Key banking insights heading into 2025

Current trends in banking and cybersecurity 

• Digital transformation and cybersecurity: As organizations digitize their services, integrating advanced technologies like AI and machine learning enhances customer experience but also introduces new cybersecurity challenges. It's important to prioritize cybersecurity in the digital transformation strategy to avoid vulnerabilities. 
• AI and automation: AI is used both defensively and offensively in cybersecurity. Organizations use AI to detect and respond to threats quickly, while cybercriminals leverage AI for sophisticated attacks. Staying ahead in this AI arms race involves adopting AI tools proactively and training staff to recognize AI-driven threats. 
• Cloud security: With more banking services moving to the cloud, securing cloud-based systems is critical. This includes implementing robust encryption and access controls to protect sensitive data. A comprehensive cloud security strategy should include technology solutions and regular audits to maintain compliance. 
• Regulatory compliance: Regulatory bodies are increasingly focusing on cybersecurity, including adopting frameworks like the NIST cybersecurity framework. Compliance should be treated as a continuous improvement process to maintain resilience. 
• Third-party risk management: Reliance on third-party vendors introduces additional cybersecurity risks. Regular assessments and audits of third-party vendors and enforcing cybersecurity requirements in contracts are essential. 

 
Top five cyber risks heading into 2025: 

1. Ransomware: Banks are seeing increasing sophistication and demands with the emergence of ransomware-as-a-service. Implementing robust backup and recovery protocols, as well as proper education of employees can help mitigate risks.  
2. Cloud-based attacks: More banks are utilizing cloud-based software, increasing risks from misconfigurations and inadequate access controls in cloud environments. Organizations should conduct regular audits over cloud configurations as well as implement 24/7 monitoring to detect anomalies. 
3. Phishing and social engineering: We are seeing enhanced phishing attacks using AI and all it takes is one wrong click. Ensure your organization is doing proper training and utilizing multi-factor authentication.  
4. Third-party and supply chain vulnerabilities: Risks from vendor relationships and supply chain attacks. Organizations should perform regular assessments of vendor security practices including fourth parties.  
5. Insider threats: Whether malicious or accidental, these threats pose risk to organizations. Monitoring user activity and establishing policies can prevent risk. 

Assessing cybersecurity in a post-CAT world 

FFIEC announced that their Cybersecurity Assessment Tool – or CAT – will no longer be supported come August 31, 2025. By moving away from the CAT, the goal is that organizations can adopt frameworks that are continuing to evolve as fast as the threat landscape.  

There has been no concrete framework that is going to be enforced and, ultimately, the organizations are responsible for selecting the framework that best suits their needs. Some considerations include: 

• National Institute of Standards & Technology (NIST) cybersecurity framework  
• Cyber Risk Institute (CRI) cyber profile 2.0 
• Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPG) 

Key takeaways 

• Have established policies and procedures: Prioritize development of comprehensive incident Response plans, disaster recovery plans and business continuity plans. Make sure that these are communicated entity-wide and understood by all stakeholders who will be involved. Make sure to conduct regular testing of these plans.  
• Educate and upskill: Regular cybersecurity training for employees can help mitigate risks associated with social engineering and phishing attacks. 
• Invest in advanced security technologies: Organizations should invest in AI and machine learning tools to enhance threat detection and response capabilities. 
• Enhance third-party risk management: Implement rigorous vetting and monitoring processes for third-party vendors to ensure they adhere to security standards. 
• Regulatory readiness: Keep up-to-date with regulatory requirements and ensure compliance to avoid penalties and enhance overall security posture. 

Click here to get to know our services.

Going into 2025, hot topics include model validation, back-testing and stress-testing.  

• Model validation: A centralized model validation framework allows users to gain an understanding of commonalities and efficiencies between models, centralize common assumptions and data sources between models (examples include prepayment rates on ALM vs CECL), and analyze model risk management holistically for the institution rather than on a model-by-model basis. 
• Back testing: The goal of back-testing the CECL estimate is to test the adequacy of the CECL reserve calculation against the historical experience of either your bank or peer group banks. It is also important to back-test major assumptions such as prepayments and loss rates. 
• Stress-testing: Stress-testing assumptions allow you to gauge the volatility of the CECL estimate. When building a stress-testing framework, areas to focus on include prepayments, loss rates, and economic forecasts. 

Click here to get to know our services.

Other Real Estate Owned (OREO) updates 

• Almost non-existent for several banks for the past few years, but in the current banking environment we expect to see an uptick within 2025.  
• Keep an eye out for state appraisal values, unreasonable discounts or selling costs being applied to appraised values and lack of support for current values included in appraisals. 

