Washington Federal (WAFD) Risk Analysis

We are, from time to time, subject to claims and proceedings related to our operations. These claims and legal actions could include supervisory or enforcement actions by our regulators, criminal proceedings by prosecutorial authorities, or civil claims by our customers, former customers, contractual counterparties, and current and former employees. We may also face class action lawsuits for, among other things, alleged violations of employment, state wage and hour and consumer protection laws. These claims could involve large monetary demands, including civil money penalties or fines imposed by government authorities, and significant defense costs. If such claims and legal actions are brought, and are not resolved in a manner favorable to the Company, they could result in financial liability and/or reputational harm, which could have a material adverse effect on our financial condition and results of operations. Banking institutions are also increasingly the target of class action lawsuits, including claims alleging deceptive practices or violations of account terms in connection with non-sufficient funds or overdraft charges and violations of the Fair Labor Standards Act ("FLSA"). In 2022, the Bank paid $495,000 plus claims administrative expenses to settle a class action lawsuit related to allegations of improper assessments of overdraft and insufficient funds fees. In May 2024, we received court approval for the settlement of a class action claim related to alleged violations of the FLSA associated with claims for allegedly unpaid wages and overtime for certain of our non-exempt employees under which the Bank ultimately paid approximately $2.1 million. If another class action lawsuit is filed or determined adversely to us, or we were to enter into a settlement agreement in connection with such a matter, we could be exposed to monetary damages, reputational harm, or subject to limits on our ability to operate our business, which could have an adverse effect on our financial condition, and operating results.

Many competitors, including fintech companies, offer the same types of loan and deposit services that the Company offers. These competitors include national and multinational banks, other regional banks, savings associations, community banks, credit unions, fintechs, and other financial intermediaries. In particular, our competitors include national banks and major financial companies whose greater resources may afford them a marketplace advantage by enabling them to maintain numerous banking locations, launch new technologies and mount extensive promotional and advertising campaigns. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Many of our competitors have substantially greater resources to invest in technological improvements than we do. Our future success will depend, in part, upon our ability to address the needs of our clients by using technology to provide products and services that will satisfy client demands for convenience, as well as to create additional efficiencies in our operations. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. In addition, the implementation of technological changes and upgrades to maintain current systems and integrate new ones may also cause service interruptions, transaction processing errors and system conversion delays and may cause us to fail to comply with applicable laws. There can be no assurance that we will be able to successfully manage the risks associated with our increased dependency on technology. Additionally, recent technological breakthroughs have made it possible for other non-traditional competitors to enter the marketplace and compete for traditional banking services. Increased competition within our geographic market area may result in reduced loan originations and deposits. Ultimately, competition from current and future competitors may affect our business materially and adversely.

The Bank's business activities and credit exposure are concentrated in real estate lending, in particular commercial real estate loans which are generally viewed as having more risk of default than residential real estate loans or certain other types of loans or investments. The market for real estate is cyclical and the outlook for this sector is uncertain. A downturn in the real estate market, accompanied by falling values and increased foreclosures would hurt our business because a large majority of our loans are secured by real estate. If a significant decline in market values occurs, the collateral for loans will provide decreasing levels of security. As a result, our ability to recover the principal amount due on defaulted loans by selling the underlying real estate will be diminished, and we will be more likely to suffer losses on defaulted loans. Because our loan portfolio contains commercial real estate loans with relatively large balances, the deterioration of these loans may cause a significant increase in our nonperforming loans which could result in a loss of earnings from these loans, an increase in the provision for loan losses, or an increase in loan charge-offs, any of which would have an adverse impact, which could be material, on our business, financial condition, and results of operations. We own real estate as a result of foreclosures resulting from non-performing loans. If other lenders or borrowers liquidate significant amounts of real estate in a rapid or disorderly fashion, or if the FDIC elects to dispose of significant amounts of real estate from failed financial institutions in a similar fashion, it could have an adverse effect on the values of the properties owned by the Company by depressing the value of these real estate holdings. In such a case, we may incur further write-downs and charge-offs, which could, in turn, adversely affect our business, financial condition and results of operations.

