
Wells Fargo Near Decade-Long Regulatory Pressure Ends

PLUS: AI Agents in Finance, CFPB's Sweeping Rollback, 2025 Regulatory Outlook, Mortgage Crisis Early Stages, Third-Party Risk Management Analysis

Welcome back to the Risk Queue!

Wells Fargo's nine-year, $10+ billion journey from scandal to asset cap freedom demonstrates the true cost of risk management failures. Meanwhile, housing markets are deteriorating and agentic AI deployment is accelerating across financial services, even as third-party dependencies multiply systemic vulnerabilities. Also, the CFPB's unprecedented regulatory rollback!

-From Naeem, CEO & Founder - Risk On Q

In today's Risk Queue:

  • Wells Fargo escapes asset cap after nearly a decade of regulatory pressure

  • Pending home sales collapse 6.3% as mortgage rates exceed 6.9%

  • Agentic AI creates 60% research gains but amplifies operational risks

  • AI software engineering offers 30-55% productivity revolution

  • Third-party risk management evolves with AI-driven monitoring tools

  • Global regulatory fragmentation complicates 2025 compliance landscape

  • CFPB revokes 70 guidance documents

Risk Headlines

Wells Fargo's journey from the 2016 fake accounts scandal to the 2025 asset cap removal represents one of the most comprehensive risk management failures and transformations in modern banking history, requiring nine years, over $10 billion in penalties, and three CEO transitions to achieve regulatory rehabilitation. Link to the overview of the bank's years-long effort to address its regulatory woes:

Key Points:

  • 2016-2025 reveals over a dozen consent orders cleared and multiple leadership changes orchestrated to achieve regulatory rehabilitation.

  • Total penalties exceeded $10 billion across multiple settlements ($185M initial, $3B criminal/civil, $3.7B CFPB), demonstrating the enormous cost of cultural and compliance failures.

  • Three CEO transitions (Stumpf → Sloan → Scharf) show how much change and impact were required inside the firm.

  • While constrained, competitors expanded dramatically: JPMorgan (+$2T), Bank of America (+$1T), PNC (+$200B), creating substantial market share erosion requiring aggressive catch-up strategies.

Sources: Company statements, Reuters and media reports, regulatory filings

_________________________________

The April 2025 pending home sales collapse, falling 6.3% against economist expectations of only 1.0%, signals deeper housing market deterioration driven by persistently high mortgage rates above 6.9% that are expected to remain elevated through 2026. This creates significant systemic risk for the banking sector, where over 60 major institutions now face excessive commercial real estate exposures exceeding 300% of equity capital, while troubled debt restructuring has tripled to $18 billion across the industry.

A.I. Risk / Technology Risk

This agentic AI development represents a watershed moment in financial technology evolution, fundamentally altering the relationship between human oversight and system autonomy in ways that challenge core banking principles.

Key Points:

  • Regulatory Framework Urgency - The EU AI Act considers agentic systems "high-risk" with stricter obligations for transparency, explainability, and continuous human oversight, while financial institutions must prepare for compliance frameworks that don't yet exist for autonomous AI systems.

  • Operational Risk Amplification - Agentic AI introduces unique risks including goal misalignment, tool misuse, and dynamic deception, where systems could misinterpret client risk appetites or bypass controls through unintended action sequences.

  • Competitive Advantage Window - Early adoption demonstrates 60% increase in research consumption while cutting task completion times by 30%, with over 90% of AI interactions focused on high-value analytics creating significant first-mover advantages for institutions that implement responsibly.

  • Human Capital Transformation - Agentic AI may reduce roles in data entry, compliance, investment, asset management and auditing, requiring massive reskilling initiatives while freeing talent for strategic activities.

  • Trust and Accountability Imperative - The autonomous nature of AI agents demands "compliance by design" approaches with real-time monitoring systems, as delegation capability represents the critical inflection point for AI value creation in financial services.

_________________________________

AI-powered software engineering represents a fundamental transformation in banking technology capabilities, offering both massive productivity gains and strategic competitive advantages that make immediate adoption essential for a firm’s survival.

Key Points:

  • Productivity revolution: 30-55% efficiency gains across software development, creating transformational competitive advantages

  • Legacy system liberation: AI-powered tools solving decades-old technical debt and COBOL modernization challenges

  • Workforce transformation: Addressing critical skills shortages while upskilling existing talent for AI-augmented development

  • Strategic investment imperative: Massive capital deployment ($107.8B annually) requiring immediate AI integration for competitive survival

Regulatory News - Fines, Losses, & Rules

The Consumer Financial Protection Bureau (CFPB) has undertaken a dramatic policy reversal, revoking nearly 70 guidance documents while simultaneously dismissing 18 federal court cases and vacating four settlements. This represents the largest single regulatory rollback in the agency's history.

