Regulatory Reform Becomes Priority, AI Use & Oversight at Financial Firms
PLUS: US Bank Profits, FDIC Risk Review, Banks Eye Crypto, Cyber Rules Challenged, Cybersecurity Risk Management Analysis

Here is what we have this week filling up the Risk Queue! Treasury's regulatory reform agenda promises the most significant supervisory overhaul since 2008, plus critical AI governance gaps exposed, and transformational changes are sweeping through banking as America's largest institutions pivot from crypto skepticism to strategic embrace with joint stablecoin ventures.
-From Naeem, CEO & Founder - Risk On Q
In today's Risk Queue:
CRE faces $60-125B losses, $1.5T refinancing wall
Treasury unveils sweeping supervision, capital reforms
GAO exposes AI oversight gaps amid 85% adoption surge
Banks challenge SEC cyber disclosure rule weaponization
FDIC Risk Review: Profits mask CRE crisis at 1.49%
Major banks explore joint stablecoin defense strategy
Deep dive: Evolving cybersecurity risk management strategies
Risk Headlines
U.S. Banks see Profits Climb in First Quarter - source reuters.com
The FDIC's Q1 2025 banking industry report reveals a sector demonstrating resilience while navigating significant structural challenges, with profits climbing 5.8% to $70.6 billion primarily driven by noninterest income growth of 7%.
Key Points:
Revenue Model Evolution: Banks are successfully generating profits through noninterest income while traditional lending activities stagnate, highlighting the importance of fee-based and trading revenues
Commercial Real Estate Reckoning: CRE delinquencies at decade-high levels signal the beginning of a potentially significant credit cycle, with estimates of $60-125 billion in industry losses [3,4]
Growth vs. Quality Trade-off: Anemic loan growth reflects either constrained demand or prudent underwriting standards as banks balance growth objectives with credit risk management
Proactive Risk Management: Rising provision expenses despite currently favorable asset quality indicates banks are building reserves ahead of anticipated credit deterioration
_________________________________
Treasury Deputy Secretary Faulkender's comprehensive reform agenda represents the most significant regulatory realignment since the post-2008 crisis, signaling a fundamental shift from process-focused supervision to material risk assessment. The administration's three-pillar approach—supervision reform, capital modernization, and liquidity enhancement—directly addresses longstanding industry concerns.
Key Points:
Regulatory Rebalancing: Movement from process-focused supervision to material risk assessment, with objective standards replacing subjective examiner judgment
Capital Optimization: Selective adoption of international standards with independent validation, recognizing that one-size-fits-all approaches may not serve U.S. market conditions
Liquidity Innovation: Recognition that existing liquidity frameworks may discourage lending during stress periods, contrary to their intended purpose
Supervisory Accountability: Enhanced transparency and appeals processes to create more balanced examiner-bank relationships [1]
A.I. Risk / Technology Risk
Artificial Intelligence: Use and Oversight in Financial Services - source gao.gov
The GAO report reveals a fundamental tension between rapid AI innovation and regulatory preparedness across the financial services sector. While AI adoption is accelerating exponentially—from 45% in 2022 to an expected 85% by 2025—regulatory frameworks remain largely anchored in pre-AI era guidance and statutory authorities.
The report underscores that existing AI applications can amplify traditional financial services risks such as bias in lending, privacy breaches, and operational failures, while simultaneously introducing novel vulnerabilities like hallucinations in generative AI and sophisticated cyber threats.
The regulatory response has been mixed, with some agencies developing AI-specific guidance while others rely on existing frameworks, creating inconsistent oversight across the financial ecosystem.

_________________________________
Banking Groups ask SEC to Drop Cybersecurity Incident Disclosure Rule - source cointelegraph.com
The banking industry's petition to eliminate the SEC's cybersecurity disclosure rule highlights a fundamental conflict between transparency obligations and operational security effectiveness. The rule, requiring disclosure within four business days of determining materiality, has proven counterproductive by enabling criminal exploitation, interfering with law enforcement investigations, and creating premature liability exposure.
With documented evidence of ransomware groups weaponizing the disclosure requirements and companies like Coinbase facing $400 million in estimated costs plus multiple lawsuits after compliance, banks must immediately reassess their incident response protocols and disclosure strategies.
Key Points:
Transparency requirements designed to protect investors are inadvertently enabling criminal exploitation and undermining the security they aim to enhance
The tight disclosure timeline interferes with incident response protocols, law enforcement coordination, and internal investigation processes
Rapid disclosure requirements increase litigation exposure and settlement costs while providing incomplete information to markets
Documented cases of ransomware groups using disclosure requirements as additional extortion tools demonstrate unintended consequences of the regulatory framework
Regulatory News - Fines, Losses, & Rules
FDIC: 2025 Risk Review of the Banking Sector - source fdic.org
The banking sector remains fundamentally sound, but persistent market and credit risks—especially in CRE, private credit, and consumer lending—require proactive management. Community banks, while resilient, are more vulnerable to sector-specific downturns. The rapid expansion of private credit introduces new systemic risks, and cyber threats demand continued investment in operational resilience.
Key Points:
The structural evolution suggests a fundamental shift in credit intermediation, with banks potentially becoming utilities providing liquidity infrastructure rather than primary credit originators.
Disintermediation Evolution: Banks transitioning from direct lenders to liquidity providers for competitors
Risk Concentration: Indirect exposure through credit lines creates systemic transmission channels
Market Convergence: Private credit (PC) loan characteristics increasingly resemble traditional bank products
Structural Protection: Senior secured positions provide downside protection but concentration risk
_________________________________
The exploration of a joint stablecoin by America's largest banks—JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo—represents a defensive strategic response to the existential threat posed by the rapidly expanding crypto ecosystem, particularly as the GENIUS Act creates regulatory clarity for stablecoin issuance.
This consortium approach, leveraging existing infrastructure through Early Warning Services (Zelle operator) and the Clearing House, signals a fundamental shift from crypto skepticism to strategic engagement as banks face the prospect of massive deposit outflows and transaction disintermediation.
Key Points:
Deposit Defense Strategy: Banks recognize that widespread stablecoin adoption could "siphon away the deposits and transactions they handle," particularly if big tech companies enter the market
Regulatory Timing Advantage: The GENIUS Act's advancement provides the regulatory framework needed for banks to compete legally in the stablecoin space
Infrastructure Leverage: Utilizing existing payment networks (Zelle, Clearing House) creates immediate competitive advantages over crypto-native competitors
Market Share Protection: With stablecoin market cap growing from $205 billion to $245 billion this year, banks must act quickly to prevent further market erosion
Geek Out On Risk Data
Risk Management
Managing Cybersecurity Risk: A Key Subset of Non-Financial Risk - riskonq.com
This week, we’re turning our attention to Cybersecurity Risk. Last week, we dove into Model Risk, another Non-Financial Risk type. As we continue to expand our coverage of non-financial risk types, it becomes clear that the scope of non-financial risks banks must manage is even broader than that of their financial risks.
We will continue our focus on non-financial risk types to deepen our understanding and explore how they fit into the broader risk management ecosystem within the financial sector.
Cybersecurity Risk Management: Comprehensive Analysis for Financial Institutions
What Is Cybersecurity Risk?
Cybersecurity risk refers to the potential for financial loss, operational disruption, or reputational damage due to failures in information systems, breaches of data confidentiality, integrity, or availability, and attacks exploiting vulnerabilities in digital infrastructure. For financial institutions, these risks are particularly acute given their reliance on digital systems and the sensitive nature of the data they handle.
How Does It Differ From or Interact With Other Risks?
Operational Risk: Cyber incidents can disrupt business processes, leading to operational failures.
Reputational Risk: Data breaches can erode customer trust and damage brand reputation.
Compliance Risk: Failure to adhere to cybersecurity regulations can result in legal penalties.
Strategic Risk: Inadequate cybersecurity can hinder strategic initiatives, such as digital transformation.
Why Is It Important for Financial Institutions Today?
Increasing Threat Landscape: Financial institutions are prime targets for cyberattacks due to the valuable data they possess.
Regulatory Pressure: Compliance with regulations like GLBA, FFIEC guidelines, and GDPR is mandatory.
Digital Transformation: The shift to digital banking increases exposure to cyber threats.
Third-Party Risks: Dependence on third-party vendors introduces additional vulnerabilities.
Key Risk Categories or Sources
Phishing and Social Engineering: Manipulative tactics to deceive employees into revealing sensitive information.
Malware and Ransomware: Malicious software that can disrupt operations or demand ransom payments.
Insider Threats: Employees or contractors who intentionally or unintentionally compromise security.
Third-Party Vulnerabilities: Security weaknesses in vendor systems that can be exploited.
Advanced Persistent Threats (APTs): Prolonged and targeted cyberattacks aimed at stealing data or surveilling activities.
Financial Institution Context
Institution Type | Primary Exposure Areas
Retail Banks | Online banking platforms, ATM networks, mobile apps
Investment Firms | Trading systems, client data repositories
Insurance Companies | Policyholder databases, claims processing systems
Fintechs | APIs, cloud-based services, mobile applications
Most Affected Products/Services:
Online and mobile banking services
Payment processing systems
Customer relationship management platforms
Cloud-based financial services
Regulatory Environment
Key U.S. Regulatory Agencies:
Federal Financial Institutions Examination Council (FFIEC): Provides cybersecurity assessment tools and guidelines.
Office of the Comptroller of the Currency (OCC): Oversees national banks' cybersecurity practices.
Securities and Exchange Commission (SEC): Regulates cybersecurity disclosures for public companies.
Consumer Financial Protection Bureau (CFPB): Ensures consumer data protection in financial services.
Global Frameworks to Watch:
ISO/IEC 27001: International standard for information security management systems.
NIST Cybersecurity Framework: Provides a policy framework of computer security guidance.
Basel Committee on Banking Supervision: Offers principles for operational resilience, including cybersecurity.
Risk Management Strategies
Traditional Approaches:
Firewalls and Antivirus Software: Basic defense mechanisms against known threats.
Security Policies and Procedures: Guidelines for employee behavior and system usage.
Regular Audits and Assessments: Periodic evaluations of security posture.
Modern Tools & Technologies:
Security Information and Event Management (SIEM): Real-time analysis of security alerts.
Endpoint Detection and Response (EDR): Tools for detecting and investigating suspicious activities on endpoints.
Zero Trust Architecture: Security model that requires strict identity verification for every person and device.
Artificial Intelligence and Machine Learning: Advanced analytics for threat detection and response.
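As an added illustration of what "real-time analysis of security alerts" means in practice (an example written for this piece, not code from any SIEM product or from the sources cited above), the script below applies one common correlation rule to constructed authentication log lines: flag a source address that fails login five or more times within five minutes, and escalate if a successful login from that same source follows the burst. The log format, IP addresses, usernames and thresholds are all assumed for the example; a malformed line is included to show that the parser skips records it cannot read instead of crashing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical hosts and users, not a real system).
SAMPLE_LOGS = """\
2025-06-02T08:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2025-06-02T08:00:02Z kernel: unrelated message that the auth parser must skip
2025-06-02T08:00:03Z auth user=bob src=203.0.113.7 result=FAIL
2025-06-02T08:00:05Z auth user=carol src=203.0.113.7 result=FAIL
2025-06-02T08:00:07Z auth user=dave src=203.0.113.7 result=FAIL
2025-06-02T08:00:09Z auth user=erin src=203.0.113.7 result=FAIL
2025-06-02T08:00:20Z auth user=bob src=198.51.100.9 result=FAIL
2025-06-02T08:00:31Z auth user=bob src=198.51.100.9 result=FAIL
2025-06-02T08:00:45Z auth user=bob src=198.51.100.9 result=SUCCESS
2025-06-02T08:01:00Z auth user=carol src=203.0.113.7 result=SUCCESS
2025-06-02T09:00:00Z auth user=frank src=192.0.2.55 result=FAIL
2025-06-02T09:30:00Z auth user=frank src=192.0.2.55 result=FAIL
2025-06-02T10:00:00Z auth user=frank src=192.0.2.55 result=FAIL
2025-06-02T10:30:00Z auth user=frank src=192.0.2.55 result=FAIL
2025-06-02T11:00:00Z auth user=frank src=192.0.2.55 result=FAIL
"""

# Assumed log layout: "<ISO timestamp> auth user=<name> src=<ip> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Sliding-window correlation per source IP.

    Rule 1 (auth_failure_burst): >= threshold failures from one source within
    `window`, raised once per burst.
    Rule 2 (success_after_burst): a SUCCESS from that source while the burst
    is still fresh, the pattern a password-spraying attempt leaves behind.
    """
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    burst_until = {}                    # src -> time until which the burst counts as active
    alerts = []
    for event in (parse_line(l) for l in lines):
        if event is None:
            continue                    # unparseable line: skipped, not fatal
        ts, src = event["ts"], event["src"]
        if event["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()             # age out failures older than the window
            if len(q) >= threshold:
                already_active = src in burst_until and ts <= burst_until[src]
                if not already_active:
                    alerts.append({"rule": "auth_failure_burst", "src": src,
                                   "count": len(q), "at": ts})
                burst_until[src] = ts + window
        else:  # SUCCESS
            if src in burst_until and ts <= burst_until[src]:
                alerts.append({"rule": "success_after_burst", "src": src,
                               "user": event["user"], "at": ts})
    return alerts


def run_sample():
    """Run the rules over the constructed log above."""
    return detect_bruteforce(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Of the three sources in the sample, only 203.0.113.7 trips both rules; 198.51.100.9 looks like a user mistyping a password, and 192.0.2.55 fails five times but spread over two hours, which the sliding window correctly ignores. The threshold and window are the tuning knobs a SOC adjusts to balance MTTD against alert fatigue.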
Emerging Trends & Innovation
Cloud Security: Ensuring secure migration and operation in cloud environments.
Cybersecurity Mesh Architecture (CSMA): A flexible, modular approach to security.
Extended Detection and Response (XDR): Integrated security incident detection and response across multiple layers.
Regulatory Technology (RegTech): Leveraging technology to meet compliance requirements efficiently.
Measurement & Monitoring
Key Metrics & Indicators:
Mean Time to Detect (MTTD): Average time taken to identify a security incident.
Mean Time to Respond (MTTR): Average time taken to respond to a security incident.
Number of Detected Incidents: Total security incidents identified over a period.
Compliance Scores: Evaluation against regulatory requirements and standards.
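To make the first three metrics concrete, here is an added worked example (our own illustration, not code from any referenced report or vendor) that computes MTTD, MTTR and the incident count from a constructed incident register and flags them against target thresholds; the incident records, categories and targets are all hypothetical. It also handles the case the definitions gloss over: an incident that is still open has a detection time but no response time yet, so it contributes to MTTD but is excluded from MTTR rather than being counted as zero, which would flatter the metric.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    category: str
    occurred_at: datetime              # when the compromise began (established by forensics)
    detected_at: datetime              # when the institution first identified it
    responded_at: Optional[datetime]   # when containment completed; None while still open


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample incident register (hypothetical records, not real data).
INCIDENTS = [
    Incident("INC-001", "phishing",    _ts("2025-03-01 09:00"), _ts("2025-03-01 11:30"), _ts("2025-03-01 15:30")),
    Incident("INC-002", "malware",     _ts("2025-03-03 22:00"), _ts("2025-03-05 08:00"), _ts("2025-03-05 20:00")),
    Incident("INC-003", "insider",     _ts("2025-03-10 14:00"), _ts("2025-03-12 14:00"), None),
    Incident("INC-004", "third_party", _ts("2025-03-15 06:00"), _ts("2025-03-15 06:45"), _ts("2025-03-15 09:45")),
]


def _hours(delta) -> float:
    return delta.total_seconds() / 3600.0


def _select(incidents, category):
    return [i for i in incidents if category is None or i.category == category]


def mttd_hours(incidents, category=None) -> Optional[float]:
    """Mean Time to Detect: average of (detected_at - occurred_at) in hours.
    Every incident has a detection time, so open incidents count here too."""
    chosen = _select(incidents, category)
    if not chosen:
        return None
    return mean(_hours(i.detected_at - i.occurred_at) for i in chosen)


def mttr_hours(incidents, category=None) -> Optional[float]:
    """Mean Time to Respond: average of (responded_at - detected_at) in hours.
    Open incidents have no response time yet and are excluded, not counted as zero."""
    closed = [i for i in _select(incidents, category) if i.responded_at is not None]
    if not closed:
        return None
    return mean(_hours(i.responded_at - i.detected_at) for i in closed)


def detected_in_period(incidents, start: datetime, end: datetime) -> int:
    """Number of Detected Incidents: detections in the half-open window [start, end)."""
    return sum(1 for i in incidents if start <= i.detected_at < end)


def kri_report(incidents, mttd_target_hours: float, mttr_target_hours: float) -> dict:
    """Key risk indicator summary with a simple within-target flag for each metric."""
    mttd = mttd_hours(incidents)
    mttr = mttr_hours(incidents)
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if i.responded_at is None),
        "mttd_hours": mttd,
        "mttr_hours": mttr,
        "mttd_within_target": mttd is not None and mttd <= mttd_target_hours,
        "mttr_within_target": mttr is not None and mttr <= mttr_target_hours,
    }


if __name__ == "__main__":
    # Hypothetical targets: detect within 12 hours, respond within 8 hours of detection.
    print(kri_report(INCIDENTS, mttd_target_hours=12, mttr_target_hours=8))
```

With the sample register, MTTD comes out at about 21.3 hours, dominated by the malware and insider cases, while MTTR is about 6.3 hours across the three closed incidents. A committee reviewing these numbers should ask for the breakdown by category rather than the headline average, since a single slow-to-detect insider case can mask otherwise fast detection elsewhere.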
Governance Frameworks:
Three Lines of Defense Model: Distinct roles for management, risk/compliance, and internal audit.
Cybersecurity Risk Committees: Dedicated groups overseeing cybersecurity strategy and risk management.
Actionable Insights & Best Practices
✅ Success Factors:
Employee Training: Regular awareness programs to prevent social engineering attacks.
Incident Response Planning: Established procedures for responding to security incidents.
Vendor Risk Management: Assessing and monitoring third-party security practices.
Continuous Monitoring: Real-time surveillance of systems for potential threats.
⚠️ Common Pitfalls:
Complacency: Underestimating the evolving nature of cyber threats.
Insufficient Resources: Lack of investment in cybersecurity tools and personnel.
Poor Communication: Inadequate reporting and information sharing across departments.
Delayed Patch Management: Failure to promptly address known vulnerabilities.
Real-World Example
A regional bank experienced a ransomware attack that encrypted critical customer data. Due to a lack of proper backups and an incident response plan, the bank had to pay a substantial ransom to regain access. Post-incident analysis revealed outdated systems and inadequate employee training as contributing factors. The bank has since overhauled its cybersecurity infrastructure, implemented regular training sessions, and established a comprehensive incident response strategy.
📌 Bottom Line
Cybersecurity risk management is not a one-time effort but an ongoing commitment. Financial institutions must stay vigilant, adapt to emerging threats, and foster a culture of security awareness. By integrating robust cybersecurity practices into their operations, they can protect their assets, maintain customer trust, and ensure regulatory compliance.
_________________________________
Thank you for reading.
Naeem
P.S. Empower your colleagues with essential risk intelligence. Forward the Risk Queue newsletter—trusted by leading financial professionals. Subscribe here!