UMB Financial (UMBF) Risk Analysis

Technological changes continue to significantly impact the financial services industry. For example, the Company may be unsuccessful in deploying new technologies to strengthen its credit underwriting capabilities, enhance the effectiveness of its marketing efforts, enhance customer service, drive efficiencies in back-office functions or reduce fraud. The competitive mobile, e-wallet and tokenization spaces are expected to continue to bring risks and opportunities to digital banking business. The process of developing new products and services or enhancing the Company's existing products and services is complex, costly and uncertain. Difficulties or delays in the development, production, testing and marketing of new products or services may be caused by a number of factors including, among other things, operational, capital and regulatory constraints. The occurrence of such difficulties may affect the success of the Company's products or services. Developing unsuccessful products and services could result in financial losses as well as decreased capital availability. In addition, the new products and services offered may not be adopted by consumers or financial institution customers. Also, the success of a new product or service may depend upon the Company's ability to deliver it on a large scale, which may require a significant capital investment that it may not be in a position to make. If the Company is unable to successfully introduce and support new income-generating products and services while also managing expenses, it may impact its ability to compete effectively and materially adversely affect the Company's business, financial condition and results of operations.

The Company relies on a variety of measures to protect and enhance its intellectual property portfolio, including trademarks, trade secrets and restrictions on disclosure, and undertakes other measures to control access to and distribution of its proprietary and confidentiality information. However, such measures may not prevent misappropriation of the Company's proprietary or confidential information or infringement, misappropriation or other violations of its intellectual property rights. Additionally, the Company's competitors or other third parties may allege that the Company's systems, processes or technologies (or that the Company's use of its third-party service providers' systems, processes or technologies) infringe upon, misappropriate or otherwise violation their intellectual property rights. If the Company's intellectual property rights are infringed or misappropriated, or if the Company's competitors or other third parties prevail in any intellectual property-related litigation against the Company, the Company could suffer a competitive disadvantage, be prevented from using technology important to its business for which there may be no appropriate alternative technology available at a commercially reasonable price or at all, lose significant revenues, include significant license, royalty, technology development or other expenses, or pay significant damages, all of which could have a material adverse effect on the Company's business, financial condition and results of operations.

