Risk & Compliance Hot Topics: Top Banking Risks, CUNA/NAFCU Merger, Fintech Compliance Challenges

This month’s roundup of recent news and developments in the world of governance, risk, and compliance (GRC) for financial services includes:

• Key risks to banks in 2023
• CUNA/NAFCU merger
• SEC statement on risk assessment
• Compliance management challenges for fintechs

Let’s dive in:

FDIC releases 2023 Risk Review

On August 14, the Federal Deposit Insurance Corporation (FDIC) released its 2023 Risk Review, summarizing key risks in the banking industry. This year’s report includes a new section on crypto-asset risks, in addition to highlighting credit, market, operational, and climate-related risk categories.

The specific areas discussed in each risk category are as follows:

• Credit risk areas: agriculture, commercial real estate, consumer lending, energy, housing, leveraged lending and corporate debt, nonbank financial institution lending, small business lending
• Market risk areas: liquidity and deposits, net interest margins and interest rate risk
• Operational risk areas: cyber threats, illicit activity
• Climate-related risk areas: physical risks of severe weather and climate events

CUNA and NAFCU announce plans to merge

In August, the Credit Union National Association (CUNA) and the National Association of Federally-Insured Credit Unions (NAFCU) announced their intention to merge into one organization called America’s Credit Unions.

Reactions to the two trade associations merging vary, according to a CUToday survey, with industry leaders recognizing the benefits of a united voice for credit union advocacy, but also expressing concern over a lack of competition and checks and balances.

The merger is subject to approval from CUNA and NAFCU members, and the 60-day voting period opened on August 28.

A 16-person transition board of directors, with CUNA President Jim Nussle as the new association’s CEO, would helm the merger in the event of a successful vote. The proposed timeline plans for legal formation of the new organization in January 2024, with operations commencing by early 2025.

SEC warns against “troubling” risk assessment practices

On August 25, Paul Munter, chief accountant at the Securities and Exchange Commission (SEC), released a statement on the importance of comprehensive risk assessments.

Munter reminded auditors and management teams that “risk assessment processes are critical to the decisions regarding financial reporting and the effectiveness of internal control over financial reporting (ICFR).”

“Accordingly, we are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.”

“The crux of Munter’s remarks is that one-off incidents—i.e., a data breach—might not be part of traditional ICFR assessments but still could pose a significant impact to financial reporting,” Compliance Week reports. “The call for auditors to take on more responsibility in assessing such matters falls in line with increased pressure placed on the profession to serve as gatekeepers holding management accountable, most notably with the Public Company Accounting Oversight Board’s proposed standard updates to require auditors to enhance scrutiny toward potential instances of company noncompliance, including fraud.”

Benchmarking report finds fintechs struggling with compliance management

As regulators increase scrutiny over financial technology companies (fintechs) and bank-fintech partnerships, firms are struggling to keep up with compliance management.

Ninety-three percent (93%) of fintechs said it was challenging to meet regulatory requirements, and more than 60% paid at least $250K in fines for compliance violations in the past year, according to Alloy’s 2023 State of Compliance Benchmark Report.

“While a larger, well-established fintech may have a more developed compliance team, its challenges may center more around changes in regulatory requirements, reporting requirements, or managing the tools they use to manage their compliance program,” Tearsheet points out in a review of the report. “Whereas, earlier-stage fintechs that don’t yet have a compliance officer on staff or a complete team may struggle in the interpretation of various laws and regulations.”