Decision Analytics | Risk Management

--by Monica Bellflower

There seems to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing Knowledge Based
Authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA.

KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work.  As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk- based authentication… and risk-based authentication is what it is really all about.

---by Monica Bellflower

When a client is selecting questions to use, Knowledge Based Authentication is always about the underlying data – or at least it should be.  The strength of Knowledge Based Authentication questions will depend, in large part, on the strength of the data and how reliable it is.  After all, if you are going to depend on Knowledge Based Authentication for part of your risk management and decisioning strategy the data better be accurate.  I’ve heard it said within the industry that clients only want a system that works and they have no interest where the data originates.  Personally, I think that opinion is wrong. 

I think it is closer to the truth to say there are those who would prefer if clients didn’t know where the data that supports their fraud models and Knowledge Based Authentication questions originates; and I think those people “encourage” clients not to ask.  It isn’t a secret that many within the industry use public record data as the primary source for their Knowledge Based Authentication products, but what’s important to consider is just how accessible that public record information is.  Think about that for a minute.  If a vendor can build questions on public record data, can a fraudster find the answers in public record data via an online search? 

Using Knowledge Based Authentication for fraud account management is a delicate balance between customer experience/relationship management and risk management.  Because it is so important, we believe in research – reading the research of well-known and respected groups like Pew, Tower, Javelin, etc. and doing our own research.  Based on our research, I know consumers prefer questions that are appropriate and relative to their activity.  In other words, if the consumer is engaged in a credit-granting activity, it may be less appropriate to ask questions centered on personal associations and relatives.  Questions should be difficult for the fraudster, but not difficult or perceived as inappropriate or intrusive by the true consumer.  Additionally, I think questions should be applicable to many clients and many consumers.  The question set should use a mix of data sources: public, proprietary, non-credit, credit (if permissible purpose exists) and innovative. 

Is it appropriate to have in-depth data discussions with clients about each data source?  Debatable.  Is it appropriate to ensure that each client has an understanding of the questions they ask as part of Knowledge Based Authentication and where the data that supports those questions originates?  Absolutely.

 

-- by Kari Michel

What is Basil II?  Basel II is the international convergence of Capital Measurement and Capital Standards. It is a revised framework and is the second iteration of an international standard of laws. The purpose of Basel II is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operations risk banks face.  Basel II ultimately implements standards to assist in maintaining a healthy financial system. 

The business challenge

The framework for Basel II compels the supervisors to ensure that banks implement credit rating techniques that represent their particular risk profile.  Besides the risk inputs (Probability of Default (PD), Loss Given Default (LGD) and Exposure at Default (EAD)) calculation, the final Basel accord includes the “use test” requirement which is the requirement for a firm to use an advanced approach more widely in its business and met merely for calculation of regulatory capital.

Therefore many financial institutions are required to make considerable changes in their approach to risk management (i.e. infrastructure, systems, processes, data requirements).  Experian is a leading provider of risk management solutions -- products and services for the new Basel Capital Accord (Basel II).  Experian’s approach includes consultancy, software, and analytics tailored to meet the lender’s Basel II requirements.

 

- by Kelly Kent

A recent January 29, 2010 article in the Wall Street Journal * discussing the repurchasing of loans by banks from Freddie Mae and Fannie Mac included a simple, yet compelling statement that I feel is worth further analysis. The article stated that "while growth in subprime defaults is slowing, defaults on prime loans are accelerating." I think this statement might come as a surprise to some who feel that there is some amount of credit risk and economic immunity for prime and super-prime consumers – many of whom are highly sought-after in today’s credit market. To support this statement, I reference a few statistics from the Experian-Oliver Wyman Market Intelligence Reports:

• From Q1 2007 to Q1 2008, 30+ DPD mortgage delinquency rates for VantageScore A and B consumers remained flat (actually down 2%); while near-prime, subprime, and deep-subprime consumers experienced an increase of over 36% in 30+ rates.

• From Q4 2008 to Q4 2009, 30+ DPD mortgage delinquency rates for VantageScore A and B consumers increased by 42%; whereas consumers in the lower VantageScore tiers saw their 30+ DPD rate increase by only 23% in the same period

Clearly, whether through economic or some other form of impact, repayment practices of prime and super-prime, consumers have been changing as of late, and this is translating to higher delinquency rates. The call-to-action for lenders, in their financial risk management and credit risk modeling efforts, is increased attentiveness in assessing credit risk beyond just a credit score...whether this be using a combination of scores, or adding Premier Attributes into lending models – in order to fully assess each consumer’s risk profile.

