Top Risk Areas for Internal Audit: Financial Services

As financial services industry professionals navigate complexities throughout the year ahead, internal audit functions will be pivotal in identifying and mitigating a spectrum of critical risks. Regulatory compliance remains a top priority, and it demands rigorous oversight to confirm adherence to evolving standards and prevent legal repercussions.

Simultaneously, credit risk management is essential as economic fluctuations affect borrower solvency and portfolio performance. Market volatility presents ongoing challenges that require agile strategies to adapt to changing conditions, and managing liquidity is crucial to sustaining stability amid financial uncertainty.

Furthermore, the rapid advancement of technology introduces opportunities and cybersecurity challenges that require vigilant monitoring and strategic implementation. The confluence of these risk categories underscores the vital role of internal audit in safeguarding organizational resilience and integrity within the financial services sector.

Regulatory compliance: Protecting consumers

Regulatory compliance remains a critical area of focus for the financial services industry. Organizations must address the many regulations covering fair lending and consumer protections, including the Fair Credit Reporting Act and overdraft protection programs. Maintaining compliance in these areas helps mitigate legal and financial risks and upholds consumer trust and competitive integrity.

Fair lending

With more than a dozen redlining enforcement actions in the previous 12-month period, including banks and credit unions of all sizes, fair lending remains high on the priority list for regulatory agencies. Financial services organizations and fintechs remain in the crosshairs of regulatory agencies due to a variety of consumer concerns and complaints that have arisen due to lack of a formal programs, deficient testing or monitoring, and data analysis exceptions. Organizations should conduct analysis of client loan application penetration and have an understanding of whether there is any potential redlining risk. An evaluation of the program pillars should be high on the priority list of compliance and risk officers.

Fair Credit Reporting Act

The accuracy of data reported to the credit reporting agencies is a continued focus for regulators, often prompted by consumer complaints. Inaccurate reporting to credit reporting agencies can have a direct impact on loan eligibility, the type of loan, and the amount of the loan. Many class-action lawsuits have been filed against financial services organizations based on these issues. 

Potential internal audit efforts for 2025:

• Focus on all aspects of fair lending programs, including governance, testing, monitoring, data analysis, and – if models are used for pricing and underwriting – model validation.
• Assess all aspects of reporting to the credit reporting agencies, including data accuracy, direct and indirect disputes, and reporting processes during loss mitigation and bankruptcy.

Credit: Asset quality and refinancing

The financial services industry faces heightened challenges in managing credit, asset quality, and refinancing risks in 2025. Increasing credit risks, as emphasized by recent regulatory reports, such as the fall 2024 Office of the Comptroller of the Currency’s “Semiannual Risk Perspective,” point to pressing concerns spurred by elevated interest rates, inflation, and economic softening. These factors pose significant challenges for borrowers, particularly those involved in commercial and industrial sectors, commercial real estate, and agriculture.

Various regulators have highlighted increasing credit risks over the last few years. Elevated interest rates and inflation have added strains, especially for borrowers who are refinancing debt that originated in periods with lower interest rates. Reduced commercial real estate values – which have been affected by lower demand and higher cap rates – add to these challenges.

Pockets of the economy that have experienced some softening (especially those dependent on general consumers) present some challenges to commercial and industrial borrowers, especially those that are highly leveraged. Agriculture borrowers also are beginning to face new problems, as values of many commodities remain flat or even decline.

Potential internal audit efforts for 2025:

• If the independent loan review function reports up through the third line (internal audit), focus on whether the process is built to match regulatory expectations and that the function provides an effective challenge.
• If the independent loan review function does not report up through the third line, assess if a third-party review of the loan review function is warranted.
• Given the evolving credit trends, determine if deeper credit administration audits, loan monitoring audits, or collateral-related audits should be considered.
• Make sure internal and external third-party loan review provides an effective challenge.
• Assess concentration risks, including monitoring, management, and reporting of concentrations.
• Evaluate, and potentially adjust, controls over risk rating.