Goodwill 

• If your bank is trading near or below tangible book value, this may impact the qualitative assessment being performed. A quantitative impairment test would be needed if the future value of the reporting unit is less than the carrying amount in the qualitative assessment. 
• Reminder that if you have goodwill impairment or close to impairment, be sure to consider other accounts that need to be evaluated for impairment such as deferred tax assets and any other intangibles on the books 

The Financial Accounting Standards Board (FASB) is finally slowing down with its issuing of accounting standards, which is nice to give everyone a little reprieve after CECL. Two issued Accounting Standards Updates (ASU): 

• ASU 2023-09: Establishes new income tax disclosure requirements in addition to modifying and eliminating certain existing requirements. Applicable to all entities subject to ASC 740. Public Business Entities (PBE) must apply guidance to annual periods beginning after Dec.15, 2024 (2025 for calendar-year-end PBEs). All other entities one year later (annual periods beginning after Dec. 15, 2025) 
• ASU 2024-03: Requires more information about a PBEs expenses by requiring additional detail on expenses reported in the income statement. This is only applicable for public business entities. ASU applies prospectively, with an option to use retrospective application. Entities are required to comply beginning with financial statements for fiscal years beginning after Dec. 15, 2026, and interim periods beginning after Dec.15, 2027 – early adoption permitted. However, there is a proposed update that was due for comments Dec. 10 to amend the effective date to clarify that all PBEs are required to adopt the guidance in annual reporting periods beginning after Dec. 15, 2026, and interim periods with annual reporting periods beginning after Dec.15, 2027. 

Proposed ASUs: 

• Intangibles: A proposal to address the diversity in practice in determining when to begin capitalizing software costs. This proposed ASU would replace the current project-stage-based framework with a principles-based approach, under which entities would capitalize internal-use software costs incurred after 1) management has authorized and committed to funding the project, and 2) the “probable-to-complete” threshold is met. Under this proposal, FASB is expecting that more software development costs could be expensed as incurred. This is open for comments through the end of January. 

Click here to get to know our services.

The main threats affecting financial institutions heading into 2025 include: 

• Cybersecurity: In 2024 we saw an increase in sophistication of cyber-attacks, including ransomware and financial crimes. For more information on how to better protect your institution, check out our cybersecurity section of this article.  
• Fraud and financial crimes (AML): There has been an uptick in deepfakes. Consider focusing on key risk factors and enhancing internal training. Is your organization prepared for the sophistication from bad actors? 
• Technology advancement / artificial intelligence (AI): As AI is being advanced into more technology and applications, banks need to establish proper governance and oversight into how AI may be introduced and monitored. 
• Operating model (talent / operating costs): Since COVID-19 we have seen challenges in talent retention, cost optimization and understanding the return of investment from digital investments.  
• Deposit / concentration risk: In 2025 we suggest a continued focus on managing large deposits, funding sources and how volatile they are. 
• Treasury / Asset Liability Management (ALM): With interest rate sensitivity, we are seeing an impact on margins and the need for effective ALM strategies. 

Going into 2025 your bank should consider: 

• Enhancing the frequency and robustness of your risk assessments 
• Developing and implement a governance framework for AI and data analytics  
• Monitoring and adapting to the changing regulatory requirements, specifically those in AML and liquidity risk. Below you will find the current trends for regulatory examinations.  

Focus areas for regulatory examinations for banks heading into 2025:  

• Liquidity risk 
• Credit risk 
• Third-party risk 
• Consumer compliance 
• AI governance 

Click here to get to know our services.

Lessons learned from TB Bank: TB Bank’s recent and ongoing AML woes reiterate the importance of a culture of compliance and the serious implications for both banks and employees of banks that fail to comply with AML regulations. Key considerations for banks include: 

• Ensuring AML departments are not siloed, and AML Officers have sufficient resources and authority. Training for all employees regarding internal policies and procedures. 
• Implement effective governance controls to stay ahead of regulatory expectation as there are consequences for non-compliance. 

Financial technology (fintech) industry update: Banks that work with fintech companies need to focus on sound third party risk management fundamentals.  

• Reviewing the contracts: Make sure your organization understands roles and responsibilities, who "owns" the ultimate customer and what AML activities the Fintech is on the hook for.  
• Activity monitoring: Banks need to monitor these activities. Banks should review the fintech's AML risk assessment and program, understand how customer due diligence, risk rating, and transaction monitoring are conducted, and agree on the mechanism for suspicious activity reporting. 
• Implement a robust training program: Ensure employees are participating in training and all results of independent testing are reviewed and followed up on. 

