We have talked about: the creation of the vision for our loan portfolios (current state versus future state) – e.g. the strategy for moving our current portfolio to the future vision. Now comes the time for execution of that strategy. In changing portfolio composition and improving credit quality, the discipline of credit must be strong (this includes in the arenas of commercial loan origination, loan portfolio monitoring, and credit risk modeling of course). Consistency, especially, in the application of policy is key. Early on in the change/execution process there will be strong pressure to revert back to the old ways and stay in a familiar comfort zone.  Credit criteria/underwriting guidelines will have indeed changed in the strategy execution. In the coming blogs we will be discussing: • assessment of the current state in your loan portfolio; • development of the specific strategy to effect change in the portfolio from a credit quality perspective and composition; • business development efforts to affect change in the portfolio composition; and • policy changes to support the strategy/vision. More to come.

By: Tom Hannagan For the last 16 months or so, the financial services industry has been indicted, tried, found guilty, sentenced and duly executed for ignoring accepted enterprise risk management practices.  Banks, albeit along with goofy risk ratings agencies, lax regulators, and greedy leveraged investors, have been blamed for abandoning normal and proper credit risk behavior and lending to many who did not meet basic debt servicing capability. After things went terribly wrong in capital and liquidity markets, followed by a now-official recession in the “real” economy, banks have tightened lending standards.  (See my blog posted November 13th for more about tightened lending.)   Now, following the TARP capital infusion, the press and Congress seem very upset that banks aren’t rapidly expanding their lending, or even moderating their credit risk regimen.  This dismay, with the lack of an immediate expansion of credit granting, occurs in the face of what the same press and most politicians refer to as the greatest economic meltdown since the Great Depression.   Granted, banks are historically easy whipping boys, but they now seem damned for what they did and damned if they don’t do some more of it. Although suffering in many ways, most banks are still for-profit organizations. Contrary to popular belief, they also actually have credit policies and processes that are aimed at responsible credit risk management – at least for the loans they intend to keep on their own books. Average management intelligence would dictate being cautious in the middle of an economic downturn.   The TARP capital infusion is a sudden large windfall of new equity, like a 20 percent increase for the receiving banks. It begs the question of what to do with it. To grow assets proportionately to the TARP infusion would mean a very rapid (circa plus 30 percent) growth in lending in a very short timeframe. Given the prevalence of banks, it would be very difficult for all of them to grow their loan portfolios this fast even in a good economy.   Most banks do not need TARP funds to survive in the short term. And the weakest banks are not supposed to be granted TARP funds. This is like a steroid shot into the natural process of bank consolidation. It’s obvious that the stronger banks, now infused with hot capital, are using TARP funds to acquire other banks. In many cases the acquired banks have weaknesses that they could not likely overcome on their own. So, the TARP funds are addressing the over-banked state of the financial industry and probably offsetting what would otherwise have been a drain on the Deposit Insurance Fund. I maintain that this is a good, if unintended, outcome for both the industry and the taxpayers.   I’ve heard and read comments (by people who should know better) that the hoarding of TARP funds is aiding bank earnings. Some say that those earnings are protected by TARP because it offsets credit losses. This is an accounting absurdity. The TARP will only help bank earnings if and when it is deployed successfully. This, in turn, requires two things to take place: 1) leveraging up the new capital with other sources of funds; and 2) successfully investing the proceeds in assets that provide a decent risk-adjusted return. In any event, whenever a new amount of risk-based capital comes into the equity account, the ROE will suffer for a while.   Another kind of issue with TARP, even if it isn’t needed or desired by a healthy bank, is the stigma associated with not getting it. The few banks in this category have had to go out of their way to explain why they didn’t go for it. There is a concern that, even if it really isn’t needed, a bank will be at a cash and balance sheet disadvantage in the big fish eating the little fish game.   Finally, who asked for TARP to be created? Bear and Lehman went down. Merrill was rescued. Countrywide went down early and WAMU went later. Citi is now on both a heart-lung machine and dialysis. A bunch of the big boys got killed or were in serious trouble. But not all of them. And, several of them reportedly had to be coerced into taking their share of the first $125 billion. Everyone else pretty much observed the circus on Wall Street and Capital Hill.   So, policy makers, make up your mind.  Do you want banks exercising sound credit risk management practices or not?  Do you want industry consolidation or don’t you?  Do you want sounder banks to acquire relatively weaker ones or would you rather see the FDIC pick up the pieces later?  Do you want to dictate how and when private organizations allocate risk-based capital or not?  A little clarity would be appreciated.  After all, TARP was your idea.  It wasn’t requested by the industry at large. And the flow through to businesses and consumers will take a while. Sorry. It’s in everybody’s best interest that good risk management processes prevail at this time (and always) -- in granting and pricing credit, and in managing available capital. The lack of same helped get us all to this point.

