Regulatory Compliance

By: Kari Michel On March 18th 2011 the Federal Reserve Board approved a rule amending Regulation Z (Truth in Lending) to clarify portions of the final rules implementing the Credit CARD Act of 2009. Specific to ability to pay requirements, the new rule states that credit card applications generally cannot request a consumer's "household income" because that term is too vague to allow issuers to properly evaluate the consumer's ability to pay. Instead, issuers must consider the consumer's individual income or salary. The new ruling will be effective October 2011. Given the new direction outlined in the latest rules, we've been hard at work on developing 2 income models to support these regulatory obligations and enhance the underwriting and risk assessment process - Income InsightSM and Income Insight W2SM.  Both income models estimate an individual’s income based on an individual credit report and can be used in acquisition strategies, account management review and collection processes.  Why two models? Income InsightSM estimates the consumer’s total income, including wages, investments, rentals and other income. Income Insight W2SM estimates wages only.  Check them out - and let us know what you think! We want to hear from you.

The next time a consumer asks about his or her credit score, consider it an opportunity. Recent changes to the Risk-Based Pricing (RBP) rule may provide new opportunities to strengthen relationships by educating consumers about what their credit scores mean, how they’re used, and how they can be improved. For many lenders and other businesses, this could be the first time they’ve had a chance to speak directly and openly with customers about their credit scores. The RBP rule is intended to improve financial literacy As we’ve discussed, the Risk-Based Pricing Rule was instituted in response to policymaker concerns that consumers were not being sufficiently informed of the impact that credit reports can have on their annual percentage rate (APR). Now, when a lender makes a credit decision based on a consumer credit report and does not offer the best possible rate, or denies credit, the RBP Rule requires lenders to notify the customer about the decision – through either an explanation of the rate offered or disclosing a credit score. New requirements take effect on July 21 RBP compliance is changing following recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Companies will now be required to provide all customers with a credit score within a Risk Based Pricing Notice, along with educational material. The new requirement is effective July 21, 2011. This is also the date when the new Bureau of Consumer Financial Protection (CFPB) is set to be fully operational. How to prepare for consumer questions about credit scores Experian offers a number of resources to help lenders answer consumer questions. Online resources, including the Ask Experian column and our extensive Credit Education section, provide fundamental information to help consumers better understand credit scores and credit reports. The Experian Credit Score Basics booklet, plus more than 20 other educational documents, are available electronically and formatted for easy printing and distribution. All documents, PowerPoint presentations, virtual seminars and education videos are available on a free mini-disk. Customized training and education is available The Experian Public Education team can also provide customized, live Internet-based training and education for our clients’ employees to help them effectively answer customer questions about credit reports and credit scores. For a free mini-disk or more information about training events, please contact Rod Griffin, Experian’s Director of Public Education, at 1 (972) 390-3528, or email clientcorner@experian.com. Take a moment to check out our Risk-Based Pricing microsite, too. Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.

By: Staci Baker There has been a lot of talk in the news about the Dodd-Frank Act lately. According to the Dodd-Frank Resource Center of the American Financial Services Association (AFSA), “The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which passed on July 21, 2010, is unprecedented in magnitude, and will impact every sector of the financial services industry.”  The aim of the Act is to put measures in place that address the issues that led to the financial crisis. This is done by setting up new regulatory bodies, and limiting the dealings of banks and other financial institutions. For the purpose of this blog, I will focus on describing the new regulatory agencies.  The Bureau of Consumer Financial Protection (CFPB), is an independent watchdog housed within the Federal Reserve. The CFPB has the authority to “regulate consumer financial products and services in compliance with federal law.”[ii] They are responsible for the accuracy of information, hidden fees and deceptive practices for consumers from within the following industries – mortgage, credit cards and other financial products. The Financial Stability Oversight Council is “charged with identifying threats to the financial stability of the United States, promoting market discipline, and responding to emerging risks to the stability of the United States financial system.”ii Through the Treasury, this council will create a new Office of Financial Research, which will be responsible for collecting and analyzing data to identify and monitor emerging risks to the economy, and publish the findings in periodic reports.  These new regulatory agencies are critical to US business processes, as they will more closely monitor business practices, create new tighter legislation, and report findings to the public. The legislation that is created will decrease risk levels posed by large, complex companies, as well as address discrepancy that has been raised throughout the financial crisis.     What are your views of the Dodd-Frank Act? Do you believe this is the legislation needed to stem future financial crisis? If not, what would help you and your business?  

