Regulatory Compliance


The cumulative effect of Basel III is expected to have a substantial impact on capital requirements. The total minimum regulatory capital will increase from 8 percent to 10.5 percent. For institutions that are considered "systematically important," an additional holding requirement may be imposed of up to 3.5 percent. Download our white paper to learn more about how your peers are reacting to Basel III and how Experian can help banks to optimize risk-weighted assets. Source: Creating value in challenging times: An innovative approach to Basel III compliance by Experian's Global Consulting Practice

Published: July 6, 2012 by admin

By: Mike Horrocks This week, several key financial institutions will be submitting their “living wills” to Washington as part of the Dodd-Frank legislation.  I have some empathy for how those institutions will feel as they submit these living wills.  I don’t think that anyone would say writing a living will is fun.  I remember when my wife and I felt compelled to have one in place as we realized that we did not want to have any questions unanswered for our family. For those not familiar with the concept of the living will, I thought I would first look at the more widely known medical description.   The Mayo Clinic describes living wills as follows, “Living wills and other advance directives describe your preferences regarding treatment if you're faced with a serious accident or illness. These legal documents speak for you when you're not able to speak for yourself — for instance, if you're in a coma.”   Now imagine a bank in a coma. I appreciate the fact that these living wills are taking place, but pulling back my business law books, I seem to recall that one of the benefits of a corporation versus say a sole proprietorship is that the corporation can basically be immortal or even eternal.  In fact the Dictionary.com reference calls out that a corporation has “a continuous existence independent of the existences of its members”.  So now imagine a bank eternally in a coma. Now, I cannot avoid all of those unexpected risks that will come up in my personal life, like an act of God, that may put me into a coma and invoke my living will, but I can do things voluntarily to make sure that I don’t visit the Emergency Room any time soon.  I can exercise, eat right, control my stress and other healthy steps and in fact I meet with a health coach to monitor and track these things. Banks can take those same steps too.  They can stay operationally fit, lend right, and monitor the stress in their portfolios.   
They can have their health plans in place and have a personal trainer to help them stay fit (and maybe even push them to levels of fitness they did not think they could reach).  Now imagine a fit, strong bank. So as printers churn, inboxes get filled, and regulators read through thousands of pages of bank living wills, let’s think of the gym coach, or personal trainer that pushed us to improve and think about how we can be healthy and fit and avoid the not so pleasant alternatives of addressing a financial coma.

Published: July 2, 2012 by Guest Contributor

The Consumer Financial Protection Bureau (CFPB) now has the ability to write and enforce 18 consumer protection laws that guide financial products and services. The new regulator has signaled the following issues as priorities:

· Clarity on how credit scores affect lender decisions: Beginning July 21, 2011, lenders were required to disclose the credit score that they used in all risk-based pricing notices and adverse action notices
· Shorter and simpler consumer disclosure forms: One of the first priorities is to make the terms and conditions associated with purchasing a mortgage or applying for a credit card shorter and clearer
· Enforcing the Fair Debt Collection Practices Act: The CFPB will enforce the Fair Debt Collection Practices Act and review current debt collector practices

Learn more about the CFPB

Published: March 30, 2012 by Guest Contributor

By: Staci Baker Just before the holidays, the Fed released proposed rules, which implement Sections 165 and 166 of the Dodd-Frank Act. According to The American Bankers Association, “The proposals cover such issues as risk-based capital requirements, leverage, resolution planning, concentration limits and the Fed’s plans to regulate large, interconnected financial institutions and nonbanks.” How will these rules affect you? One of the biggest concerns that I have been hearing from institutions is the effect that the proposed rules will have on profitability. Greater liquidity requirements, created by both the Dodd-Frank Act and Basel III Rules, put pressure on banks to re-evaluate which lending segments they will continue to participate in, as well as impact the funds available for lending to consumers. What are you doing to proactively combat this? Within the Dodd-Frank Act is the Durbin Amendment, which regulates the interchange fee an issuer can charge a consumer. As I noted in my prior blog detailing the fee cap associated with the Durbin Amendment, it’s clear that these new regulations in combination with previous rulings will continue to put downward pressures on bank profitability. With all of this to consider, how will banks modify their business models to maintain a healthy bottom line, while keeping customers happy? Over my next few blog posts, I will take a look at the Dodd-Frank Act’s effect on an institution’s profitability and highlight best practices to manage the impact to your organization.

Published: February 10, 2012 by Guest Contributor

By: Staci Baker Just before the holidays, the Fed released proposed rules, which implement Sections 165 and 166 of the Dodd-Frank Act. According to The American Bankers Association, “The proposals cover such issues as risk-based capital requirements, leverage, resolution planning, concentration limits and the Fed’s plans to regulate large, interconnected financial institutions and nonbanks.” How will these rules affect you? One of the biggest concerns that I have been hearing from institutions is the effect that the proposed rules will have on profitability. Greater liquidity requirements, created by both the Dodd-Frank Act and Basel III Rules, put pressure on banks to re-evaluate which lending segments they will continue to participate in, as well as impact the funds available for lending to consumers. What are you doing to proactively combat this? Within the Dodd-Frank Act is the Durbin Amendment, which regulates the interchange fee merchants are charged. As I noted in my prior blog detailing the fee cap associated with the Durbin Amendment, it’s clear that these new regulations in combination with previous rulings will continue to put downward pressures on bank profitability. With all of this to consider, how will banks modify their business models to maintain a healthy bottom line, while keeping customers happy? Over my next few blog posts, I will take a look at the Dodd-Frank Act’s effect on an institution’s profitability and highlight best practices to manage the impact to your organization.

Published: February 3, 2012 by Guest Contributor

By: Mike Horrocks Earlier this week, my wife and I were discussing the dinner plans for Thanksgiving. The yams, cranberries, and pumpkin pies were purchased and the secret family recipes were pulled out of the cupboard. Everything was ready…we thought. Then the topic of the turkey was brought up. In the buzz of work, family, kids, etc., both of us had forgotten to get the turkey. We had each thought the other was covering this purchase and had scratched it off our respective lists. Our Thanksgiving dinner was at risk! This made me think of what best practices from our industry could be utilized if I was going to mitigate risks and pull off the perfect dinner. So I pulled the page from the Basel Committee on Banking Supervision that defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, systems or external events” and I have some suggestions that I think work for both your Thanksgiving dinner and for your existing loan portfolios. First, let’s cover “inadequate or failed processes”. Clearly our shopping list process failed. But how are your portfolio management processes? Are they clearly documented and can they be implemented throughout the organization? Your processes should be as well communicated and documented as the “Smashed Yam Bake” recipe or you may be at risk. Next, let’s focus on the “people and systems”. People make mistakes – learn from them, correct them, and try to get the “systems” to make it so there are fewer mistakes. For example, I don’t want the risk of letting the turkey cook too long, so I use a remote meat thermometer. Ok, it is a little geeky; however the turkey has come out perfect every year. What systems do you have in place to make your quarterly reviews of the portfolio more consistent and up to your standards? Lastly, how do I mitigate those “external events”? Odds are I will be able to still get a turkey tonight.
If not, I talked to a friend of mine who is a chef and I have the plans for a goose.   How flexible are your operations and how accessible are you to the subject matter experts that can get you out of those situations?  A solid risk management program takes into account unforeseen events and can make them into opportunities. So as the Horrocks family gathered in Norman Rockwell like fashion this Thanksgiving, a moment of thanks was given to the folks on the Basel committee.  Likewise in your next risk review, I hope you can give thanks for the minimized losses and mitigated risks.  Otherwise, we will have one thing very much in common…our goose will be cooked.

Published: November 25, 2011 by Guest Contributor

This is the last question in our five-part series on the FFIEC guidance and what it means for Internet banking, what you need to know and how to prepare for the January 2012 deadline.

Q: How are organizations responding?

Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals, were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking.

_____________ This is the last of our five-part series but we're happy to answer more questions as we know you need to know how to prepare for the January 2012 deadline.

Published: November 18, 2011 by Chris Ryan

This is the fourth question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. If you missed parts 1-3, there's no time to waste, check them out here:

Go to question one: What does “multi-factor” authentication actually mean?
Go to question two: Who does this guidance affect? And does it affect each type of credit grantor/lender differently?
Go to question three: What does “layered security” actually mean?

Today's Q&A: What will the regulation do to help mitigate fraud risk in the near-term, and long-term?

The FFIEC’s guidance will encourage financial institutions to re-examine their processes. The guidance is an important reinforcement of several critical ideas:

Fraud losses undermine faith in our financial system by exposing vulnerabilities in the way we exchange goods, services and currencies. It is important that members of the financial services community understand their role in protecting our economy from fraud.

Fraud is not the result of a static set of tactics employed by criminals. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. Considering the impact that technology is having on commerce, it is more important than ever to review the processes that we once thought made our businesses “safe.”

The architecture and flexibility of fraud prevention “capabilities” is a weapon unto itself. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly. At the end of the day, the guidance is less about a need to take a specific action---and more about the “capability” to recognize when those actions are needed, and how they should be structured so that high-risk actions are met with strong and sophisticated defenses.

_____________ Look for part five, the final in our series tomorrow.

Published: November 17, 2011 by Chris Ryan

This is the third question in our five-part series on the FFIEC guidance and what it means for Internet banking. If you missed the first and second question, you can still view them - our answer isn't going anywhere. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: Who does this guidance affect? And does it affect each type of credit grantor/lender differently?

The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment. As fraud professionals know, strengthening the defenses in the on-line environment will drive the same fraud tactics to other channels. The best way to apply this guidance is to understand its intent and apply it across call centers and in-person interactions as well.

_____________ Look for part four of our five-part series tomorrow. If you have a related question that needs an answer, submit in the comments field below and we'll answer those questions too. Chances are if you are questioning something, others are too - so let's cover it here! Or, if you would prefer to speak with one of our Fraud Business Consultants directly, complete a contact form and we'll follow up promptly.

Published: November 16, 2011 by Chris Ryan

This is the second question in our five-part series on the FFIEC guidance and what it means for Internet banking. If you missed the first question, don't worry, you can still go back. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “multi-factor” authentication actually mean?

“Multi-factor” authentication refers to the combination of different security requirements that would be unlikely to be compromised at the same time. A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication. Even if the customer loses their card, it (theoretically) can’t be used to withdraw cash from the ATM machine without the PIN.

_____________ Look for part three of our five-part series tomorrow.

Published: November 15, 2011 by Chris Ryan

This is the first question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “layered security” actually mean?

“Layered” security refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases. Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might resemble:

1. Layer One - Account log-in. Security = valid ID and password must be provided.
2. Layer Two - Wire transfer request. Security = IP verification/confirmation that this PC has been used to access this account previously.
3. Layer Three - Destination account provided that has not been used to receive wire transfer funds in the past. Security = Knowledge Based Authentication.

Layered security provides an organization with the ability to handle simple customer requests with minimal security, and to strengthen security as risks dictate. A layered approach enables the vast majority of low risk transactions to be completed without unnecessary interference while the high-risk transactions are sufficiently verified.

_____________ Look for part two of our five-part series tomorrow.

Published: November 14, 2011 by Chris Ryan
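
The three layers in the post above can be expressed as a small step-up policy. This is an added example, not code from the post or from Experian; the class and function names, the sample identifiers, and the rule that an unrecognised device escalates to KBA are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Controls in escalating order of friction (names are hypothetical).
PASSWORD, DEVICE, KBA = "password", "device_recognition", "kba"


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)       # devices/IPs seen on this account
    known_destinations: set = field(default_factory=set)  # accounts wired to before


@dataclass
class Session:
    account: AccountHistory
    device_id: str
    passed: set = field(default_factory=set)  # controls already satisfied in this session


def required_controls(session, action, destination=None):
    """Return the controls an action needs, mirroring the post's three layers."""
    needed = [PASSWORD]                                    # Layer one: account log-in
    if action == "wire_transfer":
        needed.append(DEVICE)                              # Layer two: wire request
        if destination not in session.account.known_destinations:
            needed.append(KBA)                             # Layer three: new destination
    return needed


def evaluate(session, action, destination=None):
    """Return ("allow", []) or ("step_up", [controls still to be satisfied])."""
    missing = []
    for control in required_controls(session, action, destination):
        if control == DEVICE:
            if session.device_id in session.account.known_devices:
                continue  # passive check succeeded, no customer friction
            # Assumption (not from the post): an unrecognised device
            # escalates to the next active control, KBA.
            control = KBA
        if control not in session.passed and control not in missing:
            missing.append(control)
    return ("allow", []) if not missing else ("step_up", missing)


if __name__ == "__main__":
    # Constructed sample data.
    history = AccountHistory({"dev-1"}, {"ACCT-111"})
    s = Session(history, "dev-1")
    print(evaluate(s, "login"))                      # password still needed
    s.passed.add(PASSWORD)
    print(evaluate(s, "wire_transfer", "ACCT-111"))  # low risk: no extra friction
    print(evaluate(s, "wire_transfer", "ACCT-999"))  # new destination: KBA
```

Low-risk requests pass with the controls already satisfied, and only the new destination or the unrecognised device triggers the stronger check.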

With the most recent guidance newly issued by the Federal Financial Institutions Examination Council (FFIEC) there is renewed conversation about knowledge based authentication. I think this is a good thing. It brings back into the forefront some of the things we have discussed for a while, like the difference between secret questions and dynamic knowledge based authentication, or the importance of risk based authentication.

What does the new FFIEC guidance say about KBA? Acknowledging that many institutions use challenge questions, the FFIEC guidance highlights that the implementation of challenge questions can greatly impact efficacy of its usefulness. Chances are you already know this. Of greater importance, though, is the fact that the FFIEC guidelines caution on the use of less sophisticated systems and information that can be easily guessed or obtained from an Internet search, given the amount of information available.

As mentioned above, the FFIEC guidelines call for questions that “do not rely on information that is often publicly available,” recommending instead a broad range of data assets on which to base questions. This is an area knowledge based authentication users should review carefully. At this point in time it is perfectly appropriate to ask, “Does my KBA provider rely on data that is publicly sourced?” If you aren’t sure, ask for and review data sources. At a minimum, you want to look for the following in your KBA provider:

· Questions! Diverse questions from broad data categories, including credit and noncredit assets
· Consumer question performance as one of the elements within an overall risk-based decisioning policy
· Robust performance monitoring. Monitor against established key performance indicators and do it often
· Create a process to rotate questions and adjust access parameters and velocity limits. Keep fraudsters guessing!
· Use the resources that are available to you. Experian has compiled information that you might find helpful: www.experian.com/ffiec

Finally, I think the release of the new FFIEC guidelines may have made some people wonder if this is the end of KBA. I think the answer is a resounding “No.” Not only do the FFIEC guidelines support the continued use of knowledge based authentication, recent research suggests that KBA is the authentication tool identified as most effective by consumers. Where I would draw caution is when research doesn’t distinguish between “secret questions” and dynamic knowledge based authentication, which we all know are very different.

Published: October 4, 2011 by Guest Contributor

As I’m sure you are aware, the Federal Financial Institutions Examination Council (FFIEC) recently released its "Supplement to Authentication in an Internet Banking Environment" guiding financial institutions to mitigate risk using a variety of processes and technologies as part of a multi-layered approach. In light of this updated mandate, businesses need to move beyond simple challenge and response questions to more complex out-of-wallet authentication. Additionally, those incorporating device identification should look to more sophisticated technologies well beyond traditional IP address verification alone. Recently, I contributed to an article on how these new guidelines might affect your institution. Check it out here, in full: http://ffiec.bankinfosecurity.com/articles.php?art_id=3932 For more on what the FFIEC guidelines mean to you, check out these resources - which also give you access to a recent Webinar.

Published: August 19, 2011 by Keir Breitenfeld

By: Staci Baker In my last post about the Dodd-Frank Act, I described the new regulatory bodies created by the Act. In this post, I will concentrate on how the Act will affect community banks. The Dodd-Frank Act is over 3,000 pages of proposed and final rules and regulations set forth by the Consumer Financial Protection Bureau (CFPB). For any bank, managing such a massive amount of regulations is a challenge, but for a median-size bank with fewer employees, it can be overwhelming. The Act has far reaching unintended consequences for community banks. According to the American Bankers Association, there are five provisions that are particularly troubling for community banks:

1. Risk retention
2. Higher Capital Requirements and Narrower Qualifications for Capital
3. SEC’s Municipal Advisors Rule
4. Derivatives Rules
5. Doubling Size of the Deposit Insurance Fund (DIF)

In order to meet new regulatory requirements, community banks will need to hire additional compliance staff to review the new rules and regulations, as well as to ensure they are implemented on schedule. This means the additional cost of outside lawyers, which will affect resources available to the bank for staff, and for its customers and the community. Community banks will also feel the burden of losing interchange fee income. Small banks are exempt from the new rules; however, the market will follow the lowest priced product, which will mean another loss of revenue for the banks. As you can see, community banks will greatly be affected by the Dodd-Frank Act. The increased regulations will mean a loss of revenues, increased oversight, additional outside staffing (less resources) and reporting requirements. If you are a community bank, how do you plan on overcoming some of these obstacles?

Published: August 15, 2011 by Guest Contributor

By: Staci Baker The Durbin Amendment, according to Wikipedia, gave the Federal Reserve the power to regulate debit card interchange fees. The amendment, which will have a profound impact on banks, merchants and anyone who holds a debit card will take effect on October 1, 2011 rather than the originally announced July 21, 2011, which will allow banks additional time to implement the new regulations. The Durbin Amendment states that card networks, such as Visa and Mastercard, will include an interchange fee of 21 cents per transaction, and must allow debit cards to be processed on at least two independent networks. This will cost banks roughly $9.4 billion annually according to CardHub.com. As stipulated in the Amendment, institutions with less than $10 billion in assets are exempt from the cap. In preparation for the Durbin Amendment, several banks have begun to impose new fees on checking accounts, end reward programs, raise minimum balance requirements and have threatened to cap transaction amounts for debit card transactions at $50 to $100 in order to recoup some of the earnings they are expected to lose. These new regulations will be a blow to already hurting consumers as their out of wallet expenses keep increasing. As you can see, The Durbin Amendment, which is meant to help consumers, will instead have the cost from the loss of interchange fees passed along in other forms. And, the loss of revenue will greatly impact the bottom line of banking institutions. Who will be the bigger winner with this new amendment - the consumer, merchants or the banks? Will banks be able to lower the cost of credit to an amount that will entice consumers away from their debit cards and to use their credit cards again? I think it is still far too soon to tell. But, I think over the next few months, we will see consumers use payment methods in a new way as both consumers and banks come to a middle ground that will minimize risk levels for all parties. 
Consumers will still need to shop and bankers will still need their tools utilized. What are you doing to prepare for The Durbin Amendment?

Published: July 20, 2011 by Guest Contributor
