CF Bankshares (CFBK) Risk Analysis

From time to time, we may be subject to claims or legal action from customers, employees or others. Financial institutions like the Company and CFBank are facing a growing number of significant class actions, including those based on the manner of calculation of interest on loans and the assessment of overdraft fees. Future litigation could include claims for substantial compensatory and/or punitive damages or claims for indeterminate amounts of damages. We are also involved from time to time in other reviews, investigations and proceedings (both formal and informal) by governmental and other agencies regarding our business. These matters also could result in adverse judgments, settlements, fines, penalties, injunctions or other relief. Like other large financial institutions, we are also subject to risk from potential employee misconduct, including non-compliance with policies and improper use or disclosure of confidential information. Substantial legal liability or significant regulatory action against us could materially adversely affect our business, financial condition or results of operations and/or cause significant reputational harm to our business.

We are subject to extensive federal, state and local taxes, including income, excise, sales/use, payroll, franchise, financial institutions tax, withholding and ad valorem taxes. Changes to tax laws could have a material adverse effect on our results of operations, fair values of net deferred tax assets and obligations of states and political subdivisions held in our investment securities portfolio. In addition, our customers are subject to a wide variety of federal, state and local taxes. Changes in taxes paid by our customers may adversely affect their ability to purchase homes or consumer products, which could adversely affect their demand for our loans and deposit products. In addition, such negative effects on our customers could result in defaults on the loans we have made and decrease the value of mortgage-backed securities in which we have invested.

Financial institutions are facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to their environmental, social, and governance ("ESG") practices and disclosure. Investor advocacy groups, investment funds, and influential investors are also increasingly focused on these practices, especially as they relate to the environment, health and safety, diversity, labor conditions, and human rights. Increased ESG-related compliance costs for the Company as well as among our suppliers, vendors and various other parties within our supply chain could result in increases to our overall operational costs. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards could negatively impact our reputation, ability to do business with certain partners, access to capital, and the price of our common shares. New government regulations could also result in new or more stringent forms of ESG oversight and expanding mandatory and voluntary reporting, diligence, and disclosure.

We conduct our business operations primarily in Franklin, Cuyahoga, Hamilton, and Summit, Counties, Ohio, and in Marion County, Indiana, and make loans generally throughout Ohio and Indiana. Increased competition within these markets may result in reduced loan originations and deposits. Ultimately, we may not be able to compete successfully against current and future competitors. Many competitors offer the types of loans and banking services that we offer. These competitors include other savings associations, community banks, regional banks and money center banks. We also face competition from many other types of financial institutions, including finance companies, brokerage firms, insurance companies, credit unions, mortgage banks, fintechs and other financial intermediaries. Our competitors with greater resources may have a marketplace advantage enabling them to maintain numerous banking locations and mount extensive promotional and advertising campaigns. Additionally, financial intermediaries not subject to bank regulatory restrictions and banks and other financial institutions with larger capitalization have larger lending limits and are thereby able to serve the credit needs of larger clients. These institutions, particularly to the extent they are more diversified than we are, may be able to offer the same loan products and services that we offer at more competitive rates and prices. If we are unable to attract and retain banking clients, we may be unable to sustain current loan and deposit levels or increase our loan and deposit levels, and our business, financial condition and future prospects may be negatively affected.