*  http://online.wsj.com/article/SB10001424052748704343104575033543886200942.html
 

- by Wendy Greenawalt

Marketing is typically one of the largest expenses for an organization and it is also a priority to reach short- and long-term growth objectives. With the current economic environment continuing to be unpredictable, many organizations have reduced budgets and are focusing more on risk management and recovery activities. However, in the coming year, we expect to see improvements in the economy and organizations renewing their focus on portfolio growth.

We expect that marketing campaign budgets will continue to be much lower than those allocated before the mortgage meltdown but organizations will still be looking for gains in efficiency and responsiveness to meet business objectives. Optimizing decisions, creation of optimized marketing strategies, is quick and easy when leveraging optimization technology.  Those strategies enable your internal resources to focus on more strategic issues.

Whether your objective is to increase organizational or customer level profit, growth in specific product lines or maximizing internal resources, optimization / optimzing decisions can easily identify the right solution while adhering to key business objectives. The advanced software now available to facilitate optimizing decisions enables an organization to compare multiple campaign options simultaneously while analyzing the impact of modifications to revenue, response or other business metrics.

Specifically, very detailed product offer information, contact channels, timing, and letter costs from multiple vendors -- and consumer preferences -- can all be incorporated into an optimization solution. Once defined, the complex mathematical algorithm factors every combination of all variables, which could range in the thousands.  These variables are considered at the consumer level to determine the optimal treatment to maximize organizational goals and constraints. In addition, by optimizing decisions and incorporating them into marketing strategies, marketers can execute campaigns in a much shorter timeframe allowing an organization to capitalize on changing market conditions and consumer behaviors. To illustrate the benefit of optimization: an Experian bankcard client was able to reduced analytical time to launch programs from seven days to 90 minutes while improving net present value.

In my next blog, we will discuss how organizations can cut costs when acquiring new accounts.

 

-- by Tom Hannagan

While waiting on the compilation of fourth quarter banking industry results, I thought it might be interesting to relate the commercial real estate (CRE) risk management position facing commercial banks from the third quarter. CRE risk is an important consideration in enterprise risk management and for loan pricing and profitability.

The slowdown in the global economy has affected CRE credit risk because of increased vacancy rates, halted development projects, and the loss of value affecting commercial properties. As CRE loans come up for renewal, many will find that there have equity deficits and that they are facing tightened credit standards.

If a commercial property loan started life at 80 percent loan to value, and the property value has dropped 25 percent, the renewed loan balance will be down at least 25 percent, requiring a substantial net payoff from the borrower. This net cash payoff requirement would be tough to accomplish in good times and all-but-impossible for many borrowers in this economy. After all, the main reason for the decline in property value to begin with is its reduced cash flow performance.

 Following the third quarter numbers, total U.S. commercial real estate is generally estimated at $3.4 to $3.5 trillion. Commercial banks owned just over half of that debt, or about $1.8 trillion according to Federal Reserve and FDIC sources. The (possibly only) good news with that total is that commercial banks owned a relatively small share of the commercial-mortgage-backed securities (CMBS) slice of CRE exposure. CMBS assets were 21 percent of total CRE credit or $714 billion, but banks owned a total of $54 billion, which represented only 3 percent of total bank CRE assets. Unfortunately, the opposite is true for construction lending. U.S. banks, in total, had $486 to $534 billion (depending on the source) in construction and land loans, representing 27 percent to 30 percent of banks’ total CRE holdings. 

The true credit risk management picture is much more revealing if we cut the numbers by bank size. According to Deutsche Bank research, the largest 97 banks (those with over $10 billion in total assets) had $14.8 trillion in total assets and $1.0 trillion of the banking industry’s CRE credits.  This amounts to about 7 percent of the total assets for this group of larger banks. The 7,500 community banks, with aggregate assets of $2 trillion, had about $786 billion in CRE lending. This amounts to about 28 percent of total assets. That is roughly four times the level of exposure found in the larger banks. The 7 percent level of credit risk average exposure at the large bank group is less than their average level of equity or risk-based capital. For the banks under the $10 billion level, the 28 percent level of CRE exposure is almost three times their average equity position.

