Innovation, employee experience and evolving consumer preferences are changing the financial services landscape. This includes the way financial products and services are delivered. Many banks and credit unions are exploring ways in which third-party relationships may help address the changing landscape, while others are looking to new or innovative technologies that can increase efficiencies, grow their reach and improve competitiveness.
No matter what your organization’s approach is, there’s a new level of scrutiny that you need to apply.
Clearly, you must be sure that you’re not doing something that introduces too much risk that could put your long-term viability in jeopardy. However, it doesn’t mean you shouldn’t pursue opportunities. Risk management shouldn’t be the department that says no, but rather the function that enables successful execution with the emerging risk universe in mind.
It’s not unlike what mothers tell their kids: “Just be good.” That simple instruction can be applied to pretty much everything you do, including managing risk:
- Be good at identifying and monitoring emerging risks whether brand new, evolving or even well-known.
- Be good at making sure your leadership team understands the risk impact, likelihood, velocity and time horizon of each risk.
- Be good at developing and implementing actionable controls to mitigate the risk.
- In other words, just be good and things typically go right.
So, where should you begin? What are those emerging risks that you should have your eye on?
While each financial institution has its own unique risk footprint, here are five risk categories and loss trends that most likely should be on your radar in 2022.
Risk 1: Ransomware
To begin, cyber risk and ransomware has to be top of mind. The growing frequency and severity of ransomware attacks is concerning — as six and seven-figure demands have become routine.
The fact that ransomware attackers have been telling victims that they must pay the ransom, and that the attackers can steal as well as encrypt data, isn’t a new phenomenon. But the possibility that sensitive data might be revealed is potentially more damaging to your reputation than any disruption caused by the malware.
Keep an Eye Out:
Having employees work from home is a great option, but remote work can add many unforeseen security risks.
In addition, threat actors are indifferent to who pays them as long as they are getting paid. Their focus appears to be a disproportionate problem for smaller and mid-market organizations. 72.1% of ransomware attacks occurred on companies with less than 1,000 employees according to Coveware’s Quarterly Ransomware Report (February 2021). This fits the organizational make-up of many community financial institutions, so it is wise to be on the lookout.
Further, remote work has opened the door for additional cyber risk. Remote work has highlighted weak security measures, employees not following proper cybersecurity protocol, and inconsistent risk monitoring. While there’s no foolproof way of preventing ransomware attacks from occurring, it can be avoided with the right security, risk management procedures and prepared employees.
Risk 2: Weak Authentication
Another significant risk also has fraudsters clinging to the cloak of anonymity with fraud and scams through online channels. These fraudsters will most likely continue to exploit weak authentication methods involving fraudulent instructions, business email compromise, loan processing and online account enrollment. These losses have been significant and quite often request large wire transfers which can lead to big paydays for fraudsters.
In one scheme, consumers are targeted in a Zelle/peer-to-peer (P2P) payment fraud using a sophisticated scam to defeat two-step authentication, which leverages the use of one-time passcodes. People are being scammed into providing online banking usernames and passcodes resulting in unauthorized electronic fund transfers from their banking accounts via Zelle/P2P. These losses can escalate really fast due to the potentially large number of members or customers targeted on a single day over the course of consecutive days. One credit union fraud loss went over $2.5 million!
Digital banking fraud can rapidly get out of hand. One credit union had a P2P scam loss of over$2.5 million
Managing these risks requires a layered security program. The use of multifactor authentication alone for online banking is not sufficient to protect consumer accounts. Layered security controls at different points in the transaction process can regulate authentication risks so that if one control is defeated, another one exists that can help prevent unauthorized transactions. Deploying an out-of-band authentication method for online banking enrollment through websites is a growing practice. In fact, it’s considered a “must have” control to help mitigate these risks.
Risk 3: Smash & Grab Attacks
Automated Teller Machines (ATM) and Interactive Teller Machines (ITM) have become a staple in the digital culture. These machines offer a significant convenience with direct access to cash transactions. And, when many lobbies were closed or restricted during the pandemic, criminals shifted their focus to these machines, but in an unexpected way.