As part of our financial institution business, we collect, process and store sensitive consumer data by utilizing computer systems and telecommunications networks operated by both us and third-party service providers. Our necessary dependence upon automated systems to record and process transactions poses the risk that technical system flaws, employee errors, tampering or manipulation of those systems, or attacks by third parties will result in losses and may be difficult to detect. We have security and backup and recovery systems in place, as well as a business continuity plan, to ensure the computer systems will not be inoperable, to the extent possible. The Company also routinely reviews documentation of such controls and backups related to third-party service providers. Our inability to use or access these information systems at critical points in time could unfavorably impact the timeliness and efficiency of our business operations. In recent years, some banks have experienced denial of service attacks in which individuals or organizations flood the bank's website with extraordinarily high volumes of traffic, with the goal and effect of disrupting the ability of the bank to process transactions. Other businesses have been victims of ransomware attacks in which the business becomes unable to access its own information and is presented with a demand to pay a ransom in order to once again have access to its information. We could be adversely affected if one of our employees causes a significant operational break-down or failure, either as a result of human error or where an individual purposefully sabotages or fraudulently manipulates our operations or systems. We are further exposed to the risk that the third-party service providers may be unable to fulfill their contractual obligations (or will be subject to the same risks as faced by us). These disruptions may interfere with service to our customers, cause additional regulatory scrutiny and result in a financial loss or liability. We are also at risk of the impact of natural disasters, terrorism and international hostilities on our systems or for the effects of outages or other failures involving power or communications systems operated by others. Misconduct by employees could include fraudulent, improper or unauthorized activities on behalf of clients or improper use of confidential information. We may not be able to prevent employee errors or misconduct, and the precautions we take to detect this type of activity might not be effective in all cases. Employee errors or misconduct could subject us to civil claims for negligence or regulatory enforcement actions, including fines and restrictions on our business. In addition, there have been instances where financial institutions have been victims of fraudulent activity in which criminals pose as customers to initiate wire and automated clearinghouse transactions out of customer accounts. Although we have policies and procedures in place to verify the authenticity of our customers, we cannot assure that such policies and procedures will prevent all fraudulent transfers. We have implemented security controls to prevent unauthorized access to our computer systems, and we require that our third-party service providers maintain similar controls. However, the Company's management cannot be certain that these measures will be successful. A security breach of the computer systems and loss of confidential information, such as customer account numbers and related information, could result in a loss of customers' confidence and, thus, loss of business. We could also lose revenue if competitors gain access to confidential information about our business operations and use it to compete with us. While we maintain specific "cyber" insurance coverage, which would apply in the event of various breach scenarios, the amount of coverage may not be adequate in any particular case. Furthermore, because cyber threat scenarios are inherently difficult to predict and can take many forms, some breaches may not be covered under our cyber insurance coverage. Further, we may be impacted by data breaches at retailers and other third parties who participate in data interchanges with us and our customers that involve the theft of customer credit and debit card data, which may include the theft of our debit card personal identification numbers (PINs) and commercial card information used to make purchases at such retailers and other third parties. Such data breaches could result in us incurring significant expenses to reissue debit cards and cover losses, which could result in a material adverse effect on our results of operations. There can be no assurance that we will not suffer such cyber-attacks or other information security breaches or attempted breaches, or incur resulting losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, and our plans to continue to implement internet and mobile banking capabilities to meet customer demand. As cyber and other data security threats continue to evolve, we may be required to expend significant additional resources to continue to modify and enhance its protective measures or to investigate and remediate any security vulnerabilities. Our assets at risk for cyber-attacks include financial assets and non-public information belonging to customers. We use several third-party vendors who have access to our assets via electronic media. Certain cyber security risks arise due to this access, including cyber espionage, blackmail, ransom, and theft. As cyber and other data security threats continue to evolve, we may be required to expend significant additional resources to continue to modify and enhance our protective measures or to investigate and remediate any security vulnerabilities. All of the types of cyber incidents discussed above could result in damage to our reputation, loss of customer business, costs of incentives to customers or business partners in order to maintain their relationships, litigation, increased regulatory scrutiny and potential enforcement actions, repairs of system damage, increased investments in cybersecurity (such as obtaining additional technology, making organizational changes, deploying additional personnel, training personnel and engaging consultants), increased insurance premiums, and loss of investor confidence and a reduction in the price of our common shares, all of which could result in financial loss and material adverse effects on our results of operations and financial condition

Our success depends, in large part, on our ability to attract, retain, develop and motivate management and key employees. Competition for key employees is ongoing and we may not be able to attract or retain the key employees that we want or need in order to successfully execute our business. Additionally, the unexpected loss of services of any key employee could have an adverse effect on our business and financial results.

