Just Because You Can Does Not Mean You Should

With recent moves to deregulate and streamline federal governance over financial institutions, several companies have significantly scaled back compliance departments and initiatives. Often, those reorganizations and layoffs also diminished the effectiveness of their enterprise risk departments. While compliance and legal risks set the boundaries for what a company can do, other risks limit activities to what we should do. To that end, we’ve outlined a few cases where significant risks continue to be present, even though the compliance risk (at least at the federal level) has been reduced.

1. Reputational risk exists even if it isn’t called out in an examination.

Recently, most of the federal regulators have prohibited criticizing financial institutions on the basis of reputational risk[1][2]. However, that does not preclude your customers from calling out your reputation (or that of a key partner) publicly. Data privacy breaches, data sharing practices, cultural misappropriation, and inappropriate social media posts by employees and executives are just some of the ways in which the public’s trust in a brand is tarnished or destroyed[3].

There may also be some higher-risk enterprises, such as money service businesses (MSBs), betting agencies, and marijuana dispensaries, that some financial institutions are unable to bank regardless of their reputation. It’s important to recognize the limitations of your cash and merchant services before enabling these businesses to open accounts at your organization.

It’s also important to consider the third parties that act as your agents, and whether they support the values and mission of your enterprise. Outsourced customer service, servicing and collections departments all have the capacity to enhance or tarnish your reputation by proxy. Periodically checking on their social media reputation is an important aspect of third-party oversight and monitoring.

2. Conducting an impact analysis on new product proposals is critical to managing other risks.

The doctrine of disparate treatment came under heavy scrutiny after an April 2025 Executive Order[4], leading to the end of this standard’s use when there is no discriminatory intent[5]. For some institutions, this subsequently led to the notion that impact analyses no longer had value in the new product evaluation process. However, these analyses still have three critical purposes when independently performed by your risk team:

  • Identifying discriminatory intent, possibly through use of variables that intentionally proxy a prohibited basis (compliance risk)

  • Credibly challenging the expected net benefit of a new product proposal, in terms of its projected strategic value, potential timeline, associated costs and resource tradeoffs (strategic risk)

  • Noting unintended adverse outcomes, including those that cause specific sets of individuals or geographies to be underserved or impacted by the change, resulting in the loss of market share and opportunity (operational risk)

3. Cryptocurrency and stablecoins have significant financial and operational risks.

Through regulatory frameworks such as the GENIUS Act, banks now have the ability to launch stablecoins (cryptocurrency tied to physical currency, such as the US dollar)[6]. While stablecoins greatly enhance the ability of financial institutions to settle transactions securely in real time through blockchain technology, banks are required to hold at least one dollar of reserves for every stablecoin issued (guaranteeing redemption). The strategic decisions on both the size of the stablecoin portfolio and the institution’s reserve mix need to be regularly monitored, stress tested, and audited due to increased:

  • Liquidity risk from having to maintain the value of required reserves in all circumstances

  • Operational risk caused by deposit volatility

  • Market risk resulting from signals of increased redemption activity (accelerated bank runs)

  • Complexity in matching assets to liabilities, limiting the maximum dollar threshold of loans that can be originated or held in portfolio

  • Concentration risks hidden from traditional deposit diversification indicators

4. Poor artificial intelligence (AI) designs will expose your institution’s weaknesses.

With the federal government streamlining legislative barriers to AI adoption[7], many institutions have accelerated their implementation timeframes and scopes without creating the proper foundation to manage a tool with both enormous benefits and risks.

AI models can’t overcome poorly managed data, policies and processes, and those models often reinforce and exacerbate existing weaknesses in the institution. Examples include:

  • Credit policies that do not adequately capture variables associated with risk, which will lead to overrepresented or underrepresented interest rates of return (or denials on applications that could have been approved)

  • Poor-quality data entered into predictive analyses that yields erroneous or misguided financial and budget projections

  • Procedures, process flows and templates used as training materials for AI models or chatbots that contain gaps, errors, contradictions, and assumptions, which result in incorrect information being conveyed to customers and employees

Our recent AI article highlighted that these models can develop systemic bias based on the foundational data provided, and the adage “bad data in, bad information out” is especially true in AI models. Because AI models don’t have any frame of reference besides the mountains of data on which they were trained, they can inherit and reflect data bias and inaccuracies.

Further, AI models are susceptible to information security attacks, hallucinations (and pathological tendencies), and privacy breaches. When deploying such models, risk personnel should work across the institution with engineering, information security, customer service and other key functions to ensure these models operate (and continue to operate) as intended.

Summary

Just because we CAN do something doesn’t mean we should do so blindly. A $5 million wager with a 50% chance to win $25 million sounds great, unless your risk tolerance can’t afford the cost of losing. Compliance risk is only one of the risks meriting assessment in a new product proposal; institutions should also clearly define risk appetites and tolerances for operational, credit, reputational and financial risk.

Deregulation and streamlining federal governance will open doors to new opportunities; just make sure to look around and perform a full risk assessment (and establish your appetite for risk) before crossing these new frontiers.

Follow NAQF on LinkedIn for additional insights. For more information on how NAQF can help your organization with risk management, product risk assessments, or training, contact us at contact@naqf.org.


Article References

[1] https://www.fdic.gov/news/financial-institution-letters/2025/agencies-issue-proposal-prohibit-use-reputation-risk

[2] https://www.federalreserve.gov/newsevents/pressreleases/bcreg20250623a.htm

[3] https://www.enzuzo.com/blog/cancel-culture-examples

[4] https://www.whitehouse.gov/fact-sheets/2025/04/fact-sheet-president-donald-j-trump-signs-landmark-order-to-restore-equality-of-opportunity-and-meritocracy/

[5] https://www.nas.org/blogs/article/doj-does-away-with-disparate-impact-theory

[6] https://www.federalreserve.gov/econres/notes/feds-notes/banks-in-the-age-of-stablecoins-implications-for-deposits-credit-and-financial-intermediation-20251217.html

[7] https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/
