After reviewing more details around the "The President's Identity Theft Task Force Report" (September 2008), and some of the activities surrounding it, I find myself again pondering how all of this may be impacting our clients.  Does heightened consumer awareness around both identity theft Red Flags rules and government initiatives (like the task force report) put more pressure on various industries to have buttoned up identity theft prevention programs that are not only effective, but also "marketed" to consumers?  Are consumers now expecting to see more blatant identity theft prevention measures in place each time they transact with a service provider…any service provider?Lots of questions here, so let me know if you are feeling residual pressures from your consumer base as a result of any of the latest initiatives or reports.  I can say that we do have some clients that believe effective identity theft measures matter to their customers and use their protection measures as marketing messages.  For example, the use of knowledge-based authentication questions during an application or transaction approval process is not only effective in preventing fraud, but also leaves customers with a sense of security and an understanding that their financial institutions are working to combat identify theft..

What to do when you see a Red Flag. Your Identity Theft Prevention Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft. If so, your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include contacting your applicant, not opening a new account or even determining that no response is necessary.  

By: Tom Hannagan Part 2 There is one rather interesting clause that appears to represent an open-ended business porfolio risk management decision for the future. It is one small paragraph, named Amendment, in the middle of Article V - Miscellaneous, just ahead of governing law (which is federal law, backed up by the laws of the State of New York). Amendment begins normally enough, requiring the usual signed agreement of each party, but then states: “provided that the Investor may unilaterally amend any provision of this Agreement to the extent required to comply with any changes after the Signing Date in applicable federal statutes.” Wow. My understanding of this is that if Congress in the future, enacts anything that Treasury finds (or Congress requires Treasury to find) applicable to any aspect of the previously signed TARP Agreement, the bank is bound to adhere. Forget about the non-voting aspect of the preferred shares issued to the Treasury. Once the TARP Agreement is executed by the bank, management is not only bound by what’s in the document to begin with, it is in addition, subject to future federal law as long as the TARP shares are held by the government. So, this new major owner does have a voice. The Purchase Agreement covers what the new owner wants now and may decide it wants in the future. This a form of strategic business risk that comes with accepting the capital infusion, along with the various financial implications of the funding.

By: Tom Hannagan Part 1 Beyond the risk management considerations related to a bank’s capital position, which is directly impacted by Troubled Asset Relief Program (TARP) participation, it should be clear that TARP also involves business (or strategic) risk.  We have spoken in the past of several major categories of risk: credit risk, market risk, operational risk and business risk. Business risk includes: A variety of risks associated with the outcomes from strategic decision making; Governance considerations; Executive behavior (for lack of better terminology); Management succession events or other leadership occurrences that may affect the performance and financial viability of the business. Aside from the monetary impact on the bank’s capital position, TARP involves a new capital securities owner being in the mix. And, with a 20% infusion of added tier 1 capital, we are almost always talking about a very large, new owner relative to existing shareholders. The United States Department of the Treasury is the investor or holder of the newly issued preferred stock and warrants. The Treasury Department does not have voting rights like common shareholders, but the Treasury’s Securities Purchase Agreement – Standard Form includes at least 35 pages of terms, plus the required Letter Agreement, Schedules attached to the Letter Agreement and at least five significant Annex’s to the Purchase Agreement. It’s NOT an easy, quick or fun read. In the Recitals section, it states that the bank: “agrees to expand the flow of credit to U.S. consumers and businesses on competitive terms as appropriate to strengthen the health of the U.S. economy” and, later, “agrees to work diligently, under existing programs, to modify the terms of residential mortgages as appropriate to strengthen the health of the U.S. economy.” Fortunately, if you’re a banker, these topics are not (currently) revisited elsewhere in the document, period. However, these are examples of the new shareholder effecting business decision making without the need to be on the Board of Directors, or voting common shares. The Agreement covers a number of other requirements and limitations, such as executive compensation, dividend payments, other capital sourcing and retention of bank holding company status. None of these are particularly onerous, but they must be taken into account by management. Visit my next post to read about the very interesting Amendment clause that may represent an open-ended business portfolio risk management decision for the future.

