By: Joel Pruis When the OCC put forth the supervisory guidance on model risk governance the big focus in the industry was around the larger financial institutions that had created their own risk models.  The overall intent to make sure that the larger financial institutions were properly managing the risk they were assuming through the use of the custom risk models they had developed.  While we can’t say that this model risk governance was a significant issue, the guidance provided by the OCC is intended to provide financial institutions with the minimum requirements for model risk governance. Now that the OCC and the Federal Reserve have gone through the model risk governance reviews for the largest financial institutions in the US, their attention has turned to the rest of the group.  While you may not have developed your own custom scorecard model, you may be using a generic scorecard model to support your credit decisions either for loan origination and/or portfolio management.  As a result of the use of even generic scorecards and models, you do have obligations for model risk governance as stated in the guidance.  While you may not be basing any decisions strictly on a score alone, the questions you have to asking yourself are: Does my credit policy or underwriting guidelines reference the use of a score in my decision process? While I may not be doing any type of auto-decision, do I restrict any credit authority based upon a score? Do I adjust any thresholds/underwriting guidelines based upon a score that is returned?  For example, do I allow a higher debt to income if the score is above a certain level? How long have you been using a score in your decision processes that may have become a significant influence on how you decision credit? As you can see from the questions above, the guidance covers a significant population of the financial institutions in the US.  As a result, some of the basic components that your financial institution must demonstrate it has done (or will do) are: Recent validation of the scorecard against your portfolio performance Demonstration of appropriate policy governing the use of credit risk models per the regulation Independence around the authority and review of the model risk governance and validations Proper support and documentation from your generic scorecard provider per the guidance. If you would like to learn more on this topic, please join me at the upcoming RMA Annual Risk Management Conference where I will be speaking on Model Validation for Community Banks on Monday, Oct. 27, 9:30 a.m. – 10:30 a.m. or 11 a.m. – 12 p.m. Also, if you are interested in gaining deeper insight on regulations affecting financial institutions and how to prepare your business, download Experian’s Compliance as a Differentiator perspective paper.

Card-to-card balance transfers represent a substantial profit opportunity for lenders.

By: Maria Moynihan Mobile devices are everywhere, and landlines and computer desktops are becoming things of the past. A recent American Marketing Association post mentioned that there already are more than 1 billion smartphones and more than 150 million tablets worldwide. As growth in mobile devices continues, so do expectations around convenience, access to mobile-friendly sites and apps, and security. What is your agency doing to get ahead of this trend? Allocating resources toward mobile device access and improved customer service is inevitable, and, arguably, investment and shifts in one of these areas ultimately will affect the other. As ease of information and services improves online or via mobile app, secure logons, identity theft safeguards and authentication measures must all follow suit. Industry best practices in network security call for advancements in: Authenticating users and their devices at the point of entry Detecting new and emerging fraud schemes in processes Developing seamless cross-checks of individuals across channels Click here to see what leading information service providers like Experian are doing to help address fraud across devices. There is a way to confidently authenticate individuals without affecting their overall user experience. Embrace the change.      

According to a recent 41st Parameter® study, 85 percent of consumers use online or mobile channels to conduct business.

In a recent webinar, we addressed how both the growing diversity of technology used for online transactions and the many different types of access can make authentication complicated. Technology is ever-changing and is continually reshaping the way we live. This leaves our industry to question how device intelligence factors into both the problem and solution surrounding diverse technologies in the online transaction space. Industry experts Cherian Abraham from the Experian Decision Analytics team and David Britton from 41st Parameter, a part of Experian, weighed in on the discussion. Putting It All Into Context Britton harkened back to a simpler time of authentication practices. In the early days of the web, user names and passwords were the only tools people had to authenticate online identities. Eventually, this led organizations to begin streamlining the process. “They did things like using cookies or placing files onto a computer so that the computer would be “known” to the business,” said Britton. However, those original methods are now struggling to fit into the modern-day authentication puzzle. “The challenge has been that for both privacy reasons and for the advancements of technology we have actually moved to a more privacy-centric environment where those types of things have fallen away in terms of their efficacy.  For example, cookies are often easily deleted by simply browsing incognito. So as a result there’s been a counter move approach to how to authenticate online,” said Britton. New Technology – A Quick Fix? Don’t be fooled. Newer technologies cannot necessarily provide an easy alternative and incorporate older authentication methods. Britton referenced how the advent of mobile has actually made recognizing the consumer behind the device, the behavior of the machine and the data that the consumer is presenting even more complex. Additionally, rudimentary methods of authentication don’t actually exist well in the mobile environment. On the other hand, newer technologies and the mobile environment force a more layered approach to authentication methods. “There is a better way and the better way is to look at a variety of other inspirations beyond user names and passwords before vindicating the customer. This is all the more evident when you get to newer channels such as mobile where consumer expectations are so different and you cannot rely on the customer having to answer a long stream of characters and letters such as a user name or a password,” said Abraham. Britton weighed in as well on device intelligence and the layered approach. “Our whole philosophy around this has been that if you can recognize aspects of the device in the form of device intelligence – we’re able to actually leverage that information without crossing the boundaries of good privacy management. Furthermore, we are then able to say we recognize the attributes of the device and can recognize the device as that person is attempting to come back into an environment,” said Britton. He emphasized how being able to help companies understand who might be on the other end of the device has made a world of difference. This increasingly points to how authentication will continue to evolve in a in a multi-device, multi-screen and multi-channel environment. For more information and access to the full webinar – Stay tuned for additional #fraudlifecycle posts.