In the ordinary course of its business, the Company collects, stores, and transmits sensitive, confidential, or proprietary data and other information, including intellectual property, business information, funds-transfer instructions, and the personally identifiable information of its customers and employees. The secure processing, storage, maintenance, and transmission of this information is critical to the Company's operations and reputation, and if any of this information were mishandled, misused, improperly accessed, lost, breached, held hostage or stolen, or if the Company's operations were disrupted, the Company could suffer significant financial, business, reputational, regulatory, or other damage. Failures or errors in, or breach of the Company's systems or networks, or those of its third-party service providers or their third-party service providers (collectively, third party service providers), or the Company's counterparties, may expose the Company to litigation, disclosure requirements, remediation costs, increased costs for security measures, loss of revenue, regulatory scrutiny, governmental investigation and/or other actions, and other potential liability. For example, despite security measures, the Company's or its third-party service providers' information technology and infrastructure may be breached or rendered inaccessible due to a variety of factors, including from infrastructure changes or failures, introductions of new functionality, human or software errors, service failures, operational and technological outages, capacity constraints, loss or theft of assets, natural disasters, terrorist attacks, power outages, data breaches, cyber-attacks, denial of service attacks, hacking, ransomware and other computer viruses or malware, or acts of misconduct through pretext calls, electronic phishing or other means, and, as a result, an unauthorized party may obtain access to the Company's or its customers' confidential, proprietary, personal, or sensitive data. These risks and uncertainties are rapidly evolving and increasing in complexity, and the Company's failure to effectively mitigate them could negatively impact its business and operations. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be designed to remain dormant until a predetermined event, and often are not recognized until launched against a target, the Company or its third-party service providers may be unable to anticipate or detect these techniques or implement adequate preventative or remedial measures. Though it is difficult to determine what harm may directly result from any specific interruption or data breach, any failure to maintain performance, reliability, security, and availability of the Company's network infrastructure and the information processed thereby may harm the Company's brand, its ability to retain existing customers and attract new customers, and its ability to operate. Risks and exposures related to cybersecurity attacks, particularly for financial institutions, are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats and the expanding use of technology-based products and services by the Company, its third-party service providers, and its customers. The Company can provide no assurances that the safeguards it or its third-party service providers have in place or may implement in the future will prevent all unauthorized infiltrations or breaches and that the Company will not suffer losses related to a security breach in the future, which losses may be material. As noted above, third-party service providers also present a source of risk to the Company if their own security measures or other systems or infrastructure were to be breached or subject to another cybersecurity incident, rendered inaccessible or interrupted, experience an outage, downtime or degradation in service, or otherwise fail or experience adverse conditions (including conditions which interfere with the Company's access to and use of such third-party services). The Company's ability to monitor its third-party service providers' cybersecurity practices is inherently limited. Although the agreements that the Company has in place with its third-party service providers generally include requirements relating to privacy, data protection and data security where and as appropriate, the Company cannot guarantee that such agreements will prevent a cyber incident impacting the Company's systems or information or enable it to obtain adequate or any reimbursement from its third-party service providers in the event the Company should suffer any such incidents. In addition, due to applicable laws and regulations or contractual obligations, the Company may be held responsible for cyber incidents attributed to its third-party service providers as they relate to the information shared with them. Likewise, a cyber-attack, hacking incident, or other security breach affecting the business community, the markets, or parts of them may cycle or cascade through the financial system and adversely affect the Company or its service providers or counterparties. Many of these risks and uncertainties are beyond the Company's control. Any failure, attempted or successful data breach or other cybersecurity incident or significant disruption in the Company's information technology infrastructure, or those of the Company's third-party service providers, could lead to transaction delays, compromised cybersecurity or data, inability to access critical services, and a failure to comply with applicable laws, regulations and standards governing financial transactions, data privacy, and cybersecurity. The consequences of such disruptions could be severe, resulting in financial losses, identity theft, loss of consumer trust, regulatory fines, monetary damages or other penalties or fines as well as a tarnished reputation among customers, partners and other third parties, any of which could adversely affect the Company's business, results of operations, financial condition and future prospects. Although the Company believes it has appropriate measures in place to help manage the risk, there can be no guarantee that its efforts will be effective in preventing a material loss event. Even when an attempted cyber-attack, hacking incident or other security breach is successfully avoided or thwarted, the Company may need to expend substantial resources to avoid such breach, may be required to take actions that could adversely affect customer satisfaction or behavior, and may be exposed to reputational damage. Despite the Company's efforts to safeguard the integrity of systems and controls and to manage third-party risk, the Company may not be able to anticipate or implement effective measures to prevent all security breaches or all risks to the sensitive, confidential, or proprietary information that it or its service providers or counterparties collect, store, or transmit. In some cases, the Company may not be able to identify the cause or causes of these performance problems immediately or in short order, and may face difficulties detecting, mitigating, remediating, and otherwise responding to any such issues.

The Company is involved from time to time in a variety of judicial, alternative-dispute, and other proceedings arising out of its business or operations. Additionally, the Company may incur costs in connection with the defense or settlement of any shareholder or stockholder lawsuits filed in connection with the acquisition of HTLF. The Company establishes reserves for claims when appropriate under generally accepted accounting principles, but costs often can be incurred in connection with a matter before any reserve has been created. The Company also maintains insurance policies to mitigate the cost of litigation and other proceedings, but these policies have deductibles, limits, and exclusions that may diminish their value or efficacy. Despite the Company's efforts to appropriately reserve for claims and insure its business and operations, the actual costs associated with resolving a claim may be substantially higher than amounts reserved or covered. Substantial legal claims, even if not meritorious, could have a detrimental impact on the Company's business, results of operations, and financial condition and could cause reputational harm.

