We at Experian have been conducting a survey of visitors to our Red Flag guidelines microsite (www.experian.com/redflags). Some initial findings show that approximately 40 percent of those surveyed were "ready" by the original November 1, 2008 deadline.  However, nearly 50 percent of the respondents found the Identity Theft Red Flag deadline extension(s) helpful. For those of you that have not taken the survey, please do so.  We welcome your feedback.  

As most industry folks are aware, the FTC recently pushed out their Red Flags Rule enforcement deadline to August 1, 2009.  It is important to note, however, that this extension does not apply to the specific requirement that institutions with covered accounts detect and respond to address discrepancies related to consumer credit profiles.  The original November 1, 2008 deadline is, and has been, the line in the sand for this requirement.  I recommend that those institutions still working toward a compliant written and operational Identity Theft Prevention Program ensure that they have in place today a process to detect and respond to address discrepancies noted on credit profiles.

One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.  A couple of common questions and answers to get us started: 1.  How do the credit reporting agencies display an address discrepancy? Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry. 2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested? Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly. In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report. Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change. A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.  

Back during World War I, the concept of “triage” was first introduced to the battlefield.  Faced with massive casualties and limited medical resources, a system was developed to identify and select those who most needed treatment and who would best respond to treatment.  Some casualties were tagged as terminal and received no aid; others with minimal injuries were also passed over.  Instead, medical staff focused their attentions on those who required their services in order to be saved.  These were the ones who needed and would respond to appropriate treatment.  Our clients realize that the collections battlefield of today requires a similar approach.  They have limited resources to face this mounting wave of delinquencies and charge offs.  They also realize that they can’t throw bodies at this problem. They need to work smarter and use data and decisioning more effectively to help them survive this collections efficiency battle. Some accounts will never “cure” no matter what you do.  Others will self-cure with minimal or no active effort. Taking the right actions on the right accounts, with the right resources, at the right time is best accomplished with advanced segmentation that employs behavioral scoring, bureau-based scores and other relevant account data. The actual data and scores that should be used depend on the situation and account status, and there is no one-size-fits-all approach.  

How is your financial institution/organization working to improve your collections work stream?What are some of your keys for collections efficiency?What tools do you use to manage your collections workflow?

What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline? Was your institution ready to meet Red Flag guidelines? 

In addition to behavioral models, collections and account management groups need the ability to implement collections workflow strategies in order to effectively handle and process accounts, particularly when the optimization of resources is a priority. While the behavioral models will effectively evaluate and measure the likelihood that an account will become delinquent or result in a loss, strategies are the specific actions taken, based on the score prediction, as well as other key information that is available when those actions are appropriate. Identifying high-risk accounts, for example, may result in strategies designed to accelerate collections management activity and execute more aggressive actions. On the other hand, identifying low-risk accounts can help determine when to take advantage of cost-saving actions and focus on customer retention programs.  Effective strategies also address how to handle accounts that fall between the high- and low-risk extremes, as well as accounts that fall into special categories such as first payment defaults, recently delinquent accounts and unique customer or product segments. To accommodate lenders with systems that cannot support either behavioral scorecards or strategies, Experian developed the powerful service bureau solution, Portfolio Management Package, which is also referred to as PMP. To use this service, lenders send Experian customer master file data on a daily basis. Experian processes the data through the Portfolio Management Package system which includes calculating Fast Start behavior scores and identifying special handling accounts and electronically delivers the recommended strategies and actions codes within hours. Scoring and strategy parameters can be easily changed, as well as portfolio segmentation, special handling options and scorecard selections. PMP also supports Champion Challenger testing to enable users to learn which strategies are most effective. Comprehensive reports suites provide the critical information needed for lenders to design strategies and evaluate and compare the performance of those strategies.  

  Does the rule list the Red Flags? The Identity Theft Red Flags Rule provides several examples of Red Flags in four separate categories: 1. alerts and notifications recieved from credit reporting agencies and third-party service providers; 2. the presentation of suspicious documents or suspicious identifying information;   3. unusual or suspicious account usage patterns; and 4. notices from a customer, identity theft victim or law enforcement.    