We have been hearing quite a bit about the ponzi scheme that was created and managed by Bernie Madoff.  Almost $50 billion dollars was taken from those that were considered to be sophisticated and definitely not the typical type to be scammed.  So, what created the environment that allowed such large sums of money to be lost in such a basic con game as a ponzi scheme?  I believe there are a few basic factors that prompted these seemingly sophisticated people to invest in this ill-fated “investment.” A strong desire to generate investment returns when the typical channels were not delivering. The reputation(s) of the existing client list -- If they invested why shouldn’t I? The thought that if it paid off with smaller dollar investments, just think what could be made with larger dollars! Hmmm!  Sounds like how we got ourselves into today’s credit situation.  Basically, we were distracted by the items noted above and ignored the warning signs. Putting the items above into credit industry terms it can be summed up as follows: We have to continue to grow and we are pressured to find more opportunities.  If we go lower in the credit quality spectrum, it can generate immediate volume from the existing application volume. Other financial institutions have gone into this type of lending and they aren’t showing any signs of significant distress in their portfolios.  We need to do the same.  (Everyone in the herd in favor of this action please respond by saying “Moo.”) Our test portfolio has performed acceptably, so let’s increase the volume. Let’s continue the correlation between these two “problems.”  In the Madoff ponzi scheme, there were warning signs that cropped up - some earlier than others. These included: In 2000, the Securities and Exchange Commission received a letter from an outside money manager which warned of a possible scheme. In 2005, the Bostonian submitted an 18-page document to the SEC citing 29 red flags and indicated some level of corruption within Madoff’s investment company. The SEC’s own earlier investigation conducted in 1999, included an acknowledgement that they had received “credible allegations” but these allegations were ignored. So, what were the signs that were in front of us but we simply chose to ignore? Were the portfolios turning over so fast that we could not actually gather statistically valid data to support performance? Since we were selling off the loans, either individually or in bulk, did we ignore the actual risk that was taken by the industry? Were we appropriately monitoring the portfolio growth and performance, utilizing risk reduction and risk avoidance techniques, doing regular rescores and tracking potential behavioral issues? Whether the signs were visible to us or not, the fact remains that they existed in the past and they will likely exist in the future.  As we continue to clean up the mess of our past, we need to consider a few items: What we did in the past will no longer be acceptable going forward. We must change. We must improve. Regulatory pressures will increase and changes will continue to be made. We will not have the luxury of time to respond to these pressures and/or changes. We must act now. What is a financial institution to do?  Well, the worst thing we can do is wait for the regulators to tell us what to do because that is simply too late.  We need to act and act now. Assess the risk management methods that were employed in the past and determine deficiencies. Note the gaps between the historical tools and data sources compared with the updated credit decisioning tools and sources available in the industry. Develop a plan for implementing the new risk reduction methods and tools. Determine the estimated lift and manage/monitor your performance against your estimates. Don’t forget about the new additions to the portfolio. Once you have the existing risk identified, you should make the appropriate adjustments to the product risk parameters and terms and conditions to improve the overall quality of the new portfolio. Overall, the worst thing that we can do is nothing. Remember, “Those who do not remember the past are condemned to repeat it.” George Santayana, a philosopher, essayist, poet, and novelist

How do I know which Red Flags apply to me? The Red Flag guidelines that will apply to you depend on a number of factors including: The types of covered accounts you offer and how those accounts may be opened and accessed Your previous experiences with identity theft In order to determine the applicable Red Flags, you must consider these factors as well as various sources and categories of Red Flags identified in the Guidelines. There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information including a white paper, webinar, data sheet and more.  

There seems to be some ground-laying for follow-on Red Flag compliance guidelines to emerge either pre- or post- May 1, 2009.  Whether they arrive in the form of clarifying statements by the Red Flags Rule drafting agencies, or separate guidelines beyond the current Rule, the ambiguity associated with the current set of parameters leads me to believe that:The door is open for many entities, not clearly called out in the Red Flags Rule as 'covered' to be more formally placed under that umbrella, andA new series of mandates may be on the horizon as the focus on identity theft prevention and, of critical note, consumer protection continues to sharpen.I look at "The President's Identity Theft Task Force Report" (September 2008) as a potential catalyst for the publication of more formal directives around consumer identity theft prevention programs.  While the report currently sits in the form of recommendations, it is likely that some of these recommendations may evolve into more definitive enactments.  Additionally, it's clear that even commercial entities that are potentially not covered by the Red Flag Rule today are called out as still in need of stringent and diligent identity theft prevention measures.  More to follow next time on this report.