In my last blog, I talked about the overall need for a vision for your loan portfolio and the similarity of a loan portfolio to that of an investment portfolio.  Now that we have that vision in place, we can focus on the overall strategy to achieve that vision. A valuable first step in managing an investment portfolio is to establish a targeted value by a certain time (say, our targeted retirement age).  Similarly, it’s important that we establish our vision for the loan portfolio regarding overall diversification, return and risk levels. The next step is to create a strategy to achieve the targeted state.  By focusing on the gaps between our current state and the vision state we have created, we can develop an action plan for achieving the future/vision state.  I am going to introduce some rather unique ideas here. Consider which of your portfolio segments are overweight?  One that comes to mind would be the commercial real estate portfolio.  The binge that has taken place over the past five plus years has resulted in an unhealthy concentration of loans in the commercial real estate segment.  In this one area alone, we will face the greatest challenge of right-sizing our portfolio mix and achieving the appropriate risk model per our vision. We have to assess our overall credit risk in the portfolios next.  For small business and consumer portfolios, this is relatively easy using the various credit scores that are available to assess the current risk.  For the larger commercial and industrial portfolios and the commercial real estate portfolios, we must employ some more manual processes to assess risk.  Unfortunately, we have to perform appropriate risk assessments (current up-to-date risk assessments) in order to move on to the next stage of this overall process (which is to execute on the strategy). Once we have the dollar amounts of either growth or divestiture in various portfolio segments, we can employ the risk assessment to determine the appropriate execution of either growth or divestiture. Stick with me on this topic because in my next blog we will discuss appropriate risk assessment methodologies and determine appropriate portfolio distributions/segmentations.

By: Tom Hannagan I was hoping someone would ask about this. Return on Equity (ROE) is generally net income divided by equity, while Return on Assets (ROA) is net income divided by average assets. There you have it. The calculations are pretty easy. But, what do they mean? ROA tends to tell us how effectively an organization is taking earnings advantage of its base of assets.  This used to be the most popular way of comparing banks to each other -- and for banks to monitor their own performance from period to period. Many banks and bank executives still prefer to use ROA…though typically at the smaller banks. ROE tends to tell us how effectively an organization is taking advantage of its base of equity, or capital. This has gained in popularity for several reasons and has become the preferred measure at larger banks. One huge reason for the growing popularity of ROE is, simply, that it is not asset-dependent. ROE can be applied to any line of business or any product. You must have “assets” for ROA, since one cannot divide by zero. This flexibility allows banks with differing asset structures to be compared to each other, or even for banks to be compared to other types of businesses. The asset-independency of ROE also allows a bank to compare internal product line performance to each other. Perhaps most importantly, this permits looking at the comparative profitability of lines of business like deposit services. This would be difficult, if even possible, using ROA. If you are interested in how well a bank is managing its assets, or perhaps its overall size, ROA may be of assistance. Lately, what constitutes a good and valid portrayal of assets has come into question at several of the largest banks. Any measure is only as good as its components. Be sure you have a good measure of asset value, including credit risk adjustments. ROE on the other hand looks at how effectively a bank (or any business) is using shareholders’ equity. Many observers like ROE, since equity represents the owners’ interest in the business. Their equity investment is fully at risk compared to other sources of funds supporting the bank. Shareholders are the last in line if the going gets rough. So, equity capital tends to be the most expensive source of funds, carrying the largest risk premium of all funding options. Its deployment is critical to the success, even the survival, of the bank. Indeed, capital allocation or deployment is the most important executive decision facing the leadership of any organization. If that isn’t enough, ROE is also Warren Buffet’s favorite measure of performance. Finally, there are the risk implications of the two metrics. ROA can be risk-adjusted up to a point. The net income figure can be risk adjusted for mitigated interest rate risk and for expected credit risk that is mitigated by a loan loss provision. The big missing element in even a well risk-adjusted ROA metric is unexpected loss (UL). Unexpected loss, along with any unmitigated expected loss, is covered by capital. Further, aside from the economic capital associated with unexpected loss, there are regulatory capital requirements. This capital is left out of the ROA metric. This is true at the entity level and for any line-of-business performance measures internally. Since ROE uses shareholder equity as its divisor, and the equity is risk-based capital, the result is, more or less, automatically risk-adjusted. In addition to the risk adjustments in its numerator, net income, ROE can use an economic capital amount. The result is a risk-adjusted return on capital, or RAROC. RAROC takes ROE to a fully risk-adjusted metric that can be used at the entity level and that can also be broken down for any and all lines of business within the organization. As discussed in the last post, ROE and RAROC help a bank get to the point where they are more fully “accounting” for risk – or “unpredictable variability”. Sorry about all of the alphabet soup, but there is a natural progression that I’m pointing to that we do see banks working their way through. That progression is being led by the larger banks that need to meet more sophisticated capital reporting requirements, and is being followed by other banks as they get more interested in risk-adjusted monitoring as a performance measurement. The better bank leadership is at measuring risk-adjusted performance, using ROE or RAROC, the better leadership can become at pricing for all risk at the client relationship and product levels.

