Flushing Financial (FFIC) Risk Analysis

Foreclosure proceedings face increasing delays. While we cannot predict the ultimate impact of any delay in foreclosure sales, we may be subject to additional borrower and non-borrower litigation and governmental and regulatory scrutiny related to our past and current foreclosure activities. Delays in foreclosure sales, including any delays beyond those currently anticipated could increase the costs associated with our mortgage operations and make it more difficult for us to prevent losses in our loan portfolio.

We collect, process, store, share, disclose and use information from and about our customers, plan participants and website and application users, including personal information and other data. Any actual or perceived failure by us to comply with our privacy policies, privacy-related obligations to customers or third parties, data disclosure and consent obligations or privacy or security-related legal obligations may result in governmental enforcement actions, litigation, or public statements critical of us. Such actual or perceived failures could also cause our customers to lose trust in us, which could have an adverse effect on our business. Restrictions on data collection and use may limit opportunities to gain business insights useful to running our business and offering innovative products and services. We are subject to numerous federal, state, and international regulations regarding the privacy and security of personal information. These laws vary widely by jurisdiction. Applicable regulations include the NYDFS 23 NYCRR Part 500 Cybersecurity Requirements for Financial Services Companies, Gramm-Leach-Bliley Title V Subtitle A- Safeguards Rule, FDIC Part 364 Appendix B- Interagency Guidelines Establishing Information Security Standards and other regulations. See "Regulation – Cybersecurity." Similar legislation continues to be enacted around the world with requirements and protections specific to data security requirements, notification requirements for data breaches, the right to access personal data and the right to be forgotten. For example, the Federal Reserve and the FDIC require a banking organization to notify its primary federal regulator within 36 hours after identifying a "computer-security incident" that the banking organization believes in good faith could materially disrupt, degrade or impair its business or operations in a manner that would, among other things, jeopardize the viability of its operations, result in customers being unable to access their deposit and other accounts, result in a material loss of revenue, profit or franchise value, or pose a threat to the financial stability of the United States.

Our operating results are affected by national, regional and local economic and competitive conditions, including changes in market interest rates, the strength of the local economy, government policies and actions of regulatory authorities. Adverse economic conditions can result in borrowers defaulting on their loans or withdrawing their funds on deposit at the Bank to meet their financial obligations. A decline in the local, regional or national economy or the New York City metropolitan area real estate market could adversely affect our financial condition and results of operations, including through decreased demand for loans or increased competition for good loans, increased non-performing loans and credit losses resulting in additional provisions for credit losses and for losses on real estate owned. Many factors could require additions to our allowance for credit losses in future periods above those currently maintained. These factors include, but are not limited to: (1) adverse changes in economic conditions and changes in interest rates that may affect the ability of borrowers to make payments on loans, (2) changes in the financial capacity of individual borrowers, (3) changes in the local real estate market and the value of our loan collateral, and (4) future review and evaluation of our loan portfolio, internally or by regulators. The amount of our allowance for credit losses at any time represents good faith estimates that are susceptible to significant changes due to changes in appraisal values of collateral, national and local economic conditions, prevailing interest rates and other factors. See "Business - General - Allowance for Credit Losses" in Item 1 of this Annual Report. These same factors could cause delinquencies to increase for the mortgages which are the collateral for the mortgage-backed securities we hold in our investment portfolio. Combining increased delinquencies with liquidity problems in the market could result in a decline in the market value of our investments in privately issued mortgage-backed securities. There can be no assurance that a decline in the market value of these investments will not result in other-than-temporary impairment charges in our financial statements.

Atmospheric concentrations of carbon dioxide and other greenhouse gases have increased dramatically since the industrial revolution, resulting in a gradual increase in average global temperatures and an increase in the frequency and severity of weather patterns and natural disasters.  These trends are expected to continue in the future and have the potential to impact nearly all sectors of the economy to varying degrees. We cannot predict the long-term impacts of climate change, but we will continue to monitor new developments in the future. Potential impacts may include the following: - Changes in temperatures and air quality may adversely impact the health, welfare, economic and other prospects of customers in our target markets.  For example, increases in the level of pollution and airborne allergens in local industrial areas may cause an increase in upper respiratory and cardiovascular diseases. Such impacts may adversely change the long-term prospects for the communities we serve and the investing and banking services these communities seek. - Climate change may impact asset prices, as well as general economic conditions. For example, rising sea levels may lead to decreases in real estate values in at-risk areas. Additionally, government policies to slow climate change (e.g., setting limits on carbon emissions) may have an adverse impact on sectors such as utilities, transportation and manufacturing. Changes in asset prices may impact the value of our fixed income, real estate and commercial mortgage investments. Although we seek to manage our investment risks by maintaining a diversified portfolio and monitor our investments on an ongoing basis, allowing us to adjust our exposure to sectors and/or geographical areas that face severe risks due to climate change, there can be no assurances that our efforts will be successful.