The difference between market risk and credit risk By: Tom Hannagan Market risk is different than credit risk. The bank’s assets are mostly invested in loans and securities (about 90% of average assets). These loans and securities have differing interest rate structures – some are fixed and some are floating. They also have differing maturities. Meanwhile, the bank’s liabilities, deposits and borrowings also have differing maturities and interest rate characteristics. If the bank’s (asset-based) interest income structure is not properly aligned with the (liability-based) interest expense structure, the result is interest rate risk. As market rates change (up or down), the bank’s earning are impacted (positively or negatively) based on the mismatch in its balance sheet structure. The bank can offset market risk by purchasing interest rate swaps or other interest rate derivatives. The impact of insufficient attention to interest rate risk can damage earnings and may, again, negatively affect the bank’s capital position. So, ultimately, the bank’s risk-based capital acts as the last line of defense against the negative impact from, you guessed it, unpredictable variability – or “risk.” That is why equity is considered risk-based capital. Good risk management, predicting and risk-based pricing leads to safer earnings performance and equity position.

By: Tom Hannagan In my past postings, we’ve discussed financial risk management, the role of risk-based capital, measuring profitability based on risk characteristics and the need for risk-based loan pricing (credit risk modeling). I thought it might be worthwhile to take one step back and explain what we mean by the term “risk.” “Risk” means unpredictable variability. Reliable predictions of an outcome tend to reduce the risk associated with that outcome. Similarly, low levels of variability also tend to reduce risk. People who are “set in their ways” tend to lead less risky lives than the more adventuresome types. Insurance companies love the former and charge additional premiums to the latter. This is a terrific example of risk-based pricing. Financial services involve risk. Banks have many of the same operational risks as other non-financial businesses. They additionally have a lot of credit risk associated with lending money to individuals and businesses. Further, banks are highly leveraged, borrowing funds from depositors and other sources to support their lending activities. Because banks are both collecting interest income and incurring interest expense, they are subject to market, or interest rate, risk. Banks create credit policies and processes to help them manage credit risk. They try to limit the level of risk and predict how much they are incurring so they can reserve some funds to offset losses. To the extent that banks don’t do this well, they are acting like insurance companies without good actuarial support. It results in a practice called “adverse selection” – incorrectly pricing risk and gathering many of the worst (riskiest) customers. Sufficiently good credit risk management practices control and predict most of the bad outcomes most of the time, at least at portfolio levels. Bad outcomes (losses) that are not well-predicted, and therefore mitigated with sufficient loan-loss reserves, will negatively impact the bank’s earnings and capital position. If the losses are large enough, they can wipe out capital and result in the bank’s failure.

Part 2 Reason one Unfortunately, there is a management issue regarding their transparency with the investment community and/or client base.  Regrettably for the managers and leaders choosing this approach, if this problem persists too long, the organization may choose to rectify with a change in the management and leadership Reason two The solution is both simple and complex.  In simplistic terms, the financial institution must evolve its portfolio risk management reduction techniques and take a more proactive stance.  Both internal and external data exists that can provide significant insight to the portfolio, its trends and potential future loss. Such data sources include: Internal behavioral characteristics (negative changes outside of just delinquencies) High line usage Non sufficient funds frequency & severity (for those borrowers who also have a deposit account with the institution) Deposit account closuresExternal data Regular rescore of the borrowers (both small business and consumer) Derogatory payment trends with other creditors (the borrower may be current with you but for how long?) Judgments or liens Such data can be used to create models for portfolio performance calculating: Delinquency trends by score (as the portfolio trends up or down in the score ranges we can adjust the expected loss rates, delinquency rates, etc.) Within score ranges and based upon other behavioral characteristics, what is the likelihood for charge-off or recovery. The biggest takeaway is that these portfolio management techniques are not new and untested.  Your data provider (such as Experian), has used these techniques and has the data to support the effectiveness.  While we are in trouble, we may find ourselves wanting to keep the “dirty secrets” to ourselves.  Too often such an approach leads to one’s demise.  Seek information, seek help, get control and truly start to move in a positive direction.

