Flagstar Financial (FLG) Risk Analysis

At any given time, we and our subsidiaries are involved with a number of legal proceedings and regulatory investigations and examinations as a part of reviews conducted by regulators and other parties, which may involve banking, securities, consumer protection, employment, tort, and numerous other laws and regulations. The outcome of pending or threatened litigation, or of investigations or any other matters before regulatory agencies is uncertain, whether currently existing or commencing in the future, including with respect to any litigation, investigation or other regulatory actions related to (i) the business and disclosure practices of acquired companies, including our acquisition of Flagstar Bancorp and the purchase and assumption of certain assets and liabilities of Signature, (ii) the capital raise transaction we completed in March of 2024, (iii) our past material weaknesses in internal control over financial reporting, (iv) past cyber security breaches, and (v) recent events and circumstances involving Flagstar, including disclosures regarding credit losses, provisioning and goodwill impairment, and negative news and expectations about our prospects (and associated stock price volatility and changes). Proceedings or actions brought against us or our subsidiaries may result in judgments, settlements, fines, penalties, injunctions, business improvement orders, consent orders, supervisory agreements, ratings downgrades, restrictions on our business activities, revocations or non-renewals of required licenses, changes in FDIC deposit insurance premium assessments or other results adverse to us, which could materially and negatively affect our business. If such claims and other matters are not resolved in a manner favorable to us, they may result in significant financial liability and/or adversely affect the market perception of us and our products and services as well as impact customer demand for those products and services. Some of the laws and regulations to which we are subject may provide a private right of action that a consumer or class of consumers may pursue to enforce these laws and regulations. We are currently subject to stockholder class and derivative actions which seek significant damages and other relief and may be subject to similar actions in the future. Any financial liability or reputational damage could have a materially adverse effect on our business and, in turn, on our financial condition and results of operations. Claims asserted against us can be highly complicated and slow to develop, making the outcome of such proceedings difficult to predict or estimate early in the process. As a participant in the financial services industry, it is likely that we will be exposed to a high level of litigation and regulatory scrutiny relating to our business and operations. Although we establish accruals for legal or regulatory proceedings when information related to the loss contingencies represented by those matters indicates both that a loss is probable and that the amount of loss can be reasonably estimated, we do not have accruals for all legal or regulatory proceedings where we face a risk of loss. Due to the inherent subjectivity of the assessments and unpredictability of the outcome of legal and regulatory proceedings, amounts accrued may not represent the ultimate loss to us from the legal and regulatory proceedings in question. As a result, our ultimate losses may be significantly higher than the amounts accrued for legal loss contingencies. For further information, see Note 20 - Commitments and Contingencies.

The amount of income taxes we are required to pay on our earnings is based on federal, state, and local legislation and regulations. We provide for current and deferred taxes in our financial statements, based on our results of operations, business activity, legal structure, interpretation of tax statutes, assessment of risk of adjustment upon audit, and application of financial accounting standards. We may take tax return filing positions for which the final determination of tax is uncertain, and our net income and earnings per share could be reduced if a federal, state, or local authority were to assess additional taxes that have not been provided for in our consolidated financial statements. In addition, there can be no assurance that we will achieve our anticipated effective tax rate. Unanticipated changes in tax laws or related regulatory or judicial guidance, or an audit assessment that denies previously recognized tax benefits, could result in our recording tax expenses that materially reduce our net income.

Extraordinary events that are beyond our control, including, but not limited to, natural and other disasters, pandemics and health emergencies, geopolitical instabilities, terrorist activities, international hostilities, cannot be predicted and may impact our financial condition and results of operations. Our ability to conduct business may be adversely affected by such events due to the potential for disruptions to us or to third parties with whom we interact or upon whom we rely, including disruptions to our financial, accounting, data processing, backup or other operating or security systems and infrastructure. Our ability to mitigate the adverse consequences of such occurrences depends, in part, on our ability to anticipate the nature of any such event that might occur and on the preparedness of national or regional emergency responders or on the part of other organizations and businesses that we interact with, many of which we depend on but have limited or no control over.

