"The sky is falling!!" What credit risk managers should do

Financial institutions don't need to panic in the wake of recent headlines about credit risk. Instead, review credit risk ratings and strengthen loan review to ensure sound risk management. 

A modern "Chicken Little" moment

When I was a kid, one of the stories that stuck with me was Chicken Little. After being hit on the head by an acorn, Chicken Little panics, shouting, “The sky is falling!” As he runs to warn others, each animal he meets joins in the chorus – until the whole group runs across a fox who offers his den for protection, which they gladly accept. The next morning, the only one left is a very full fox. (This is the traditional folk tale version, mind you, not the Disney animated film.)

The moral is clear: don’t jump to conclusions or spread panic based on incomplete information.

 

I recently read articles in both the Financial Times and the Wall Street Journal that sounded a lot like Chicken Little’s cries – this time about the U.S. banking system. The focus? Two isolated fraud cases at Western Alliance and Zions. CNBC even ran the headline: “This is not another Silicon Valley Bank: Traders bet these loan issues are not systemic.”

Really?

While it is understandable that there is concern over the cases of alleged large-dollar fraud (in the neighborhood of $140 million), the fact remains that these are loans made by two banks to the same borrower group that—at a full loss—represent less than 2% of capital for either bank. These are isolated situations, not systemic failures.

But in the words often attributed to Winston Churchill, “Never let a good crisis go to waste.” So instead of wringing our hands, what can financial institutions learn from this moment? I see two opportunities.

1. Rethink credit risk ratings

Most credit risk rating frameworks include a qualitative factor for the borrower’s “management.” Too often, the description of this factor is a vague label like “strong,” “adequate,” or “weak.” Let’s be honest – if management is “weak,” that’s not a rating. That’s a reason to say no.

A better approach is to evaluate governance rather than personality:

  • Is it a one-person operation or a team with independent oversight?
  • Are internal controls modern and robust, or is a single person still running the books using ledger paper or Excel files?
  • Are responsibilities and authorizations properly segregated to prevent fraud?

The same scrutiny should apply to how the institution governs its own transactions with borrowers:

  • Are multiple lenders involved in similar lending types?
  • Is there an intercreditor agreement in place?
  • Are collateral rights clearly defined in a default scenario?

Weak governance increases inherent risk and should be reflected in the risk rating. Institutions that adjust either governance factor downward as overall risk rises will get a truer picture of exposure.

2. Strengthen loan review

In my decades of experience in all aspects of commercial banking, fraud usually falls into two categories:

1. Bad actors from the start, or
2. Good people who make bad choices under stress.

The first tends to surface quickly; the second evolves as conditions deteriorate. An institution’s loan review group won’t always catch fraud directly, but it can and should highlight warning signs.

Some areas to focus on:

  • Borrower governance: As covered above.
  • Institutional governance: Repeated issues within specific lending segments (like construction or asset-based lending) may point to deeper problems.
  • Financial analysis: Watch for inconsistent cutoff dates, unexplained intercompany transactions, unrealistic projections, and “too-good-to-be-true” turnarounds.
  • Loan activity: Review utilization trends on lines of credit over 12–36 months. Investigate sudden changes. Run UCC-11 searches for overlapping collateral filings—especially on inventory. Even if it’s not fraud, multiple claims can cause liquidation chaos.

Loan review’s job isn’t to fix these issues, but it is responsible for identifying them and adjusting risk ratings accordingly. (That’s why “Special Mention” exists, after all.)

 

Noise doesn’t equal crisis

The lesson from Chicken Little still applies: don’t confuse noise for crisis. Sensational headlines may grab attention, but sound risk management depends on analysis, governance, and discipline – not panic.

Abrigo helps financial institutions stay grounded in data, governance, and sound analysis rather than headlines. We also have loan review solutions that help credit risk management professionals do their jobs more efficiently so they have more time for deep analysis. Reach out to our Advisory Services team to learn more, or visit Abrigo.com to explore solutions that help financial institutions manage risk and drive growth.

AI poses 3 main cybersecurity risks to banks & credit unions

Understand the specific AI-related risks and take action now to mitigate cybersecurity threats at your bank or credit union. 

AI can enhance operations and add risks

As artificial intelligence becomes more embedded in financial institutions’ daily operations, cybersecurity is both urgent and complex. AI offers enhanced capabilities for threat detection and incident response, but it also introduces new opportunities for cybercriminals to exploit cybersecurity vulnerabilities at a greater scale and speed.

This Cybersecurity Awareness Month is a good reminder for banks and credit unions to understand specific cybersecurity risks associated with AI so they can manage and mitigate them. Many mitigation strategies require applying the same fundamentals of diligence, oversight, and employee training to AI tools that institutions apply to other technology in their environment. Even so, financial institutions need to evaluate how AI fits into existing cybersecurity frameworks, reassessing the testing and oversight needed to protect data, evaluate vendors, and stay exam ready.

What are the cybersecurity risks of AI?

Three main cybersecurity risks are associated with AI, according to a 2024 letter by the New York State Department of Financial Services (DFS) to the banking industry:

  • AI-enabled social engineering: AI has amplified traditional social engineering attacks, such as phishing. It can generate realistic audio, video, and text deep fakes that are highly personalized and sophisticated, making fraudulent activity appear alarmingly legitimate.
  • Faster and more advanced cyberattacks: Cybercriminals can use AI to scan and analyze vast amounts of data quickly, identifying and exploiting security vulnerabilities more efficiently than ever before. They can conduct reconnaissance, deploy malware, and exfiltrate nonpublic information (NPI) at an unprecedented rate.
  • Data misuse or theft involving sensitive information: The large datasets (often including NPI from institutional or customer data) used in AI models themselves represent new cybersecurity exposure. Threat actors are incentivized to target entities with substantial amounts of information, increasing the risk of data breaches.

Even though each of these risks is an extension of existing risks, they can undermine customer trust and institutional resilience, so the DFS letter’s messaging to state-regulated entities is nevertheless relevant for banks and credit unions across the country. 

Risk mitigation with data management & planning

Financial institutions must treat AI not as an isolated innovation but as another layer of their cybersecurity environment that needs to be tested, documented, and governed.

Data encryption and management, risk assessment, response planning, and vendor due diligence are among the areas financial institutions should focus on when it comes to protecting against AI-related risks. Financial institutions will want to:

1. Revisit data management and encryption efforts

Central to protecting any kind of data financial institutions have in their systems is encryption of data both at rest and in transit. Encryption is vital to preventing unauthorized access and maintaining confidentiality, so financial institutions should verify encryption practices, irrespective of whether AI is in scope. Similarly, financial institutions should regularly assess security, privacy, and cyber resiliency as part of ongoing efforts to safeguard sensitive information, regardless of whether it is tied to AI models and tools. Technical controls and data governance are vital.

2. Update risk assessments, policies, and incident response plans

Institutions’ risk assessments should identify potential AI-related threats and implement appropriate controls. This includes regular reviews and updates to security policies and procedures. As AI tools are introduced, they need to be integrated into your institution’s cybersecurity and incident response plans. Review your current policies and determine whether they cover AI-related incidents, such as compromised models or data misuse.

If an AI model used for customer service were manipulated or “poisoned,” for example, your response plan should outline how to isolate it, communicate with affected parties, and analyze the event. Institutions should also consider how to maintain essential operations while that model is taken offline.

Board and senior management oversight are critical to these updates. Regular briefings on AI initiatives, ideally quarterly, help ensure that the use of AI aligns with the institution’s broader strategy and risk appetite. These discussions should include the results of any AI testing or model assessments, reinforcing accountability and transparency.

AI risk requires vendor due diligence & training

3. Strengthen due diligence and vendor oversight

For many institutions, AI arrives through third-party vendors. That means the focus should be on understanding how those tools are built and how they’re secured before implementation. The institution can offload implementation but not risk ownership.

When assessing AI vendors, request details about the specific models used and the data on which they were trained. If you’re using a large language model (LLM), ask whether training is ongoing and what safeguards exist for issues like prompt injection and hallucinations. Vendor contracts should reflect these considerations and include:

  • Disclosure of the model type and its training parameters
  • Limitations on using your institution’s data for further training
  • AI-specific security reporting
  • Prohibitions against sharing data with public or fourth-party models

You should also request results from AI-specific penetration testing, ideally following the OWASP Top 10 for LLMs, performed by qualified, independent assessors. That testing provides confidence that vendors are applying recognized security standards to their AI systems. Due diligence should be refreshed regularly, and of course, everything should be documented.

4. Expand training and ensure collaboration

Employees remain a key line of defense against cyber threats, and training should evolve alongside technology. Updating annual cybersecurity awareness programs to include examples of AI-driven phishing or deep-fake impersonations can make a real difference.

AI governance is also about collaboration. IT, compliance, audit, and risk management functions should work together to assess AI use cases and ensure controls are applied consistently. Internal audits can help verify that documentation, contracts, and policies are keeping pace with technology. Some institutions even run mock audits focused on AI governance to prepare for future regulatory exams.

5. Stay connected to peers and regulatory developments

The AI threat environment changes quickly. Staying connected to peers and industry organizations helps institutions remain informed and proactive. Groups such as FS-ISAC, RMA (now ProSight), and the ABA regularly share emerging threat information and best practices.

Monitoring regulatory updates is equally important. Even when guidance originates at the state level, such as from the DFS, it can offer useful direction for developing internal frameworks and ensuring readiness for broader oversight.

6. Balance innovation with security discipline

AI can enhance defenses when deployed carefully. Many vendors are now embedding AI into their existing cybersecurity tools, improving anomaly detection and response times. Institutions should evaluate these enhancements through the same lens as any other vendor solution: documentation, testing, and clear accountability.

Every new technology introduces risk. The institutions that will benefit most from AI are those that apply discipline and rigor to its adoption, verifying controls, maintaining strong governance, and documenting every step.

A structured approach for long-term success

AI is not a passing trend. It is another evolution in how financial institutions operate and protect themselves. By incorporating AI into existing cybersecurity frameworks through vendor management, board oversight, and ongoing education, institutions can stay secure while adapting to technological change and maintaining the trust of their customers, members, and regulators.

Steps to a successful SAR

In the world of anti-money laundering and countering the financing of terrorism (AML/CFT), few activities carry more regulatory weight than filing a suspicious activity report (SAR). But filing a SAR isn’t the final chapter—it’s one of many critical SAR process steps that financial institutions must execute consistently and defensibly.

Understanding the complete lifecycle of a SAR can help your institution strengthen compliance, improve reporting outcomes, and support law enforcement in identifying and preventing financial crime. From the initial alert to post-filing analysis, each step of the SAR process carries its own importance and regulatory expectations.

5 key takeaways for the SAR process

  • A SAR is more than paperwork: It’s a piece of financial intelligence that can help law enforcement disrupt criminal activity.
  • SAR process steps matter: Regulators expect each step—from alert to closure—to be clearly documented and repeatable.
  • Narrative quality impacts utility: Clear, well-structured reports make SARs actionable.
  • Filing isn’t the finish line: Institutions must reassess customer relationships and incorporate findings into risk assessments.
  • Effective SARs protect communities: By following strong processes, institutions safeguard more than just compliance—they protect the financial system and public trust.

Step 1: Spotting red flags that initiate the SAR process

The SAR journey begins with a red flag—anomalous behavior or transaction patterns that suggest suspicious activity. Common examples include:

  • Structuring deposits to avoid currency transaction reports (CTRs)
  • Wire transfers inconsistent with the customer’s business profile
  • Rapid activity in dormant or low-volume accounts
  • Reluctance to provide required identification
  • Sudden shifts in geography or transaction type

Automated monitoring systems, particularly those enhanced by artificial intelligence, help institutions detect these red flags efficiently. Still, even the most advanced system can’t replace skilled staff. Institutions must train employees to recognize and escalate concerns without prematurely dismissing key indicators.

Step 2: Conducting a defensible investigation

Once a red flag is identified, compliance teams begin the next SAR process step: investigation. This involves gathering evidence, reviewing customer history, evaluating transaction context, and determining whether a SAR filing is warranted.

With real-time payment platforms like FedNow increasing alert volume and urgency, investigators are under pressure to work quickly without sacrificing quality. Institutions can optimize this step by:

  • Regularly tuning monitoring rules to reflect emerging typologies
  • Using robust case management systems to centralize documentation
  • Cross-training teams to ensure redundancy
  • Conducting AML staffing assessments to keep workloads manageable

The key is ensuring each investigation is both thorough and defensible—able to withstand examiner scrutiny at any time.

Step 3: Writing and filing a strong SAR

If the investigation results in reasonable suspicion, the institution has 30 calendar days to file a SAR—or 60 days if no suspect is identified. But meeting the deadline is only part of the requirement. The narrative must be useful to law enforcement.

Best practices for this step of the SAR process include:

  • Clearly answering the who, what, when, where, why, and how
  • Including specific transaction details (amounts, accounts, dates)
  • Avoiding acronyms or codes that aren’t widely understood
  • Using plain, professional language to improve clarity

Templates may help standardize formatting, but no two SARs are alike. Each narrative should be tailored to the facts of the case and reviewed for accuracy and completeness.

Step 4: Monitoring SARs after filing

Filing a SAR doesn’t close the case. Examiners often look closely at how institutions manage SARs after submission. Effective post-filing SAR process steps include:

  • Documenting the full investigative timeline and decision-making process
  • Showing evidence of supervisory reviews or escalations to the BSA Officer
  • Reassessing the customer relationship, including risk rating updates or account closure

SAR trends—whether based on volume, type, or customer geography—should feed back into your institution’s AML/CFT risk assessments. For example, multiple SARs tied to the same customer may point to a systemic vulnerability that needs to be addressed across lines of business.

Step 5: Using SARs to strengthen compliance and national security

The final SAR process step is often overlooked: leveraging SARs as a tool to enhance overall risk management and support law enforcement. A single well-filed SAR could play a pivotal role in investigations into human trafficking, elder exploitation, or terrorism financing.

Financial institutions can take steps to ensure SARs serve their broader compliance goals by:

  • Training investigators on emerging fraud and AML typologies
  • Incorporating SAR trends into enterprise risk frameworks
  • Leveraging advisory services during periods of high alert volume
  • Reassessing the effectiveness of current AML software and processes

Make each SAR step count

Every SAR tells a story, and every step in the SAR process helps ensure that story reaches the right audience, at the right time, in the right way. Whether your institution files ten SARs a month or a hundred, understanding and refining the SAR process steps can help support a safer financial ecosystem.

Understanding stablecoins and their purpose

Stablecoins are digital assets designed to maintain a consistent value, often by pegging their price to a fiat currency like the U.S. dollar. By reducing the volatility typically associated with digital assets, stablecoins offer a bridge between traditional finance and cryptocurrency.

There are three primary types of stablecoins, each with its own structure and risk considerations:

  1. Fiat-backed (collateralized)

These are the most common type of stablecoin. Each token is backed 1:1 by fiat currency or short-term government debt, with reserves typically held in regulated financial institutions. Transparency and regular audits are key components of trust in this model.

Examples: USDC, USDT (Tether), TrueUSD
Key traits:

  • Simple to understand and widely used
  • Considered lower risk, though reliant on issuer compliance and reserve verification
  2. Crypto-backed

Backed by other cryptocurrencies such as ETH, these stablecoins are often over-collateralized to account for the price volatility of the underlying assets. Collateral is held in smart contracts rather than traditional banks.

Examples: DAI, sUSD
Key traits:

  • Decentralized structure
  • Increased complexity and risk due to market volatility and smart contract exposure
  3. Algorithmic (non-collateralized)

These stablecoins use code, not reserves, to maintain price stability. Algorithms automatically expand or contract token supply based on market conditions. While the goal is price stability, this model remains largely experimental.

Examples: Frax (partially algorithmic), TerraUSD (defunct)
Key traits:

  • Offer decentralization
  • High risk and prone to failure during periods of stress

Other models to be aware of:

  • Commodity-backed: Pegged to assets like gold (e.g., Pax Gold)
  • Hybrid models: Combine multiple elements from the categories above to balance stability and decentralization

Understanding these categories can help financial institutions assess which stablecoins, if any, align with their risk tolerance, regulatory obligations, and long-term strategy.

Why financial institutions should care

Stablecoin’s steady value makes it a more practical option for everyday transactions than other cryptocurrencies, which are known for volatility. It combines the efficiency of blockchain technology, such as rapid settlement and lower transaction costs, with the financial stability that businesses and consumers expect from a medium of exchange.

In a historic move, the Senate Banking Committee recently passed a bipartisan stablecoin bill, known as the GENIUS Act. Signed into law in July, this law sets guidelines for stablecoin issuers and could make stablecoins common for digital payments and investments.

The legislation introduces a plan for regulating stablecoin use, requiring 1:1 backing in cash or U.S. Treasuries and giving the Federal Reserve supervisory authority over large issuers. State regulators would oversee smaller issuers, preserving their role in overseeing regional financial institutions. This legislation is the most concrete sign yet that policymakers are preparing to bring stablecoins into mainstream payments, and compliance expectations are quickly materializing.

Stablecoin has the ability to offer faster settlement, greater accessibility, and new customer engagement opportunities. Examples include cross-border transfers, payroll, merchant payments, and decentralized (DeFi) platforms. With acceptance on the rise, financial institutions should understand how these products may intersect with their operations and risks, particularly in payments and compliance.

Risks and opportunities for financial institutions

Stablecoin has emerged as a key focus in the digital asset space, offering a less volatile alternative to traditional cryptocurrencies. The stablecoin market grew to approximately $159 billion in 2024 and has surged to more than $255 billion this year. With U.S. lawmakers signaling support and growing adoption across both consumer and institutional channels, now is the time for financial institutions to assess how stablecoins could impact their digital payment strategies.

FinCEN guidance on Stablecoin regulation

The Financial Crimes Enforcement Network (FinCEN) considers stablecoin a type of convertible virtual currency (CVC). As such, any financial institution facilitating stablecoin transactions must comply with Bank Secrecy Act (BSA) requirements and implement anti-money laundering/countering the financing of terrorism (AML/CFT) measures. This includes customer due diligence, suspicious activity reporting, and transaction monitoring.

Fraud guidance

In its guidance, FinCEN has warned that digital assets, stable or not, can still be exploited for money laundering, sanctions evasion, and fraud. Financial institutions must be prepared to identify and mitigate these risks, particularly as digital payment methods become more integrated with traditional banking.

Key risks financial institutions should consider

As stablecoins move closer to mainstream use, they bring new risks that banks and credit unions must be ready to manage:

Liquidity pressure during high redemptions

Even stablecoins that are fully backed by reserves can face problems if customers lose confidence and try to cash out all at once. This kind of “run” can create short-term cash flow challenges for institutions holding or processing these assets.

Risk tied to third-party partners

Working with outside stablecoin issuers or fintech providers means relying on their financial health and operational practices. Institutions should carefully vet these partners and have clear agreements in place about who is responsible for safeguarding assets, processing redemptions, and managing risks.

Compliance uncertainty and reputation concerns

The rules around stablecoins are still developing. Moving too fast, or not fast enough, can put a financial institution at risk. Engaging in stablecoin activities without a strong compliance program could lead to regulatory issues or damage customer trust.

Challenges detecting financial crime

Some stablecoin transactions are harder to trace than traditional payments. Without the right tools and processes, institutions might miss signs of suspicious activity. To stay compliant, AML and fraud monitoring programs should be able to track and evaluate blockchain-based transactions effectively.

Stablecoin carries many of the same risks as other financial instruments, plus some new ones. From AML/CFT compliance to liquidity planning, community financial institutions must treat stablecoin not just as a trend, but as a potential risk area that should be analyzed and managed.

What financial institutions should do now

Financial institutions have an opportunity to proactively position themselves as innovators and trusted providers of secure digital services. Whether or not your institution is engaging directly with stablecoin, these actions will help strengthen your position:

  1. Reassess your AML/CFT program: Ensure your risk assessment and AML/CFT compliance program can monitor for stablecoin risks, including identifying typologies related to stablecoin transactions.
  2. Monitor federal and state developments: Stay informed on legislative updates, particularly as the Senate bill advances. Look for guidance from FinCEN, the OCC, the NCUA, and the Federal Reserve on expectations for banks and credit unions.
  3. Engage internal stakeholders: Involve compliance, risk management, IT, and product development teams early. The more coordinated your approach, the better equipped you’ll be to assess opportunities and risks.
  4. Build fintech risk assessment processes: If partnering with a fintech or stablecoin issuer, apply enhanced due diligence measures and ensure service-level agreements clearly define responsibilities around compliance, custody, and data security.
  5. Educate your customers and your board: Help board members, executives, and customers understand how stablecoins work and the steps your institution is taking to protect their funds and data.

Looking ahead: Stability through preparation

Stablecoins have the potential to change how money moves, but they also bring new responsibilities for financial institutions. While this form of digital asset offers faster and more efficient payments, it also raises questions about oversight, risk, and readiness. With regulators beginning to set clearer expectations, now is the right time to get ahead of the curve. Banks and credit unions have succeeded by earning trust and adapting early, and preparing for stablecoin activity is a natural extension of that strength.

AI adoption considerations

AI is becoming a valuable tool as credit unions adopt more advanced technology to serve their members and stay competitive. From streamlining operations to enhancing fraud detection and improving member experiences, AI can help credit unions keep pace with financial institutions while maintaining the personal touch. However, success depends on preparation.

This Abrigo article was originally published October 3, 2025 on CUInsight.com.

Proactive planning for introducing AI and machine learning

In a recent comment letter, America’s Credit Unions Director of Innovation and Technology, Andrew Morris, shared what credit unions need to continue successfully deploying AI. The letter notes that future AI action plans should:

  • Understand that many potential risks of using AI are not unique to AI itself, and many of these risks are already managed by current laws, regulations, or supervisory guidance.
  • Prioritize educating financial regulators about the practical applications of AI to prevent misunderstandings about the division of control between human and machine agents across different use cases.
  • Recognize that determining whether risks are material is especially important when evaluating AI systems. Without planning, the risks can outweigh the rewards.

10-step checklist for preparing to implement AI

Credit unions adopting AI must be strategic and thoughtful. This list offers a framework to help credit unions prepare for AI implementation that is secure, ethical, and aligned with their mission.

  1. Define your AI goals and governance structure

Credit unions adopting AI should have clear strategic objectives that align with their business goals — whether that’s improving risk management, modernizing member service, or gaining efficiency in operations. Before committing to new technologies, establish a cross-functional AI governance committee that includes stakeholders from compliance, data analytics, legal, technology, and business units. This group should oversee all AI use cases, maintain a model inventory, and ensure that high-risk models are reviewed regularly.

  2. Build AI literacy across your credit union

Successful AI adoption depends on widespread understanding. Train staff at all levels on core AI concepts like machine learning, predictive analytics, and generative AI. Credit unions adopting AI should consider offering ongoing AI literacy programs to help team members understand how AI will be used and their roles in oversight and implementation.

  3. Identify use cases and track ROI

Prioritize high-value, low-risk pilot projects that deliver tangible benefits. Whether it’s automating document classification, enhancing fraud detection, or reducing underwriting time, each AI use case should include defined outcomes and an ROI plan. Credit unions adopting AI must continuously measure performance and adjust based on results and risk evaluations.

  4. Prepare for evolving regulatory expectations

Credit unions adopting AI should prepare for compliance with future expectations from the NCUA, CFPB, and other agencies. Begin by documenting AI governance activities, cybersecurity protocols, and risk assessments. Simulate internal audits to assess regulatory readiness and include AI discussions in board meetings to ensure oversight at the highest level.

  5. Vet and manage third-party AI vendors

Ask for detailed information on how models are trained, what data is used, and what security protocols are in place. Review contracts for audit rights, breach notification clauses, and usage restrictions. Credit unions planning to utilize AI tools from vendors must confirm that these tools are covered under the vendor’s SOC 2 report and that they comply with privacy laws like GLBA and CCPA.

  6. Prioritize explainability and ethical use

Document how each model is developed, trained, tested, and validated. Pay special attention to high-risk models, such as those used in credit decisions or fraud alerts. Select models that balance performance with transparency, ensure inputs and outputs are logged, and conduct regular bias audits to maintain fairness and trust.

  7. Strengthen data privacy and cybersecurity controls

AI adds new layers of complexity to cybersecurity. Ensure sensitive member data is encrypted and cannot be used for unauthorized model training. Ask vendors how they defend against adversarial threats such as prompt injection or model manipulation. Update your incident response plan to include new risks introduced by AI systems.

  8. Establish generative AI usage policies

Credit unions adopting AI should restrict the use of generative tools to institution-approved platforms and specify the types of data that can be input into these systems. Provide guidance on what constitutes appropriate use and require staff to review AI-generated content for accuracy and compliance before use in member communications or decision-making.

  9. Plan for member communication and transparency

Inform members when AI is being used in ways that impact them — especially in areas like credit underwriting or fraud prevention. Offer clear opt-out options where possible, and make sure members know there’s still a human in the loop. Credit unions adopting AI should also set clear service level agreements for AI-driven tools that interact directly with members.

  10. Invest in long-term innovation planning

AI is not a one-time investment. Create a roadmap that aligns with long-term business goals and supports responsible experimentation while maintaining regulatory compliance and ethical standards. Track the ROI of AI initiatives over time, and make adjustments based on results, risks, and changing member needs.

Reducing friction with equipment leasing software

Financial institutions in the equipment finance space are rethinking how work gets done. Whether you’re an independent finance company originating leases or a bank purchasing them, modern tools offer a smarter way to manage the leasing lifecycle. Here are three key areas where technology can help eliminate manual work and drive results.

Rethinking manual processes

While customer-facing technology in financial services has advanced rapidly, many equipment finance firms still rely on paper-based or fragmented systems behind the scenes. In a space where deals are complex and assets are high-value, manual processes can create bottlenecks that limit growth and introduce risk. The right equipment leasing software can help streamline operations, reduce reliance on spreadsheets, and give teams more time to focus on strategy.

Digitize the borrower journey

Delaying banking tech purchases can leave banks and credit unions flat-footed when operational demands or risks surge. For finance companies originating leases, digitizing the borrower journey brings efficiency and consistency to a traditionally paper-heavy process. From structuring terms to collecting applications and evaluating credit, equipment leasing software like IFSLeaseWorks allows firms to move away from disparate systems and spreadsheets.

Digital portals, automated documentation collection, and embedded workflows help reduce the risk of errors and improve turnaround times, allowing staff more time to focus on strategy. These tools also create a more streamlined experience for the lessee—whether they’re acquiring construction equipment, medical devices, or agricultural machinery.

For banks purchasing leases, digitizing documentation intake and analysis helps standardize what is often a manual, fragmented process and sets the foundation for more consistent decisioning.

Automate middle- and back-office workflows

Once a lease is originated—or purchased—the work of managing it begins. Billing, collections, asset servicing, and end-of-term decisions all carry operational and compliance risk when handled manually. Purpose-built equipment leasing software helps automate these middle- and back-office processes.

Automation supports consistency and scale, especially as portfolios grow. For originators, that means fewer manual touchpoints across servicing and asset management. Ideally, automated lease purchase decision software works in tandem with an institution’s existing loan software. For instance, Abrigo’s Lease Purchase Decisioning solution embeds underwriting workflows, templates, and credit analysis directly within the Sageworks platform. It helps institutions evaluate individual lease purchases efficiently, particularly those already using Sageworks.

Harness data and reporting for growth

Manual processes don’t just slow banks down, they obscure the big picture. Teams need real-time visibility and banking intelligence across the pipeline. Whether you’re tracking lease performance, analyzing asset values, or monitoring portfolio trends, modern reporting capabilities are essential.

With equipment leasing software, firms gain access to centralized data warehouses and dashboards that support strategic planning. This visibility becomes increasingly important as interest rates shift and competition increases.

Banks that purchase leases also benefit from consistent data capture during underwriting. Standardized inputs and outputs not only support compliance and audit readiness but also enhance the institution’s ability to analyze portfolio performance and allocate capital with confidence.

Stop relying on spreadsheets

Manual, disconnected systems aren’t built for scale. Whether your firm originates equipment leases or your bank is purchasing them as investments, equipment leasing software can reduce friction, improve consistency, and make your operation more nimble.

By digitizing the borrower experience, automating workflows, and leveraging your data, your organization can position itself for sustainable growth in the year ahead.

New timelines for small business loan data collection and reporting

The Consumer Financial Protection Bureau (CFPB) 1071 rule was originally effective in 2023, but section 1071 compliance dates have been extended. The 1071 compliance dates are for collecting and reporting data on small business loan activities.

This post was updated to reflect new compliance deadlines finalized by the CFPB on Oct. 2, 2025. 

Final rule

Effective dates & compliance dates for rule 1071

As they do with any new requirement, financial institutions want to know when the CFPB 1071 rule is effective and when they must begin collecting and reporting data on their small business lending activities.

The effective date of the Consumer Financial Protection Bureau’s (CFPB) new rule was August 29, 2023. However, compliance deadlines and related deadlines for reporting the data collected about small business loan applications are tiered. This staggering of compliance deadlines requires the small business lenders originating the most transactions to begin reporting data earlier than less active small business lenders.

In addition, court cases and changes to the rule have delayed compliance dates, in much the same way compliance with the current expected credit loss (CECL) model was delayed by several actions.

In the case of 1071, a Texas judge originally stayed compliance deadlines pending a Supreme Court ruling over the constitutionality of CFPB funding. Following the Supreme Court's decision in favor of the CFPB on that issue, however, the agency extended the 1071 rule’s compliance deadlines. The CFPB issued a final rule outlining the new 1071 compliance dates and filing deadlines as follows:

| Compliance Tier | Original Date (2023 Final Rule) | 2024 Interim Rule | New Date (2025 Interim Rule) | First Filing Deadline |
|---|---|---|---|---|
| Tier 1 (highest-volume) | October 1, 2024 | July 18, 2025 | July 1, 2026 | June 1, 2027 |
| Tier 2 (moderate-volume) | April 1, 2025 | January 16, 2026 | January 1, 2027 | June 1, 2028 |
| Tier 3 (smallest-volume) | January 1, 2026 | October 18, 2026 | October 1, 2027 | June 1, 2028 |

Source: CFPB

How to stay ahead of compliance

Despite the seemingly long runway to prepare, it's not too early to get a handle on the new requirements and how they will affect a bank or credit union. With the changes, many financial institutions face the most significant data collection and reporting effort in nearly 50 years. Given this scope, lenders need to begin assessing now how and when they will comply.

Abrigo has helped hundreds of bank and credit union staff members learn more about 1071 and how to prepare for it. Webinars, podcasts, and whitepapers provide tips for capturing small business loan data, storing it, and reporting it to the CFPB to comply with the required timelines. In addition, Abrigo's small business loan origination software can automate 1071 data collection and reporting.

Below are details on important dates for 1071 compliance, which financial institutions must comply, and what the changes involve.

Which FIs must comply

What are the goals of 1071?

Before discussing 1071 compliance dates, it’s helpful to understand the rule’s goals and which financial institutions it affects.

The final rule implements section 1071 of the Dodd-Frank Act by amending the Equal Credit Opportunity Act (ECOA), or Regulation B (Reg B). The CFPB small business lending data collection regulations are being included as subpart B of Reg B and aim to support and enforce the fair lending requirements. CFPB intends the data collected by lenders on each small business credit application to shed light on potential disparate treatment in loan terms, especially related to minority-owned small business applicants, including women-owned small businesses. Reporting on the data is also expected to help identify small business owners’ needs and credit opportunities. A CFPB compliance aid lists 81 data fields for information lenders must collect and report.

Which lenders are counted as “covered financial institutions” in the 1071 rule?

The rule outlines that any company or organization engaged in lending activities is covered.

Each reporting tier and its associated deadline is determined by the number of covered transactions to small businesses that a lender originated in each of two years, whether it's 2022 and 2023, or 2023 and 2024, or 2024 and 2025. 

In fact, to be subject to the rule’s requirements at all (i.e., be considered a “covered financial institution”), a company or organization must have originated at least 100 covered credit transactions in each of the two years it selects.

What is a covered transaction

The CFPB generally describes it as a request for any of the following:

  • Loans
  • Lines of credit
  • Credit cards
  • Merchant cash advances
  • Credit products used for agricultural purposes

Requests for additional credit on an existing loan are not counted as originations for the purpose of determining a covered financial institution.

Defining "application" for a covered transaction

For data collection and reporting, financial institutions must track applications they receive for covered transactions, as opposed to solely tracking originations. What is an application under the CFPB 1071 rule? It is an oral or written request for a covered credit transaction that is made following the procedures used by a financial institution for the type of credit requested. This means that lenders must track data not only related to approved and booked credit but also applications that are any of the following:

  • Withdrawn
  • Incomplete
  • Denied
  • Approved by the lender but not accepted by the applicant

A re-evaluation, extension, or renewal request on an existing business account is excluded from the definition of covered applications as long as the request seeks no additional credit. Inquiries and prequalification requests are also excluded.

How a lender defines an application as incomplete or withdrawn can vary from financial institution to institution, noted Abrigo Senior Advisor Paula King, CPA, who is already working with financial institutions to plan for and prepare 1071 reporting.

The CFPB “has left it up to financial institutions as to where you feel the cutoff is for an incomplete application” or a withdrawn application, she said. Regardless of how the bank or credit union defines these application resolutions, the lender should spell it out in the loan policy, King added. Loan policies should also clarify how a counteroffer by the lender will be treated.

 

Which credit transactions are excluded from 1071?

Several types of transactions are excluded from the CFPB’s requirements to report on applications. Among those considered excluded transactions:

  • Letters of credit
  • Trade credit (i.e., financing arrangements such as accounts receivable with a business providing goods or services)
  • Public utilities credit
  • Securities credit 
  • Incidental credit defined in Regulation B as exempt (e.g., not payable in more than four installments; not subject to finance charge)
  • Factoring 
  • Leases
  • Consumer-designated credit used for business/ag purposes, such as taking out a home equity line of credit or charging business expenses on their personal credit cards
  • Purchases of originated covered credit transactions 
  • Applications with potential HMDA and section 1071 overlap: CFPB does not require reporting under section 1071 (transactions would only be reportable under HMDA)

A final component of the rule that is useful in understanding the various deadlines for 1071 reporting is the CFPB’s description of what constitutes a small business. An applicant or borrower is considered a small business if it is a business (including agricultural) that had $5 million or less in gross annual revenue for its preceding fiscal year before applying.

This means that in addition to banks and credit unions, other lenders subject to the rule’s mandates are finance companies, online lenders, Community Development Financial Institutions (CDFIs), government lenders, and nonprofit lenders.

Three deadlines for tracking, reporting data

Tiers determined by transaction volume

The earliest reporters are those that have originated at least 2,500 small business loans. These financial institutions must begin data collection in July 2026 and continue through the end of the year, based on the CFPB's timeline. The data collected needs to be reported by June 1, 2027. For following years, lenders must collect data for the full year and report it by the following June 1. 

The second tier of deadlines covers financial institutions with at least 500 covered originations during the relevant two-year period. This group of small business lenders must begin collecting data on Jan. 1, 2027, and they must report data collected for the entire year by June 1, 2028.

The last group of lenders required to collect and report data on small business loan applications is financial institutions with at least 100 covered originations. These banks, credit unions, and other lenders have to begin collecting data on Oct. 1, 2027, and they are required to report the data by June 1, 2028. 

The CFPB produced an info sheet with more details and examples of how financial institutions collect data and comply with the small business lending rule. 

In this document, the bureau notes that if an institution determines it’s not required to comply with the rule initially, it must nevertheless determine in subsequent years whether it must, based on whether it originates at least 100 covered originations in each of the two calendar years immediately preceding the year in question. The document was written before the Supreme Court ruling that prompted the extension of the compliance dates for 1071, so it's likely to include outdated deadlines. 

Abrigo can help you navigate 1071 deadlines and compliance. In addition to our 1071 resource page for lenders, which has updated information to help prepare for the new requirements, Abrigo’s Loan Origination Software already has all required data fields in a borrower-facing collection form, access to pre-built reports, and the ability to export for CFPB reporting. Your financial institution can comply with 1071 while streamlining the origination process and ongoing customer management while working with a trusted partner of 2,400 institutions. Talk to a specialist to learn more.

CFPB small business data collection

Read practical tips for banks and credit unions to manage their 1071 rule data collection processes efficiently so they can stay ahead of deadlines and avoid compliance problems.  

This article was updated to reflect the Oct. 2, 2025, final rule published by the Consumer Financial Protection Bureau to extend the original deadlines to those set out in its June 18, 2025, interim final rule.

Banks and credit unions prepare

CFPB 1071 rule has significant requirements

The Consumer Financial Protection Bureau’s (CFPB) small business data collection rule, often referred to as the 1071 rule, is set to be the most significant effort of data collection and reporting for financial institutions in nearly 50 years. Banks and credit unions must prepare to meet the rule’s requirements by understanding what data must be collected, when it needs to be collected, and how to streamline the process to ensure compliance.  

This article describes the scope of the CFPB small business lending data regulations and offers practical tips for banks and credit unions to manage their data collection processes efficiently. Understanding the rule and preparing adequately will help your financial institution stay ahead of deadlines and avoid compliance problems.  

Rule covers all lenders

The scope of small business data collection

The CFPB’s small business data collection rule implements Section 1071 of the Dodd-Frank Act, which directs the bureau to collect certain demographic data from small business lenders. The primary goal of the federal rule is to facilitate fair lending enforcement and identify the credit needs of women- and minority-owned businesses.    

Under this rule, any entity engaged in lending activities is required to collect and report demographic data during the application process. This includes not just banks and credit unions but also finance companies, online lenders, Community Development Financial Institutions (CDFIs), government lenders and nonprofit lenders. The only lenders excluded from these requirements are those that originated fewer than 100 covered credit transactions in each of the two calendar years preceding their compliance date. Requests for additional credit tied to an existing loan do not count as originations when determining whether an institution is covered. 

The rule requires that lenders collect and report data for all small business credit applications from any business with $5 million or less in gross annual revenue in its preceding fiscal year. Credit transactions covered by the rule include applications or requests for:

  • Loans 
  • Lines of credit 
  • Credit cards 
  • Merchant cash advances 
  • Credit products used for agricultural purposes 
  • Refinancings where existing debt is satisfied and replaced by a new obligation for the same borrower  

Who must file when

Compliance deadlines for 1071 small business lending data regulations

Lender deadlines for 1071 compliance are initially determined by the volume of small business loans originated in each of the calendar years 2022 and 2023 or in 2023 and 2024 or in 2024 and 2025. Abrigo has a one-pager summarizing the 1071 data collection and reporting deadlines. Here’s a general overview of when different types of lenders must begin data collection, based upon their origination thresholds and the final rule published Oct. 2, 2025:

  • Lenders that originate at least 2,500 small business loans in each of the years must start collecting data on covered applications by July 1, 2026. 
  • Lenders that originate at least 500 covered loans in each of the years must begin data collection by Jan. 1, 2027.  
  • Lenders that originate at least 100 small business loans in each of the years must collect application data starting Oct. 1, 2027. 

To prepare for these deadlines, lenders may begin gathering the otherwise protected demographic information one year before their official collection deadline. This head start can help institutions ensure timely compliance and address any challenges in advance.  

20+ pieces of data

Key data points under 1071 small business lending data regulations

Banks, credit unions, and other creditors will need to collect more than 20 pieces of data for each application and report this data to the CFPB each year. The data points cover a wide range of details related to the credit transaction, the business’s attributes, and demographic data.  

Some of the key 1071 data points required include: 

  1. Application date and method (in person, telephone, online, mail) 
  2. Credit type, including the product type (term loan, line, credit card, etc.), guarantee type (personal, SBA, USDA, etc.), and loan term (in months) 
  3. Purpose of the credit (e.g., purchase, working capital, construction, etc.) 
  4. Amount applied for  
  5. Action taken on the application (originated, denied, withdrawn, etc.) and date of action 
  6. Amount approved or originated  
  7. Denial reasons (e.g., business characteristics, cash flow, collateral) 
  8. Pricing details (interest rate, origination charges, broker fees, initial annual charges, additional cost for merchant cash advances, and prepayment penalties) 
  9. Census tract number. This information should represent the address where loan proceeds will be applied, the address of the applicant’s headquarters or main office, or another address associated with the applicant 
  10. Gross annual revenue. Financial institutions may reuse previously collected gross annual revenue figures when the data was collected within the same calendar years as the covered application 
  11. NAICS code 
  12. Number of workers and time in business 
  13. Business ownership status (such as minority, women, LGBTQI+) 
  14. Number of principal owners and ethnicity, race, and sex/gender of principal owners 1-4. This data must be reported based only on information provided by the applicant (i.e., no reporting based on visual observation)  

Importantly, the CFPB mandates that lender data collection processes shouldn’t discourage applicants from providing their demographic information. Financial institutions will want to make data collection processes as easy as possible for applicants to encourage participation.  

The first filing dates for reporting the small business lending data under the final rule published Oct. 2, 2025, are as follows:

  • Highest volume lenders (Tier 1): June 1, 2027
  • Moderate volume lenders (Tier 2): June 1, 2028
  • Smallest volume lenders (Tier 3): June 1, 2028

Existing data and processes

Tips for organizing and streamlining data collection processes

Given the scope of effort needed to collect and report data by the CFPB deadlines, some financial institutions are already taking action. In fact, if you are a tier 1 lender and have to comply beginning July 1, 2026, we recommend beginning your testing now to give you at least nine months of testing.

For those who may feel overwhelmed by the tasks ahead, the following steps can help organize and streamline the data collection process: 

  1. Understand the rule and related requirements. Make sure others involved in lending are familiar with the 1071 small business lending data regulations and the specific requirements for CFPB small business data collection.  
  2. Review existing data collection practices. Identify what data is already being collected and where gaps exist. Some data may be available within the financial institution’s systems, while other data points will need to be obtained from applicants.  
  3. Assess the systems currently used for data collection and reporting. Determine whether these can be leveraged for 1071 data collection and whether new or updated systems are needed.
  4. Assess the current lending process (i.e., how information is gathered). This assessment likely will require reviewing the institution’s credit culture if certain required data points are missing from the current application process.  

Technological solutions for efficient 1071 data collection 

Automation can play a critical role in streamlining CFPB small business data collection. Software solutions designed for data collection and analysis can help lenders focus on the borrowers and winning deals while ensuring compliance with the 1071 small business lending data regulations. These tools can also make it easier to review and submit the information to the CFPB efficiently. Abrigo’s product team worked with the CFPB throughout the rulemaking process and has built 1071 compliance into its loan origination platform and its small business loan origination software. 

While ease of data access is important, in general, if the institution doesn't employ the firewall exception, CFPB prohibits underwriters or any employee responsible for the disposition or “making a determination” on an application from accessing certain demographic data. Abrigo’s software integrates 1071 compliance features such as built-in firewalls and user permission controls to help maintain non-biased lending and compliant reporting.  

Preparing for regulatory changes 

While organizing the data collection process is crucial, it’s also important for financial institutions to take broader steps to prepare for these regulatory changes. These include educating staff, revising policies and procedures, and considering more standardized pricing and fee structures to align with the 1071 small business lending data regulations.  

Department coordination

1071 Data risk management & compliance strategies

Compliance with the 1071 small business lending data regulations will require coordination across multiple departments. To mitigate risks associated with non-compliance, financial institutions should: 

  • Create a formal project plan and timeline for compliance efforts. 
  • Plan for the training of all relevant staff involved in data collection, reporting, and underwriting.
  • Establish consistent lending processes to promote data accuracy and compliance.  
  • Consider the formality of the current borrower application process and identify any culture changes needed. 
  • Automate processes to reduce manual errors and speed processes.  
  • Develop internal controls, including those that validate and test the data collected. 
  • Track and report exceptions, particularly those related to pricing, fees, and loan structures. 

Some financial institutions will need to formalize their small business loan application process. Others may decide to balance small business relationship lending with a risk-based pricing model to mitigate unintended disparate treatment among lenders and branches. 

For institutions facing challenges or staff resource constraints, engaging experienced consultants can help. CFPB 1071 consultants can establish reporting and monitoring processes and recommend any needed policy changes.  

The CFPB’s 1071 small business lending data regulations represent a momentous change in how financial institutions must collect and report data. By understanding the requirements, preparing in advance, and leveraging technology, banks and credit unions can navigate the changes with compliance. Start planning now to make sure your institution is ready for a smooth data collection process under the 1071 rule. 

Marijuana safe banking in 2025: Will rescheduling bring relief for financial institutions?

Financial institutions have monitored the progress of federal marijuana legislation for years, yet meaningful change has remained out of reach. While speculation around marijuana legislation continues to grow, financial institutions remain in the challenging position of navigating the gap between expanding state-level legalization and ongoing federal prohibition. This regulatory gray area presents heightened AML/CFT, reputational, and operational risk. With a decision on federal rescheduling expected soon, financial institutions are asking: Will it bring marijuana safe banking?

Rescheduling marijuana: Progress, but not a green light

In May 2024, after a review by the U.S. Department of Health and Human Services, the Drug Enforcement Agency issued a proposed rule that would reclassify marijuana from a Schedule I narcotic to Schedule III under the Controlled Substances Act (CSA). This historic shift would recognize its medical use and remove its classification alongside drugs like heroin and LSD.

In August 2025, the Trump administration confirmed it was reviewing the rescheduling proposal, with a final decision expected soon. President Trump acknowledged conflicting perspectives, stating, “I’ve heard great things having to do with medical [use]... and bad things having to do with just about everything else.”

But even if marijuana is rescheduled, it will remain federally regulated. For financial institutions, this means the 2014 FinCEN guidance remains in effect. Rescheduling may reduce stigma, but it does not equate to legalization and doesn’t resolve the core banking challenges.

 

What this means for financial institutions and their clients

The conflict between state legalization and federal prohibition puts banks and credit unions in a difficult position. Many serve communities with growing marijuana-related businesses (MRBs) that need access to basic financial services. Yet without federal protection, offering those services remains risky and complex.

The compliance burden is significant for institutions choosing to bank MRBs or those exposed indirectly through ancillary clients, like landlords, vendors, or service providers. Enhanced due diligence and robust ongoing monitoring remain critical components of a sound marijuana safe banking program.

Clients, meanwhile, face limited access to financial services. The result is often increased reliance on cash, which raises fraud, theft, and money laundering risks. To stay compliant and prepared, institutions must take a risk-based approach that addresses marijuana exposure through policies, staffing, and controls tailored to current and emerging threats.

 

Has the SAFE Banking Act passed?

Amid these challenges, the Secure and Fair Enforcement (SAFE) Banking Act continues to generate attention and bipartisan support but remains stalled, primarily due to a packed Congressional schedule. Intended to give banks and credit unions safe harbor when serving state-legal MRBs, the Act has passed the U.S. House seven times but has never cleared the Senate.

Its most recent iteration, the SAFER Banking Act (S.2860), remains pending in the Senate. In July 2025, a majority of state attorneys general sent a letter to Congressional leaders in support of passing federal protections for banks that do business with marijuana companies. “We write today in support of the SAFER Banking Act of 2025,” the letter read. “It is increasingly critical to move cannabis commerce into the regulated banking system.”

What the Act would mean for financial institutions

The SAFE Banking Act does not legalize marijuana or remove it from Schedule I. However, it would change the operational risk landscape by protecting financial institutions that serve compliant MRBs from federal penalties, asset forfeiture, or loss of deposit insurance.

The Act would also support AML/CFT efforts by reducing cash-only business models and enabling better transaction monitoring. Senator Jeff Merkley (D-Oregon) described the issue clearly in his Senate Committee testimony: “There is nothing like a cash economy to facilitate money laundering.”

Cash-heavy operations are more vulnerable to violent crime and harder for law enforcement to monitor. Without auditable financial records, marijuana-related activity remains in the shadows. Allowing electronic transactions would enable institutions to detect suspicious patterns better, file more accurate SARs, and bring marijuana-related funds into the oversight of the financial system.

Marijuana safe banking today

Despite legalization in most states, the vast majority of MRBs still lack access to traditional financial services. FinCEN SAR data shows that only about 830 U.S. banks and credit unions currently serve this market.

This forces many MRBs to operate in cash, limiting their ability to secure loans, build credit, or expand. For financial institutions, even those not intentionally serving the marijuana industry, this gap increases the risk of unknowingly onboarding or servicing indirectly connected customers.

Supporters of the SAFE Banking Act emphasize that the issue isn’t just about access but also about public safety. The Act would not only help institutions manage risk but also enhance community safety by integrating more marijuana funds into transparent, monitored systems. It would also protect the ecosystem of businesses that support MRBs, like landlords, law firms, and payroll providers.


A regulatory turning point

The Act remains a pivotal opportunity to bring federal alignment to a rapidly growing state-legal market. While past efforts have failed, increasing public support and the burden placed on financial institutions may eventually force action.

Still, banks and credit unions cannot afford to wait. Whether an institution chooses to serve MRBs or not, updating AML/CFT programs to reflect marijuana-related risks is a regulatory expectation—not a future suggestion. That includes documenting board-approved positions on MRBs in risk appetite statements.

Marijuana exposure

Even institutions not actively banking marijuana businesses may have exposure through third-party relationships. Property managers, security firms, consultants, and others may be closely tied to MRBs—making strong customer due diligence (CDD) and ongoing monitoring critical.

Recommended next steps:

  • Perform a staffing assessment to ensure your teams can meet marijuana-related compliance demands.
  • Update CDD and enhanced due diligence (EDD) processes to identify high-risk accounts.
  • Revisit your BSA/AML risk assessment to include scenarios related to rescheduling, legalization, and continued regulatory ambiguity.

Prepare for what’s next

Despite growing support, marijuana legislation remains uncertain. Financial institutions can’t afford to wait for clarity. Instead, they must take a proactive, risk-based approach to marijuana-related compliance today.

Whether your institution plans to bank MRBs, avoid them entirely, or prepare for future opportunities, strong internal controls, updated policies, and a mature AML/CFT program are essential. Regulators expect institutions to identify and mitigate marijuana-related risk—regardless of what happens on Capitol Hill.

The marijuana industry isn’t waiting for Congress to act, and neither should your institution. By planning and documenting your approach, you can stay compliant, protect your reputation, and remain ready for whatever comes next.

 


Discounted cash flow or WARM for the allowance? 

Two commonly deployed approaches for the allowance for credit losses under CECL are the discounted cash flow model and the remaining life methodology, also called WARM. How do you know when to select which?

CECL's flexibility is both a strength and a responsibility

Since its adoption in ASU 2016-13, the current expected credit loss (CECL) model has introduced a forward-looking approach to estimating credit losses. The guidance intentionally avoids prescriptive formulas, empowering financial institutions to choose from a variety of acceptable methodologies for calculating the allowance for credit losses:


However, with this flexibility comes the responsibility for financial institutions to align their chosen methodology with portfolio characteristics, data capabilities, and risk management practices.

Two of the most commonly deployed approaches to CECL are the discounted cash flow model and the remaining life methodology. This guide unpacks the strengths and challenges of both. It offers a practical decision framework to help community financial institutions make defensible, scalable choices as they select, or transition to, an approach that aligns with their unique situation and supports defensibility and operational efficiency.

 

What is the discounted cash flow method?

The DCF method estimates credit losses by projecting future contractual cash flows, applying assumptions for prepayments, defaults, and recoveries, and discounting those expected loan-level cash flows back to present value using the effective interest rate (EIR) as defined by the FASB.

As ASC 326-20-30-4 says, “The allowance for credit losses shall reflect the difference between the amortized cost basis and the present value of expected cash flows.”

How it works

The discounted cash flow methodology, in essence, uses contractual schedules adjusted for prepayments to estimate future balances by month. This is extraordinarily helpful when adhering to ASC 326-20-30-6, which instructs institutions to model “expected credit losses over the contractual term of the financial asset(s).”

ASC 326-20-30-6 also says, “An entity shall consider prepayments as a separate input in the method or prepayments may be embedded in the credit loss information.” Speaking from experience, it’s neither an easy nor a fun task to defend changing expected lives due to changes in prepayment speeds in varying rate environments when prepayments are “embedded in the credit loss.”

This approach, whether discounted or undiscounted, offers the opportunity to eliminate a life assumption, which is the most difficult and material assumption to support in a remaining life model (described below).

In fact, in order to support the remaining life input, one must run cash flows adjusted for prepayments, which begs the question – why not just stop there? As an added opportunity, forward-looking amortization schedules, interest income, and periodic expected loss all provide a strong foundation from which to manage. After all, it is the language of banking.

With this kind of output, estimates of future balances are accurate, which can allow for production budgeting. Loan-level detail on interest income that considers the default probability is also helpful in its own right. Lastly, timing-specific loss estimates make backtesting, monitoring, and scenario analysis feasible.

When to use DCF for CECL

Financial institutions have a number of considerations when selecting a CECL methodology. If using the discounted cash flow model is a possibility, remember that the methodology is best suited for specific situations.

These include the following:

  • While the discounted cash flow method works for nearly all loan types, it’s best for loan portfolios with contractual obligations extending beyond a year.
  • When an institution wants to quantify the impact of an economic forecast
  • When an institution wants to quantify the impact of a prepayment speed input
  • When an institution has loan-level fair market value adjustments resulting from an acquisition or whole loan purchase
  • When an institution prefers loan-level modeling and/or loan-level auditability
  • When industry or peer data is necessary or helpful

Pros

Some advantages of calculating the allowance using the discounted cash flow methodology include that it:

  • Is highly flexible, granular, and precise
  • Accurately reflects timing of losses, recoveries, and prepayments
  • Natively integrates reasonable and supportable forecasts
  • Supports layering of external or peer-derived inputs where internal data is sparse

Cons

Banks and credit unions have found that some of the challenges tied to using DCF are that it:

  • Requires detailed loan-level data (e.g., cash flow schedules, EIR, risk ratings)
  • Involves a heavier computing power burden

What is the remaining life method?

The remaining life method estimates losses using historical annualized loss rates and then applies those losses to balances using some form of life-of-loan assumption. Adjustments for prepayment speed changes, current conditions, and reasonable and supportable forecasts are usually estimated and applied through qualitative overlays or adjusting a life-of-loan input.
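The two calculations described above, for a single amortizing loan, as an added example that is not Abrigo's model or code from the original article. The function names are hypothetical, and the constant prepayment (CPR) and default (CDR) rates, the loss severity, recoveries collected with no lag, and an EIR equal to the note rate are all assumptions.

```python
def project(balance, annual_rate, n_months, cpr, cdr, severity):
    """Monthly (beginning balance, expected cash) for one amortizing loan."""
    r = annual_rate / 12
    smm = 1 - (1 - cpr) ** (1 / 12)  # annual prepayment speed -> monthly rate
    mdr = 1 - (1 - cdr) ** (1 / 12)  # annual default rate -> monthly rate
    rows = []
    for t in range(1, n_months + 1):
        begin = balance
        defaulted = begin * mdr
        performing = begin - defaulted
        interest = performing * r
        left = n_months - t + 1  # payments remaining, including this one
        payment = performing * r / (1 - (1 + r) ** -left) if r else performing / left
        sched_principal = payment - interest
        prepaid = (performing - sched_principal) * smm
        recovery = defaulted * (1 - severity)  # assumption: collected with no lag
        rows.append((begin, interest + sched_principal + prepaid + recovery))
        balance = performing - sched_principal - prepaid
    return rows


def dcf_allowance(amortized_cost, annual_rate, n_months, cpr, cdr, severity):
    """Amortized cost minus present value of expected cash flows at the EIR."""
    r = annual_rate / 12  # assumption: EIR equals the note rate
    rows = project(amortized_cost, annual_rate, n_months, cpr, cdr, severity)
    pv = sum(cash / (1 + r) ** t for t, (_, cash) in enumerate(rows, start=1))
    return amortized_cost - pv


def remaining_life_years(balance, annual_rate, n_months, cpr):
    """Life-of-loan input taken from the prepayment-adjusted balance run-off."""
    rows = project(balance, annual_rate, n_months, cpr, 0.0, 0.0)
    return sum(begin for begin, _ in rows) / balance / 12


def warm_allowance(balance, annual_loss_rate, life_years):
    """Remaining life method: annualized loss rate applied over the assumed life."""
    return balance * annual_loss_rate * life_years


if __name__ == "__main__":
    # Constructed sample loan: 100,000 balance, 6% note rate, 60 months remaining.
    for cpr in (0.05, 0.20):
        life = remaining_life_years(100_000, 0.06, 60, cpr)
        dcf = dcf_allowance(100_000, 0.06, 60, cpr, cdr=0.02, severity=0.40)
        warm = warm_allowance(100_000, 0.008, life)
        print(f"CPR {cpr:.0%}: life {life:.2f}y  DCF {dcf:,.0f}  WARM {warm:,.0f}")
```

Running it shows the life input, and with it the remaining life result, moving with the prepayment speed, while the DCF run carries the prepayment speed as its own input.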

When to use it

Some of the reasons a financial institution might select WARM for the allowance for credit losses include:

  • When an institution is seeking an expedient
  • When an institution is comfortable with qualitative factors for forecasting and prepayment changes
  • When an institution has limited access to loan-level data or modeling capacity
  • When an institution needs a transitional methodology

Pros

The remaining life method has the following qualities that might cause a bank or credit union to choose this methodology:

  • Easy to implement and maintain
  • No need for extensive historical or loan-level data
  • Easily understandable and auditable
  • Widely used and regulator-accepted for community institutions

Cons

Some of the feedback we’ve gotten about why financial institutions might not want to select WARM includes:

  • Difficult to support in changing rate environments (prepayment speed changes)
  • Loss timing is not explicitly modeled
  • Limited flexibility for dynamic economic forecasts
  • Assumes flat distribution of risk across remaining life
  • May misstate risk for longer-duration or prepayment-sensitive assets

Choosing the right method: A practical decision framework

Making a choice of CECL methodology involves many factors. Below is a simplified framework to help guide your selection.

chart of DCF vs. WARM methods for CECL

Both methods are fully compliant with CECL, but DCF offers better alignment with forward-looking credit risk modeling. The remaining life method offers an alternative for institutions prioritizing ease of implementation over support and defensibility.

Documentation and validation best practices

Regardless of the method used, institutions should:

  • Document method selection rationale, tying it to portfolio characteristics
  • Clearly define all inputs, assumptions, and external data sources
  • Perform annual CECL model validations or revalidations whenever portfolios materially change
  • Monitor and backtest model performance
  • Retain version control for model updates and assumption changes
  • Align CECL methodology with internal ALM, stress testing, and strategic planning frameworks where possible

Aligning methodology with institutional maturity

There is no universally “right” method for CECL compliance—only the method best aligned with your institution’s size, systems, staffing, and risk complexity.

  • Start with WARM if you're prioritizing ease of implementation and are comfortable re-implementing later as you grow or experience changes in rates or the economy.
  • Evolve toward DCF as your institution builds stronger data pipelines, economic forecasting capabilities, and strategic modeling needs.
  • DCF provides not only more refined allowance estimates but also enhanced insight into credit risk behavior. These can enable better pricing, strategy, and capital planning.

Abrigo has guided hundreds of financial institutions through CECL implementation, tailoring the process to their unique goals and operational realities. Whether you are adopting a simplified model like remaining life or are ready to unlock the full potential of loan-level DCF modeling, Abrigo's allowance solutions and CECL advisors can help you navigate every step—from methodology selection and model validation to reporting and examiner readiness.
