(Originally published in ABA Risk and Compliance, March/April 2026)
In 2026, banks face a number of key trends that will drive risks. Uncertainty and change management are key themes of this year’s risk outlook. Risk drivers include rapid technological and regulatory change, tariffs and trade tensions, inflation, interest rate volatility, mergers and acquisitions, increasing state enforcement and regulatory activity, and continued competition from non-bank financial institutions (NBFI). These risk drivers will have impacts across a spectrum of risk types, including operational, credit, market, liquidity, legal, and compliance risks. The increasing uncertainty may encourage banks to reevaluate their risk appetites.
Cybersecurity risk
Cyber risk is one of the hottest risk topics, encompassing traditional information security and financial crimes. Some industry experts predict that organized scam centers, synthetic identity fraud, and agentic AI will reshape the digital threat landscape in 2026.[1] On the cybersecurity front, agentic AI, shopping assistants, and other AI capabilities open new cyber attack paths and create the need for new security requirements. Third parties must also be considered as risk vectors, as links between systems with differing capabilities and regulatory requirements increase breach risk. Ransomware and extortion attacks are expected to continue, while social engineering and credential theft and stuffing remain the top cyber risk drivers.
When additional attack methods are combined with faster exploitation of vulnerabilities and weaknesses, information security teams will need to remain on their toes to respond rapidly. Information security teams will need to reduce exposure by implementing rapid patching[2] and verifying exposure and access[3] frequently. Corporate resilience will require immutable backups and ransomware recovery plans, as well as more typical business continuity planning. If your institution has not done so yet, implement phishing-resistant multifactor authentication (MFA),[4] tighter privilege controls, robust vendor information security requirements,[5],[6] and AI use policies.[7]
Additionally, internal audit teams should consider the requirements of the Institute of Internal Auditors’ Cybersecurity Topical Requirement, which are effective in February 2026 and establish minimum standards for assessing controls related to cybersecurity.[8]
Financial crimes risk
Financial crimes risk continues to evolve. Sophisticated fraud tactics, including synthetic identity and voice cloning, are increasing and enabled by the growth in artificial intelligence (AI), with more than 40 percent of detected fraud attempts involving AI.[9] Account takeover fraud is escalating sharply, primarily as a result of social engineering and consumer manipulation facilitated by advances in payment speed and digital technology. As one industry expert noted, “Fraudsters impersonate bank employees, spoof caller IDs, clone email domains, and increasingly deliver targeted phishing through sponsored ‘advertisements’ and AI generated personalized messaging. Victims are under the misguided belief they are protecting their accounts, when they are instead assisting fraudsters with unauthorized account access and fraudulent transactions.”[10]
Account takeover is not the only financial crimes risk facing banks. Money launderers are using synthetic identity accounts in addition to money mules to move illicit funds. [11] And banks should not forget about rising check fraud as they tackle fraud risk management. Despite declining check volume, check fraud remains elevated, with check fraud risk driven by sophisticated counterfeiting techniques and synthetic identity fraud.
Fighting financial crimes will require banks to enhance protections and leverage technology, including AI[12] and Hybrid Threat Finance (HTF),[13] in transaction monitoring to manage risks. Banks must have robust financial crimes risk assessments that incorporate today’s realities: faster payments, digital channels, and evolving sanctions and fraud typologies. Given the increased effectiveness of social engineering, customer education will be a critical tool in financial crimes mitigation, along with fraud detection and mitigation techniques. Implementation of NACHA’s new fraud prevention rules may require changes in processes and technology.[14] Balancing risks with customer experience adds complexity, as consumers demand both security and convenience and seem unwilling to sacrifice either for account security.
Credit risk
In 2026, banks will continue to face competition from nonbank lenders that will affect credit risk in multiple ways. First, competition from private credit, fintechs, and other nonbank lenders may compress credit margins. Increased competition, when combined with additional nonbank leveraged lending and the rescission of leveraged lending guidance by the OCC and FDIC may put pressure on credit standards. In addition, nonbank lending may deepen banks’ indirect exposures through fund finance, co-lending, and derivatives while increasing market opacity that reduces banks’ ability to monitor borrower exposure. Uneven regulatory treatment of banks and NBFIs encourages migration of risk out of the regulatory perimeter, only to return via counterparty risk.