Auto loan originations reached $153 billion in Q2 2014, which was a 16 percent increase over the same quarter last year. While the largest contribution came from captive auto lenders at $47 billion (a 14 percent increase), credit unions experienced the largest year-over-year increase of 35 percent, with originations reaching $37 billion in the latest quarter. As auto loan originations continue to grow, lenders can stay ahead of the competition by using advanced analytics to target the right customers and increase profitability. Learn how your automotive portfolio compares through the peer-benchmarking capabilities of IntelliViewSM, and view sample reports by industry. Source: Access the latest credit trends with Experian's IntelliView.

Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security—and that should be all business. First, the good news: more companies are acting to address data breach risks. The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012. And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach. Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures. Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach: A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats. About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs. Only 29 percent of companies involve the CEO in dealing with security risks. Nearly three-quarters don’t have cyber insurance policies. Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident. Less than a third had SIEM systems to facilitate early detection of an incident. 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices. Those who have made provisions don’t necessarily feel more secure because of them: 62 percent don’t feel their organizations are prepared to respond to a data breach. 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators. Just a quarter were confident they could communicate about a breach and manage customer needs. 40 percent worry about the potential for a third party losing their data. Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns. As to post-breach response, we are pleased to see however that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach. Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis.  It’s also important to secure external partners such as legal counsel and a public relations firm, and make a selection of a quality identity protection product to offer affected customers ahead of time.  When a breach occurs, the complete response team and moving parts are ready to allow for a quick and smooth response. Learn more about our Data Breach solutions

According to a recent Experian Data Quality study, three out of four organizations personalize their marketing messages or are in the process of doing so.

Fraud is not a point-in-time problem and data breaches should not be considered isolated attacks, which break through network defenses to abscond with credentials. In fact, data breaches are just the first stage of a rather complex lifecycle that begins with a vulnerability, advances through several stages of validation and surveillance, and culminates with a fraudulent transaction or monetary theft. Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMSishing and Vishing attacks, malware, and the like are all attempts to thwart security and access-protected information. Criminal tactics have even evolved to include physical-world approaches like infiltrating physical call centers via social engineering attacks aimed at unsuspecting representatives. This, and similar efforts, are all part of the constant quest to identify and exploit weaknesses in order to stage and commit financial crimes. There are some companies that claim malware detection is the silver bullet to preventing fraud. This is simply not the case. The issue is that malware is only one method by which fraudsters may obtain credentials. The seemingly endless supply of pristine identity and account data in the criminal underground means that detecting a user’s system has been compromised is akin to closing the barn door after the hose has bolted. That is, malware can be an indicator that an account has been compromised, but it does not help identify the subsequent usage of the stolen credentials by the criminals, regardless of how the credentials were compromised. Compromised data is first validated by the seller as one of their “value adds” to the criminal underground and typically again by the buyer. Validation usually involves logging into an account to ensure that the credentials work as expected, and allows for a much higher “validated” price point. Once the credentials and/or account have been validated, cyber criminals can turn their attention to surveillance. Remember, by the time one realizes that credential information has been exposed, cyber criminal rings have captured the information they need – such as usernames, passwords, challenge responses and even token or session IDs – and have aded it to their underground data repositories. with traditional online authentication controls, it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials. That is why it is critical to operate from the assumption that all account credentials have been compromised when designing an online authentication control scheme.

Consumer debt for every major consumer lending category has decreased over the past few years, except for student loans.

I have heard from a few creditors that when it comes to allocating accounts to collection agencies for recoveries creating a rule based strategy isn’t always in the cards. When clients use multiple collection agencies their ability to allocate accounts to the different agencies based on rule based strategies isn’t always available.  Some have a single setting on a billing or assignment system that indicates the account is to be assigned to Collection Agency X versus Collection Agency Y, and there is no easy method to make that assignment based on a true strategy.  Worse yet, it is often difficult to impossible to reassign that account from Collection Agency X to Collection Agency Y if the account status or risk level changes.  This means that their use of multiple collection agencies is not as “optimized” as it could be if a scripting or rule based tool was available to the business user.   Optimizing assignments means that the account is initially as well as subsequently assigned to the right agency at the right time based on its type, risk, history, balance, status and other circumstances to maximum recoveries.   This approach can make a significant difference in the recovery of bad debt. Furthermore, test results or allocations should be displayed after a script has been entered.  This usually provides a “what if” on collection agency assignments displaying the number or dollar value assigned if the rule was implemented.  That way you know if the script is correct (ballpark allocation seems reasonable), and if the allocation to any particular agency is within policy limits by dollar amount or number of accounts. Do you believe that you are optimizating your allocations to the agencies you use?  Do you have the tools you need to effectively assign each account to the right agency? Experian can help with its agency allocation and management solutions through Tallyman Agency Allocation. Learn more about our Tallyman Agency Allocation software. 