We get the following question quite a bit: Would the regulators expect to see a log of detected activity and resulting mitigation? Short answer: The Red Flags Rule does not specifically require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, covered institutions are required to prepare regular reports around the effectiveness of their program.  Additionally, there exists the requirement to incorporate an institution’s own experiences with identity theft when reviewing and updating their program. Long answer: Think now about the value of incorporating robust (and, optimally, transaction level) reporting into your program for a few key reasons: 1. Reporting allows you to more easily and comprehensively create and disseminate board-level reports related to program effectiveness.  These aren’t a bad thing to show a regulator either. 2. Detailed reporting provides you an opportunity to more accurately monitor your program’s performance with respect to decisioning strategies, false positives, false negatives, fraud detection and prevention rates, resultant losses and legitimate costs. 3. The more historic detail you have compiled, the easier it will be to make educated, analytically based, and quantifiable updates to your program over time.  Without this, you may be living and dying with anecdotal decision making….never good. 4. Finally, maintaining program performance data will afford you the ability to work with other service providers in validating their capabilities against known transactional or account level outcomes.  We, at Experian, certainly find this useful in working with our clients to deliver optimal strategies. Thanks as always.

The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009.  According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule.  These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ’financial institution’.” So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order.   While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date.  Here are some ideas to keep in mind along the way: 1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons.  Lack thereof may lead to everyone thinking someone else is keeping tabs. 2. Start setting the stage for a process to update your program based on: a. Your new experiences with identity theft; b. Changes in methods of identity theft; c. Changes in methods to detect, prevent, and mitigate identity theft; d. Changes in the types of accounts you offer or maintain; and e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements. 3. Set up a process for program review at the board level.  Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year.  They must approve any material changes to your program should they occur. 4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s).  There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time. My key message here is that, while there may be lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations.  Best of luck.

