Risk & Compliance Hot Topics: AI Risk & Security, Climate Risk Management, Banking as a Service

This month’s roundup of recent news and developments in the world of governance, risk, and compliance (GRC) for financial services includes the following topics:

• AI risk and security
• Climate-related financial risk management
• CUNA/NAFCU merger approved
• Banking as a service (BaaS)

Let’s dive in:

AI risk and security management emerges as top technology trend for 2024

Last month, Gartner announced its list of the top 10 strategic technology trends for 2024, with “AI trust, risk, and security management” ranking at number one.

“The democratization of access to AI has made the need for AI Trust, Risk and Security Management (TRiSM) even more urgent and clear,” Gartner stated in a press release. “Without guardrails, AI models can rapidly generate compounding negative effects that spin out of control, overshadowing any positive performance and societal gains that AI enables.”

On October 30, President Biden issued an executive order establishing new standards for AI safety and security, directing regulatory agencies to “consider using their full range of authorities to protect American consumers from fraud, discrimination, and threats to privacy and to address other risks that may arise from the use of AI, including risks to financial stability, and to consider rulemaking, as well as emphasizing or clarifying where existing regulations and guidance apply to AI.” [See Sec. 8(a)]

The order also directs banking regulators to address artificial intelligence risks in financial services, as the ABA Banking Journal explains:

“The order encourages agencies to use their authority to address financial stability risks posed by AI. It directs the Treasury Department to submit a report within 150 days on best practices for financial institutions to manage cybersecurity risks posed by AI. It also urges the CFPB and federal housing regulators to ensure AI isn’t used to discriminate in appraisals and lending.”

Banking regulators release guidance for climate-related financial risk management

On October 24, the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC) issued interagency guidance for managing climate-related financial risk at large financial institutions with at least $100 billion in assets.

A summary provided by the FDIC states that:

“The final guidance contains high-level principles covering six areas: governance; policies, procedures, and limits; strategic planning; risk management; data, risk measurement, and reporting; and scenario analysis. Additionally, the final principles describe how climate-related financial risks can be addressed in the management of traditional risk areas.”

For smaller firms not covered by the guidance, one legal analysis encourages institutions to keep up with regulatory activity and industry developments in this area and be proactive about considering future strategy and risk management requirements.

“While many financial institutions are not yet covered by the new Interagency guidance, institutions of all shapes and sizes should anticipate increased focus on climate risk and sustainability issues. In time, there may be a waterfall of these principles to smaller institutions. Given the sense of urgency expressed by several regulators, including the OCC and CFPB, we may expect these concepts to be incorporated in some manner going forward, whatever an institution’s profile. We also can expect various states and other agencies to continue to develop climate-risk related rules, such as the recent California Climate-Related Financial Risk Act (SB261) and the pending SEC rules, which Commissioner Gensler recently discussed at the U.S. Chamber’s Center for Capital Markets Competitiveness.”

CUNA and NAFCU members approve merger

On November 2, the Credit Union National Association (CUNA) and National Association of Federally-Insured Credit Unions (NAFCU) announced that their members voted to approve a merger between the two associations, forming a single entity called America’s Credit Unions. The new organization will be legally formed on January 1, 2024.

The vote was unanimous, with 94 percent of CUNA members and 86 percent of NAFCU members voting in favor of the merger.

Banking as a Service (BaaS) “bonanza”: bank–fintech partnerships invite regulatory scrutiny

Financial institutions that partner with fintechs to offer banking-as-a-service (BaaS) programs are facing increased regulatory scrutiny, Banking Dive reports.

Bank executives and other industry leaders are taking note. Gilles Gade, CEO of New Jersey–based Cross River Bank, predicted that 2024 will be a “bonanza” year for fintech partnerships during a speech at the Money 20/20 conference in late October. Cross River Bank provides BaaS programs for payments, fintech, and crypto firms.

“The banks need help to regulate the fintechs. That help is not going to come from the regulators,” Gade warned. “And we know all too well that if we stop in our tracks, innovation will fall behind the rest of the world, we won’t be competitive anymore, and those consumers are going to go elsewhere. … we need to basically enable the banks to accelerate the path towards being in compliance.”

He speaks from experience, as Cross River Bank was ordered by the FDIC earlier this year to correct “unsafe and unsound” fair lending practices after a consumer compliance examination. The bank was barred from entering any new third-party partnerships without the prior approval.

“While all banks need to expect heightened regulatory attention to interest rate risk and solvency, fintech partner banks must prepare for a particularly hard scrub,” Konrad Alt, partner at financial services advisory firm Klaros Group, told Banking Dive. With enforcement actions on the rise, institutions that provide banking services for fintechs must bolster their compliance posture and improve oversight of third-party partnerships.