The riskiest portion of CRE lending is clearly the construction and land development loans. The subtotals in this area confirm where the cumulative risk lies. Again, according to Deutsche Bank research, the largest 97 banks had $299 billion of the banking industry’s $534 billion in construction loans. Although this is 56 percent of total bank construction lending, it amounts to only 2 percent of this group’s total assets.  The 7,500 community banks had aggregate construction loans of $235 billion. This amounts to about 8.5 percent of total assets. That is a bit over four times the level of exposure found in the larger banks. The 2 percent level of construction credit risk exposure at the large bank group is one-fourth of their average level of common equity. At banks under the $10 billion level, the 8.5 percent level of CRE exposure, compared to total assets, is about the same as their average equity position.

According to Moody’s, bank have already taken about $90 billion in net loan losses in CRE assets through the third quarter of 2009. That means the industry has perhaps another $150 billion in write-offs coming. This would total $240 billion in CRE credit losses for the banking industry due to this economic downturn. That would equate to 13.3 percent of the banking industry’s share of total CRE credit. With the decline in commercial property values ranging from 10 percent to 40 percent, a 13 percent loss is certainly not a worst case scenario.

Banks have ramped up their loss reserves, and although the numbers aren’t out yet, we know many banks have used the fourth quarter 2009 to further bolster their allowances for loan and lease losses (ALLL). The larger the ALLL, the safer the risk-based equity account. Risk managers are aware of all of this and banks are very actively developing their strategies to handle the refunding requirements and, at the same time, be in a position to explain to regulators and external auditor how they are protecting shareholders. But the numbers are very daunting and not every bank will have enough net cash flow and risk equity to cover the inevitable losses.

--by Amanda Roth

Last week, we discussed how pricing with competition is important to ensure sound decision practices are being implemented in the domains of loan pricing and profitability.  The extreme of pricing too high for the market can obviously be detrimental to your organization.  The other extreme can be just as dangerous.

Pricing for your profitability, regardless of what the competition is charging in your area, has a few potential issues associated with it regarding management of risk.  For example, the statistics state you can charge 5 percent in your “A” tier and still be profitable, but the competition is charging 7.5 percent for the same tier.  You may be thinking that by offering 5 percent you will attract the “best of the best” to your organization.  However, what your statistics may not be showing you is the risk outside of your applicant base.  If you significantly change the customers you are bringing in, does your risk increase as well, ultimately increasing the cost associated with each loan?   Increased costs will reduce or even eliminate the profitability you had expected.

A second potential issue is setting the expectation within the marketplace.  It is often understood with the consumers that when changes occur to the interest rate at the federal level, there will be changes at their local financial institution.  These changes are often very small.  By undercutting your competition by such an extreme amount, your customers may question any attempts to raise rates more than 50bp, if you do experience increased costs as a result of the earlier situation or any other factors.  A safer strategy would be to charge between 6.5 percent and 7 percent, which allows you to obtain some of the best customers, ensure stability within the market, and take advantage of additional profitability while it is available.  This is definitely a winning strategy for all -- and an important consideration as you develop your portfolio risk management objectives.

-- by Kari Michel

The Credit Card Act has important implications on risk management, relationship management and assessing credit risk.  The Federal Reserve Board approved final rules implementing the Credit Card Act which will require credit card issuers to assess borrowers’ “ability to pay”.  The Credit Card Act added new Truth in Lending Act (TILA) Section 150 prohibiting a card issuer from opening a credit card account for a consumer, or increasing the credit limit applicable to a credit card account, unless the card issuer considers the consumer’s ability to make the required minimum payment.

The final rules explicitly allow for the use of “empirically derived, demonstrably and statistically sound models that reasonably estimate a consumer’s income or assets.”  The Board clarified that the card issuers are not obligated to obtain income or asset information directly from a consumer.  Instead, card issuers may also rely on information from third parties, subject to any applicable restrictions on information sharing. The rule provides that card issuers may use models that reasonably estimate a consumer’s income or assets.  This rule will become effective February 22, 2010.

