 

Many financial institutions use Remote Deposit Capture (RDC) technology, allowing consumers to deposit checks on their smartphones. 

A risk assessment for RDC should focus on the following: 

Legal and Compliance Risk: FIs must assess the legal risks associated with clearing and settling RDC deposits, including timeframe and availability of funds, third-party clearance systems (ACH), and BSA compliance. 

Operational Risks: Faulty technology, ineffective procedures, and poor employee training can lead to processing inaccuracies. 

Vendor Risk: If institutions outsource RDC to a vendor, they often assume legal and regulatory accountability for a third party’s performance. 

Although electronic payments have surged and are the primary payment method for many, some consumers and many businesses continue to write physical checks. Physical check fraud is on the rise. Experts put the total cost of this crime for FIs at $24 billion in 2023 – nearly doubled from five years ago. RDC makes this fraud much easier to commit. Criminals steal checks from residential mailboxes and “wash” them to remove the name of the legitimate recipient.

Financial institutions must be aware of this, implementing policies and procedures to curb the deposit of stolen checks, whether physically or digitally.

Digital banking risk assessment 

Digital banking services and products offered by financial institutions continue to grow. Digital banking includes online banking, mobile banking, peer-to-peer lending (P2P, and more.  As more FIs enter relationships with fintech firms and other technology service providers (TSPs) to attain or retain a competitive advantage, the risks multiply. 

A risk assessment for digital banking should evaluate the following: 

Cybersecurity Threats: Real-time cyber monitoring of third-party partners has become an imperative rather than a nice-to-have. You want to be the first to know if there’s potential trouble with a TSP’s cybersecurity system and controls. 

Potential Compliance Issues: Unfortunately, most TSPs focus less on compliance than innovation. A Virginia bank once acclaimed for its banking-as-a-service (BaaS) prowess learned this lesson the hard way when its partners failed to meet BSA/AML compliance requirements. 

Operational Risks: FIs need to vet TSPs thoroughly to ensure they can meet expectations for the delivery of products and services. 

The brave new world of digital banking presents community banks, credit unions, and other financial entities with opportunities and challenges. Financial institutions should not shy away from growing their deposit base and revenue by adding digital products and services, but they must do so with deliberation and a thoughtful process for assessing risk.

The transformative power of integrated risk assessments

Financial institutions make poor decisions when they lack accurate data on risk. Risk assessments only work if they deliver a repeatable process for evaluating risk across your institution. 

The goal of risk assessments is not to eradicate risk but to understand your institution’s exposure to it. The information gathered from risk assessments gives banking leaders the insight they need to enhance their institutions' safety and soundness while enabling them to take full advantage of opportunities. 

The assessments above categorize specific risks, but the idea is to understand risk holistically. Individual risk assessments are the first step in building a risk-aware banking culture. Financial institutions must move from quantifying singular risks to creating an integrated approach to risk management. By integrating risk assessments on a single platform, FIs can transform risk from a liability into something that works to their benefit.

Wondering How to Build a Stronger Risk Management Program? Check out our webinar: "Decoding Risk: IRM, GRC and Everything in Between"