It is the time of year during which budgets are either in the works or have been completed.  Typically, when preparing budgets, we project overall growth in our loan portfolios…maybe.  Recently we conducted an informal survey, the results of which indicate that loan portfolio growth is still a major target for 2009.  But when asked what specific areas in the loan portfolio -- or how loan pricing and profitability -- will drive that growth, there was little in the way of specifics available.  This lack of direction (better put, vision) is a big problem in credit risk management today.   We have to remember that our loan portfolio is the biggest investment vehicle that we have as a financial institution.  Yes; it is an investment.  We choose not to invest in treasuries or fed funds -- and to invest in loan balances instead -- because loan balances provide a better return.  We have to appropriately assess the risk in each individual credit relationship; but, when it comes down to the basics, when we choose to make a loan, it is our way of investing our depositors’ money and our capital in order to make a profit.   When you compare lending practices of the past to that of well-tested investment techniques, we can see that we have done a poor job with our investment management.  Remember the basics of investing, namely: diversification; management of risk; and review of performance.  Your loan portfolio should be managed using these same basics.  Your loan officers are pitching various investments based on your overall investment goals (credit policy, pricing structure, etc.).  Your approval authority is the final review of these investment options.  Ongoing monitoring is management of the ongoing risk involved with the loan itself.   What is your vision for your portfolio?  What type of diversification model do you have?  What type of return is required to appropriately cover risk?  Once you have determined your overall vision for the portfolio, you can begin to refine your lending strategy.  I’ll comment on that in my next blog entry.

By: Tom Hannagan In several posts we’ve discussed financial risk management, the role of risk-based capital, measuring profitability based on risk characteristics and the need for risk-based loan pricing (credit risk modeling). I thought it might be worthwhile to take one step back and explain what we mean by the term “risk.”   “Risk” means unpredictable variability. Reliable predictions of an outcome tend to reduce the risk associated with that outcome. Similarly, low levels of variability also tend to reduce risk. People who are “set in their ways” tend to lead less risky lives than the more adventuresome types. Insurance companies love the former and charge additional premiums to the latter. This is a terrific example of risk-based pricing.   Risk goes to both extremes. It is equally impossible to predict who will win a record amount in the lottery (a good outcome) and who will be struck by a meteor (a very bad outcome for the strikee). Both occurrences represent significant outcomes (very high variability from the norm). However, the probability of either event happening to any one of us is infinitesimally small. Therefore, the actual risk is small – not even enough to bother planning for or mitigating. That is why most of us don’t buy meteor strike insurance. It is also why most of us don’t have a private jet on order.   Most of us do purchase auto insurance, even in states that do not require it. Auto accidents (outcomes) happen often enough that actuaries can and do make a lot of good predictions as to both the number of such events and their cost impact. In fact, so many companies are good at this that they can and do compete on their prices for taking on our risk. The result is that we can economically mitigate our individual inability to predict a collision by buying car insurance.   Financial services involve risk. Banks have many of the same operational risks as other non-financial businesses. They additionally have a lot of credit risk associated with lending money to individuals and businesses. Further, banks are highly leveraged, borrowing funds from depositors and other sources to support their lending activities. Because banks are both collecting interest income and incurring interest expense, they are subject to market, or interest rate, risk.   Banks create credit policies and processes to help them manage credit risk. They try to limit the level of risk and predict how much they are incurring so they can reserve some funds to offset losses. To the extent that banks don’t do this well, they are acting like insurance companies without good actuarial support. It results in a practice called “adverse selection” – incorrectly pricing risk and gathering many of the worst (riskiest) customers.   Sufficiently good credit risk management practices control and predict most of the bad outcomes most of the time, at least at portfolio levels. Bad outcomes (losses) that are not well-predicted, and therefore mitigated with sufficient loan-loss reserves, will negatively impact the bank’s earnings and capital position. If the losses are large enough, they can wipe out capital and result in the bank’s failure.   Market risk is different than credit risk. The bank’s assets are mostly invested in loans and securities (about 90% of average assets). These loans and securities have differing interest rate structures – some are fixed and some are floating. They also have differing maturities. Meanwhile, the bank’s liabilities, deposits and borrowings also have differing maturities and interest rate characteristics. If the bank’s (asset-based) interest income structure is not properly aligned with the (liability-based) interest expense structure, the result is interest rate risk. As market rates change (up or down), the bank’s earning are impacted (positively or negatively) based on the mismatch in its balance sheet structure.   The bank can offset market risk by purchasing interest rate swaps or other interest rate derivatives. The impact of insufficient attention to interest rate risk can damage earnings and may, again, negatively affect the bank’s capital position.   So, ultimately, the bank’s risk-based capital acts as the last line of defense against the negative impact from, you guessed it, unpredictable variability – or “risk.” That is why equity is considered risk-based capital. Good management, predicting and pricing for all risks leads to safer earnings performance and equity position.