Many lenders were relieved to hear that ‘ability to pay’ models can be used to comply with this new regulation.  Experian’s Income InsightSM addresses the requirements of the final Federal Reserve Board rules for assessment of ability to pay.  The model supports lenders’ compliance in a cost-effective and efficient manner.

--by Tom Hannagan

Apparently my last post on the role of risk management in the pricing of deposit services hit some nerve ends. That’s good. The industry needs its “nerve ends” tweaked after the dearth of effective risk management that contributed to the financial malaise of the last couple of years. Banks, or any business, can prosper by simply following their competitors’ marketing strategies and meeting or slightly undercutting their prices. The actions of competitors are an important piece of intelligence to consider, but not necessarily optimal for your bank to copy.

One question is regarding the “how-to” behind risk-based pricing (RBP) of deposits. The answer has four parts. Let’s see. First, because of the importance and size of the deposit business (yes, it’s a line of business) as a funding source, one needs to isolate the interest rate risk. This is done by transfer pricing, or in a sense, crediting the deposit balances for their marginal value as an offset to borrowing funds. This transfer price has nothing to do with the earnings credit rate used in account analysis – that is a merchandising issue used to generate fee income. Fees, resulting from account analysis, when not waived, affect the profitability of deposit services, but are not a risk element.

Two things are critical to the transfer of funding credit: 1) the assumptions regarding the duration, or reliability of the deposit balances and 2) the rate curve used to match the duration. Different types of deposit behave differently based on changes in rates paid. Checking account deposit funds tend to be very loyal or “sticky” - they don’t move around a lot (or easily) because of rate paid, if any. At the other extreme, time deposits tend to be very rate-sensitive and can move (in or out) for small incremental gains. Savings, money market and NOW accounts are in-between.

Since deposits are an offset (ultimately) to marginal borrowing, just as loans might (ultimately) require marginal borrowing, we recommend using the same rate curve for both asset and liability transfer pricing. The money is the same thing on both sides of the balance sheet and the rate curve used to fund a loan or credit a deposit should be the same. We believe this will help, greatly, to isolate IRR. It is also seems more fair when explaining the concept to line management.

Secondly, although there is essentially no credit risk associated with deposits, there is operational risk. Deposit make up most of the liability side of the balance sheet and therefore the lion’s share of institutional funding. Deposits are also a major source of operational expense. The mitigated operational risks such as physical security, backup processing arrangements, various kinds of insurance and catastrophe plans, are normal expenses of doing business and included in a bank’s financial statements. The costs need to be broken down by deposit category to get a picture of the risk-adjusted operating expenses.

The third major consideration for analyzing risk-adjusted deposit profitability is its revenue contribution. Deposit-related fee income can be a very significant number and needs to be allocated to particular deposit category that generates this income. This is an important aspect of the return, along with the risk-adjusted funding value of the balances. It will vary substantially for various deposit types. Time deposits have essentially zero fee income, whereas checking accounts can produce significant revenues.

The fourth major consideration is capital. There are unexpected losses associated with deposits that must be covered by risk-based capital – or equity. The unexpected losses include: unmitigated operational risks, any error in transfer pricing the market risk, and business or strategic risk. Although the unexpected losses associated with deposit products are substantially less than found in the lending products, they needs to be taken into account to have a fully risk-adjusted view. It is also necessary to be able to compare the risk-adjusted profit and profitability of such diverse services as found within banking. 

Enterprise risk management needs to consider all of the lines of business, and all of the products of the organization, on a risk-adjusted performance basis. Otherwise it is impossible to decide on the allocation of resources, including precious capital. Without this risk management view of deposits (just as with loans) it is impossible to price the services in a completely knowledgeable fashion. Good entity governance, asset and liability posturing, and competent line of business management, all require more and better risk-based profit considerations to be an important part of the intelligence used to optimally price deposits.

--by Kent Kelly

In a continuation of my previous entry, I’d like to take the concept of the first-mover and specifically discuss the relevance of this to the current bank card market.