“Smash and grab” style attacks — typically using stolen heavy-duty trucks with chains, construction type vehicles, equipment, and even explosives to rip apart the ATM or ITM to gain access to cash canisters — are causing havoc at an alarming rate. These attacks can cause financial loss and property damage over $100,000 in minutes in addition to impacting financial institution operations and the communities they serve.
Risk 4: Slips, Trips & Falls
Even a seemingly minor workplace or employee incident may result in expensive claims cost or even legal action. In fact, slips, trips and falls are a significant cause of workplace injuries resulting in 48% of all Workers Compensation claims and 55% of the total incurred loss dollars in credit unions, according to the Credit Union Workers Compensation Safety Council from The Hartford and CUNA Mutual Group. Surprisingly, both volume and severity of credit union slip, trip and fall claims are about 20 basis points higher than others within the banking industry, according to loss data.
Unsafe behaviors and conditions such as uneven or wet/icy surfaces, lighting, clutter and stairs are prime factors. Additionally, the absence of safety alertness, can lead to these types of injuries. A short lapse of attention or distraction — think checking cell phones, being in a hurry, walking with arms full, not using designated walkways and wearing sunglasses inside — are common distractions.
Work injuries can be expensive with costs of injury treatment, investigating accidents, implementing corrective measures, training replacement employees and dealing with lost productivity. It really adds up quickly.
Risk 5: Class Action Lawsuits
From a litigation perspective, if your organization hasn’t been impacted by one of these losses or class actions yet, there is a good chance you’ll be hit with one. And, if you’ve already been hit, there’s still a chance you could be impacted by another.
One big target for these lawsuits is overdraft/NSF fees, which continue to be a sore spot for consumers. In fact, consumer advocacy groups have targeted overdraft programs — often referred to as courtesy pay or overdraft privilege programs — and the disproportionate impact the programs have on certain consumers.
Additionally, law firms are sending demand letters threatening a lawsuit (or filing a lawsuit) against community financial institutions alleging customers were improperly assessed overdraft and/or NSF fees. The monetary exposure can be significant with a seven-figure exposure not being unusual with the impact of the statute of limitations for each state. The allegations include:
- Improperly charged multiple NSF fees on the same transactions (refers to incoming debits that are returned multiple times by the institution).
- Improperly assessed overdraft fees on debit card transactions posting to accounts when funds were previously set aside when preauthorization holds were placed.
- Overdraft fees were improperly assessed using the “available” balance rather than the “actual” or ledger balance, and the institution failed to accurately describe this in its agreements/disclosures.
- A newer development has plaintiff attorneys targeting Reg E’s Model A-9 opt-in form for paying overdrafts on ATM and one-time debit card transactions. They claim that the language on this form is ambiguous on how financial institutions assess overdraft fees on these transactions and therefore fails to comply with Reg E requirements. They target the first sentence — “An overdraft occurs when you do not have enough money in your account to cover a transaction, but we pay it anyway.”
Class action lawsuits against banks and credit unions due to deficiencies in collection letters continue to be successfully brought forward by plaintiff attorneys. Specifically, Notice of Disposition (commonly referred to as notices of intent to sell collateral) and Notice of Deficiency sent after the collateral has been sold are the letters and notices targeted. Lack of detail in these notices is being scrutinized.
These lawsuits often require banks and credit unions to waive remaining deficiency balances, return payments toward deficiency balances, return 10% of the principal amount of the original debt and pay statutory damages.
Keep Ahead by Rethinking Protection
The above five risk categories and trends are just the beginning of what should be on your institution’s radar. Other risks such as active assailant situations, business resiliency, employment practices, employee fatigue, remote work, vendor/fintech due diligence and cryptocurrency are among the many others that should be considered when rethinking your protection.
Remember, when risk management is effective, typically nothing bad happens. But, if you’re blindsided by a problem, your reputation takes the hit. Don’t let not knowing which emerging risks are around the corner take the blame. Be good!