The agency has explicitly shifted its enforcement priorities away from nonbank financial services toward traditional banking institutions, while maintaining aggressive pursuit of mortgage lending, consumer reporting, and debt collection violations.

Critically, the CFPB has declared its own Open Banking Rule "unlawful" and seeks its vacation, creating unprecedented regulatory uncertainty in digital financial services.

Key Points:

  • Regulatory Burden Reduction: 67 guidance documents withdrawn, reducing compliance complexity but creating interpretation gaps

  • Enforcement Refocus: Priority shift from nonbanks to banks, with mortgage lending designated as highest enforcement priority

  • Market Uncertainty: Some helpful industry guidance eliminated alongside problematic overreach policies

  • Litigation Dismissals: 18 pending federal cases dismissed, 4 settlements vacated, reducing immediate enforcement pressure

  • Digital Banking Impact: Open Banking Rule declared unlawful, affecting fintech partnerships and data sharing strategies

_________________________________

The 2025 regulatory landscape presents unprecedented complexity through increasing fragmentation of global standards, with policymakers prioritizing national interests over international cooperation across Basel 3.1 implementation, AI governance, and digital asset regulation.

Financial institutions face immediate operational challenges from new resilience standards targeting third-party technology dependencies, enhanced consumer protection requirements demanding demonstrable good outcomes, and intensified supervisory focus on risk management remediation following the 2023 banking crisis.

Geek Out On Risk Data

Risk Management

Managing Third Party Risk: A Key Subset of Non-Financial Risk - riskonq.com

This week, we’re turning our attention to Third-Party Risk. Last week, we dove into Cybersecurity Risk, another Non-Financial Risk type. As we continue to expand our coverage of non-financial risk types, it is worth noting that the scope of non-financial risks banks must manage is even broader than that of their financial risks.

We will continue our focus on non-financial risk types to deepen our understanding and explore how they fit into the broader risk management ecosystem within the financial sector.

Third-Party Risk Management: Comprehensive Analysis for Financial Institutions

Defining Third-Party Risk Management

Third-party risk management (TPRM) is the systematic process of identifying, assessing, and mitigating risks arising from an institution’s reliance on external entities to deliver products, services, or technologies. Unlike traditional vendor management, TPRM encompasses all third-party relationships—including suppliers, contractors, fintech partners, and subcontractors (fourth parties)—and addresses multidimensional risks such as cybersecurity breaches, regulatory non-compliance, and supply chain disruptions.

For financial institutions, TPRM is not merely a compliance exercise but a strategic capability that safeguards reputation, ensures business continuity, and maintains stakeholder trust.

Differentiation from Related Risk Domains

While TPRM intersects with other risk categories, its unique characteristics demand specialized frameworks:

  • Operational Risk: TPRM focuses specifically on failures originating from external partners, whereas operational risk broadly includes internal process inefficiencies.

  • Cybersecurity Risk: Third-party breaches often serve as entry points for attacks, but TPRM also addresses non-technical risks like contractual non-performance.

  • Compliance Risk: Regulatory penalties for third-party misconduct (e.g., GDPR violations by cloud providers) require TPRM programs to integrate legal and regulatory monitoring.

Key Risk Categories in Third-Party Relationships

Vendor and Supplier Risk

Financial institutions engage vendors for core functions like payment processing, cloud storage, and customer analytics. Risks include:

  • Data Security Gaps: A 2025 PwC survey found that 37% of financial firms experienced breaches via third-party APIs, highlighting vulnerabilities in shared systems.

  • Financial Instability: The collapse of a key SaaS provider could disrupt lending operations, necessitating liquidity buffers and contingency plans.

Outsourcing Risk

Regulators increasingly treat outsourcing as a high-risk activity, particularly when involving critical operations. The European Banking Authority (EBA) mandates that banks retain accountability for outsourced functions, requiring granular contract terms and audit rights. For example, a U.S. regional bank faced $2.1 million in penalties after its offshore call center violated telemarketing laws, underscoring the need for cross-border compliance audits.

Fourth-Party and Nth-Party Risk

Fourth parties—subcontractors engaged by primary vendors—introduce opaque risks. In 2024, a major investment firm discovered that its AI-driven trading platform relied on a fourth-party data vendor with inadequate anti-money laundering (AML) controls, necessitating a costly remediation program. Institutions now use blockchain-enabled supply chain mapping tools to visualize nth-party dependencies in real time.