I’m working with many of our clients in reviewing their existing or evolving Red Flags Identity Theft Prevention Programs.  While the majority of them appear to be buttoned up from the perspective of identifying covered accounts and applicable Red Flag conditions, as well as establishing detection methodologies, I often still see too much subjectivity in their response and reconciliation procedures. Here are a few reasons why the “response” portion of a strong Red Flags Identity Theft Prevention program needs to employ consistent and objective process, decisioning, and actions: 1. Inconsistent or subjectively varied responses and actions greatly reduce the ability to measure process effectiveness over time.  It becomes increasingly difficult for retro-analysis to identify which processes and specific steps in those processes were successful in either positively or negatively reconciling potential fraudulent activity.  Subsequently, it clouds any ability to make effective or necessary changes to specific activities that may not be working well. 2. Examiners may focus heavily on the response portion of your program.  During operational side by sides, or even written program reviews, the less ambiguity and inconsistency identified or perceived, the better.  A quick rule of thumb for any examination: preempt any questions with exhaustive information and clarity.  Examiners that don’t need to ask many, or any, questions are happy examiners. 3. Objective and consistent process allows for more manageable staff training.  It is much easier to educate your staff around a justified and effective uniform process than around intuitive and haphazard procedures and consumer interactions.  It is tough to set expectations with your staff if there are gaping holes in the activities they are expected to execute. 4. Customer experience will certainly be more positive, and less of a worry for managers, as inequity of treatment is removed from the equation.  It is better to have each customer progress through similar steps toward authentication than varied ones from the perspective of time, perception, effectiveness, and convenience.   Now, certainly, a risk-based approach allows for varied treatment based on that risk.  The point here is more toward the need to apply those varied techniques consistently. 5. Social engineering.  Fraudsters are pretty good at figuring out if an operational process is open to interpretation and manipulation.  They’ll continue to engage in a process with the goal of landing with the right associate who may be following a more easily penetrable fraud detection method.  Bottom line: keep the walls around your business the same height throughout. Until next time, best of luck as you continue to develop and improve your Red Flags programs.

The pendulum has definitely swung back in favor of the credit discipline within financial institutions. The free wheeling credit standards of the past have proven once again to be problematic. So, things like cost of credit, credit risk modeling, and scoring models are back in fashion. The trouble that we have created is that, in an effort to promote greater emphasis on the sales role, we centralized the underwriting function. This centralization allowed the sales team to focus on business development and underwriting, on credit. The unintended result, however, is that we removed the urgent need to develop credit professionals. Instead, we pushed for greater efficiencies and productivity in underwriting -- further stalling any consideration for the development of the credit professional.   Now we find ourselves with more problem credits than we have seen in the past 20 years and the pool of true credit professionals is nearly gone.   Once this current environment is corrected, let's be sure to keep balance in mind. Again, soundness, profitability and growth -- in that order of priority.

As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc...this question has come up over and over again.  You’d think by now I’d have a simple, clever, and strategically created product name to throw out there.  Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue.  So, why didn’t we just rename them under the Red Flag brand?  Because honestly, that would border on irresponsibility.  Let me explain briefly… If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of: • Identifying Red Flags applicable to covered accounts and incorporating them into the Program; • Detecting and evaluating the Red Flags included in the Program; • Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and • Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft. You read in these requirements words like “applicable” and “appropriate” and “degree of risk.”  You don’t read words like “use this tool” or “detect this specific set of conditions.”  My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant.  These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost.  That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors. We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit.  Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that.  As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective.  Examiners will be looking at your programs, not your service provider.  Be sure to collaborate with your partners to meticulously apply the best solution.  At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID SM consumer authentication platform to our Fraud Shield SM risk warning product.  Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once….not twice.