The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule.  Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer. The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, and based upon an obligation to repay those advanced funds.  The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule. The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law.  This may alleviate many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities.  However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement given their accessing of consumer credit profiles in many of their application processing procedures.  Again, one has to wonder what the original intent of the Red Flags Rule was.  If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the businesses under which potential enforcement applies seems counter-productive.  The advancement of funds or not doesn’t necessarily add to or reduce risk of fraud, as much as the actual obtainment of accounts and services with identity information…regardless of industry.  More to follow…

In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention.  As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more. Legislation for banks, lenders, and other financial services organizations are only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FI’s must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management. Here’s a case where we were able to offer a solution to one client’s complex needs.  Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP and now the Sales group had to find a tool that could facilitate these guidelines and decision appropriately. The challenge was doing so without a costly custom solution, not sacrificing their current customer service SLA’s, and being able to define the criteria in the CIP decisioning rather than a stock interpretation. The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked. The net result? Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts or who did not meet the name, address, SSN, and DOB check for further authentication.

By: Staci Baker On September 12, 2010, the new Basel III rules were passed in Basel, Switzerland. These new rules aim to increase the liquidity of banks over the next decade, thereby mitigating the risk of bank failures and mergers that transpired during the recent financial crisis. Currently, banks must maintain capital reserves of 4% on their balance sheet to account for enterprise risk. Starting January 1, 2013, banks will be required to progressively increase their capital reserves, known as tier 1 capital, to 4.5%. By the end of 2019, this reserve will need to be 6%.  Banks will also be required to keep an emergency reserve, or “conservation buffer,” of 2.5%. What does this mean for banks? And, what are some tools that banks can use in assessing credit risk? By increasing capital reserves, banks will be more stable in times of economic hardship. The conservation buffer is meant to help absorb losses during times of economic stress, which means banks will be in a better position to maintain economic progress in the most challenging economic circumstances. The capital reserve designated by the Group of Governors and Heads of Supervision is the minimum requirement each bank will be held to. Each bank will need to assess their current risk levels, and run stress tests to ensure they are in a good financial position, and are able to sustain strong financial health during a failing economy. Stress tests should be run for different time intervals, which will allow lenders to assess future losses and to plan capital satisfactoriness accordingly. This type of credit risk analysis is possible through applications such as Moody’s CreditCycle Plus, powered by Experian, that allow for stress testing, and profit and loss forecasting.  These applications will measure future performance of consumer credit portfolios under various economic scenarios, measured against industry benchmarks. ______________ Bank for International Settlements, 9/12/10, http://bis.org/press/p100912.htm

By: Wendy Greenawalt The final provisions included in The Credit Card Act will go into effect on August 22, 2010. Most lenders began preparing for these changes some time ago, and may have already begun adhering to the guidelines. However, I would like to talk about the provisions included and discuss the implications they will have on credit card lenders. The first provision is the implementation of penalty fee guidelines. This clause prohibits card issuers from charging fees that exceed the consumer’s violation of the account terms. For example, if a consumer’s minimum monthly payment on a credit card account was $15, and the lender charges a $39 late fee, this would be considered excessive as the penalty is greater than the consumers’ obligation on that account. Going forward, the maximum fee a lender could charge in this example would be $15 or equal to the consumers obligation. In addition to late fee limitations, lenders can no longer charge multiple penalty fees based on a single late payment,  other account term violations or fees for account inactivity.  These limitations will have a dramatic impact on portfolio profitability, and lenders will need to account for this with all accounts going forward. The second major provision mandates that if a lender increased a consumer’s annual interest rate after January 1, 2009 due to credit risk, market conditions, or other factors, then the lender must maintain reasonable methodologies and perform account reviews no less than every 6 months. If during the account review, the credit risk, market conditions or other factors that resulted in the interest rate increase have changed, the lender must adjust the interest rate down if warranted. This provision only affects interest rate increases and does not supply specific terms on the amount of the interest rate reduction required; so lenders must assess this independently to determine their individual compliance requirements on covered accounts. The Credit Card Act was a measure to create better policies for consumers related to credit card accounts and overall will provide greater visibility and fair account practices for all consumers. However, The Credit Card Act  places more pressure on lenders to find other revenue streams to make up for revenue that was previously received when accounts were not paid by the due date, fees and additional interest rate income were generated. Over the next few years, lenders will have to find ways to make up this shortcoming and generate revenue through acquisition strategies and/or new business channels in order to maintain a profitable portfolio. http://www.federalreserve.gov/newsevents/press/bcreg/20100303a.htm