Market: Interest rate risk

High interest rates through 2024, offset with rate cuts in the last part of the year, created a volatile environment for banks that affected their profitability and operational strategies. Managing interest rate risk is critical, as it affects everything from net interest margins to asset valuations and funding costs. 

The volatile economic environment in 2025 could increase uncertainty regarding interest rates and deposit stability. While dealing with higher interest rates in 2024, banks also faced higher costs of funding, an inverted yield curve, higher competition for deposits, and compressed net interest margins. Fluctuations in interest rates can have a significant impact on banks' profitability, asset valuations, and funding costs.

A bank’s net interest margin (NIM) is highly sensitive to changes in interest rates. When interest rates rise, banks can face challenges in maintaining their NIM as funding costs increase. Conversely, when interest rates decline, banks can experience compression in their NIM due to lower loan yields. Further, banks often have a maturity mismatch between their assets and liabilities. Changes in interest rates can lead to repricing mismatches if interest rates on assets and liabilities reset at different times.

Additionally, banks often hold complex financial instruments, such as derivatives and structured products, which are sensitive to changes in interest rates. These instruments can introduce additional risks and complexities in managing interest rate risk.

Despite the recent rate cuts, the relative high interest rates combined with the credit issues previously noted might affect the creditworthiness of borrowers and the performance of loan portfolios, which potentially could lead to higher default rates.

Potential internal audit efforts for 2025:

• Focus on updating the enterprisewide internal audit risk assessment and assessing the impact of interest rate risk across the audit universe.
• Conduct an asset liability management (ALM) audit. Determine when the audit was last performed, what prior issues or findings were noted, and whether any outstanding regulatory issues persist.
• Assess the last time the ALM model was validated. Determine if there have been changes to the model functionality that could require more frequent validation.
• Verify that model assumptions are consistent with bank budgets and strategy.
• Ensure that management is periodically reevaluating that guardrails are still appropriate for size, capital position, and risk tolerance of the bank.
• Assess the bank’s scenario analysis and stress-testing practices related to interest rate risk. Determine if appropriate scenarios are used, whether stress testing is comprehensive, and how the results are considered within the decision-making process. Further, consider if contingency funding plans and actions are implemented in response to stress-test results.

Liquidity: Funding sources

In financial services, effective liquidity risk management is critical as regulatory bodies enforce stringent requirements to maintain stability amid market volatility. With the landscape for 2025 projected to remain uncertain due to potential economic shocks and geopolitical tensions, banks must strategically manage their liquidity positions to withstand stress events and minimize systemic risks.

Regulatory authorities are placing increased emphasis on liquidity risk management in the banking sector. Banks are required to comply with stringent liquidity regulations, such as liquidity coverage ratio and net stable funding ratio, which aim to ensure banks maintain sufficient liquidity buffers to withstand stress events.

Meanwhile, financial markets are expected to remain volatile and uncertain in 2025. Economic shifts, global political developments, and other unforeseen events can quickly disrupt funding markets and affect banks' liquidity positions.

The interconnected nature of financial markets and financial services organizations can amplify liquidity risks. A liquidity crisis in one organization or market can quickly spread to others, leading to systemic risks, as happened in March 2023. Banks need to maintain diversified funding sources to reduce reliance on a single funding channel.

Potential internal audit efforts for 2025:

• Verify that banks have robust liquidity risk management frameworks in place to meet regulatory requirements.
• Assess the diversity and stability of funding sources, such as customer deposits, wholesale funding, and access to funding markets.
• Review the bank's liquidity position, including the availability of liquid assets and the ability to meet funding obligations under stressed conditions.
• Evaluate cash flow projections and stress testing.
• Determine the last time the liquidity model was validated and if there have been changes to the model functionality that might require more frequent validation.
• Assess the availability and usability of backup funding sources, such as lines of credit or access to central bank facilities. Review the stress testing of contingency funding plans and the adequacy of liquidity buffers, and evaluate exposure to counterparty risk, concentration risk, and systemic risks to mitigate the potential contagion effects of liquidity disruptions.