Here are some statistics to set the stage:

• Q2 2009 bankcard origination levels are now at 54 percent of Q2 2008 levels
• In Q2 2009, bankcard originations for subprime and deep-subprime were down 63 percent from Q2 2008
• New average limits for bank cards are down 19 percent in Q2 2009 from peak in Q3 2008
• Total unused limits continued to decline in Q3 2009, decreasing by  $100 billion in Q3 2009

Clearly, the bank card market is experiencing a decline in credit supply, along with deterioration of credit performance and problematic delinquency trends, and yet in order to grow, lenders are currently determining the timing and manner in which to increase their presence in this market. In the following points, I’ll review just a few of the opportunities and risks inherent in each area that could dictate how this occurs.

Lender chooses to be a first-mover:

• Mining for gold – lenders currently have an opportunity to identify long-term profitable segments within larger segments of underserved consumers. Credit score trends show a number of lower-risk consumers falling to lower score tiers, and within this segment, there will be consumers who represent highly profitable relationships. Early movers have the opportunity to access these consumers with unrealized creditworthiness at their most receptive moment, and thus have the ability to achieve extraordinary profits in underserved segments.
 
• Low acquisition costs – The lack of new credit flowing into the market would indicate a lack of competitiveness in the bank card acquisitions space. As such, a first-mover would likely incur lower acquisitions costs as consumers have fewer options and alternatives to consider.
 
• Adverse selection - Given the high utilization rates of many consumers, lenders could face an abnormally high adverse selection issue, where a large number of the most risky consumers are likely to accept offers to access much needed credit – creating risk management issues.
 
• Consumer loyalty – Whether through switching costs or loyalty incentives, first-movers have an opportunity to achieve retention benefits from the development of new client relationships in a vacant competitive space.

Lender chooses to be a secondary or late-mover:

• Reduced risk by allowing first-mover to experience growing pains before entry. The implementation of new acquisitions and risk-based pricing management techniques with new bank card legislation will not be perfected immediately. Second-movers will be able to read and react to the responses to first movers’ strategies (measuring delinquency levels in new subprime segments) and refine their pricing and policy approaches.

• One of the most common first-mover advantages is the presence of switching costs by the customer. With minimal switching costs in place in the bank card industry, the ability for second-movers to deal with an incumbent is not one where switching costs are significant issues – second-movers would be able to steal market share with relative ease.

• Cherry-picked opportunities – as noted above, many previously attractive consumers will have been engaged by the first-mover, challenging the second-mover to find remaining attractive segments within the market. For instance, economic deterioration has resulted in short-term joblessness for some consumers who might be strong credit risks, given the return of capacity to repay. Once these consumers are mined by the first-mover, the second-mover will likely incur greater costs to acquire these clients.

Whether lenders choose to be first to market, or follow as a second-mover, there are profitable opportunities and risk management challenges associated with each strategy.  Academics and bloggers continue to debate the merits of each, (1)  but it is the ultimately lenders of today that will provide the proof.

[1] http://www.fastcompany.com/magazine/38/cdu.html

 --by Amanda Roth

The reality of risk-based pricing is that there is not one “end all be all” way of determining what pricing should be applied to your applicants.  The truth is that statistics will only get you so far.  It may get you 80 percent of the final answer, but to whom is 80 percent acceptable?  The other 20 percent must also be addressed.

I am specifically referring to those factors that are outside of your control.  For example, does your competition’s pricing impact your ability to price loans?  Have you thought about how loyal customer discounts or incentives may contribute to the success or demise of your program?  Do you have a sensitive population that may have a significant reaction to any risk-base pricing changes?  These questions must be addressed for sound pricing and risk management.

Over the next few weeks, we will look at each of these questions in more detail along with tips on how to apply them in your organization.  As the new year is often a time of reflection and change, I would encourage you to let me know what experiences you may be having in your own programs.  I would love to include your thoughts and ideas in this blog.

 

--by Roger Ahern

To calculate the expected business benefits of making an improvement to your decisioning strategies, you must first identify and prioritize the key metrics you are trying to positively impact.  For example, if one of your key business objectives is improved enterprise risk management, then some of the key metrics you seek to impact, in order to effectively address changes in credit score trends, could include reducing net credit losses through improved credit risk modeling and scorecard monitoring. Assessing credit risk is a key element of enterprise risk management and can addressed as part of your application risk management processes as well as other decisioning strategies that are applied at different points in the customer lifecycle. 

In working with our clients, Experian has identified 15 key metrics that can be positively impacted through optimizing decisions.  As you review the list of metrics below, you should identify those metrics that are most important to your organization.