Companies are facing increased scrutiny from customers, regulators and other stakeholders with respect to their environmental, social and governance (ESG) practices and disclosures. Institutional investors, and investor advocacy groups, in particular, are increasingly focused on these matters, and expectations in many of these areas can vary widely. For example, certain federal and state laws and regulations related to ESG issues may include provisions that conflict with other laws and regulations, which may increase the Company's costs or limit the Company's ability to conduct business in certain jurisdictions. In particular, there is an increasing number of state-level anti-ESG initiatives in the United States that may conflict with other regulatory requirements or the Company's various stakeholders' expectations. Such divergent, sometimes conflicting, views on ESG-related matters increase the risk that any action or lack thereof by the Company on such matters will be perceived negatively by some stakeholders. In addition, increased ESG related compliance costs could result in increases to the Company's overall operational costs. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards, and fluctuations in or conflicts among these standards, could negatively impact the Company's reputation, ability to do business with certain partners, and its stock price. New government regulations could also result in new or more stringent forms of ESG oversight and expanding mandatory and voluntary reporting, diligence, and disclosure. In addition to regulatory and investor expectations on environmental matters in general, the current and anticipated effects of climate change are creating an increasing level of concern for the state of the global environment. As a result, political and social attention to the issue of climate change has increased. In recent years, governments across the world have entered into international agreements to attempt to reduce global temperatures, in part by limiting greenhouse gas emissions. The United States Congress, state legislatures and federal and state regulatory agencies have proposed and advanced numerous legislative and regulatory initiatives seeking to mitigate the effects of climate change. These agreements and measures may result in the imposition of taxes and fees, the required purchase of emission credits, and the implementation of significant operational changes, each of which may require the Company to expend significant capital and incur compliance, operating, maintenance and remediation costs. Given the lack of empirical data on the credit and other financial risks posed by climate change, it is impossible to predict how climate change may impact the Company's financial condition and operations; however, as a banking organization, the physical effects of climate change may present certain unique risks to the Company. For example, weather disasters, shifts in local climates and other disruptions related to climate change may adversely affect the value of real properties securing the Company's loans, which could diminish the value of the Company's loan portfolio. Such events may also cause reductions in regional and local economic activity that may have an adverse effect on the Company's customers, which could limit the Company's ability to raise and invest capital in these areas and communities, each of which could have a material adverse effect on the Company's financial condition and results of operations.

The Company faces intense competition in each of its business segments and in all of its markets and geographic regions, and the Company expects competitive pressures to intensify in the future-especially in light of recent legislative and regulatory initiatives, technological innovations that alter the barriers to entry, current economic and market conditions, and government monetary and fiscal policies. Competition with financial-services technology companies, or technology companies partnering with financial-services companies, may be particularly intense, due to, among other things, differing regulatory environments. See "Competition" in Part I, Item 1 of this report. Competitive pressures may drive the Company to take actions that the Company might otherwise eschew, such as lowering the interest rates or fees on loans or raising the interest rates on deposits in order to keep or attract high-quality customers. These pressures also may accelerate actions that the Company might otherwise elect to defer, such as substantial investments in technology or infrastructure. The Company has certain businesses that utilize wholesale models which can lead to customer concentrations for those businesses that, if negatively impacted by new entrants, competitive pressures, or consolidations, could affect the Company's fee income. Whatever the reason, actions that the Company takes in response to competition may adversely affect its results of operations and financial condition. These consequences could be exacerbated if the Company is not successful in introducing new products and other services, achieving market acceptance of its products and other services, developing and maintaining a strong customer base, or prudently managing expenses. See risk below "The financial services industry is rapidly evolving and the Company may not be successful in introducing new products or services on a large scale in response to these changes."

