Financial institutions’ regulatory outlook for 2024

The failures of several larger banks in early 2023 pushed regulators to propose several rules that, if finalized, would apply to larger financial institutions, primarily those with more than $100 billion in assets. At the same time, federal financial institution regulators also issued final guidance and proposals in October 2023 for other areas that will affect risk management and compliance efforts at organizations of all sizes. Regulators are expected to continue ramping up supervisory activities through 2024 around liquidity, third-party risk, anti-money laundering (AML), cybersecurity, and operational resilience.

Financial institutions find themselves navigating renewed challenges, particularly with liquidity risk and interest rate risk management. Competitive forces continue to press increased deposit rates amid sluggish loan growth that is keeping margins razor thin at most institutions.

In July 2023, the federal financial institution regulators issued an addendum to the longstanding “Interagency Policy Statement on Funding and Liquidity Risk Management.” The 2023 statement places a significant emphasis on contingency funding plans.

As regulators begin 2024 examinations, examiners will be closely monitoring financial institutions’ approaches to fortifying their liquidity positions and managing exposure to interest rate risk. In accordance with the 2023 guidance, organizations should be testing and confirming access to contingency funding sources as part of their broader liquidity risk management strategy.

The current environment has enhanced the importance of asset-liability committees (ALCOs) and risk committees in the reporting and monitoring of liquidity risk management strategies. Regulatory scrutiny has intensified in recent examinations, as indicated through some recent formal enforcement actions in which liquidity and asset-liability management are receiving heightened attention to confirm the effectiveness of risk mitigation measures. Further evidence of this focus on liquidity risk management has also been observed in remarks presented at recent regulatory speeches as well.

As financial institutions navigate the increasingly complex regulatory landscape, the spotlight remains firmly on third-party risk management. Financial institution regulators continue to refine their focus, driven by updated guidance that raises the bar for organizations to maintain robust and mature risk management programs throughout the entire life cycle of third-party relationships.

• Historical focus and banking regulatory milestones. Third-party risk management has been an emerging focus for regulators since the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (Fed) issued separate guidance in 2013.
• Evolving expectations and continued challenges. Regulators are particularly focusing on fintech partnerships and banking as a service relationships.
• Key governance roles outlined. The updated 2023 interagency guidance that replaces the previous Fed and OCC guidance delineates crucial governance roles, necessitating an assessment of whether third-party relationships align with the banking organization's strategic goals and risk appetite in compliance with applicable laws and regulations.

In the complex financial institution regulatory landscape, the refined focus on Bank Secrecy Act (BSA) and AML compliance efforts unveils an environment shaped by ongoing investigations and heightened regulatory scrutiny.

The growing sophistication of financial crimes and money laundering schemes requires a proactive stance by financial institutions of all sizes to combat emerging threats. This requires financial institutions to continually enhance their systems and programs to fortify their defenses, recognizing the imperative of staying ahead in the battle against illicit activities.

As technology advances, the integration of artificial intelligence (AI) into financial systems makes compliance programs even more challenging. Regulators are closely monitoring the impact of AI on AML efforts, acknowledging the benefits of innovation coupled with the required risk management.

In navigating BSA and AML compliance, the convergence of technological advancements and regulatory updates underscores the strategic imperative for financial institutions. Staying ahead is not only a regulatory compliance requirement but a proactive risk management measure to safeguard the integrity of an organization and the broader financial system in the face of evolving threats.

Cybersecurity remains a critical joint effort among the agencies, as underscored by more than a decade of collaboration through the formation of the Cybersecurity and Critical Infrastructure Working Group by the Federal Financial Institutions Examination Council (FFIEC).

Even as financial institutions continually refine their capacity to allocate resources for preventing cyberattacks and bolster readiness to respond when such incidents occur, the evolving complexity of cybersecurity risk requires a nuanced understanding of each institution’s threat response capabilities.

While attention has traditionally focused on preventive controls, there is a growing emphasis on recovery capabilities and broader cyber resilience measures. In June 2023, the OCC updated its Cyber Supervision Work Program, highlighting the inadequacy of single-factor authentication and directing attention toward systems configurations, patch management, and incident response.

A cyber resilient organization, as outlined by the OCC, demonstrates the ability to adapt to both known and unknown crises, threats, adversities, and challenges. The update also covers guidance on the requirement for notification to the primary regulator, emphasizing transparency and communication in the event of a security incident. The FFIEC also updated the cybersecurity resource guide in November 2022 to include ransomware-specific resources.

Operational resilience and sustainability are growing areas of focus in the supervisory process, signaling a shift toward heightened attention on board oversight and strategic planning. Boards likely will be under increased attention to ensure institutions are setting the right tone at the top, adhering to risk tolerances, and providing credible challenges to management.

While “SR 20-24: Interagency Paper on Sound Practices to Strengthen Operational Resilience” has been in effect for larger banks (exceeding $250 billion), there has been a noteworthy expansion of discussions on operational resilience to include organizations well under that threshold. Regulators are engaging in conversations that incorporate elements of business continuity management, reflecting an industrywide effort to fortify operational frameworks and response capabilities.

In addition, the Federal Deposit Insurance Corp. issued proposed enhanced corporate governance standards in September 2023 that, if finalized, would substantially raise the bar for banks with more than $10 billion in assets.

AI is an emerging focus in the financial institution regulatory landscape, and it likely will gain more attention from regulators through the rest of 2024. Three key recent developments include:

• Insight on AI and bank supervision. A noteworthy contribution to the dialogue on AI in banking comes from the Federal Reserve Bank of Richmond, whose article sheds light on the evolving relationship between AI technologies and the supervisory processes within financial services organizations.
• CFPB guidance on AI in credit denials. The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2023 specifically addressing the use of AI in credit denials. This guidance offers clarity and regulatory direction for employing AI algorithms in credit-related decisions.
• Executive order on AI standards. In October 2023, an executive order directed agencies to review and establish new standards for AI safety, security, and privacy. The order tasked the U.S. Department of the Treasury with producing a report on best practices to manage these risks, further emphasizing the regulatory commitment to the responsible and secure implementation of AI technologies.

As financial institution regulators continue to refine expectations regarding use of AI in banking, it is important that banks manage AI use in a safe, sound, and fair manner in accordance with existing supervisory guidance.

Outside of the safety and soundness spectrum, several key developments are emerging in the banking regulatory environment of consumer compliance.

Uncertainty likely will continue regarding the implementation timing of the CFPB small business lending data collection final rule, which is required under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Several legal challenges and resulting injunctions providing a stay on the effective date remain in limbo until a Supreme Court final ruling, which is expected in spring 2024.

In addition, the CFPB issued the comprehensive October 2023 proposal on Section 1033, which introduces open banking considerations, reflecting a broader shift toward enhancing consumer control over their financial data. This proposal navigates the delicate balance between innovation and consumer protection, presenting financial institutions with new considerations in their compliance strategies.

Lastly, long-awaited Community Reinvestment Act modernization rules were issued by the Fed, OCC, and FDIC in October 2023, with initial reporting requirements targeted for 2027.