“Unprecedented times”, “financial crisis”, “credit crisis” and many other terms continue to be buzzwords that we hear every day.  We are almost becoming desensitized to the terms, yet we feel the impact on a daily basis.  Everyone is waiting for some positive news in the financial services industry and more bad news keeps coming. Each quarter we continue to read about financial institutions claiming that the worst is over. They have recognized the risk in their portfolios through risk assessment, set aside adequate reserves or loan loss allowances and are now ready to turn the corner.  Yet we continue to read about these same institutions coming back with more bad news, more credit losses and a restatement of the assurance that the problems have been recognized. As a result, this financial risk management has brought to light all of the high-risk accounts and the trend will begin to change. Why does this story keep repeating itself? Reason one  Management assesses to what extent the market (both stock market and the client base) will tolerate the level or degree of bad news, recognize losses to that extent and will then work hard to try to correct any known issues before we actually have to report the next quarter.  Unfortunately, this approach simply delays the inevitable and brings into question the risk management practices of the particular institution.  Like the boy who cried wolf, the more times you make a statement and it proves to be false, the less likely you will be believed the next time. Reason two The financial institutions are actually surprised each quarter with a new batch of credit losses.  The institution, its credit management team and workout areas are diligently trying to address the current problem. But, just when they start to see the light at the end of the tunnel, a new batch of credit problems arise.  For the most part, the credit issues still persist in the high-volume, low-dollar credits such as residential mortgages, home equity loans, automobiles, credit cards and small business loans.  Due to the sheer volume of clients/loans, it becomes more difficult to assess what issues may be brewing in the portfolio.  For the large volume, small dollar portfolios, the notion of a pending credit issue comes when the delinquency starts to rise to a delinquency of 60 or 90 days. The real issue is identifying those accounts that are likely to go 60 or 90 days past due and then assess the likelihood that they will go into charge-off. Regardless of the reason, we have a “credibility” problem in addition to a “credit” problem.

It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place.  Yikes!  My guess is that this will not be fully resolved by May 1, 2009.  I see too many disparate opinions out there to think otherwise.  I certainly see both sides.  On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule.  On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009?  Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge.    There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule, I just have to wonder how comprehensive and enforceable compliance will be.  Let me know your thoughts!

During a recent real-time survey of 850 representatives of the financial services industry: only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline. 60 percent said that they had just started to determine their approach to Red Flag compliance.