The third parties performing operational services for the Company are subject to risks similar to those faced by the Company relating to cybersecurity, breakdowns or failures of their own systems, or misconduct of their employees. Like many other community banks, CFBank also relies, in significant part, on a single vendor for the systems which allow CFBank to provide banking services to CFBank's customers, for which the systems are maintained on CFBank's behalf by this single vendor. One or more of the third parties utilized by us may experience a cybersecurity event or operational disruption and, if any such event does occur, it may not be adequately addressed, either operationally or financially, by such third party. Further, the operations of our third-party vendors could fail or otherwise become delayed. Certain of these third parties may have limited indemnification obligations to us in the event of a cybersecurity event or operational disruption, or may not have the financial capacity to satisfy their indemnification obligations. Financial or operational difficulties of a third party provider could also impair our operations if those difficulties interfere with such third party's ability to serve the Company. If a critical third-party provider is unable to meet the needs of the Company in a timely manner, or if the services or products provided by such third party are terminated or otherwise delayed and if the Company is not able to develop alternative sources for these services and products quickly and cost-effectively, our business could be materially adversely effected. Additionally, regulatory guidance adopted by federal banking regulators addressing how banks select, engage and manage their third-party relationships, affects the circumstances and conditions under which we work with third parties and the cost of managing such relationships.

The DIF maintained by the FDIC to resolve bank failures is funded by fees assessed on insured depository institutions. The costs of resolving bank failures increased for a period of time and decreased the DIF. The FDIC collected a special assessment in 2009 to replenish the DIF and also required a prepayment of an estimated amount of future deposit insurance premiums. In October 2022, the FDIC adopted a final rule increasing the assessment rate from three basis points to five basis points beginning with the first quarterly assessment period of 2023. If the costs of future bank failures increase, the deposit insurance premiums required to be paid by CFBank may also increase. The FDIC recently adopted rules revising its assessments in a manner benefiting banks, such as CFBank, with assets totaling less than $10 billion. There can be no assurance, however, that assessments will not be changed in the future.

Our success depends to a significant extent upon local and national economic and political conditions, as well as governmental fiscal and monetary policies. Conditions such as inflation, recession, unemployment, changes in interest rates, fiscal and monetary policy, an increasing federal government budget deficit, the failure of the federal government to raise the federal debt ceiling and/or possible future U.S. government shutdowns over budget disagreements, slowing gross domestic product, tariffs, a U.S. withdrawal from or significant renegotiation of trade agreements, trade wars, and other factors beyond our control may adversely affect CFBank's deposit levels and composition, the quality of investment securities available for purchase, demand for loans, the ability of CFBank's borrowers to repay their loans, and the value of the collateral securing loans made by CFBank. The ongoing political turmoil and military conflict in Ukraine and the Middle East are likely to result in substantial changes in economic and political conditions for the U.S. and the remainder of the world. Disruptions in U.S. and global financial markets, and changes in oil production and supply in the Middle East and Russia, also affect the economy and stock prices in the U.S., which can affect our earnings and/or capital, as well as the ability of our customers to repay loans. ? Because we have a significant amount of real estate loans, decreases in real estate values could adversely affect the value of property used as collateral and our ability to sell the collateral upon foreclosure. Adverse changes in the economy may also have a negative effect on the ability of our borrowers to make timely repayments of their loans, which would have an adverse impact on our earnings and cash flows. Moreover, our market activities are concentrated in the following counties: Franklin County through our office in Columbus, Ohio (formerly located in Worthington, Ohio until March 1, 2023); Delaware County through our Polaris office in Columbus, Ohio; Cuyahoga County through our office in Woodmere, Ohio and our Ohio City office in Cleveland, Ohio; Hamilton County through our offices in Blue Ash, Ohio and our Red Bank office in Cincinnati, Ohio; Summit County through our office in Fairlawn, Ohio; and Marion County, Indiana through our office in Indianapolis. Our success depends on the general economic conditions of these areas, particularly given that a significant portion of our lending relates to real estate located in these regions. Therefore, adverse changes in the economic conditions in these areas could adversely impact our earnings and cash flows.

Natural disasters, including severe weather events of increasing strength and frequency due to climate change, acts of war or terrorism, and other adverse external events could have a significant impact on our ability to conduct business or upon third parties who perform operational services for us or our customers. Such events could affect the stability of our deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in lost revenue or cause us to incur additional expenses.

While we generally invest in securities issued by U.S. government agencies and sponsored entities and U.S. state and local governments with limited credit risk, certain investment securities we hold possess higher credit risk since they represent beneficial interests in structured investments collateralized by residential mortgages, debt obligations and other similar asset-backed assets. Even securities issued by governmental agencies and entities may entail risk depending on political and economic changes. Regardless of the level of credit risk, all investment securities are subject to changes in market value due to changing interest rates, implied credit spreads and credit ratings.?