Regulatory Tensions, AI Risk Alarm, AI Agent Commerce Evolution
PLUS: Wells Fargo Consent Order Status, Financial Stability Report, Non-Financial Risk Management

Welcome back. This edition of the Risk Queue covers congressional challenges to post-crisis regulatory oversight structures, Mastercard's autonomous AI payment agents, JPMorgan's warnings about collapsed security boundaries, and the Fed's concerns over persistent financial vulnerabilities.
-From Naeem, CEO & Founder - Risk On Q
In today’s Risk Queue:
Bank supervision undermines tailoring requirements
24-hour trading risks flagged by Citadel
Wells Fargo exits 12th consent order
PCAOB fights SEC merger proposal
Fed warns of market vulnerabilities
JPMorgan reports SaaS security incidents
Mastercard launches AI payment agents
Non-Financial Risk Deep Dive
Risk Headlines
Key Points:
The hearing revealed a profound disconnect between legislative intent and regulatory implementation in banking supervision. While Congress established clear tailoring requirements in 2018, practical application has been undermined through opaque supervisory practices, subjective assessment criteria, and static thresholds that fail to account for economic reality.
These issues suggest a regulatory framework that has evolved beyond its legislative mandate in ways that reduce both economic efficiency and effective risk management. The testimony points toward reforms that would realign supervision with its core purpose: identifying and mitigating material financial risks that threaten institutional safety and soundness.
Banks that manage both financial and non-financial risks rigorously can expect to withstand regulatory scrutiny, since the aggregation of the two accurately represents a bank’s risk profile.
_________________________________
Citadel Securities flags US regulator about 24-hour trading infrastructure risks - source reuters.com
Key Points:
Citadel Securities, a major market maker founded by Ken Griffin that trades approximately $570 billion daily, has sent the SEC a comprehensive 29-page letter containing regulatory proposals and concerns across equities, derivatives, treasuries, credit and digital assets.
A primary concern highlighted is the infrastructure risk associated with 24-hour trading initiatives being planned by major exchanges including Nasdaq, Cboe Global Markets, and ICE (NYSE operator). Citadel specifically warns that overnight trading needs "a clear regulatory framework, as well as market infrastructure to support it," and calls for "consistency around dates".
The letter raises significant concerns about "private rooms" or alternative trading systems with limited participants, stating these "raise a number of concerns that warrant regulatory scrutiny" and do not comply with fair access and transparency rules.
A.I. Risk / Technology Risk
Key Points:
JPMorgan Chase has issued a striking warning that modern SaaS delivery models are creating dangerous concentration risk and undermining fundamental security architecture by prioritizing features over safety and dismantling traditional security boundaries.
Their CISO reveals the bank has already experienced multiple third-party security incidents requiring isolation of compromised providers, with threat actors actively targeting these trusted integration points. This creates unprecedented risk, particularly as AI and automation services rapidly proliferate.
_________________________________
Mastercard unveils Agent Pay, pioneering agentic payments technology to power commerce in the age of AI - source mastercard.com
Key Points:
Mastercard's launch of Agent Pay represents a significant evolution in payments by enabling AI agents to securely conduct transactions on behalf of consumers and businesses through enhanced tokenization technology.
By partnering with Microsoft, IBM, and major acquirers, Mastercard is positioning this as the foundation for an "agentic commerce future" where conversational AI can seamlessly execute purchases while maintaining bank centrality through tokenized credential integration that keeps issuers "at the forefront" with enhanced visibility and control.
New tokenization technology enables AI agents to securely make payments on users' behalf
Framework establishes critical guardrails through agent registration, consumer authorization controls, fraud protection, and transaction transparency mechanisms that help all parties identify AI-initiated payments
Regulatory News - Fines, Losses, & Rules
Wells Fargo Says CFPB Ended Compliance-Risk Consent Order - source pymnts.com
Key Points:
The Consumer Financial Protection Bureau (CFPB) has terminated a consent order related to Wells Fargo's compliance risk management program that was originally issued in 2018. This termination represents significant progress in Wells Fargo's regulatory remediation efforts, marking the 12th consent order closed by regulators since 2019 and the 6th since the start of 2025 alone.
Wells Fargo CEO Charlie Scharf specifically highlighted that this termination demonstrates they have "completed much of our common risk and control infrastructure work" that is also required by other outstanding consent orders.
_________________________________
PCAOB chair ‘deeply troubled’ by GOP Proposal to Fold Agency under SEC - source cfodive.com
Key Points:
The proposed elimination of the PCAOB represents a fundamental tension between regulatory consolidation and specialized oversight, raising critical questions about whether the accounting oversight functions that emerged from the Sarbanes-Oxley reforms would maintain their effectiveness if absorbed into the SEC's broader mandate.
This potential restructuring occurs at a time when PCAOB enforcement has been intensifying under current leadership, suggesting a clash between increased regulatory activity and political pushback, with significant implications for audit quality, investor protection, and market confidence should a multi-year transition period create oversight gaps.
Specialized audit oversight versus regulatory consolidation represents key philosophical debate
Transition risks could create significant gaps in accounting firm inspections
Historical accounting scandals provide cautionary context for regulatory changes
Political objectives of reducing regulatory burden conflict with recent enforcement intensification
_________________________________

Key Points:
The April 2025 Financial Stability Report reveals a mixed landscape where underlying vulnerabilities persist despite resilient banking fundamentals. Elevated asset valuations, substantial CRE refinancing needs, and historically high hedge fund leverage create vulnerabilities that could be amplified by the rising risks to global trade, funding pressures, and market liquidity deterioration witnessed during early April's market volatility.
The system now faces the most significant test of its post-financial crisis reforms as it navigates potential headwinds from trade policy uncertainty, CRE refinancing needs, and the unwinding of leveraged positions established during periods of lower interest rates and volatility.