Well, in my last blog, I was half right and half wrong.  I said that individual trade associations and advocacy groups would continue to seek relief from Red Flag Rules ‘coverage’ and resultant FTC enforcement.  That was right.  I also said that I thought the June 1 enforcement date would ‘stick’.  That was wrong. Said FTC Chairman Jon Leibowitz, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flag Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift.  As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.” I think the key words here are ‘unintended consequences’.  It seems to me that the unintended consequences of the Red Flag Rules reach far beyond just which industries are covered or not covered (healthcare, legal firms, retailers, etc).  Certainly, the fight was always going to be brought on by non-financial institutions that generally may not have had a robust identity authentication practice in place as a general baseline practice.  What continues to be lost on the FTC is the fact that here we are a few years down the road, and I still hear so much confusion from our clients as to what they have to do when a Red Flag compliance condition is detected.  It’s easy to be critical in hindsight, yes, but I must argue that if a bit more collaboration with large institutions and authentication service providers in all markets had occurred, creating a more detailed and unambiguous Rule, we may have seen the original enforcement date (or at least one of the first or second postponement dates) ‘stick’. At the end of the day, the idea of mandating effective and market defined identity theft protection programs makes a lot of sense.  A bit more intelligence gathering on the front end of drafting the Rule may, however, have saved time and energy in the long run.  Here’s hoping that December 31st ‘sticks’…I’m done predicting.  

By: Kari Michel The Federal Reserve’s decision to permit card issuers to use income estimation models to meet the Accountability, Responsibility, and Disclosure (CARD) Act requirements to assess a borrower’s ability to repay a loan makes good sense. But are income estimation models useful for anything other than supporting compliance with this new regulation? Yes; in fact these types of models offer many advantages and uses for the financial industry. They provide a range of benefits including better fraud mitigation, stronger risk management, and responsible provision of credit. Using income estimation models to understand your customers’ complete financial picture is valuable in all phases of the customer lifecycle, including: • Loan Origination – use as a best practice for determining income capacity • Prospecting – target customers within a specific income range • Acquisitions – set line assignments for approved customers • Account Management – assess repayment ability before approving line increases • Collections – optimize valuation and recovery efforts One of the key benefits of income estimation models is they validate consumer income in real time and can be easily integrated into current processes to reduce expensive manual verification procedures and increase your ROI. But not all scoring models are created equal. When considering an income estimation model, it’s important to consider the source of the income data upon which the model was developed. The best models rely on verified income data and cover all income sources, including wages, rent, alimony, and Social Security. To lean more about how income estimation models can help with risk management strategies, please join the following webinar: Ability to pay:  Going beyond the Credit CARD on June 8, 2010. http://www.bulldogsolutions.net/ExperianConsumerInfo/EXC1001/frmRegistration.aspx?bdls=24143    