• Approval rates
• Booking or activation rates
• Revenue
• Customer net present value
• 30/60/90-day delinquencies
• Average charge-off amount
• Average recovery amount
• Manual review rates
• Annual application volume
• Charge-offs (bad debt & fraud)
• Avg. cost per dollar collected
• Average amount collected
• Annual recoveries
• Regulatory compliance
• Churn or attrition

Based on Experian’s extensive experience working with clients around the world to achieve positive business results through optimizing decisions, you can expect between a 10 percent and 15 percent improvement in any of these metrics through the improved use of data, analytics and decision management software.

The initial high-level business benefit calculation, therefore, is quite important and straightforward.  As an example, assume your current approval rate for vehicle loans is 65 percent, the average value of an approved application is $200 and your volume is 75,000 applications per year.  Keeping all else equal, a 10 percent improvement in your approval rates (from 65 percent to 72 percent) would generate $10.7 million in incremental business value each year ($200 x 75,000 x .65 x 1.1).  To prioritize your business improvement efforts, you’ll want to calculate expected business benefits across a number of key metrics and then focus on those that will deliver the greatest value to your organization.

--by Tom Hannagan

This blog has often discussed many aspects of risk-adjusted pricing for loans. Loans, with their inherent credit risk, certainly deserve a lot of attention when it comes to risk management in banking. But, that doesn’t mean you should ignore the risk management implications found in the other product lines. Enterprise risk management needs to consider all of the lines of business, and all of the products of the organization. This would include the deposit services arena.

Deposits make up roughly 65 percent to 75 percent of the liability side of the balance sheet for most financial institutions, representing the lion’s share of their funding source. This is a major source of operational expense and also represents most of the bank’s interest expense. The deposit activity has operational risk, and this large funding source plays a huge role in market risk – including both interest rate risk and liquidity risk. It stands to reason that such risks are considered when pricing deposit services. Unfortunately it is not always the case. Okay, to be honest, it’s too rarely the case.

This raises serious entity governance questions. How can such a large operational undertaking, not withstanding the criticality of the funding implications, not be subjected to risk-based pricing considerations? We have seen warnings already that the current low interest rate environment will not last forever. When the economy improves and rates head upwards, banks need to understand the bottom line profit implications. Deposit rate sensitivity across the various deposit types is a huge portion of the impact on net interest income. Risk-based pricing of these services should be considered before committing to provide them.

Even without the credit risk implications found on the loan side of the balance sheet, there is still plenty of operational and market risk impact that needs to be taken into account from the liability side. When risk management is not considered and mitigated as part of the day-to-day management of the deposit line of business, the bank is leaving these risks completely to chance. This unmitigated risk increases the portion of overall risk that is then considered to be “unexpected” in nature and thereby increases the equity capital required to support the bank.

--by Heather Grover

In my previous entry, I covered how fraud prevention affected the operational side of new DDA account opening. To give a complete picture, we need to consider fraud best practices and their impact on the customer experience.

As earlier mentioned, the branch continues to be a highly utilized channel and is the place for “customized service.” In addition, for retail banks that continue to be the consumer's first point of contact, fraud detection is paramount IF we should initiate a relationship with the consumer. Traditional thinking has been that DDA accounts are secured by deposits, so little risk management policy is applied. The reality is that the DDA account can be a fraud portal into the organization’s many products.

Bank consolidations and lower application volumes are driving increased competition at the branch – increased demand exists to cross-sell consumers at the point of new account opening. As a result, banks are moving many fraud checks to the front end of the process: know your customer and Red Flag guideline checks are done sooner in the process in a consolidated and streamlined fashion. This is to minimize fraud losses and meet compliance in a single step, so that the process for new account holders are processed as quickly through the system as possible.

Another recent trend is the streamlining of a two day batch fraud check process to provide account holders with an immediate and final decision. The casualty of a longer process could be a consumer who walks out of your branch with a checkbook in hand – only to be contacted the next day to tell that his/her account has been shut down. By addressing this process, not only will the customer experience be improved with  increased retention, but operational costs will also be reduced.