Like other lenders, the Company faces the risk that its customers will not repay their loans. A customer's ability and willingness to repay can be adversely affected by decreases in the income of the borrower or increases in their payment obligations to other lenders, whether as a result of a job loss, higher debt levels or rising cost of servicing debt, inflation outpacing wage growth, or by restricted availability of credit generally. The Company may fail to quickly identify and reduce its exposure to customers that are likely to default on their payment obligations, whether by closing credit lines or restricting authorizations. The Company's ability to manage credit risk also is affected by legal or regulatory changes (such as restrictions on collections, bankruptcy laws, minimum payment regulations and re-age guidance), competitors' actions and consumer behavior, and depends on the effectiveness of its collections staff, techniques and models. Rising credit losses or leading indicators of rising credit losses (such as higher delinquencies, higher rates of nonperforming loans, higher bankruptcy rates, lower collateral values, elevated unemployment rates or changing market terms) may require the Company to increase its allowance for credit losses, which would decrease its profitability if it is unable to raise revenue or reduce costs to compensate for higher credit losses, whether actual or expected. In particular, the Company faces the following risks in this area: - Missed payments: Customers may fail to make required payments on time and may default or become delinquent. Loan charge-offs (including from bankruptcies) are generally preceded by missed payments or other indications of worsening financial conditions for the Company's customers. Historically, customers are more likely to miss payments during an economic downturn, recession, periods of high unemployment, or prolonged periods of slow economic growth. Customers might also be more likely to miss payments if the payment burdens on their existing debt grow due to rising interest rates, or if inflation outpaces wage growth. - Incorrect estimates of expected credit losses: The credit quality of the Company's loan portfolios can have a significant impact on its earnings. The Company allows for and reserves against credit risks based on an assessment of expected credit losses in its loan portfolios. This process, which is critical to the Company's financial condition and results of operations, requires complex judgments, including forecasts of economic conditions. The Company may underestimate its expected credit losses and fail to hold an allowance for credit losses sufficient to account for these credit losses. Incorrect assumptions could lead to material underestimations of expected credit losses and an inadequate allowance for credit losses. See risk below "The Company's selection of accounting methods, assumptions, and estimates could impact its financial statements and reported earnings."- Inaccurate underwriting: The Company's ability to accurately assess the creditworthiness of its customers may diminish, which could result in an increase in credit losses and a deterioration of returns. - Insufficient asset values: The collateral the Company has on secured loans could be insufficient to compensate it for credit losses. When customers default on their secured loans, the Company attempts to recover collateral where permissible and appropriate. However, the value of the collateral may not be sufficient to compensate the Company for the amount of the unpaid loan, and the Company may be unsuccessful in recovering the remaining balance from our customers. Decreases in real estate and other asset values adversely affect the collateral value for the Company's commercial lending activities. Borrowers may be less likely to continue making payments on loans if the value of the property used as collateral for the loan is less than what the borrower owes, even if the borrower is still financially able to make the payments. In that circumstance, the recovery of such property could be insufficient to compensate the Company for the value of these loans upon a default. - Geographic and industry concentration: The regional economic conditions in any particular region may affect the demand for the Company's products and services as well as the ability of its customers to repay their commercial real estate loans and the value of the collateral securing these loans. An economic downturn or prolonged period of slow economic growth in, or a catastrophic event or natural disaster that disproportionately affects a particular region in which the Company is more heavily concentrated could have a material adverse effect on the performance of the Company's commercial real estate loan portfolio and its results of operations.

The performance and value of the Company's business could be negatively impacted by any reputational harm that it may suffer. This harm could arise from negative publicity outside of its control or its failure to adequately address issues arising from its own conduct or in connection with the financial-services industry generally. Financial services companies are highly vulnerable to reputational damage when they are found to have harmed customers, particularly retail customers, through conduct that is seen as illegal, unfair, deceptive, abusive, manipulative, or otherwise wrongful. Risks to the Company's reputation could arise in any number of contexts-for example, cyber incidents and other security breaches, mergers and acquisitions, lending or investment-management practices, actual or potential conflicts of interest, failures to prevent money laundering, corporate governance, and unethical behavior and practices committed by Company employees or competitors in the financial services industry. In addition, the speed with which information spreads through news, social media and other sources, including on the internet, means that negative information about the Company can rapidly have a broadly adverse impact on its reputation. This is true whether or not the information is accurate. Once information has gone viral, it can be difficult to counter it effectively, either by correcting inaccuracies or communicating remedial steps taken for actual issues. The potential impact of negative information going viral and the ease with which customers transact means that material reputational harm can result from a single discrete or isolated incident.

Skilled employees are the Company's most important resource, and competition for talented people is intense. Even though compensation is among the Company's highest expenses, it may not be able to locate and hire the best people, keep them with the Company, or properly motivate them to perform at a high level. Recent scrutiny of compensation practices, especially in the financial-services industry, has made this only more difficult. In addition, some parts of the Company's business are particularly dependent on key personnel, including investment management, asset servicing, and commercial lending. If the Company were to lose and find itself unable to replace these personnel or other skilled employees, including as a result of the acquisition of HTLF, or if the competition for talent drove its compensation costs to unsustainable levels, the Company's business, results of operations, and financial condition could be negatively impacted.