By: Tom Hannagan In previous posts, we’ve dealt with the role of risk-based capital, measuring performance based on risk characteristics and the need for risk-based loan pricing. What about risk mitigation? Some of the greatest sins of the financial industry in the current malaise have been the lack of transparency, use of complex transactions to transfer risk and the creation of off-balance-sheet entities to house dodgy investments. Much has been made of the role of Credit Default Swaps (CDSS) as one of the unregulated markets (and therefore guilty parts) of the current credit meltdown. The regulatory agencies and the media are aghast at the volume (peak of some $62 trillion in notional value) of CDSS that have resulted from a totally private market. The likes of Lehman Brothers, Bear Sterns and AIG were all big issuers of CDSS. And the trillions of notional value of open CDSS is as much as 100 times the underlying value of the actual debt being insured. There are problems here, but it may be worth clarifying the useful risk management activities from the potentially abusive excesses involving such instruments. CDSS are derivative contracts whereby one party buys credit protection from a counterparty. The buyer pays a premium to the seller either in a lump sum or periodically over the life of the contract. If a credit event such as a default on a loan or a bond occurs, the seller of the CDSS pays the holder for the loss or purchases the initial debt, the reference obligation, at a pre-set price.  So, a CDSS is in effect a put option that is deep-out-of-the-money. They expire upon termination and most are never exercised. They are subject to fair-value accounting and can change in value from month to month as the credit markets premiums for similar cover moves up or down. Banks and others can use CDSS to, in effect, adjust the nature of credit risk in their portfolios by both buying and selling such contracts. Asset securitizations, whether mortgage-backed securities or other formulations, are in fact broken-down and re-packaged forms of assets that can be sold -- transferring certain rights, values and risk to another party for payment received. They are complex and therefore mostly opaque to the general public and even many practitioners. They often involve the use of special purpose entities or trusts that can further confuse investors. These tactics have added to the difficulty of the credit crisis and the collapse of capital markets. But, CDSS are contingent in nature and act more like fire insurance or a back-up data center. Such operational expenses are intended to control risks. The accounting treatment is complex and, to an extent (especially as regards the tax treatment), still not well defined by accounting authorities. For most banks, and most CDSS contract, the premium is amortized over the life of the contract. The premium expense entry in their general ledgers is an expense of doing business that is intended to alleviate some credit risk. We are now talking about a covered CDSS, where the bank has extended credit or invested in a debt instrument. Those who purchased uncovered CDSS are gambling on a default occurrence and used CDSS as a more cost-effective (and secretive) alternative to shorting securities. It is somewhat like a naked short. So, a covered CDSS is ultimately an expense associated with protecting the net asset value of a credit transaction. Importantly, this expense should be included in any performance analysis or pricing of the risk-adjusted profitability of the credit obligation and/or client relationship involved. This risk mitigation exercise may be in lieu of a higher required rate or fee on an otherwise uncovered/unmitigated credit transaction, or being satisfied with a lower risk-adjusted return where the bank assumes (self-insures) all of the credit risk. CDSS quotes/costs, similar to rate spreads on corporate bonds, are the open market’s current feeling regarding an entity’s credit quality or relative probability of default. There are some 400 or so participants in the CDSS market, including writers and dealers. Market data is published for many obligations. Even the previously risk-free Treasury securities now have CDSS quotes – and they have gone up considerably in recent months. It is always the buyers’ responsibility to decide if the quoted prices make sense or not and how such quotes should be used in evaluating credit and negotiating lending opportunities in addition to whether or not to purchase this insurance. Finally, the quality of the seller is a consideration. There is no good reason to buy fire insurance from someone that might not be able to pay for your building if it burns down. CDSS have been private party transactions and, as stated earlier, there have been solvency problems with some of the sellers of such instruments. There is now a move under way to create a central exchange for such transactions with both regulations governing the sellers, more standardized contracts and financial backing of the instruments from the exchange. Such an exchange will address both the transparency of the process and the efficiency of market prices. Risk mitigation strategies (risk-based pricing, portfolio risk management, credit risk modeling, etc.) need to be carried out thoughtfully. If something sounds too good to be true, it deserves a deeper look. Your bank’s credit regimen may well be better at evaluating default probability than a marketplace that is prone to feed on its own fears. But, CDSS “insurance” quotes are an outside point of reference and an option to mitigate some credit risk…no pun intended. Here are two interesting sources of information: *  BNET Business Network * Georgetown University -- Law Center