Our liquidity is critical to our ability to operate our business.  Our primary sources of liquidity are deposits, both retail deposits from our branch network including our Internet Branch and brokered deposits, as well as borrowed funds, primarily wholesale borrowing from the FHLB-NY. Additionally, we have unsecured lines of credit with other commercial banks. Funds are also provided by the repayment and sale of securities and loans.  Our ability to obtain funds are influenced by many external factors, including but not limited to, local, regional and national economic conditions, the direction of interest rates and competition for deposits in the markets we serve.  Additionally, changes in the FHLB-NY underwriting guidelines may limit or restrict our ability to borrow effectively. A decline in available funding caused by any of the above factors could adversely impact our ability to originate loans, invest in securities, meet our expenses, or fulfill our obligations such as repaying our borrowings or meeting deposit withdrawal demands.

We depend upon our ability to process, record, and monitor our client transactions on a continuous basis.  As client, public and regulatory expectations regarding operational and information security have increased, our operational systems and infrastructure must continue to be safeguarded and monitored for potential failures, disruptions and breakdowns.  Our business, financial, accounting and data processing systems, or other operating systems and facilities, may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control. For example, there could be electrical or telecommunications outages; natural disasters such as earthquakes, tornadoes, hurricanes and floods; disease pandemics; events arising from local or larger scale political or social matters, including terrorist acts; and, as described below, cyber-attacks.  Although we have business continuity plans and other safeguards in place, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems that support our business and clients. Information security risks for financial institutions have generally increased in recent years in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, activists, and other external parties.  Threat actor organizations are becoming more formal and now frequently include specialized "departments" within an organization.  These "departments" may act together to sell access to interested parties, which install malware and infiltrating data.  This increases cybersecurity risk as indicators of an attack may spread across multiple detection platforms and originate from disparate sources.  Our business relies on our digital technologies, computer and email systems, software, and networks to conduct its operations.  In addition, to access our products and services, our clients may use personal smartphones, tablet PC's, personal computers and other devices that are beyond our control systems.  Although we have information security procedures and controls in place, our technologies, systems, and networks, and our clients' devices, may become the target of cyberattacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss, or destruction of our or our clients' confidential, proprietary, and other information, or otherwise disrupt our or our clients' or other third parties' business operations.  We may be subject to increasingly more risk related to cybersecurity for our Internet Branch as we expand our suite of online direct banking products, acquire new or outsource some of our business operations, expand our internal usage of web-based products and applications, and otherwise attempt to keep pace with rapid technological changes in the financial services industry. We rely on external infrastructure, proprietary information technology and third-party systems and services to conduct business, including customer service, marketing and sales activities, customer relationship management, producing financial statements and technology/data centers.  In addition, we store and process confidential and proprietary business information on both company-owned and third-party and/or vendor managed systems, including cloud service providers.  We increasingly rely on the internet in order to conduct business and may be adversely impacted by outages in critical infrastructure such as electric grids, undersea cables, satellites or other communications used by us or our third parties. This reliance includes consumer access to the internet and communications systems due to more work taking place outside of corporate locations.  A security breach in the systems of our third-party service providers can create a gateway for unauthorized access to our network, potentially compromising the integrity and confidentiality of our data and systems.  The failure of our or any third party's information technology, infrastructure or other internal and external systems, for any reason, could disrupt our operations, result in the loss of business and adversely impact our profitability. Any compromise of the security of our or any third party's systems that results in the disclosure of personally identifiable customer or employee information could damage our reputation, deter customers from purchasing or using our products and services, expose us to litigation, increase regulatory scrutiny and require us to incur significant technical, legal and other expenses.  We may also be adversely impacted by successful cyberattacks of our partners, third-party vendors and others in our supply chain with whom we conduct business or share information. Financial services companies are regularly targeted by cyber criminals, resulting in unauthorized access to confidential information, theft of funds from online accounts, disruption or degradation of service or other damage.  These attacks may take a variety of forms, including web application attacks, denial of service attacks, ransomware, other malware, and social engineering, including phishing.  As automation and machine intelligence technologies progress, attackers are adopting this technology to speed up their reconnaissance and attacks while reducing their costs.  This improved efficiency and tooling means that a lower-skilled adversary is able to perform more attacks at a higher complexity level than in the past.  Economic and political instability offers a fertile ground for adversaries to recruit new talent.  This could be either people looking for financial gains amid job losses and high inflation, politically motivated actors driven by state conflicts or internal political unrest, or other personal reasons. In addition, the reengineering and reuse of prior attack methodologies is made easier by advances in these technologies. Information security incidents may also occur due to the failure to control access to, and use of, sensitive systems or information by our workforce.  Employee risk exposure remains high as cybersecurity awareness training must be continuously refined and updated as technology advances and threat actors become increasingly more sophisticated.  Additionally, there is a potential increase in this threat due to the increase in remote work.  The failure of our controls (such as policies, procedures, security controls and monitoring, automation and backup plans) designed to prevent, or limit the effect of, failure, inadvertent use or abuse could result in disruptions or breaches beyond our control.  Although to date we have not experienced any material losses relating to cyber-attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future.  Our risk and exposure to these matters remains heightened because of the evolving nature of these threats. As a result, cyber security and the continued development and enhancement of our controls, processes and practices designed to protect our systems, computers, software, data and networks from attack, damage or unauthorized access remain a focus for us.  As technology evolves, we can increase our ability to detect and prevent cyber-attacks through automation and the implementation of security controls which leverage machine learning and artificial intelligence.  As threats continue to evolve, we may be required to expend additional resources to continue to modify or enhance our protective measures or to investigate and remediate information security vulnerabilities.  Additionally, information security vulnerabilities can pose increased cyber-risk as they can be combined and chained together more easily with machine learning technology. Disruptions or failures in the physical infrastructure or operating systems that support our business and clients, or cyberattacks or security breaches of the networks, systems or devices that our clients use to access our products and services could result in significant legal and financial exposure, client attrition, regulatory fines, penalties or intervention, reputational damage, reimbursement or other compensation costs and/or additional compliance costs, a loss of confidence in the security of our systems, any of which may not be covered by insurance and could materially and adversely affect our financial condition or results of operations. Operational risks, including risks associated with Flushing Bank's dependence on its operational systems, its ability to maintain appropriately staffed workforces and the competence, integrity, health and safety of its employees, are of primary concern.  The legal and regulatory risks related to safeguarding personal information and the harm that could be caused by a successful cyber-attack affecting Flushing Bank are proactively monitored and addressed according to current regulations and bank policies.  Additionally, Flushing Bank monitors and addresses risks associated with its risk management framework and its models and estimations with monthly reports to the board of directors.  Flushing Bank coordinates these activities to ensure that potential adverse effects of failing to comply with heightened regulatory and other standards for the oversight of the cyber and risk management programs are significantly reduced.

