Bok Financial (BOKF) Risk Analysis

A pandemic or other health crisis could destabilize the financial markets and the general economy. Forced shutdowns or regulations limiting business could have an adverse effect on our customers, limiting their ability to satisfy obligations and limiting growth or demand for our loans and other services, which could affect our liquidity, financial condition, and results of operations.

BOK Financial's subsidiary bank may rely on other financial institutions and the Federal Home Loan Bank of Topeka as a significant source of funds. Our ability to fund loans, manage our interest rate risk, and meet other obligations depends on funds borrowed from these sources. The inability to borrow funds at market interest rates could have a material adverse effect on our operations. In addition, idiosyncratic factors, as well as other factors outside of BOK Financial's control, such as a general market disruption or an operational problem that affects third parties, could impair the Company's ability to access short-term funding or create an unforeseen outflow of cash due to, among other factors, draws on unfunded commitments or deposit attrition. Withdrawals of brokered or institutional deposits could require us to pay significantly higher interest rates on our retail deposits or on other wholesale funding sources, which would have an adverse impact on our net interest income and net income. Furthermore, changes to the FHLB's underwriting guidelines for wholesale borrowings or lending policies may limit or restrict our ability to borrow, and therefore could have a significant adverse impact on our liquidity. In the event of future turmoil in the banking industry or other idiosyncratic events, there is no guarantee that the U.S. government will invoke the systemic risk exception, create additional liquidity programs, or take any other action to stabilize the banking industry or provide liquidity. The Company's inability to monetize liquid assets or to access short-term funding or capital markets could constrain the Company's ability to make new loans or meet existing lending commitments and could ultimately jeopardize BOK Financial's overall liquidity and capitalization.

An increasing competitive factor in the financial services industry is the ability to attract and retain talented and diverse employees across several lines of business. The transition by many employers to remote work and work-from-home that occurred during the COVID-19 pandemic continues to influence the competition for talent. Employers, now less constrained by physical geography, particularly those in markets with elevated employee compensation, may increasingly compete for our employees.

We outsource a significant portion of our information systems, communications, data management, and transaction processing to third parties. We are heavily reliant on a single vendor for many of these functions. These third parties are sources of risk associated with operational errors, system interruptions or breaches, unauthorized disclosure of confidential information, and misuse of intellectual property. If the service providers encounter any of these issues, we could be exposed to disruption of service, reputation damages, and litigation risk that could be material to our business. Temporary outages driven by third-party operational failures do occur from time to time, and generally affect multiple financial institutions at the same time, or multiple industries, depending on the scope of services provided by that third party. The Company has experienced these types of outages, including with our largest service provider. Impacts related to such outages have been immaterial to the Company to date, but future outages could be longer and more impactful, which could be material to our operations and our financial condition.

At December 31, 2024, 13% of BOK Financial's total loan portfolio is comprised of loans to borrowers in the energy industry. The energy industry is historically cyclical, and prolonged periods of low oil and gas commodity prices could negatively impact borrowers' ability to pay. In addition, the Company does business in several major oil and natural gas producing states including Oklahoma, Texas, and Colorado. The economies of these states could be negatively impacted by prolonged periods of low oil and gas commodity prices resulting in increased credit migration to classified and nonaccruing categories, higher loan loss provisions and risk of credit losses from both energy borrowers and businesses and individuals in those regional economies.

We continue to evaluate and selectively deploy emerging technologies like AI, machine learning, and generative AI for incorporation into our business. The Company's use of AI and machine learning is subject to risks that algorithms and data sets are flawed or may be insufficient or contain biased information. The legal and regulatory environment relating to these emerging technologies is uncertain and rapidly evolving and includes regulatory schemes targeted specifically at AI as well as provisions in intellectual property, privacy, consumer protection, employment, and other laws applicable to the use of these technologies. These evolving laws and regulations could require changes in our implementation of these emerging technologies and increase our compliance costs and the risk of non-compliance. These same risks apply to our use of third-party service providers who are implementing these tools into the products or services they provide to us.