Finally, relying on documentary evidence for ID verification can be viewed by some consumers as being onerous and lengthy. Use of knowledge based authentication can provide more robust authentication while giving assurance of the consumer’s identity. The key is to use a solution that can authenticate “thin file” consumers opening DDA accounts. This means your out of wallet questions need to rely on multiple data sources – not just credit. Interactive questions can give your account holders peace of mind that you are doing everything possible to protect their identity – which builds the customer relationship…and your brand.

--by Amanda Roth

To refine your risk-based pricing another level, it is important to analyze where your tiers are set and determine if they are set appropriately.  (We find many of the regulators / examiners are looking for this next level of analysis.)

This analysis begins with the results of the scoring model validation.  Not only will the distributions from that analysis determine if the score can predict between good and delinquent accounts, but it will also highlight which score ranges have similar delinquency rates, allowing you to group your tiers together appropriately.  After all, you do not want to have applicants with a 1 percent chance of delinquency priced the same as someone with an 8 percent chance of delinquency.  By reviewing the interval delinquency rates as well as the odds ratios, you should be able to determine where a significant enough difference occurs to warrant different pricing.

You will increase the opportunity for portfolio profitability through this analysis, as you are reducing the likelihood that higher risk applicants are receiving lower pricing.  As expected, the overall risk management of the portfolio will increase when a proper risk-based pricing program is developed.

In my next post we will look the final level of validation which does provide insight into pricing for profitability.

 

--Kelly Kent

In a recent presentation conducted by The Tower Group, “2010 Top 10 Business Drivers, Strategic Responses, and IT Initiatives in Bank Cards,” the conversation covered many of the challenges facing the credit card business in 2010.  When discussing the shift from “what it was," to “what it is now” for many issues in the card industry, one specific point caught my attention – the perception of unused credit lines – and the change in approach from lenders encouraging balance load-up to the perception that unused credit lines now represent unknown vulnerability to lenders.

Using market intelligence assets at Experian, I thought I would take a closer look at some of the corresponding data credit score profile trends to see what color I could add to this insight. Here is what I found:

• Total unused bankcard limits have decreased by $750 billion from Q3 2008 to Q3 2009
• By risk segment, the largest decline in unused limits has been within the VantageScore® A consumer – the super prime consumer – where unused limits have dropped by $420 billion
• More than 82 percent of unused limits reside with VantageScore A and B consumers – the super-prime and prime consumer segments

So what does this mean to risk management today? If you subscribe to the approach that unused limits now represent unknown vulnerability, then this exposure does not reside with traditional “risky” consumers, rather it resides with consumers usually considered to be the least risky. 

So this is good news, right? Well, maybe not.

Vintage analysis of recent credit trends shows that vulnerability within the top score tiers might represent more risk than one would suspect. Delinquency trends for VantageScore A and B consumers within recent vintages (2006 through 2008) show deteriorating rates of delinquency from each year’s vintage to the next. Despite a shift in loan origination volumes towards this group, the performance of recent prime and super-prime originations shows deterioration and underperformance against historical patterns.

If The Tower Group’s read on the market is correct, and unused credit now represents vulnerability and not opportunity, it would be wise for lenders to reconsider where and how yesterday’s opportunity has become today’s risk.

--by Monica Bellflower

I received a call on my cell phone the other day. It was my bank calling because a transaction outside of my normal behavior pattern tripped a flag in their fraud models. “Hello!" said the friendly, automated voice, “I’m calling from [bank name] and we need to talk to you about some unusual transaction activity on your account, but before we do, I need to make sure Monica Bellflower has answered the phone. We need to ask you a few questions for security reasons to protect your account. Please hold on a moment.” 

At this point, the IVR (Interactive Voice Response) system invoked a Knowledge Based Authentication session that the IVR controlled. The IVR, not a call center representative, asked me the Knowledge Based Authentication questions and confirmed the answers with me. 

When the session was completed, I had been authenticated, and the friendly, automated voice thanked me before launching into the list of transactions to be reviewed. Only when I questioned the transaction was I transferred, immediately – with no hold time, to a human fraud account management specialist. The entire process was seamless and as smooth as butter.

Using IVR technology is not new, but using IVR to control a Knowledge Based Authentication session is one way of controlling operational expenses. An example of this is reducing the number of humans that are required, while increasing the ROI made in both the Knowledge Based Authentication tool and the IVR solution. 

