The Federal Deposit Insurance Corporation (“FDIC”) published its annual Risk Review this past Monday, providing an overview of banking conditions for 2022 through early 2023. The FDIC started providing Risk Reviews to the marketplace in 2019, at which point it focused upon key risks in two categories – credit risk and market risk. However, in the 2022 Risk Review, the FDIC also covered operational risks as well as credit risks and market risks, with a particular focus on cyber threats and illicit activities, and addressed climate-related financial risk as well. This year’s Risk Review adds a fifth category of risks presenting challenges to the banking system: crypto-asset-related markets and activities, which the FDIC included largely due to the “failure of three large banking institutions in March and May” of this year.
Characterizing the response of the banking industry to the three bank failures as “resilient,” the FDIC nevertheless warns that “banking conditions [remain] stressed and vulnerable to additional adverse market developments.” Specifically, the biggest factors overall involve higher interest rates, high inflation, recession concerns and weaker overall economic conditions in 2023. In terms of credit risks, asset qualities remained favorable, but there are some weak spots, particularly with respect to stress on commercial real estate due to “structural decline in office demand and weak rent growth”; consumer loan past-due rates rising for credit cards and auto loans; a sharp slowdown in corporate debt issuance; and small business lending declining resulting from high inflation, labor market shortages and the winding down of lending under the Paycheck Protection Program. According to the FDIC, “Market risks were primarily related to the effects of higher interest rates. Deposit outflows along with high levels of unrealized losses could [continue to] pressure liquidity for some banks” in the remainder of 2023.
In terms of cyber risks, the FDIC points to risks to banks as a result of ransomware attacks as well as to cyber attacks on critical infrastructure such as banks that have doubled in the last year, according to the Microsoft Digital Defense Report from November 2022. The cyber portion of the Risk Review also focuses on the intersection between cyber events and anti-money laundering (“AML”) efforts, emphasizing the importance for banks to obtain beneficial ownership information for all of their customers and encouraging limited use of third parties to perform AML services. Moreover, climate-related risks were observed as being ongoing, with the FDIC commenting that it recognizes that bank risk management practices are evolving and that the FDIC is “expanding efforts to understand climate-related financial risk in a thoughtful and measured manner that emphasizes a risk-based approach and collaboration with other supervisors and the industry.”
Finally, the 2023 Risk Review included a new section addressing crypto-asset risk and states that due to crypto-asset sector volatility in the past year, several vulnerabilities in the banking system were exposed, including “possible contagion risk.” Specifically, “[s]ome of the key risks associated with crypto-assets and crypto-asset sector participants include those related to fraud, legal uncertainties, misleading or inaccurate representations and disclosures, risk management practices exhibiting a lack of maturity and robustness and platform and other operational vulnerabilities.” In response to the risk posed by crypto-assets, the FDIC pointed to several actions it has taken itself (including Financial Institution Letter 016-2022 requiring banks to inform the FDIC of crypto-related activities, the updated rule regarding the availability of deposit insurance, and enforcement actions taken against more than 85 entities that were misrepresenting the nature, extent or availability of deposits insurance), as well as actions taken by the FDIC in conjunction with other federal banking agencies, especially the joint statement in January 2023 on crypto-asset risks to banking organizations and the joint statement in February 2023 on “Liquidity Risks to Banking Organizations Resulting from Crypto-Asset Market Vulnerabilities.” Concluding that crypto-assets present novel and complex risks that are difficult to fully assess, the FDIC states that it “continues to closely monitor crypto-asset-related exposures of banking organizations” and that it “will issue additional statements related to engagement by banking organizations in crypto-asset-related activities.”