Our success depends, in large part, on our ability to retain and attract key personnel.  We face intense competition from commercial banks, savings banks, savings and loan associations, mortgage banking companies, insurance companies, finance companies and credit unions. As a result, it could prove difficult to retain and attract key personnel. The inability to hire or retain key personnel may result in the loss of customer relationships and may adversely affect our financial condition or results of operations.

We face intense and increasing competition both in making loans and in attracting deposits. Our market area has a high density of financial institutions, many of which have greater financial resources, name recognition and market presence than us, and all of which are our competitors to varying degrees. Particularly intense competition exists for deposits and in all of the lending activities we emphasize. Our competition for loans comes principally from other commercial banks, savings banks, savings and loan associations, mortgage banking companies, insurance companies, finance companies and credit unions. Management anticipates that competition for mortgage loans will continue to increase in the future. Our most direct competition for deposits historically has come from savings banks, other commercial banks, savings and loan associations and credit unions. In addition, we face competition for deposits from products offered by brokerage firms, insurance companies and other financial intermediaries, such as money market and other mutual funds and annuities. Consolidation in the banking industry and the lifting of interstate banking and branching restrictions have made it more difficult for smaller, community-oriented banks, such as us, to compete effectively with large, national, regional and super-regional banking institutions. Our Internet Branch provides us with access to consumers in markets outside our geographic branch locations. The internet banking arena exposes us to competition with many larger financial institutions that have greater financial resources, name recognition and market presence than we do.