Because our profitability stems from our ability to attract deposits and originate loans, our continued ability to compete for depositors and borrowers is critical to our success. Our success as a competitor depends on a number of factors, including our ability to develop, maintain, and build long-term relationships with our customers by providing them with convenience, in the form of multiple branch locations, extended hours of service, and access through alternative delivery channels; a broad and diverse selection of products and services; interest rates and service fees that compare favorably with those of our competitors; and skilled and knowledgeable personnel to assist our customers by addressing their financial needs. External factors that may impact our ability to compete include, among others, the entry of new lenders and depository institutions in our current markets.

We face significant risks related to fraud, which could result in financial loss, expensive litigation, and damage to our reputation. Our organization is exposed to various types of fraud, including fraud or theft by colleagues or outsiders and unauthorized transactions. We rely heavily on information provided by clients and third parties, and misrepresentations in this information can lead to funding loans that do not meet our expectations or on unfavorable terms. We bear the risk of loss associated with misrepresentations, and it can be challenging to recover any monetary losses suffered. We have implemented various controls and security measures, but the failure of any of these controls could result in a failure to detect or mitigate fraud risks in a timely manner. We are committed to ongoing investments and attention to combat fraud and enhance our security measures to protect against these risks.

Our ability to attract and retain investors, customers, clients, and employees could be adversely affected by damage to our reputation resulting from various sources, including employee misconduct, litigation, or regulatory outcomes; failure to deliver minimum standards of service and quality; compliance failures; unintentional disproportionate assessment of fees to customers of protected classes; unethical behavior; unintended disclosure of confidential information; and the activities of our clients, customers, and/or counterparties. Actions by the financial services industry in general, or by certain entities or individuals within it, also could have a significantly adverse impact on our reputation. Our actual or perceived failure to identify and address various issues also could give rise to reputational risk that could significantly harm us and our business prospects, including failure to properly address operational risks. These issues include legal and regulatory requirements; consumer protection, fair lending, and privacy issues; properly maintaining customer and associated personal information; record keeping; protecting against money laundering; sales and trading practices; and ethical issues.

Communication and information systems are essential to the conduct of our business, as we use such systems, and those maintained and provided to us by third-party service providers, to manage our customer relationships, our general ledger, our deposits, and our loans. In addition, our operations rely on the secure processing, storage, and transmission of confidential and other information in our computer systems and networks. Although we, and entities we have acquired, take and have taken protective measures and endeavor to modify them as circumstances warrant, the security of our computer systems, software, and networks, as well as the security of the computer systems, software, and networks of certain of our service providers, have been, and may in the future be, vulnerable to breaches, unauthorized access, misuse, computer viruses, or other malicious code and cyber-attacks that have had and could have an impact on information security. With the rise and permeation of online and mobile banking, the financial services industry in particular faces substantial cybersecurity risk due to the type of sensitive information provided by customers. We, and our third-party service providers, have been and may in the future be subject to cybersecurity incidents, including those that involve the unauthorized access to customer information affecting other financial institutions and industry groups. Our systems and those of our third-party service providers and customers are regularly the subject of attempted attacks that are increasingly sophisticated, and it is possible that we or they could experience a significant event in the future that could adversely affect our business or operations. In addition, breaches of security have in the past and may in the future occur through intentional or unintentional acts by those having authorized or unauthorized access to our confidential or other information, or that of our customers, clients, or counterparties. Certain previously identified cyber incidents have resulted, and future such events could result, in the breach of confidential and other information processed and stored in our computer systems and networks. These events could cause interruptions or malfunctions in our operations or the operations of our customers, clients, or counterparties. Further, we may not know that an attack occurred until well after the event. Even after discovering an attempt or breach occurred, we may not know the extent of the impact of the attack for some period of time. This could cause us significant reputational damage or result in our experiencing significant losses. While we diligently assess applicable regulatory and legislative developments affecting our business, laws and regulations relating to cybersecurity have been frequently changing, imposing new requirements on us. In light of these conditions, we face the potential for additional regulatory scrutiny that will lead to increasing compliance and technology expenses and, in some cases, possible limitations on the achievement of our plans for growth and other strategic objectives. We may also be required to expend significant additional resources to modify our protective measures or investigate and remediate vulnerabilities or other exposures arising from operational and security risks, including expenses for third-party expert consultants or outside counsel. We are currently subject to litigation regarding cyber incidents, and we also may be subject to future litigation and financial losses that either are not insured against or not fully covered through any insurance we maintain or any third-party indemnification or insurance. We believe that the impact of any previously identified cyber incidents, including those subject to ongoing investigation and remediation, will not have a material financial impact on our financial condition or the results of our operations. In addition, we routinely transmit and receive personal, confidential, and proprietary information by e-mail and other electronic means. We have discussed, and worked with our customers, clients, and counterparties to develop secure transmission capabilities, but we do not have, and may be unable to put in place, secure capabilities with all of these constituents, and we may not be able to ensure that these third parties have appropriate controls in place to protect the confidentiality of such information. We maintain disclosure controls and procedures to ensure we will timely and sufficiently notify our investors of material cybersecurity risks and incidents, including the associated financial, legal, or reputational consequence of such an event, as well as reviewing and updating any prior disclosures relating to the risk or event. While we have established information security policies, procedures and controls, including an Incident Response Plan, to prevent or limit the impact of systems failures and interruptions, we may not be able to anticipate all possible security breaches that could affect our systems or information and there can be no assurance that such events will not occur or will be adequately prevented or mitigated by our policies, procedures and controls if they do.