On the macroeconomic front, tariffs and energy costs raise input costs for U.S. manufacturers and retailers, which can stress credit quality in exposed sectors and regions. Should tariffs reduce trade volumes, trade- and logistics-dependent local economies may suffer. High housing and energy costs also contribute to the likelihood of a “higher for longer” inflation scenario, although rate cuts in late 2025 have moderated this risk somewhat. If inflation does not continue to moderate, it will erode real household income and stress household budgets. Interest rate volatility can be destabilizing to small and medium enterprises (SMEs). The net impact in the worst case scenario is decreased credit demand and increased credit risk. However, easing of monetary and fiscal policies, combined with an uptick in capital spending, could offset these pressures.
Key sectors to watch include commercial real estate, especially in office-heavy metropolitan areas, leveraged loans, small business credit, and sub- and near-prime consumer debt. Housing affordability may affect single- and multi-family housing lending, despite recent increases in mortgage and HELOCs balances.[15] To the extent wages and materials costs compress SME margins, borrowers will experience weakening debt service capabilities. This could drive an uptick in restructuring loans to borrowers in labor-intensive industries, such as hospitality, retail, and healthcare.
To manage risks, lender discipline will be critical. Greater dispersion of credit risk across sectors and geographies necessitate more robust market knowledge and ongoing credit monitoring. This is especially true for lenders with concentrations in exposed sectors.
Market and interest rate risk
Volatility in Treasury yields, credit spreads, and interest rates affects credit demand, securities portfolios, funding costs, and hedging strategies, as well as destabilizing net interest margins. Banks with large portfolios of fixed-rate securities or mortgages are exposed to duration and convexity risks. Should the Federal Reserve tighten the money supply and increase rates, a corresponding asset price correction can reduce the value of collateral pledged to banks, thereby increasing counterparty credit risk. Inflation-linked products, such as TIPS and inflation swaps, can amplify basis risk if models are improperly calibrated.
Liquidity and funding risk
Although the full impact of the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act) remains to be seen, the growth of cryptocurrencies and payment stablecoins will have far-reaching implications for liquidity and funding risks. Crypto competition for deposits will increase. As it does, the risk of potential contagion from crypto shocks will also increase.
Beyond crypto, competition from NBFIs and inflation fears may drive depositor migration from low-yield checking and savings accounts to higher yield products, increasing bank funding costs. Uninsured deposits face increasing competition from money market funds.
Regulatory risk
Regulatory uncertainty and change continue in 2026. At the federal level, the ongoing debate over tailoring of supervision for regional and community banks creates ambiguity regarding how aggressively these institutions must manage risks. Capital and stress testing requirements remain in flux. The Federal Reserve has proposed changes in its supervisory stress testing regime.[16] Basel III Endgame requirements are pending, and uncertainty regarding final capital charges for credit, trading, and operational risks remains. Financial crimes compliance modernization appears more likely. Regulatory and political Interest in debanking remains high.
Although federal banking regulators are refocusing on core financial risks,[17] there are significant increases in regulatory and enforcement activity at the state level. State and local agencies and attorneys general are initiating more investigations, with scopes ranging from redlining[18] to UDAAP,[19] and 22 state attorneys general have formed a consumer protection working group led by former CFPB Director Rohit Chopra. Several states have passed or are considering statutes or regulations governing privacy, consumer protection, community reinvestment, and AI. Potential responsibility for partner activities is a risk, especially with respect to fintechs and state law compliance. Colorado exercised its right to opt out of DIDMCA interest rate portability and California implemented several climate and emissions-related disclosure and risk management requirements affecting banks.
Technology, data, and model risk
AI and accompanying data and model risks will be among the biggest operational risk factors in 2026. Banks, along with other industries, are increasingly using AI for process automation and analytics. In the financial sector, misspecification of models driving AI-enabled transaction monitoring, chatbots, underwriting, and pricing offer both opportunities and risks. As AI usage increases, it is critical that model and data governance keeps pace with emerging technologies across all three lines of defense. Including upstream and downstream impacts from vendors and secondary markets will be crucial. Mortgage lenders should prepare for AI-related changes to the Freddie Mac Seller/Servicer Guide (Guide).[20] Beginning in March 2026, the Guide will require AI users to establish AI governance policies and procedures, indemnify Freddie Mac from liabilities resulting from AI usage, and disclose AI usage, safeguards, and risk mitigants upon request.