Optimization is a very broad and commonly used term today and the exact interpretation is typically driven by one's industry experience and exposure to modern analytical tools. Webster defines optimize as: "to make as perfect, effective or functional as possible". In the risk/collections world, when we want to optimize our strategies as perfect as technology will allow us, we need to turn to advanced mathematical engineering. More than just scoring and behavioral trending, the most powerful optimization tools leverage all available data and consider business constraints in addition to behavioral propensities for collections efficiency and collections management. A good example of how this can be leveraged in collections is with letter strategies. The cost of mailing letters is often a significant portion of the collections operational budget. After the initial letter required by the Fair Debt Collection Practice Act (FDCPA) has been sent, the question immediately becomes: “What is the best use of lettering dollars to maximize return?” With optimization technology we can leverage historical response data while also considering factors such as the cost of each letter, performance of each letter variation and departmental budget constraints, while weighing the alternatives to determine the best possible action to take for each individual customer. n short, cutting edge mathematical optimization technology answers the question: "Where is the point of diminishing return between collections treatment effectiveness and efficiency / cost?"  

Currently, financial institutions focus on the existing customer base and prioritize collections to recover more cash, and do it faster. There is also a need to invest in strategic projects with limited budgets in order to generate benefits in a very short term, to rationalize existing strategies and processes while ensuring that optimal decisions are made at each client contact point. To meet the present challenging conditions, financial institutions increasingly are performing business reviews with the goal of evaluating needs and opportunities to maximize the value created in their portfolios.  Business reviews assess an organization’s capacity to leverage on existing opportunities as well as identifying any additional capability that might be necessary to realize the increased benefits. An effective business review covers the following four phases: Problem definition: Establish and qualify what the key objectives of the organization are, the most relevant issues to address, the constraints of the solution, the criteria for success and to summarize how value management fits into the company’s corporate and business unit strategies. Benchmark against leading practice: Strategies, processes, tools, knowledge, and people have to be measured using a review toolset tailored to the organization’s strategic objectives. Define the opportunities and create the roadmap: The elements required to implement the opportunities and migrating to the best practice should be scheduled in a phased strategic roadmap that includes the implementation plan of the proposed actions. Achieve the benefits: An ROI-focused approach, founded on experience in peer organizations, will allow analysis of the cost-benefits of the recommended investments and quantify the potential savings and additional revenue generated. A continuous fine-tuning (i.e. impact of market changes, looking for the next competitive edge and proactively challenge solution boundaries) will ensure the benefits are fully achieved. Today’s blog is an extract of an article written by Burak Kilicoglu, an Experian Global Consultant To read the entire article in the April edition of Experian Decision Analytics’ global newsletter e-news, please follow the link below: http://www.experian-da.com/news/enews_0903/Story2.html  

The Federal Trade Commission announced on April 30, one day before the intended May 1 Red Flags Rule enforcement deadline, a third extension of that deadline to August 1, 2009.  It's like showing up to class without your homework and the teacher is out sick that day….kind of.  The first extension from November 1, 2008 to May 1, 2009 seems to center on the general confusion among many market sectors around their level of coverage under the Identity Theft Red Flags Rule.  This latest delay seems to be a result of pushback from businesses with a lower risk of identity theft occurrences and a more "known" consumer base.So, it looks like we have at least three more months of preparation time.  This can be a good thing for all institutions regardless of their current Red Flag guidelines readiness status.  Those who scrambled to get a program in place now have time to fine tune it.  Those that were hoping for another extension have it.  Those who still question what their program should look like or if they are even covered can look forward to some more clarifying information out soon.Some key takeaways from the announcement:The FTC announcement does not impact other federal agency enforcement deadlines dating back to November 1, 2008.Specific to institutions that may have a perceived lower risk of identity theft, or businesses that generally know their customers personally, the Commission will be publishing more clarifying language and sample process (in the form of a template) to help those types of businesses comply with the Rule.Finally, this quote from the announcement sums it up:  “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said. 