Financial products and services have become increasingly technology driven. Our ability to meet the needs of our customers competitively, and in a cost-efficient manner, is dependent on our ability to keep pace with technological advances and invest in new technology as it becomes available. Many of our competitors have greater resources than we do and may be better equipped to invest in and market new technology-driven products and services. In addition, in cases where we rely on technology that is the product of third-party intellectual property, such technology may not be available to us on commercially reasonably terms or at all. Moreover, if another person or entity were deemed to own intellectual property rights that were infringed upon by our activities, we could be responsible for significant damages and be forced to incur significant expenses if we sought to continue to engage in these types of activities and may also be prevented from using technology important to our business for at least some period of time.

To a large degree, our success depends on our ability to attract and retain key personnel whose expertise, knowledge of our markets, and years of industry experience make them difficult to replace. Competition for skilled leaders in our industry can be intense, and we may not be able to hire or retain the people we would like to have working for us. The unexpected loss of services of one or more of our key personnel could have a material adverse impact on our business, given the specialized knowledge of such personnel and the difficulty of finding qualified replacements on a timely basis. Furthermore, our ability to attract and retain personnel with the skills and knowledge to support our business may require that we offer additional compensation and benefits that would reduce our earnings.

We outsource certain key aspects of our data processing to certain third-party providers. While we have selected these third-party providers carefully, we cannot control their actions. Our ability to deliver products and services to our customers, to adequately process and account for our customers' transactions, or otherwise conduct our business could be adversely impacted by any disruption in the services provided by these third parties; their failure to handle current or higher volumes of usage; or any difficulties we may encounter in communicating with them. Replacing these third-party providers also could entail significant delay and expense. Our third-party providers may be vulnerable to unauthorized access, computer viruses, phishing schemes, and other security breaches. Threats to information security also exist in the processing of customer information through various other third-party providers and their personnel. We may be required to expend significant additional resources to protect against the threat of such security breaches and computer viruses, or to alleviate problems caused by such security breaches or viruses. To the extent that the activities of our third-party providers or the activities of our customers involve the storage and transmission of confidential information, security breaches and viruses could expose us to claims, regulatory scrutiny, litigation, and other possible liabilities. These types of third-party relationships are subject to increasingly demanding regulatory requirements and oversight by federal bank regulators (the OCC, the FDIC and the CFPB). As a result, if our regulators conclude that we have not exercised adequate oversight and control over vendors and subcontractors or other ongoing third-party business relationships or that such third-parties have not performed appropriately, we could be subject to enforcement actions, including civil money penalties or other administrative or judicial penalties or fines, as well as requirements for consumer remediation. In addition, we may not be adequately insured against all types of losses resulting from third-party failures, and our insurance coverage may be inadequate to cover all losses resulting from systems failures or other disruptions to our banking services.