New administration and the potential impacts: Although it is expected that the Trump administration may reduce the regulatory burden for banks and even consolidate or eliminate banking regulators, AML regulatory expectations are not expected to decrease. As a safety and soundness area of concern, banks who are considering M&A should be especially mindful of ensuring their programs are up to par and have solid regulatory exam results. 

Financial Crimes Enforcement Network (FinCEN) has published a Notice of Proposed Rulemaking reinforcing the importance of risk assessment as part of an AML program and incorporation of the FinCEN National Priorities. Trump is also expected to have a more crypto friendly stance. Ensure your organization has robust policies, procedures and controls specific to crypto. Additionally, implement training programs to stay current on the evolving landscape and money laundering typologies. 

Click here to get to know our services.

While the Fed’s rate cuts are positive for the overall consumer lending landscape and provide a means to combat inflation, they are not the sole driver for the movement of mortgage interest rates. Mortgage rates are anticipated to dip below 6% in 2025, but other factors such as employment, wage increases and other general economic factors will contribute to how much and how quickly rates decline. 

With lower mortgage interest rates, the relatively stagnant refinance market will start to reopen, particularly for loans originated during the latter half of 2022 through 2024. Gradual increases in new and existing housing stock will provide a lift to the purchase market, which is expected to grow to $2.3 trillion in 2025, up from $1.79 trillion in 2024. 

Current industry struggles: 

• Affordability remains a concern, with housing sales prices continuing to climb, along with rising costs in homeowner’s insurance premiums and property taxes.  
• Fluctuations in origination and servicing volumes historically bring upticks in quality defects. 
• Digital verifications and other automated tools will play a key role in providing repurchase risk protection to lenders.  
• The potential for fraud remains a concern for the industry. Lender and vendor diligence from originator and quality control personnel is key. 

Outlook on servicing for 2025: 

• Mortgage delinquencies may rise moderately if the economy begins to slow, or because of the rising homeownership costs (insurance, taxes, HOA fees, etc.), however, the Government-sponsored enterprise (GSE), Federal Housing Administration (FHA) and Veterans Affairs (VA) all provide servicers the flexible workout tools needed to help delinquent borrowers remain in their homes.  
• The potential privatization of Fannie Mae and Freddie Mac would create additional market competition amongst private investors.  
• Servicers will need to continue to adopt customer-facing technologies such as AI and chatbots to meet their service levels to borrowers. 

Click here to get to know our services.

With a business-friendly administration taking the helm in January, an extension of the Tax Cuts and Jobs Act tax provisions may be more likely. A budget reconciliation act is expected within the first few months of the new presidential term. Bank management and boards should continue to plan for tax changes to speed decision making, whether in the area of M&A or shareholder taxation. 

Click here to get to know our services.

Key takeaways and decisions from 2024:

• Tax Cuts and Jobs Act: With a business-friendly administration taking the helm in January, an extension of the Tax Cuts and Jobs Act tax provisions may be more likely. Several provisions are set to expire at the end of 2025, including individual tax rates and the 20% Section 199A business income deduction, which will significantly impact S Corporation shareholders. 
• Corporate tax rate: The current 21% corporate tax rate is permanent, but President Trump proposes a 15% rate for companies producing products in America. 
• Credits expiring: New markets tax credit, Work Opportunity tax credit and Family Leave Act credit are set to expire at the end of 2025.
• M&A planning: Consideration of the expiration of higher estate tax limits and the impact on exit strategies. 
• Bonus depreciation: Phasing down from 60% in 2024 to 40% in 2025, affecting the timing of depreciation deductions and pricing on asset acquisitions. 
• Software development costs: Trump intends to bring back immediate expensing of these costs, which are currently capitalized and deducted over 5 to 15 years. 

Ease of enactment:

• Congressional majority: The new administration's majority may limit veto power, but negotiation will be required. A proposed tax bill is expected before April 30th, aiming to pass within the first 100 days. 
• Revenue raisers: Potential changes in excise tax rates on stock buybacks or the corporate tax rate to balance the budget. 

Planning considerations for 2025:

• Entity optimization: Evaluate potential tax entity and treatment optimization based on future tax rates. 
• Deferred tax asset modeling: Use tax functions to model financial statement impacts of potential tax law changes.

Click here to get to know our services.