The Company is dependent on its technological ability to process, record, and monitor a large number of customer transactions and store and protect a significant amount of sensitive customer information. Our customers' use of our internet-based services, and our customer and regulatory expectations regarding operational and information security and reliability have increased over time. We face compliance risks and costs relating to the data privacy laws existing in multiple jurisdictions. Congress and the legislatures of states in which we operate regularly consider legislation that would impose more stringent data privacy requirements resulting in increased compliance costs. Cybersecurity risks for financial institutions have increased significantly in recent years in part because of the proliferation of new technologies, the increased use of the internet and mobile technologies to conduct financial transactions, and the increased sophistication and ever changing cyberattack techniques used by organized crime, hackers, terrorists, hostile foreign governments, and other external parties to obtain confidential customer information and misappropriate customer funds, and may disrupt operations through Ransomware. Such parties may seek to gain access to our systems directly or use equipment or security passwords belonging to employees, customers, third-party services providers, or other users of our systems. Accordingly, our operational systems and infrastructure must continue to be safeguarded and monitored for potential failures, disruptions, breakdowns, and cyber attacks. Our business, financial, accounting, data processing systems, and other operating systems and facilities may stop operating properly or become disabled as a result of a number of factors that may be wholly or partially beyond our control. In addition to cyber attacks, there could be sudden increases in customer transaction volume, electrical or telecommunications outages, extended disruptions in operations or technology, natural disasters, pandemics, and events arising from political or social matters, including terrorist attacks. Third parties with whom we do business or that facilitate our business activities including exchanges, clearing houses, financial intermediaries, or vendors that provide services or security solutions for our operations, could also be sources of operational or information security risk to the Company including breakdowns or failures of their own systems, capacity constraints, or cyber attacks. Cybersecurity risk management programs are expensive to maintain and will not protect the Company from all risks associated with maintaining the security of customer data from external and internal intrusions, disaster recovery and failures in controls used by our vendors. A material breach of customer data security or operational or system failure may negatively impact our business reputation and cause a loss of customers, result in increased expense to contain the event and/or require that we provide credit monitoring services for or reimburse affected customers, result in regulatory fines, penalties or intervention, or result in litigation, all of which could have a materially adverse effect on our results of operations and financial condition. Although to date we have not experienced any material losses relating to cyber attacks or other information security breaches or operational failures, there can be no assurance that we will not suffer such losses in the future. Attempts to compromise our cybersecurity are regular and frequent. Our risk and exposure to these matters remains heightened, and as a result the continued development and enhancement of our controls, processes and practices designed to protect and facilitate the recovery of our systems, computers, software, data and networks from attack, damage or unauthorized access remains a high priority for us. As an additional layer of protection, we have purchased network and privacy liability risk insurance coverage. Our cybersecurity insurance may not provide sufficient coverage in the event of a breach or may not be available in the future on acceptable terms.

BOK Financial and BOKF, NA are subject to banking laws and regulations that limit the type of acquisitions and investments that we may make. In addition, certain permitted acquisitions and investments are subject to prior review and approval by banking regulators, including the Federal Reserve, OCC, and FDIC. Banking regulators have broad discretion on whether to approve proposed acquisitions and investments. In deciding whether to approve a proposed acquisition, federal banking regulators will consider, among other things, the effect of the acquisition on competition; the convenience and needs of the communities to be served, including our record of compliance under the Community Reinvestment Act; and our effectiveness in combating money laundering. They will also consider our financial condition and our future prospects, including projected capital ratios and levels; the competence, experience, and integrity of our management; and our record of compliance with laws and regulations. Regulatory authorities may change their interpretation of these statutes and regulations, including the OCC, our primary regulator, and the CFPB, our regulator for certain designated consumer laws and regulations. Violations of laws and regulations could limit the growth potential of BOK Financial's businesses. As we grow in asset size to above $50 billion, increases in regulatory expectations and requirements could result in additional compliance and capital costs and regulatory risk. Political developments, including recent Federal executive and legislative changes, add additional uncertainty to the implementation, scope and timing of changes in the regulatory environment for the banking industry and for the broader economy. We expect the current presidential administration will seek to implement a regulatory reform agenda that is notably different than that of the prior administration, impacting rule-making, supervision, examination, and enforcement priorities of the federal banking agencies. Concern regarding government policies such as federal budgetary matters, including the debt ceiling or prolonged stalemates leading to total or partial governmental shutdowns, may also have adverse economic consequences and create the risk of economic instability or market volatility, with potential negative consequences to our business and financial performance. Additionally, changes in fiscal, monetary, or regulatory policy, including as a result of labor shortages, wage pressures, supply chain disruptions, tariffs, and higher inflation, could increase our compliance costs and adversely affect our business operations and results of operations. Federal budget deficit concerns and the potential for political conflict over legislation to raise the U.S. government's debt limit may increase the possibility of a default by the U.S. government on its debt obligations, related credit-rating downgrades, or an economic recession in the United States. Many of our investment securities are issued by the U.S. government and government agencies and sponsored entities. As a result of uncertain domestic political conditions, including potential future federal government shutdowns, the possibility of the federal government defaulting on its obligations for a period of time due to debt ceiling limitations or other unresolved political issues, investments in financial instruments issued or guaranteed by the federal government pose liquidity risks. In connection with prior political disputes over U.S. fiscal and budgetary issues leading to the U.S. government shutdown in 2011, S&P lowered its long term sovereign credit rating on the U.S. from AAA to AA+. On August 1, 2023, Fitch Ratings announced its decision to downgrade the U.S. long-term credit ratings from AAA to AA+, but maintained the country credit ceiling at AAA. A further downgrade, or a downgrade by other rating agencies, as well as sovereign debt issues facing the governments of other countries, could have a material adverse impact on financial markets and economic conditions in the U.S. and worldwide.