Technology Service Provider (TSP) Risk

Cloud providers, API aggregators, and blockchain networks pose unique challenges:

  • Concentration Risk: Overreliance on a single cloud infrastructure (e.g., AWS or Azure) amplifies systemic risk, as seen during the 2024 AWS East outage that halted trading for 14 fintechs.

  • Algorithmic Bias: Regulators are scrutinizing third-party AI models used in credit scoring; the OCC’s 2024 guidance requires validation of algorithmic fairness metrics.

Regulatory Frameworks Governing TPRM

U.S. Regulatory Landscape

  • OCC Bulletin 2013-29: Establishes lifecycle-based TPRM standards for national banks, emphasizing due diligence, contract oversight, and stress testing.

  • Federal Reserve SR 13-19: Focuses on outsourcing risks, mandating board-level reporting and concentration risk limits for critical vendors.

  • FDIC FIL 23029 (2023): Expands the definition of “third parties” to include non-contractual partners like open banking API providers, requiring enhanced monitoring.

Global Standards and Directives

  • EU Digital Operational Resilience Act (DORA): Effective January 2025, DORA mandates ICT third-party risk assessments, exit strategies, and multi-vendor redundancy for financial entities.

  • EBA Outsourcing Guidelines: Require EU banks to maintain registers of all outsourcing arrangements, conduct on-site audits of third parties, and ensure data localization compliance.

  • APRA CPS 230: Australia’s 2024 standard imposes operational risk capital charges for poor TPRM practices, linking vendor risk to capital adequacy.

The TPRM Lifecycle: From Due Diligence to Offboarding

Risk-Based Due Diligence

Leading institutions use AI-powered platforms to automate vendor screenings, analyzing 120+ risk indicators across financial health, litigation history, and cyber posture. For high-risk vendors (e.g., core banking processors), onsite audits and penetration testing are mandatory. A tiered approach categorizes vendors as critical, high, medium, or low risk, allocating resources proportionally.

Contractual Safeguards and SLAs

Modern TPRM contracts embed:

  • Right-to-Audit Clauses: Enabling unannounced inspections of vendor facilities.

  • Liability Allocations: Requiring vendors to cover 150% of breach-related costs in critical sectors.

  • Performance Bonds: Held in escrow to ensure continuity during vendor transitions.

Continuous Monitoring and AI-Driven Analytics

Real-time monitoring tools track vendor performance metrics, regulatory changes, and threat intelligence feeds. For example, machine learning models predict vendor bankruptcy risks with 89% accuracy by analyzing earnings calls and supply chain delays. Behavioral analytics now flag insider threats at third parties by detecting anomalous data access patterns.

Termination and Transition Planning

Regulators increasingly demand “living” exit plans updated quarterly. A top 10 U.S. bank reduced transition costs by 40% using blockchain smart contracts to automate data repatriation and service handovers.

Emerging Trends Reshaping TPRM

AI and Predictive Risk Analytics

Generative AI tools now draft vendor risk reports, benchmark contracts against regulatory templates, and simulate breach scenarios. In 2025, 62% of banks will deploy AI to monitor third-party communications for compliance red flags, cutting manual reviews by 70%.

Cryptographic Assurance and Zero-Trust Architectures

Quantum-resistant encryption and tokenized access controls minimize third-party data exposure. A European bank reduced phishing attacks by 83% after implementing hardware security modules (HSMs) for vendor authentication.

Actionable Insights for Financial Institutions

Strategic Recommendations

  1. Adopt a Three-Lines-of-Defense Model: Embed TPRM into frontline business units, risk management teams, and internal audit.

  2. Invest in Unified GRC Platforms: Integrate vendor risk data with ERM systems for holistic reporting.

  3. Conduct War-Gaming Exercises: Simulate third-party cyberattacks and supply chain failures to test resilience.

Case Study: AI-Driven Vendor Monitoring

A multinational bank avoided $50 million in potential fines by deploying NLP tools to analyze 12,000 vendor contracts for non-compliant terms, achieving 98% remediation within six months.

Conclusion and Future Directions

As third-party ecosystems grow in complexity, financial institutions must transition from reactive compliance to proactive risk intelligence. The convergence of AI, regulatory tech, and cryptographic verification will define next-generation TPRM frameworks.

_________________________________

Thank you for reading.

Naeem

p.s. Empower your colleagues with essential risk intelligence. Forward the Risk Queue newsletter—trusted by leading financial professionals. Subscribe here!