By: Tom Hannagan Part 3 This post continues my discussion of the reasons for going through the time and trouble to analyze risk-based pricing for loans. I mentioned before that the second general major justification for going through the effort to risk-adjust loan pricing as a normal part of the lending function is financial. I thought it might help put this into perspective by offering rough numbers that relate to risk-adjusted profit performance, bottom line earnings and expand on the premise that risk has a cost. Lending, in the leveraged/banking sense, involves credit risk, market (interest rate) risk and operational risk. The fourth area, the risk of unexpected loss, is covered by capital. Unmitigated risk will eventually impact earnings and common equity.  The question is when and by how much? It’s important to understand that the cost of risk mitigation efforts depend on the various risk characteristics of the bank’s loans and loan portfolio. The differential cost of market risk As an example, a floating rate loan that reprices every month involves little market risk, requiring little if any expense to offset. Compare it to a five-year fixed rate, interest-only loan that involves greater exposure to market risk. That risk costs something to offset. The difference in annualized marginal funding cost ranges widely depending on the steepness of the yield curve on the date the loan is closed. The difference between Federal Home Loan Banks 30-day rates and five-year bullet funding today, for instance, is close to 200 basis points. If risk-based loan pricing models don’t reflect this difference by using a matched marginal funding cost, the bank is voluntarily assuming some or all of the market (or interest rate) risk. Multiply an implied 200 bps risk-based funding cost difference by $100M in average loan balances and the implied annualized additional risk-free funding expense is $2,000,000. Multiply that by the average life of the portfolio to get the full risk-adjusted cost difference that the bank is assuming. And that’s just for the market risk. The implied cost of credit risk A loan with a pass risk rating of ‘2’ involves a lower likelihood of defaulting than a loan with a pass risk rating of ‘4.’ The lower risk (grade 2) loan, therefore, involves less of an Allowance for Loan Lease and Losses reserve requirement and an implied lower provisioning expense than the higher risk (grade 4) loan. Depending on the credit regimen and net loss experience of a given bank, the difference in the implied annualized expected loss due to credit risk could be 40 bps or more. Multiply the implied 40 bps credit risk cost difference by $100M in average loan balances and the implied annualized additional risk-adjusted credit expense is $400,000. Multiply that by the average tenor of the portfolio to get the full risk-adjusted cost difference to the bank. The implied difference in administrative (or operations) expenses These expenses include all mitigated (insured) operational risk. An owner occupied commercial mortgage is normally much less expensive to monitor than a line of credit backing a construction project. Those cost differences often range into several thousand dollars per annum. If, in our example of the $100M portfolio, our average credit is $400K, then we have around 250 loans. These loans multiplied by $3,000 in fully-absorbed annual non-interest expense differences would amount to $750K. A competent risk-adjusted loan pricing effort would take this cost difference into account. Again, multiply that yearly amount by the average life of the portfolio to get the full cost difference that the bank is incurring. In reality, the three sample portfolios above would not overlap perfectly. The total actual assets from the above examples would lie between $100M and $300M. However, the total pretax cost difference of these three sample risk-based costs adds up to $3.15M per annum. The after-tax negative impact on risk-adjusted earnings is therefore about $2M yearly. So, the impact on ROA would be between 2.00% (if the three portfolios overlapped perfectly, for $100M in total assets) down to .67% (if there was no overlap, for $300M in total assets). This is a huge difference in earnings, on a risk-adjusted and fully cost-absorbed basis. Finally, the amount of risk-based capital needed to back loans with differing risk characteristics, for purposes of unexpected loss, can be substantially different. This can be looked at as a difference in the implied cost of capital or in the performance ratio of ROE. In a simple application, the implied required equity might range from say 6% on the lower-risk loans up to 8% for moderate risk (average pass grade risk rating). If the portfolio in question is earning 1% ROA, the difference in risk-based equity would result in an ROE of either 12.5% for the higher risk loans versus 16.7% for the lower risk loans. The differences in fully risk-based ROE, or RAROC, could easily be more dramatic than this. As stated before, if these differences are not “priced” into the loans somehow, the bank is not getting paid for the risk it is incurring or it is charging the lower risk borrowers a rate that pays for the added risk expenses of the higher risk borrowers. The business risk to the bank then becomes losing the better clients over time rather than attracting the riskier deals. An economic look at performance We are not talking in terms of “normal” accounting practices or “typical” quarterly reporting periods. We do use general ledger numbers to start the analysis process by relying on actual balances, rates and maturities. But, GAAP doesn’t address risk. So the risk adjustments are a more “economic” look at performance. Eventually, the risk reduction approach and the GL-based results will even out. The question is not “if” risk will eventually surface, but when and how it will manifest itself in GL results. We’ve seen a lot of this in the news the past eighteen months – and there’s likely more to come as the economy is in a downturn phase. Going through the effort is worth it Once risk is created by making a loan or placing a bet, someone owns it. The reason to go through the effort to price loans (and relationships) on a fully risk-adjusted basis is to understand the impact of risk at the only point in time when you can do something about getting paid for it – at the time the loan is agreed upon. After that, the bank is pretty much along for the ride. Risk-adjusted pricing is smart banking. It not only puts some teeth in the bank’s already existing risk management policies, it is justifiable to the client and it makes sense to most lending officers.

Stephanie Butler, manager of Process Architects, in Advisory Services at Baker Hill, a part of Experian continues from her last post by adding how to get back to the risk management basics. With all that said, what is next?  You’ve learned the lessons and are ready to begin 2009 fresh.  How do you make sure that history does not repeat itself?  Simply get back to the basics by: • Refocusing your lenders The lenders are your first line of defense.  Make sure they understand the importance of accurate, complete information.  Through their incentives, hold them accountable for credit quality.  Retrain them, if necessary, on credit policy, financial analysis, business development, etc. • Creating or enhancing your loan review staff A strong, internal loan review staff is crucial.  They are your second line of defense.  By sampling the entire portfolio on a regular basis, loan review can see trends that an individual loan officer cannot.  Loan review can aid in the portfolio management concentrations,  policy adherence and portfolio growth.  By reporting to either the holding company or credit administration, loan policy review can give an unbiased opinion on the quality of lending and the portfolio. • Bring back the credit department and formally-trained credit analysts For larger commercial loan underwriting requests, it is important to bring back the use of credit analysts and the credit department for in-depth financial analysis, loan write-ups and the discussion of strengths and weaknesses.  Don’t forget to train the credit analysts!  If you don’t feel you have the skill set within your institution for training, there are many good courses that your credit analysts can take.  Remember, this is your bench for future lenders. • Bring accountability back Everyone in your organization is accountable for a specific job or task.  You must hold your entire team, including senior management, accountable for their tasks, roles and the process of risk management. Remember, a lot of lessons were learned in 2008.  The key is not to waste this knowledge going forward.  Don’t keep doing what you have been doing!  Embrace the potential to improve your lending practices, financial risk management, training opportunities and customer satisfaction.  2009 is a new year!