We have significant investments in bank premises and equipment for our branch network as well as our retail work force and other branch banking assets. Advances in technology, as well as changing customer preferences for accessing our products and services, are requiring us to change our retail distribution strategy. As a result of the current market environment and customer behavior, we have undertaken a branch optimization strategy that has led to the closure, consolidation or sale of certain branches in our network. These actions could lead to losses on these assets or could adversely impact the carrying value of other long-lived assets and may lead to increased expenditures to renovate and reconfigure remaining branches or to otherwise further reform our retail distribution channel. In addition, any changes in our branch network strategy could adversely impact our business, financial condition or operations if it results in the loss of customers or deposits which we rely on as a low cost and stable source of funds for our loans and operations.

The high-profile bank failures of 2023 generated significant market volatility among publicly traded bank holding companies and, in particular, regional banks like the Company. These market developments also negatively impacted customer confidence in the safety and soundness of regional banks. While the Department of the Treasury, the FRB, and the FDIC took steps to ensure that depositors of the failed banks would have access to their deposits, including uninsured deposit accounts, there is no guarantee that such actions will be successful in restoring customer confidence in regional banks and the banking system more broadly. If other bank failures occur and financial institutions enter receivership or become insolvent in the future due to financial conditions affecting the banking system and financial markets, it could disrupt the financial services industry and customers may choose to maintain deposits with larger financial institutions or invest in higher yielding short-term fixed income securities, all of which could materially adversely impact the Company's liquidity, loan funding capacity, net interest margin, capital and results of operations. As a result of the bank failures, the FDIC imposed a special assessment to recoup losses to the deposit fund. If additional bank failures were to occur, we could face increased regulation of our industry, including increased compliance costs and limitations on our ability to pursue business opportunities; significantly higher Federal Deposit Insurance Corporation premiums or additional special assessments; adverse impacts on our stock price and volatility of our Common Stock; and increased competition for deposits due to a lack of consumer confidence in regional banks. If these conditions or similar ones continue to exist or worsen, we could experience continuing or increased adverse effects on our financial condition.

We or our third-party (or fourth party) vendors, clients or counterparties may develop or incorporate AI technology in certain business processes, services, or products. The development and use of AI presents a number of risks and challenges to our business. The legal and regulatory environment relating to AI is uncertain and rapidly evolving, both in the U.S. and internationally, and includes regulatory schemes targeted specifically at AI as well as provisions in intellectual property, privacy, consumer protection, employment, and other laws applicable to the use of AI. These evolving laws and regulations could require changes in our implementation of AI technology and increase our compliance costs and the risk of non-compliance. AI models, particularly generative AI models, may produce output or take action that is incorrect, that reflects biases included in the data on which they are trained, that results in the release of private, confidential, or proprietary information, that infringes on the intellectual property rights of others, or that is otherwise harmful. In addition, the complexity of many AI models makes it difficult to understand why they are generating particular outputs. This limited transparency increases the challenges associated with assessing the proper operation of AI models, understanding and monitoring the capabilities of the AI models, reducing erroneous output, eliminating bias, and complying with regulations that require documentation or explanation of the basis on which decisions are made. Further, we may rely on AI models developed by third parties, and, to that extent, would be dependent in part on the manner in which those third parties develop and train their models, including risks arising from the inclusion of any unauthorized material in the training data for their models and the effectiveness of the steps these third parties have taken to limit the risks associated with the output of their models, matters over which we may have limited visibility. Any of these risks could expose us to liability or adverse legal or regulatory consequences and harm our reputation and the public perception of our business or the effectiveness of our security measures.