The current and anticipated effects of climate change continue to attract political and social attention. Climate changes present physical and transition risks to BOK Financial, both of which could change over time. Physical risks relate to the harm of people or property arising from acute, climate-related disaster events such as hurricanes or tornadoes, as well as longer-term chronic phenomena such as higher average temperatures. Physical risks specific to BOK Financial include: - Increases in extreme weather events could damage or destroy the property of BOK Financial or its customers, disrupting operations and causing significant expenditures. - Significant damages to real properties securing our loans could cause the value of the loan portfolio to contract. Borrowers may be unable to make payments on loans increasing delinquency rates and average loan loss severity. - Wide-ranging weather disasters, including but not limited to, long periods of drought and rising sea levels, could result in an economic downturn and a decline in market conditions. Liquidity risks could arise as operational needs change for both BOK Financial and its customers. - We may not have adequate insurance coverage for some potential natural, catastrophic climate change-related events. Transition risks relate to stresses arising from the shifts in regulatory policies, consumer or business sentiment, or technologies required to limit climate change. Efforts by U.S. Congress, state legislatures, and federal and state regulatory agencies to advance legislative and regulatory initiatives respecting climate change fluctuate with changes in elected officials and may be inconsistent, making compliance costly and challenging. Transition risks specific to BOK Financial include: - Compliance, operating, maintenance, and remediation costs may require a significant amount of expenditure. - BOK Financial's credit portfolios include carbon-intensive industries, which could be adversely impacted by the transition to a low-carbon economy. BOK Financial has a long-standing relationship with the energy industry, and the local economies within BOK Financial's geographical footprint have a concentration in energy-related industries. The regulatory impacts on the energy industry could lead to sharp changes in the values of certain assets or liabilities, increase costs, hinder financial results, and shrink the industry. These changes could have a significant effect on the general economic conditions within our footprint. - Reputational risk may increase with conflicting opinions of stakeholders, including shareholders, customers, and employees, on climate risk. On March 6, 2024, the SEC adopted new climate-related disclosure rules for U.S. public companies and foreign private issuers. These rules introduce extensive disclosure requirements, increasing reporting costs, risks, and complexity. Challenges include short compliance timelines, interpretive issues, legal liabilities, and global regulatory overlaps. In the midst of legal challenges, the SEC voluntarily stayed implementation of these rules.

Banking is a competitive business. BOK Financial competes actively for loan, deposit, and other financial services business in the southwest region of the United States. BOK Financial's competitors include a large number of small and large local and national banks, savings and loan associations, credit unions, trust companies, broker-dealers and underwriters, as well as many financial and non-financial firms that offer services similar to those of BOK Financial. Large national financial institutions have substantial capital, technology, and marketing resources. Such large financial institutions may have greater access to capital at a lower cost than BOK Financial does, which may adversely affect BOK Financial's ability to compete effectively. BOK Financial has expanded into markets outside of Oklahoma, where it competes with a large number of financial institutions that have an established customer base and greater market share than BOK Financial. With respect to some of its services, BOK Financial competes with non-bank companies that are not subject to regulation. The absence of regulatory requirements may give non-banks a competitive advantage. The increasingly competitive environment is in part a result of changes in regulation, changes in technology and product delivery systems, and the accelerating pace of consolidation among financial service providers. Our success depends on our ability to respond to the threats and opportunities of financial technology innovations. Developments in "fintech" and crypto-currencies have the potential to disrupt the financial industry and change the way banks do business. Investment in new technology to stay competitive could result in significant costs and increased cybersecurity risk. Our success depends on our ability to adapt to the pace of the rapidly changing technological environment, which is important to retention and acquisition of customers.

Attempts to commit fraud, including but not limited to, card fraud, check fraud, electronic fraud, wire fraud, social engineering, and phishing attacks, are becoming increasingly more sophisticated and may go undetected by the systems and procedures we have in place to monitor our operations. We have experienced, and may experience again in the future, losses incurred due to customer, employee, or third-party fraud and theft. These losses may be material, negatively affect our results of operations, financial condition or prospects, and may lead to significant reputational risks and other effects. We continue to invest in fraud prevention in the form of people and systems designed to prevent, detect, and mitigate the customer and financial impacts.