Just as with diet recommendations, moderation needs to be the new motto for credit risk management.  Diets provide for the occasional bag of chips or dessert after dinner, but these same food items become problems if the small quantity or occasional indulgence suddenly becomes the norm.   Similarly, we, in our risk management efforts, put forth guidelines that establish limitations on certain loan types or categories that have been deemed risky should the numbers or quantity become too large a part of the overall portfolio.  Unfortunately, we have a tendency to allow earnings or portfolio growth to cloud our judgment and take an attitude of “just one more.”   In the past several years, we have experienced excesses in commercial real estate, residential development and subprime mortgages.  It is now these excesses that are creating the problems that we are dealing with today.   Bringing back these limitations – in other words, reestablishing the discipline in our portfolio risk management – will go a long way in avoiding these same problems in the future.   As I learned early in my banking career:  “…soundness, profitability and growth…in that order.”

By: Tom Hannagan The problem in the 2005 to 2007 home lending frenzy was not just granting credit to anyone who applied. It was giving loans to everyone at essentially the same price range regardless of normal credit risk scrutiny.   While “selling” financial services may be largely an art form, appropriate risk-based pricing is more of a science.   Although the financial press seemed to have discovered sub-prime lending in the last year or so, such high-risk lending isn’t new at all. It has been (and is still being) done since finance and money were invented. And, importantly, sub-prime lending has been done profitably by many lenders all along.  The secret to their success, not surprisingly, has always been risk-based pricing -- even if they didn’t call it that until recent times.   Sub-prime funding has been available in many forms and from many sources. Providers range from venture capitalists to pawn shops. It includes pay-day lenders, micro loans, tax refund loans, consumer finance companies, and even dates to Shakespeare’s merchant of Venice.   We often hear complaints that the effective rates (prices) on loans from such sources are unfairly high and predatory. The cost of that credit is high, but so is the risk of that credit. Without these kinds of sources, and their high rates, there would not be any credit granted from for-profit sources to high-risk borrowers.   Listed firms that regularly provide pay-day loans or cash advances to sub-prime borrowers have very high gross margins and very high credit charge-offs, compared to banks. They also have much higher risk-based capital (or equity) positions that range from 40 percent to 60 percent of their average assets. This risk-based capital burden is much higher than the 8 to 10 percent found at commercial banks. So the sub-prime lenders have a significantly larger capital cushion than banks. Most of these financial results and ratios are examples of successful risk management where the credit risks are identified, managed, priced and backed by sufficient capital.   Then…along came the rose-colored greed of the housing bubble that resulted in aggressive building and selling of homes, loan originations to all (no-down, no-income, no-assets, no-problem mortgages), securities packaging and attractive ratings, and global leveraged investing -- all by prime-oriented entities and all at prime-oriented prices. Well, obviously, it didn’t work.   Risk-based pricing of mortgages would have dissuaded many home buyers to begin with… but what would we have done with all of those shiny new homes? Realistic credit models (that took into account a full credit cycle and a huge proportion of sub-prime credits) would not have rated mortgage-backed securities as AAA. Regulators that were still focused on earnings correctness (the last major snafu) should have been looking into realistic net asset values. And highly compensated investment bankers, with 30-to-1 leverage ratios, would not have gone overboard with intuitively dodgy investments. Few of these players took risk management seriously.   The new danger is that banks are doing the whole thing in reverse. They are tightening lending standards -- which is, of course, a euphemism for shutting off credit. The danger has nothing to do with so-called credit standards. It’s the general over-reaction of shutting off credit to all borrowers, again, without regard to relative risk. The latest Federal Reserve Board survey of senior loan officers paints a picture of rapid tightening to record levels.   We feel that credit standards should always improve AND that loan pricing should always proportionately reflect risk-adjusted rates and terms. Opening the flood gates and then slamming them shut is a very pro-cyclical behavior pattern on the part of bankers that doesn’t reflect a measured approach, borrower-by-borrower, using reasonable risk management at the client relationship level.

One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected.  These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction.  For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction.  In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.  Detection of Red Flag conditions is literally only half the battle.  In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions.  A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship.  Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies).  A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft. Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.