Cybersecurity, and the continued development and enhancement of controls, processes, and practices designed to protect customer information, systems, computers, software, data, and networks from attack, damage, or unauthorized access remain a priority for the Company. As cybersecurity threats continue to evolve, we may be required to expend additional resources to continue to enhance, modify, and refine our protective measures against these evolving threats. We are continuously enhancing and expanding our digital products and services to meet customer and business needs with desired outcomes. These digital products and services often include storing, transmitting, and processing confidential customer, employee, financial, and business information. Due to the nature of this information, and the value it has for internal and external threat actors, we, and our third-party service providers, continue to be subject to cyber-attacks and fraud activity that attempts to gain unauthorized access, misuse information and information systems, steal information, disrupt or degrade information systems, spread malicious software, and other illegal activities. We believe we have robust preventive, detective, and administrative safeguards and security controls to minimize the probability and magnitude of a material event. However, if we are unable to maintain them, we may fall victim to a material adverse cybersecurity event. Because the tactics and techniques used by threat actors to bypass safeguards and security controls change frequently, and often are not recognized until after an event has occurred, we may be unable to anticipate future tactics and techniques, or to implement adequate and timely protective measures. We are subject to additional risk with respect to third-party vendors that process or handle personal and financial data of our customers, partners, suppliers or employees. These third-party vendors may themselves use other vendors to store or process our data, which further elevates our risk exposure. Our third-party vendors have been, and may in the future be, subject to security incidents, including those caused by computer viruses, malware, ransomware, phishing attempts, social engineering, hacking or other means of unauthorized access. Control failures of security measures managed by our third-party service providers could cause us to suffer damage to our reputation and could require us to incur substantial expenses, which could have a materially adverse effect on our business, financial condition, and results of operations. To date, we have no knowledge of a material cyber-attack or other material information security incident affecting the systems we operate and control. However, our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, the continuation of a remote or hybrid work environment for our employees and service providers, and our plans to continue to implement and expand digital banking services, expand operations, and use third-party information systems that includes cloud-based infrastructure, platforms, and software. Recent instances of attacks specifically targeting banks and financial services businesses indicate that the risk to our systems remains significant. We, and our third-party providers, are regularly the subject of attempted attacks and the ability of the attackers and the method of their attacks continues to grow in sophistication. Threat actors, including nation state attackers, could also use artificial intelligence for malicious purposes, increasing the frequency and complexity of their attacks. Potential threats to our technologies, systems, networks, and other devices, as well as those of our employees, third party vendors, and other third parties with whom we interact, include Distributed Denial of Service ("DDoS") attacks, computer viruses, hacking, malware, ransomware, credential stuffing, phishing, and other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions against our customers' accounts, unauthorized or unintended access to confidential information, or the release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. A cyber-attack or other security incident on the systems we operate and control could cause us to suffer damage to our reputation, result in productivity losses, require us to incur substantial expenses, including response costs associated with investigation and resumption of services, remediation expenses costs associated with customer notification and credit monitoring services, increased insurance premiums, regulatory penalties and fines, and costs associated with civil litigation, any of which could have a materially adverse effect on our business, financial condition, and results of operations. We also face additional costs when our customers become the victims of cyber-attacks. For example, various retailers have reported that they have been the victims of a cyber-attack in which large amounts of their customers' data, including debit and credit card information, is obtained. Our customers may be the victims of phishing scams, providing cyber criminals access to their accounts, or credit or debit card information. In these situations, we incur costs to replace compromised cards and address fraudulent transaction activity affecting our customers, as well as potential increases to insurance premiums for policies we may maintain to cover these losses. Both internal and external fraud and theft are risks. If confidential customer, employee, monetary, or business information were to be mishandled or misused, we could suffer significant regulatory consequences, reputational damage, and financial loss. Such mishandling or misuse could include, for example, if such information were erroneously provided to parties who are not permitted to have the information, either by fault of our systems, employees, or counterparties, or if such information were to be intercepted or otherwise inappropriately taken by third parties, or if our own employees abused their access to financial systems to commit fraud against our customers and the Company. These activities can occur in connection with activities such as the origination of loans and lines of credit, ACH transactions, wire transactions, ATM transactions, and checking transactions, and result in financial losses as well as reputational damage. Operational errors can include information system misconfiguration, clerical or record-keeping errors, or disruptions from faulty or disabled computer or telecommunications systems. Because the nature of the financial services business involves a high volume of transactions, certain errors, which may be automated or manual, may be repeated or compounded before they are discovered and successfully rectified. Because of the Company's large transaction volume and its necessary dependence upon automated systems to record and process these transactions, there is a risk that technical flaws, tampering, or manipulation of those automated systems, arising from events wholly or partially beyond its control, may give rise to disruption of service to customers and to financial loss or liability. The occurrence of any of these risks could result in a diminished ability for us to operate our business, additional costs to correct defects, potential liability to clients, reputational damage, and regulatory intervention, any of which could adversely affect our business, financial condition and results of operations.