HELOC originations grew 27 percent year over year in Q2 2014.

By: Maria Moynihan As consumers, we expect service, don’t we? When service or convenience lessens or is taken away from us altogether, we struggle to comprehend it. As a recent example, I went to the pharmacy the other day and learned that I couldn’t pick up my prescription since the pharmacists were out to lunch. “Who takes lunch anymore?” I thought, but then I realized that too often organizations limit their much needed services as a cost-saving measure. Government is no different. City governments, for instance, may reduce operating hours or slash services to balance budgets better, especially when collectables are maxed out, with little movement. For many agencies, reducing services is the easiest way to offset costs. Often, municipalities offset revenue deficits by optimizing their current collections processes and engaging in new methods of revenue generation. Why then isn’t revenue optimization and modernization being considered more often as a means to offset costs? Some may simply be unsure of how to approach it or unaware of the tools that exist to help. For agencies challenged with collections, there is an option for revenue assurance. With the right data, analytics and technologies, agencies can maximize collection efforts and take advantage of their past-due fines and fees to: Turn stale debt into a new source of revenue by determining the value of their entire debt portfolio and evaluating options for a stale assets sale Reduce delinquencies by better assessing constituents and businesses at the point of transaction and collecting outstanding debt before new services are rendered Minimize current debt by segmenting and prioritizing collection efforts through finding and contacting debtors and gauging their capacity to pay Improve future accounts receivable streams by identifying the best collectable debt for outsourcing What is your agency doing to offset costs and balance budgets better? See what industry experts suggest as best practices for collections, and generate more revenue to keep services fully in place for your constituents.

Collection agencies provide reports with respect to their performance and collection activities.  Depending on which system the agencies are using and the extent it has been modified, the reports may look similar, but then again the data and format may be completely different.   Finding the common data and comparing the performance of two or more agencies may become a daunting, manual task. Agency management systems have solved that problem by bringing back performance, activity and other data from the agencies back into a common reporting database.  This allows for easy comparison through tables and calculations via common data elements.  The ability to truly compare data in this way allows for a more analytical “champion/challenger” approach to managing collection agencies.  The key to champion/challenger is the ability to easily compare the performance of one or more agencies using like accounts placed at the same time.  Tracking allocations of accounts which fall into the same placement strata, split between agencies on the same allocation, makes it easy to compare recoveries of discrete, similar “sample data sets” over time for a more true comparison.  These results should lead to the allocation of more accounts of similar types to the champion, less to the challenger. Do you have the systems you need for a champion/challenger approach with respect to your collection agencies?  Experian can help with its agency allocation and management solutions through Tallyman Agency Allocation. Learn more about our Tallyman Agency Allocationsoftware. 

By: Mike Horrocks A recent industry survey was published that called out the number one reason that lenders were dissatisfied or willing to go to another financial institution (and take their book of business with them) was not compensation.  While, compensation is often thought of as the number one driver for this kind of change in your bench of lenders, it had much more to do with being able to serve customers efficiently. One of the key reasons that lenders were unhappy was that they were in a workflow and decisioning process where the lender could not close loans on time, putting stress on the loan officer's relationships and destroying borrower confidence.  Thinking of my own experiences as a commercial lender, my interactions with the private bankers, branch managers, and lenders that served every kind of customer, I would absolutely have to agree with this study.  Nothing is more disheartening then working on bringing in a client, and then having the process not give me a response in the time that my clients are expecting or that the completion is achieving. Automation in the process is the key.  While lenders still will need to be engaged in the process and paying attention to the relationship, it can be significantly refocused to other parts of the business.  This leads to benefits such as: Protecting the back office and the consistence of booking and servicing loans. Ensuring that the risk appetite is consistent for the institution for every deal. Growing a portfolio of loans that can and will adhere to sound portfolio management techniques. So how is your process supporting lenders?  Are you automating to help in areas that give you a competitive advantage with robust credit scores, decision strategies or risk management solutions that are helping close deals quickly or are you requiring a process that is keeping them from bringing more customers (and profits) in the door? Henry Ford is credited to say, “Coming together is a beginning. Keeping together is progress. Working together is success.”   Take a closer look at your lending process.  Do you have the tools that help bring your lenders, your customers, and your organization together?  If you don’t you may be losing some of your best talent for loan production at a time when you can least afford it.