By: Tom Hannagan As I'm preparing for traveling to the Baker Hill Solution Summit next week, I thought I would revisit the ideas of risk-based loan pricing. Risk Adjusted Loan Pricing – The Major Parts I have referred to risk-adjusted commercial loan pricing (or the lack of it) in previous posts. At times, I’ve commented on aspects of risk-based pricing and risk-based bank performance measurement,  but I haven’t discussed what risk-based pricing is -- in a comprehensive manner. Perhaps, I can begin to do that now, and in my next posts. Risk-based pricing analysis is a product-level microcosm of risk-based bank performance. You begin by looking at the financial implications of a product sale from a cost accounting perspective. This means calculating the revenues associated with a loan, including the interest income and any fee-based income. These revenues need to be spread over the life of the loan, while taking into account the amortization characteristics of the balance (or average usage for a line of credit). To save effort (and in providing good client relationship management), we often download the balance and rate information for existing loans from a bank’s loan accounting system. To “risk-adjust” the interest income, you need to apply a cost of funds that has the same implied market risk characteristics as the loan balance. This is not like the bank’s actual cost of funds for several reasons. Most importantly, there is usually no automatic risk-based matching between the manner in which the bank makes loans and the term characteristics of its deposits and/or borrowing. Once we establish a cost of funds approach that removes interest rate risk from the loan, we subtract the risk-adjusted interest expense from the revenues to arrive at risk-adjusted net interest income, or our risk-adjusted gross margin. We then subtract two types of costs. One cost includes the administrative or overhead expenses associated with the product. Our best practice is to derive an approach to operating expense breakdowns that takes into account all of the bank’s non-interest expenses. This is a “full absorption” method of cost accounting. We want to know the marginal cost of doing business, but if we just apply the marginal cost to all loans, a large portion of real-life expenses won’t be covered by resulting pricing. As a result, the bank’s profits may suffer. We fully understand the argument for marginal cost coverage, but have seen the unfortunate end-result of too many sales -- that use this lower cost factor -- hurt a bank’s bottom line. Administrative cost does not normally require additional risk adjustment, as any risk-based operational expenses and costs of mitigating operation risk are already included in the bank’s general ledger for non-interest expenses. The second expense subtracted from net interest income is credit risk cost. This is not the same as the bank’s provision expense, and is certainly not the same as the loss provision in any one accounting period.  The credit risk cost for pricing purposes should be risk adjusted based on both product type (usually loan collateral category) and the bank’s risk rating for the loan in question. This metric will calculate the relative probability of default for the borrower combined with the loss given default for the loan type in question. We usually annualize the expected loss numbers by taking into account a multi-year history and a one- or two-year projection of net loan losses. These losses are broken down by loan type and risk rating based on the bank’s actual distribution of loan balances. The risk costs by risk rating are then created using an up-sloping curve that is similar in shape to an industry default experience curve. This assures a realistic differentiation of losses by risk rating. Many banks have loss curves that are too flat in nature, resulting in little or no price differentiation based on credit quality. This leads to poor risk-based performance metrics and, ultimately, to poor overall financial performance. The loss expense curves are fine-tuned so that over a period of years the total credit risk costs, when applied to the entire portfolio, should cover the average annual expected loss experience of the bank. By subtracting the operating expenses and credit risk loss from risk-adjusted net interest income, we arrive at risk-adjusted pre-tax income. In my next post we’ll expand this discussion further to risk-adjusted net income, capital allocation for unexpected loss and profit ratio considerations.