We rely extensively on the successful and uninterrupted functioning of information technology and telecommunications systems to conduct our business. This includes internally developed systems, internally managed systems, outsourced systems provided by third-party service providers, internet facing digital products and services, mobile technologies and the on-going operational maintenance of each service. Any disruptions, failures, or inaccuracies of these systems, including changes and improvements, could result in our inability to service customers, manage operations, manage risk, meet regulatory obligations, or provide timely and accurate financial reporting which could damage our reputation, result in loss of customer business, subject us to regulatory scrutiny, or expose us to civil litigation and possible financial liability. In many instances, the Company's products and services to customers are dependent upon third-party service providers, who provide necessary, or critical, services and support. Any disruption of such services, or an unplanned termination of a third-party license or service agreement related thereto, could adversely affect our ability to provide necessary products and services for our customers. In recent years, we have made a significant ongoing investment to enhance our technological capabilities with the objectives of enhancing customer experience, growing revenue, and improving operating efficiency. There is a risk that these investments may not provide the anticipated benefits and/or will prove significantly more costly and time consuming to produce. If this occurs, we may see a loss of customers, and our financial results and ability to execute on our strategic plan may be adversely impacted.

If a key employee or a substantial number of employees depart or become unable to perform their duties, it may negatively impact our ability to conduct business as usual. Unanticipated departures, including in connection with acquisition activity, such as our recent acquisition of Luther Burbank, might require us to divert resources from other areas of our operations, which could create additional stress for other employees, including those in key positions. The loss of qualified and key personnel, or an inability to continue to attract, retain and motivate key personnel could adversely affect our business and consequently impact our financial condition and results of operations.

The FDIC insures deposits at FDIC-insured financial institutions, including the Bank. The FDIC charges insured financial institutions premiums to maintain the Deposit Insurance Fund ("DIF") at a specific level. Historically, unfavorable economic conditions increased bank failures and these additional bank failures decreased the DIF. Extraordinary growth in insured deposits during the first and second quarters of 2020 caused the ratio of the DIF to total insured deposits to fall below the current statutory minimum of 1.35%. In order to restore the DIF to its statutorily mandated minimums, the FDIC significantly increased deposit insurance premium rates, including the Bank's, resulting in increased expenses. The revised assessment rate schedules became effective January 1, 2023, and were applicable to the first quarterly assessment period of 2023 (i.e., January 1 through March 31, 2023, with an invoice payment date of June 30, 2023). In November 2023, the FDIC approved a final rule to impose a special assessment to recover the losses to the deposit insurance fund resulting from the closures of Silicon Valley Bank and Signature Bank. Beginning in the first calendar quarter of 2024, the FDIC began collecting the special assessment and it is expected to continue collecting the special assessment for a total of eight quarters. The FDIC may further increase the assessment rates or impose additional special assessments in the future to restore and then steadily increase the DIF. FDIC insurance premiums could increase in the future in response to similar declining economic conditions. A material increase in the Bank's FDIC premiums could have an adverse effect on its business, financial condition and results of operations.