Part 1

In my last three posts, we have covered the key parts of how risk-based loan pricing works. We have discussed how the key foundational elements involved in risk-adjusted loan pricing can and should relate to the bank’s accounting results and strategic policies. We went from the pricing analysis of an individual loan on a risk-adjusted basis to solving for a bank-wide target or guideline return. We also mentioned how this analysis can be expanded to the client relationship level, producing both a relationship management view of any existing loans and a view of how pricing a renewal or new credit affects the client-level return. Finally, I mentioned that although this capability can exist (and does in more banks than ever before), it isn’t an easy undertaking in an industry that is historically keyed to volume goals rather than transaction profit (let alone risk-adjusted profit).

So, why go through the effort? Moving to a risk-adjusted view of lending and relationship management requires serious thought, effort and resolve. It involves change and teaching lenders a new trick. It even suggests that the lending executive (perhaps the next president of the bank) hasn’t been doing the best job possible to protect and advance the bank’s margins. Any new undertaking involves management risk. And, accurate or not, bank executives are not generally viewed as terrific change agents. Is this concept of risk-based pricing worth all the time and trouble? We think so – for two general reasons.

Corporate governance
Almost any business, if not any undertaking of any kind, involves risk to some degree. Finance in general, and commercial banking, specifically, involves several kinds of risk. The most obvious risk is repayment or credit risk. Banks have been lending money successfully for a long time. The funny thing is that often, when we’ve studied the actual loan rates of a bank’s portfolio versus the bank’s own risk ratings (or risk grades), we see almost no difference in loan pricing. The banks have credit policies that discuss the different ratings in some detail. And, the banks usually have some sort of provisioning process or ALLL (Allowance for Loan and Lease Losses) logic that uses these differences in risk rating. Loan review guidelines often use the differences in risk rating to gauge the review frequency and depth.

So, the banks know what’s going on. They know that a higher risk borrower/loan is less likely to be repaid in full than a lower credit risk borrower/loan. But, the lending operation goes on as if they were all about the same. There seems to be a disconnect (kind of like when my arms and brain disconnect when I swing a golf club). I know if I slow down I’ll hit a better shot, but I still swing way too fast. It seems to me that since the bank has all of these terrific policies in place dealing with credit risk, that good governance would require that credit risk be reflected more fully when loans are marketed, negotiated and agreed to – rather than just when they go awry.

I would make the same general argument for management consistency associated with other risk types. If the loan duration is longer, good governance would reflect (pay for) a realistic marginal funding cost of the same duration. This would help to align the loan pricing effort with the guidelines or policies associated with ALCO or Asset and Liability Policy Committee and Interest Rate Risk (IRR) management. If a loan involves higher or lower risk of unexpected loss based on loan/collateral type and risk rating, then the risk capital associated with the loan should vary accordingly. The risk-based allocation of capital will then require different pricing in order for the loan to hit a targeted return. This protection of return, on a risk-adjusted basis, is the final step in good governance – in this case, to protect the shareholders’ specific contribution (of their equity) to funding the loan in question.

Finally, if I were a director, regulator or an auditor (again), and I reviewed all of these fine policies related to risk management, and did not see them reflected in deal pricing, I would have to ask, “why?” It would seem that either executive management doesn’t really believe in their own policies, or they are willing to set them aside when negotiating deals for the added business. Maybe loan management doesn’t want to be bothered by the policies while they’re out there in the “real world” fighting for added loan volume. Either way, there seems to be a governance disconnect, which, I know on the golf course, leads to lost balls and unnecessarily poor scores.

My second major reason will follow in my next blog.


Part 1

Risk-based pricing starts as a product-level reflection of a bank’s financial and risk characteristics. In my last few posts we have covered the key parts of how risk-based loan pricing works. In doing so, we have discussed how the key foundation elements involved in risk-adjusted loan pricing can (and should) relate to the bank’s accounting results and strategic policies:

  • Loan balance, rate and fee data relates to the bank’s actual general ledger amounts;
  • The administrative costs are also derived from actual non-interest expenses; 
  • The cost of funds is aligned with the policies used in the ALCO operation and in the IRR management processes; 
  • The statistical cost of credit risk used in pricing (providing sensitivity to the loan’s risk rating) is derived partially from the bank’s credit and provisioning policies;
  • The taxes are the bank’s actual average experience; and 
  • For banks using ROE/RAROC, the equity allocation is related to the bank’s overall (unexpected) risk posture and its capital sufficiency policies.

Once a bank understands risk-adjusted pricing and can calculate the risk-adjusted return (ROA or ROE/RAROC) for a given loan, what more can we do to help the lender close the deal? And, what can we do to help lenders assist the bank with meeting profit goals? The answer to both questions is: “quite a lot”. First, bank management and lending executives can set various risk-based goals or guidelines that are based on the same data and foundation logic that was used to create the risk-based profit calculations. This analytical form of targeting helps take the profit (and therefore pricing) process out of the realm of “blue sky” numbers or simply wishful thinking on the part of management. The risk-based targeting guidelines benefit from the same analytical processes that went into the logic behind creating the profit calculations. The targets should be as well-founded as the analysis that went into the profit calculations.

Then the fun begins.
First at the loan level: Once we have the ability to calculate risk-adjusted loan profit and we have similarly founded targets or guidelines, we can easily use the profit calculations in reverse to solve for a required loan rate and/or origination fee that will meet the target profit. The lender can change a structural aspect of the loan under consideration and quickly see the impact on risk-adjusted profit. More importantly, they can see how these changes relate to the guidelines or target.

In fact, the lender could look at any number of changes (to the loan amount, tenor or amortization rate, moving the risk rating up or down, or changing the rate from fixed to floating) to see what relative impact each change has on risk-adjusted profit. Because knowledge is one key to successful negotiation, the lender is in a substantially stronger position to conduct the sales and negotiation phases of landing the deal. There is a substantially higher likelihood the resulting loan will be a better risk-adjusted return for the bank than would take place by ignoring such pricing practices. Add up all of the loans and lines done in the course of a year and you see a significant impact on the bank’s overall performance.
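The "profit calculation in reverse" described above, as an added example that is not from the original post. It assumes a simplified single-year model; the expected-loss and capital tables, field names and sample loan are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed tables keyed by risk rating (1 = strongest, 5 = weakest).
EXPECTED_LOSS = {1: 0.0010, 2: 0.0025, 3: 0.0060, 4: 0.0150, 5: 0.0400}  # per year
CAPITAL_RATIO = {1: 0.04, 2: 0.06, 3: 0.08, 4: 0.12, 5: 0.18}            # equity / balance


@dataclass(frozen=True)
class Loan:
    balance: float
    rate: float          # annual loan rate
    fee: float           # origination fee, taken in the year (simplification)
    funding_rate: float  # marginal cost of funds matched to the loan's duration
    admin_cost: float    # annual administrative cost
    risk_rating: int
    tax_rate: float


def raroc(loan: Loan) -> float:
    """Risk-adjusted after-tax return on the equity allocated to the loan."""
    equity = loan.balance * CAPITAL_RATIO[loan.risk_rating]
    spread = loan.rate - loan.funding_rate - EXPECTED_LOSS[loan.risk_rating]
    pre_tax = loan.balance * spread + loan.fee - loan.admin_cost
    return pre_tax * (1 - loan.tax_rate) / equity


def required_rate(loan: Loan, target: float) -> float:
    """Invert raroc(): the loan rate that makes the loan hit the target return."""
    equity = loan.balance * CAPITAL_RATIO[loan.risk_rating]
    needed_pre_tax = target * equity / (1 - loan.tax_rate)
    return (loan.funding_rate + EXPECTED_LOSS[loan.risk_rating]
            + (needed_pre_tax - loan.fee + loan.admin_cost) / loan.balance)


def priced_at_target(loan: Loan, target: float) -> Loan:
    """Return a copy of the loan re-priced to meet the target."""
    return replace(loan, rate=required_rate(loan, target))


def rate_by_rating(loan: Loan, target: float) -> dict:
    """Required rate for the same structure at every risk rating."""
    return {r: required_rate(replace(loan, risk_rating=r), target)
            for r in sorted(EXPECTED_LOSS)}


# Constructed sample deal.
SAMPLE = Loan(balance=1_000_000, rate=0.045, fee=5_000, funding_rate=0.03,
              admin_cost=4_000, risk_rating=3, tax_rate=0.25)

if __name__ == "__main__":
    print(f"RAROC at quoted rate: {raroc(SAMPLE):.2%}")
    for rating, rate in rate_by_rating(SAMPLE, 0.15).items():
        print(f"rating {rating}: required rate {rate:.2%}")
```

Changing any structural field with `replace()` and re-running `raroc()` gives the lender's what-if view against the same target.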

In my next post, I’ll expand this concept to the relationship management level.


I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships.  Of particular note are collections agencies.  Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors.  Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.”

A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control.  Third-party relationship management certainly falls into this category.  So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance -- even when customer (or potential customer) activities occur outside your walls.

Good luck!


What is your greatest concern as the May 1, 2009 enforcement date approaches for all guidelines in the Identity Theft Red Flags Rule?


Hello Red Flaggers!  I’m still getting some questions from our clients these days around the FTC enforcement extension.  My concern is that there seems to be a perception that May 1, 2009 is the enforcement date for all of the guidelines in the Red Flags Rule.  In reading through the recently released FTC Enforcement Policy (Identity Theft Red Flags Rule, 16 CFR, 681.2), it clearly states the following:

This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3).

So, while you may be breathing a sigh of relief as far as the implementation of your overall Identity Theft Prevention Program is concerned, be advised that the May 1, 2009 extension does not cover the need to detect and/or respond to address discrepancies on consumer reports or during address changes on card accounts.

As previously mentioned in an earlier blog of mine (see Nov. 13 blog), responding to address discrepancies on consumer reports may be the biggest challenge for many of our clients, as (depending on market served) the percentage of consumer reports with an address discrepancy can number over 20 percent.  This can create an operational burden from the perspective of cost, customer experience, and the ability to quickly book legitimate and profitable customers.  Have a look at my previous blog on a risk-based approach to address discrepancies for a refresher on this subject.  Good luck!!


We continue to receive inquiries from our clients, and the market in general, around whether they are required to comply with the Red Flag Rule or not. That final decision can be found with the legal and compliance teams within your organization. I am finding, however, that there generally seems to be too literal and narrow an interpretation of the terms ‘creditor’ or ‘financial institution’ as described in the guidelines. 

I often hear an organization state that they don’t believe they’re covered because they are not one of those types of entities. Ultimately, as I said, that’s up to your internal team(s) to establish. I would recommend, however, that you ensure that opinion and ultimate determination is well researched. It may sound simple, but reach out to your examining agencies or the Federal Trade Commission (FTC) and discuss any ambiguities you feel exist related to covered accounts. 

There is some great clarifying language out there beyond the initial Red Flag Rule. For example, the FTC provided a very useful article (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm) that described how even health care providers can be covered under the Red Flag Rule. 

At first glance, they may not seem to fall under the umbrella of a ‘creditor or financial institution.’ As stated in the article, the extension of credit “means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.”

Maybe it’s just me, but that description is arguably much broader-reaching than one might initially think. Long story short: do your research, and don’t assume you or your accounts are not covered under the guidelines. Better to find out now instead of after your first examination….for obvious reasons.


We have talked about: the creation of the vision for our loan portfolios (current state versus future state) – e.g. the strategy for moving our current portfolio to the future vision. Now comes the time for execution of that strategy.

In changing portfolio composition and improving credit quality, the discipline of credit must be strong (this includes in the arenas of commercial loan origination, loan portfolio monitoring, and credit risk modeling of course). Consistency, especially, in the application of policy is key. Early on in the change/execution process there will be strong pressure to revert back to the old ways and stay in a familiar comfort zone.  Credit criteria/underwriting guidelines will have indeed changed in the strategy execution.

In the coming blogs we will be discussing:

• assessment of the current state in your loan portfolio;
• development of the specific strategy to effect change in the portfolio from a credit quality perspective and composition;
• business development efforts to effect change in the portfolio composition; and
• policy changes to support the strategy/vision.

More to come.


We get the following question quite a bit:

Would the regulators expect to see a log of detected activity and resulting mitigation?

Short answer:

The Red Flags Rule does not specifically require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, covered institutions are required to prepare regular reports around the effectiveness of their program.  Additionally, there exists the requirement to incorporate an institution’s own experiences with identity theft when reviewing and updating their program.

Long answer:

Think now about the value of incorporating robust (and, optimally, transaction level) reporting into your program for a few key reasons:

1. Reporting allows you to more easily and comprehensively create and disseminate board-level reports related to program effectiveness.  These aren’t a bad thing to show a regulator either.

2. Detailed reporting provides you an opportunity to more accurately monitor your program’s performance with respect to decisioning strategies, false positives, false negatives, fraud detection and prevention rates, resultant losses and legitimate costs.

3. The more historic detail you have compiled, the easier it will be to make educated, analytically based, and quantifiable updates to your program over time.  Without this, you may be living and dying with anecdotal decision making….never good.

4. Finally, maintaining program performance data will afford you the ability to work with other service providers in validating their capabilities against known transactional or account level outcomes.  We, at Experian, certainly find this useful in working with our clients to deliver optimal strategies.

Thanks as always.


As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc...this question has come up over and over again.  You’d think by now I’d have a simple, clever, and strategically created product name to throw out there.  Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue.  So, why didn’t we just rename them under the Red Flag brand?  Because honestly, that would border on irresponsibility.  Let me explain briefly…

If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of:

• Identifying Red Flags applicable to covered accounts and incorporating them into the Program;

• Detecting and evaluating the Red Flags included in the Program;

• Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and

• Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.

You read in these requirements words like “applicable” and “appropriate” and “degree of risk.”  You don’t read words like “use this tool” or “detect this specific set of conditions.”  My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant.  These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost.  That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors.

We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit.  Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that. 

As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective.  Examiners will be looking at your programs, not your service provider.  Be sure to collaborate with your partners to meticulously apply the best solution.  At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID℠ consumer authentication platform to our Fraud Shield℠ risk warning product.  Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once….not twice.


One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer consumer-facing knowledge-based authentication questions on top of a solid decisioning strategy using these elements, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.


Just as with diet recommendations, moderation needs to be the new motto for credit risk management.  Diets provide for the occasional bag of chips or dessert after dinner, but these same food items become problems if the small quantity or occasional indulgence suddenly becomes the norm. 

Similarly, we, in our risk management efforts, put forth guidelines that establish limitations on certain loan types or categories that have been deemed risky should the numbers or quantity become too large a part of the overall portfolio.  Unfortunately, we have a tendency to allow earnings or portfolio growth to cloud our judgment and take an attitude of “just one more.” 

In the past several years, we have experienced excesses in commercial real estate, residential development and subprime mortgages.  It is now these excesses that are creating the problems that we are dealing with today. 

Bringing back these limitations – in other words, reestablishing the discipline in our portfolio risk management – will go a long way in avoiding these same problems in the future. 

As I learned early in my banking career:  “…soundness, profitability and growth…in that order.”


One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected. 

These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base.

Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction.  For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction.  In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft.

A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.  Detection of Red Flag conditions is literally only half the battle.  In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions.  A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship. 

Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies). 

A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft.

Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.
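The contrast between a rules-based and a risk-based response policy, as an added example that is not from the original posts or any Experian product. The score thresholds, field names and application records are constructed; the tally also covers the false-positive and missed-fraud figures the earlier logging post recommends tracking.

```python
from collections import Counter

# Hypothetical authentication-score cut-offs (higher score = lower risk).
LOW_RISK_SCORE = 700
HIGH_RISK_SCORE = 400

# Constructed applications with known outcomes ("fraud") for back-testing.
APPS = [
    {"id": 1, "flags": [], "auth_score": 820, "fraud": False},
    {"id": 2, "flags": ["address_mismatch"], "auth_score": 760,
     "alt_source_confirms": True, "fraud": False},
    {"id": 3, "flags": ["address_mismatch"], "auth_score": 610,
     "kba_passed": True, "fraud": False},
    {"id": 4, "flags": ["address_mismatch", "ssn_inconsistency"],
     "auth_score": 350, "fraud": True},
    {"id": 5, "flags": ["ssn_inconsistency"], "auth_score": 580,
     "kba_passed": False, "fraud": True},
    {"id": 6, "flags": [], "auth_score": 300, "fraud": True},
    {"id": 7, "flags": ["address_mismatch"], "auth_score": 720,
     "alt_source_confirms": True, "fraud": False},
]


def rules_based(app):
    """Each Red Flag is used in isolation: any detected condition is referred."""
    if app["flags"]:
        return "refer", "red flag present: " + ", ".join(app["flags"])
    return "approve", "no red flags"


def risk_based(app):
    """Every detected flag is still addressed, but reconciled automatically
    where score, alternate data or KBA supports it."""
    score, flags = app["auth_score"], app["flags"]
    if score < HIGH_RISK_SCORE:
        return "refer", "high-risk authentication score"
    if not flags:
        return "approve", "no red flags, acceptable score"
    if (score >= LOW_RISK_SCORE and flags == ["address_mismatch"]
            and app.get("alt_source_confirms")):
        return "approve", "address reconciled by alternate data source"
    if app.get("kba_passed"):
        return "approve", "reconciled by knowledge-based authentication"
    return "refer", "unreconciled: " + ", ".join(flags)


def decision_log(apps, policy):
    """Transaction-level records: what was detected and how it was resolved."""
    return [{"id": a["id"], "flags": a["flags"],
             "decision": policy(a)[0], "reason": policy(a)[1]} for a in apps]


def summarize(apps, policy):
    """Referral volume plus error counts against the known outcomes."""
    tally = Counter()
    for app in apps:
        decision = policy(app)[0]
        tally[decision] += 1
        if decision == "refer" and not app["fraud"]:
            tally["false_positive_referral"] += 1
        if decision == "approve" and app["fraud"]:
            tally["missed_fraud"] += 1
    return tally


if __name__ == "__main__":
    for name, policy in (("rules-based", rules_based), ("risk-based", risk_based)):
        print(name, dict(summarize(APPS, policy)))
    for record in decision_log(APPS, risk_based):
        print(record)
```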

 