From a risk management standpoint, the use of decisioning strategies and fraud models allows for the objective review of a customer’s transactions, while employing fraud best practices. After all, an IVR never hinted at an answer or helped a customer pass Knowledge Based Authentication, and an IVR didn't get hired in a call center for the purpose of committing fraud.  

These technologies lend themselves well, to fraud alerts and identity theft prevention programs, and also to account management activities. Experian has successfully integrated Knowledge Based Authentication with IVR as part of relationship management and/or risk management solutions. 

--by Monica Bellflower

I have already commented on “secret questions” as the root of all evil when considering tools to reduce identity theft and minimize fraud losses.  No, I’m not quite ready to jump off  that soapbox….not just yet, not when we’re deep into the season of holiday deals, steals and fraud.  The answers to secret questions are easily guessed, easily researched, or easily forgotten.  Is this the kind of security you want standing between your account and a fraudster during the busiest shopping time of the year?

There is plenty of research demonstrating that fraud rates spike during the holiday season.  There is also plenty of research to demonstrate that fraudsters perpetrate account takeover by changing the pin, address, or e-mail address of an account – activities that could be considered risky behavior in decisioning strategies.  So, what is the best approach to identity theft red flags and fraud account management?  A risk based authentication approach, of course! 

Knowledge Based Authentication (KBA) provides strong authentication and can be a part of a multifactor authentication environment without a negative impact on the consumer experience, if the purpose is explained to the consumer.  Let’s say a fraudster is trying to change the pin or e-mail address of an account.  When one of these risky behaviors is initiated, a Knowledge Based Authentication session begins. To help minimize fraud, the action is prevented if the KBA session is failed.  Using this same logic, it is possible to apply a risk based authentication approach to overall account management at many points of the lifecycle:

• Account funding 
• Account information change (pin, e-mail, address, etc.)
• Transfers or wires
• Requests for line/limit increase
• Payments
• Unusual account activity
• Authentication before engaging with a fraud alert representative

Depending on the risk management strategy, additional methods may be combined with KBA; such as IVR or out-of-band authentication, and follow-up contact via e-mail, telephone or postal mail.  Of course, all of this ties in with what we would consider to be a comprehensive Red Flag Rules program. (For more on Red Flag guidance, visit our dedicated site at:  http://www.bulldogsolutions.net/ExperianDecisionAnalytics/EXD_RedFlagSite/index.aspx?bdls=16924) 

Risk based authentication, as part of a fraud account management strategy, is one of the best ways we know to ensure that customers aren’t left singing, “On the first day of Christmas, the fraudster stole from me…”

--by Jeff Bernstein

In the current economic environment, many lenders and issuers across the globe are struggling to manage the volume of caseloads coming into collections. The challenge is that as these new collection cases come into collections in early phases of delinquency, the borrower is already in distress, and the opportunity to have a good outcome is diminished.

One of the real “hot” items on the list of emerging best practices and innovating changes in collections is the concept of early lifecycle treatment strategy. Essentially, what we are referring to is the treatment of current and non-delinquent borrowers who are exhibiting higher risk characteristics.  There are also those who are at-risk of future default at higher levels than average. The challenge is how to identify these customers for early intervention and triage in the collections strategy process.

One often-overlooked tool is the use of maturation curves to identify vintages within a portfolio that is performing worse than average. A maturation curve identifies how long from origination until a vintage or segment of the portfolio reaches a normalized rate of delinquency.

Let’s assume that you are launching a new credit product into the marketplace. You begin to book new loans under the program in the current month. Beyond that month, you monitor all new loans that were originated/booked during that initial time frame which we can identify as a “vintage” of the portfolio. Each month’s originations are a separate vintage or vintage analysis, and we can track the performance of each vintage over time.

How many months will it take before the “portfolio” of loans booked in that initial month reach a normal level of delinquency based on these criteria: the credit quality of the portfolio and its borrowers, typical collections servicing, delinquency reporting standards, and factor of time?  The answer would certainly depend upon the aforementioned factors, and could be graphed as follows:

Exhibit 1

 
0 Comments »

Round 1 – Pick your corner

---by Monica Bellflower

There seems to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing Knowledge Based
Authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA.

KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work.  As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk- based authentication… and risk-based authentication is what it is really all about.