The growth of AI and increasing cybersecurity concerns increase pressure on legacy systems. Significant capital outlays for system modernization may be needed to compete with NBFIs and take advantage of technological innovations.
Conclusion
To summarize, 2026 will be a year of change requiring robust risk management and diligent risk monitoring. Predicted merger and acquisition activity may exacerbate risk exposures, including credit concentrations and technology risks. New fraud typologies and money laundering capabilities could present enterprise-wide risks, losses, and erosion of customer trust. Lastly, AI is a game changer with far-reaching effects across the risk spectrum. Now is the time to invest in talent and technology, build agile frameworks, and prioritize digital transformation. Banks must remain on guard and maintain robust risk management systems during this period of heightened uncertainty.
About the author
Lynn Woosley is a Managing Director with Asurity Advisors and a member of the Editorial Advisory Board for ABA Risk and Compliance magazine. Lynn has more than 30 years of risk management experience in both financial services and regulatory environments. She is an expert in consumer protection, including fair lending, fair servicing, community reinvestment, and UDAAP. Before joining Asurity Advisors, Lynn led the fair banking practice for an advisory firm. She has also held multiple leadership positions, including Senior Vice President and Fair and Responsible Banking Officer, within the Enterprise Risk Management division of a top 10 bank. Prior to joining the private sector, Lynn served as Senior Examiner and Fair Lending Advisory Economist at the Federal Reserve Bank of Atlanta. Connect with Lynn at lwoosley@asurity.com.
[1] https://www.morningstar.com/news/pr-newswire/20260102io55481/new-year-new-threats-cyber-experts-break-down-5-digital-dangers-in-2026
[2] https://ithandbook.ffiec.gov/it-booklets/architecture-infrastructure-and-operations/vi-operations/vib-it-operational-processes/vib3-vulnerability-and-patch-management/
[3] https://ithandbook.ffiec.gov/it-booklets/architecture-infrastructure-and-operations/vi-operations/via-operational-controls/via3-identity-and-access-management/
[4] https://ithandbook.ffiec.gov/it-booklets/development-acquisition-and-maintenance/iv-common-development-acquisition-and-maintenance-risk-topics/ivf-secure-operating-environments/
[5] https://www.bis.org/bcbs/publ/d577.htm
[6] https://www.occ.gov/news-issuances/news-releases/2024/pub-third-party-risk-management-guide-for-community-banks.pdf
[7] Banks may choose to incorporate AI into their broader model risk management framework. If developing a separate AI risk management framework, the NIST AI Risk Management Framework may be a useful guide. https://www.nist.gov/itl/ai-risk-management-framework
[8] https://www.theiia.org/en/standards/2024-standards/topical-requirements/cybersecurity/
[9] https://magazines.aba.com/rcmag/library/item/january_february_2026/4311943
[10] https://asurityadvisors.com/the-new-era-of-account-takeover-fraud-what-banks-must-do-now/
[11] https://fedpaymentsimprovement.org/wp-content/uploads/sif-synthetic-money-mules.pdf
[12] https://verafin.com/2026/01/aml-trends-technology-2025-turning-insights-into-action/
[13] HTF Academic Whitepaper, Version 2. Hybrid Threat Finance™ (HTF™) research whitepaper, 2025. Offers an academic and theoretical foundation for HTF, comparing it to traditional three-stage AML models and demonstrating its expanded application across the financial crime lifecycle.
[14] https://www.nacha.org/news/new-nacha-rules-new-fraud-compliance-responsibilities-all-organizations-sending-ach-payments, https://www.nacha.org/sites/default/files/2022-09/9.22%20Risk%20Management%20Framework.pdf
[15] https://www.newyorkfed.org/microeconomics/hhdc
[16] https://www.federalreserve.gov/newsevents/pressreleases/bcreg20251024a.htm
[17] https://www.fdic.gov/news/press-releases/2025/agencies-issue-proposal-focus-supervision-material-financial-risks, https://www.federalreserve.gov/newsevents/speech/bowman20260107a.htm
[18] https://mayor.baltimorecity.gov/news/press-releases/2025-11-18-mayor-brandon-m-scott-baltimore-city-solicitor-and-baltimores-office
[19] https://oag.ca.gov/news/press-releases/attorney-general-bonta-issues-warning-small-banks-and-credit-unions-surprise#:~:text=Today’s%20letter%20was%20sent%20to,%2C%E2%80%9D%20said%20Attorney%20General%20Bonta.