Geek Out On Risk Data
Risk Management
Managing Non-Financial Risk - riskonq.com
This week, we’re turning our attention to Non-Financial Risk. Last week, we wrapped up our deep dive into the various types of Financial Risk. Interestingly, the range of non-financial risks that banks must manage is even broader than their financial risks.
In this edition, we’ll define these non-financial risk types to deepen our understanding and explore how they fit into the broader risk management ecosystem within the financial sector.
Non-Financial Risk Management: Comprehensive Analysis for Financial Institutions
Non-Financial Risk (NFR) refers to risks not directly tied to financial market fluctuations or credit exposures. These risks arise from operational inefficiencies, strategic missteps, regulatory non-compliance, technological failures, or reputational damage. For financial institutions, effective NFR management is critical to safeguarding stability, ensuring regulatory compliance, and maintaining stakeholder trust.
1. Core Principles and Objectives
Definition:
NFR encompasses operational, compliance, reputational, strategic, cyber, and conduct risks. It is defined by its potential to disrupt business continuity, erode profitability, and harm institutional credibility.
Core Principles:
Risk Prevention: Proactively identify vulnerabilities in processes, systems, and governance.
Compliance: Align with regulations (e.g., Basel Accords, GDPR) to avoid penalties.
Resilience: Build adaptive frameworks to withstand disruptions like cyberattacks or geopolitical shifts.
Strategic Alignment: Integrate NFR into enterprise risk management (ERM) to align with business goals.
Distinct Types and Impacts:
| Risk Type | Impact on Financial Institutions |
|---|---|
| Operational | System failures, fraud, or process breakdowns disrupt services. |
| Compliance | Fines, sanctions, or license revocations for regulatory breaches. |
| Reputational | Loss of customer trust and brand devaluation. |
| Strategic | Poor business decisions lead to market share loss. |
| Cyber/IT | Data breaches, ransomware, or service outages. |
| Conduct | Employee misconduct triggers litigation or regulatory action. |
Interconnection with Other Risks:
Credit/Market Risks: NFR failures (e.g., operational errors) can exacerbate financial losses.
Operational Risk: Overlaps with NFR in areas like IT failures or fraud.
Reputational Risk: Often a consequence of NFR events like compliance breaches.
2. Financial Institution Context
Institutional Adaptations:
Banks: Prioritize compliance risk (e.g., AML/KYC) and operational resilience.
Investment Firms: Focus on strategic risks (e.g., M&A missteps) and cyber threats.
Credit Unions: Emphasize conduct risk and community trust preservation.
Regulatory Influence:
Basel Accords: Require capital reserves for operational risks.
OCC/FED Guidelines: Mandate robust cyber risk frameworks and stress testing.
GDPR/CCPA: Enforce strict data privacy controls.
Product-Specific Risks:
Loans: Fraud risk in origination, compliance gaps in underwriting.
Derivatives: Legal enforceability and counterparty risks.
Digital Platforms: Cybersecurity vulnerabilities in fintech integrations.
Macroeconomic Factors:
Geopolitical instability heightens compliance and operational risks.
Technological advancements introduce cyber and third-party vendor risks.
3. Non-Financial Risk Management Strategies
Scoring & Rating Models:
Internal Models: Scenario analysis and risk control self-assessments (RCSA) quantify exposures.
External Ratings: Leverage benchmarks like ORX loss data for operational risk.
Monitoring & Reporting:
Key Risk Indicators (KRIs): Track metrics like audit findings or incident frequency.
Dashboards: Centralize data for board-level risk appetite monitoring.
Stress Testing & Diversification:
Scenario Planning: Simulate cyberattacks or regulatory changes to test resilience.
Portfolio Diversification: Mitigate concentration risks in geographies or products.
Technology & Analytics:
AI/ML: Predict fraud, automate compliance, and optimize risk models.
Blockchain: Enhance transparency in supply chains and contractual agreements.
Effectiveness & Limitations:
Pros: Technology improves accuracy and speed; stress testing reveals hidden vulnerabilities.
Cons: Overreliance on historical data limits forward-looking insights; AI models may introduce bias.
4. Measurement and Metrics Framework
| Metric Category | Key Tools/Indicators |
|---|---|
| Risk Appetite | Board-approved exposure limits for cyber/compliance. |
| KRIs | Incident frequency, audit non-conformities. |
| Capital Adequacy | OpRisk VaR, stress test results. |
| Early Warning Signals | Employee turnover, customer complaints. |
| Success Metrics | Reduction in fines, improved audit ratings. |
6. Actionable Insights
Best Practices:
Integrate NFR into ERM: Align risk appetite with strategic goals.
Leverage AI/ML: Deploy tools for real-time risk detection and reporting.
Conduct Regular Stress Tests: Simulate black-swan events like pandemics.
Centralize Data: Use cloud platforms for unified risk dashboards.
Case Study:
A global insurer reduced compliance fines by 40% after implementing AI-driven contract analysis and centralized risk reporting.
Pitfalls to Avoid:
Siloed Teams: Poor coordination between risk, compliance, and IT.
Static Models: Overreliance on historical data without scenario updates.
Underinvestment: Inadequate budgets for cybersecurity and staff training.
_________________________________
Thank you for reading.
Naeem
p.s. Empower your colleagues with essential risk intelligence. Forward the Risk Queue newsletter—trusted by leading financial professionals. Subscribe here!