1.       Portfolio Management – You should really focus on this topic in 2009.  With many institutions already streamlining the origination process, portfolio management is the logical next step.  While the foundation is based in credit quality, portfolio management is not just for the credit side.  2.       Review of Data (aka “Getting Behind the Numbers”) – We are not talking about scorecard validation; that’s another subject.  This is more general.  Traditional commercial lending rarely maintains a sophisticated database on its clients.  Even when it does, traditional commercial lending rarely analyzes the data.  3.       Lowering Costs of Origination – Always a shoe-in for a goal in any year!  But how does an institution make meaningful and marked improvements in reducing its costs of origination?  4.       Scorecard Validation – Getting more specific with the review of data.  Discuss the basic components of the validation process and what your institution can do to best prepare itself for analyzing the results of a validation.  Whether it be an interim validation or a full-sized one, put together the right steps to ensure your institution derives the maximum benefit from its scorecard. 5.       Turnaround Times (Response to Client) –Rebuild it.  Make the origination process better, stronger and faster.  No; we aren’t talking about bionics here -- nor how you can manipulate the metrics to report a faster turnaround time.  We are talking about what you can do from a loan applicant perspective to improve turnaround time. 6.       Training – Where are all the training programs?  Send in all the training programs!  Worry, because they are not here.  (Replace training programs with clowns and we might have an oldies song.)  Can’t find the right people with the right talent in the marketplace?  7.       Application Volume/Marketing/Relationship Management – You can design and execute the most efficient origination and portfolio management processes.   But, without addressing client and application volume, what good are they? 8.       Pricing/Yield on Portfolio – “We compete on service, not price.” We’ve heard this over and over again.  In reality, the sales side always resorts to price as the final differentiator.  Utilizing standardization and consistency can streamline your process and drive improved yields on your portfolio. 9.       Management Metrics – How do I know that I am going in the right direction?  Strategize, implement, execute, measure and repeat.  Learn how to set your targets to provide meaningful bottom line results. 10.    Operational Risk Management – Different from credit risk, operational risk and its management, operational risk management deals with what an institution should do to make sure it is not open to operational risk in the portfolio. Items totally in the control of the institution, if not executed properly, can cause significant loss. What do you think? As the end of April approaches, are these still hot topics in your financial institution?

The debate continues in the banking industry -- Do we push the loan authority to the field or do we centralize it (particularly when we are talking about small business loans)? A common argument for sending the loan authority to the field is the improved turnaround time for the applicant. However reality is that centralized loan authority actually provides a decision time almost two times faster than those of a decentralized nature.  The statistics supporting this fact are from the Small Business Benchmark Study created and published by Baker Hill, a Part of Experian, for the past five years. Based upon the 2008 Small Business Benchmark Study, those institutions with assets of $20 billion to $100 billion used only centralized underwriting and provided decisions within 2.5 days on average. In contrast, the next closest category ($2 billion to $20 billion in assets) took 4.4 days. Now, if we only consider the time it takes to make a decision (meaning we have all the information needed), the same disparity exists.  The largest banks using solely centralized underwriting took 0.8 days to make a decision, while the next tier ($2 billion to $20 billion) took an average 1.5 days to make a decision.  This drop in centralized underwriting usage between these two tiers was simply a 15 percent change. This means that the $20 billion to $100 billion banks had 100% usage of centralized underwriting while the $2 billion to $20 billion dropped only to 85% usage. Eighty-five percent is still a strong usage percentage, but it has a significant impact on turnaround time. The most perplexing issue is that the smaller community banks are consistently telling me that they feel their competitive advantages are that they can respond faster and they know their clients better than bigger, impersonal banks.  Based upon the stats, I am not seeing this competitive advantage supported by reality.  What is particularly confusing is that the small community banks, that are supposed to be closest to the client, take twice as long overall from application receipt to decision and almost three times as long when you compare them to the $20 billion to $100 billion category (0.8 days) to the $500 million to $2 billion category (2.2 days). As you can see - centralized underwriting works.  It is consistent, provides improved customer service, improved throughput, increased efficiency and improved credit quality when compared to the decentralized approach.   In future blogs, I will address the credit quality component.

I was recently asked in a comment, "What do we have to do to become compliant?" Great question.  There is not a single path to compliance when it comes to Red Flags compliance.  Effectively, an institution that has covered accounts under the Rule must implement both a written and operational Identity Theft Prevention Program.    The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics.   A compliant Program must contain reasonable policies and procedures to address four mandatory elements: Identifying Red Flags applicable to covered accounts and incorporating them into the Program Detecting and evaluating the Red Flags included in the Program Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose and Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft  The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program. While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk.   The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include: Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated Confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor are doing business Reviewing address discrepancies