By: Kari Michel What is Basel II?  Basel II is the international convergence of Capital Measurement and Capital Standards. It is a revised framework and is the second iteration of an international standard of laws. The purpose of Basel II is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operations risk banks face.  Basel II ultimately implements standards to assist in maintaining a healthy financial system. The business challenge The framework for Basel II compels the supervisors to ensure that banks implement credit rating techniques that represent their particular risk profile.  Besides the risk inputs (Probability of Default (PD), Loss Given Default (LGD) and Exposure at Default (EAD)) calculation, the final Basel accord includes the “use test” requirement which is the requirement for a firm to use an advanced approach more widely in its business and met merely for calculation of regulatory capital. Therefore many financial institutions are required to make considerable changes in their approach to risk management (i.e. infrastructure, systems, processes, data requirements).  Experian is a leading provider of risk management solutions -- products and services for the new Basel Capital Accord (Basel II).  Experian’s approach includes consultancy, software, and analytics tailored to meet the lender’s Basel II requirements.  

A recent New York Times (1) article outlined the latest release of credit borrowing by the Federal Reserve, indicating that American’s borrowed less for the ninth-straight month in October. Nested within the statistics released by the Federal Reserve were metrics around reduced revolving credit demand and comments about how “Americans are borrowing less as they try to replenish depleted investments.” While this may be true, I tend to believe that macro-level statements are not fully explaining the differences between consumer experiences that influence relationship management choices in the current economic environment. To expand on this, I think a closer look at consumers at opposite ends of the credit risk spectrum tells a very interesting story. In fact, recent bank card usage and delinquency data suggests that there are at least a couple of distinct patterns within the overall trend of reducing revolving credit demand: • First, although it is true that overall revolving credit balances are decreasing, this is a macro-level trend that is not consistent with the detail we see at the consumer level. In fact, despite a reduction of open credit card accounts and overall industry balances, at the consumer-level, individual balances are up – that’s to say that although there are fewer cards out there, those that do have them are carrying higher balances. • Secondly, there are significant differences between the most and least-risky consumers when it comes to changes in balances. For instance, consumers who fall into the least-risky VantageScore® tiers, Tier A and B, show only 12 percent and 4 percent year-over-year balance increases in Q3 2009, respectively. Contrast that to the increase in average balance for VantageScore F consumers, who are the most risky, whose average balances increased more than 28 percent for the same time period. So, although the industry-level trend holds true, the challenges facing the “average” consumer in America are not average at all – they are unique and specific to each consumer and continue to illustrate the challenge in assessing consumers' credit card risk in the current credit environment. 1 http://www.nytimes.com/2009/12/08/business/economy/08econ.html  

Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time") offers institutions a viable strategy for balancing the following competing forces and pressures: • Compliance – the need to ensure each transaction is approved only when compliance requirements are met; • Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; • Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.  

As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is one that manages the number of referrals generated from the detection of Red Flags conditions.  The big ticket item in referral generation is the address mismatch condition. Identity Theft Prevention Program I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information.  What I will suggest, however, is that those institutions who now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them all within the same real-time transaction. Referral rates Referral rates stemming from address mismatches (a key component of the Red Flags Rule high risk conditions) can approach or even surpass 30 percent.  That is a lot.  The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match.  The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication and Identity Theft Prevention Program. Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and distanced from the need to put your customers through the authentication wringer.  In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience.  Of course, we think ours are pretty good.  

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including: 1. Do FACTA Sections 114 and 315 apply to me? 2. What do I have to do to comply? 3. What impact does this have on the customer’s experience? 4. What is this going to cost me in terms of people and process? Interpretation of the law or guideline – including who it applies to and to whom it does not - varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone - it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues. And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay? But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program. The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly. So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which cause heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is Yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.  

There were always questions around the likelihood that the August 1, 2009 deadline would stick.  Well, the FTC has pushed out the Red Flag Rules compliance deadline to November 1, 2009 (from the previously extended August 1, 2009 deadline). This extension is in response to pressures from Congress – and, likely, "lower risk" businesses questioning their being covered under the Red Flag Rule to begin with (businesses such as those related to healthcare, retailers, small businesses, etc). Keep in mind that the FTC extension on enforcement of Red Flag Guidelines does not apply to address discrepancies on credit profiles, and that those discrepancies are expected to be worked TODAY.  Risk management strategies are key to your success. To view the entire press release, visit: http://www.ftc.gov/opa/2009/07/redflag.shtm