Regulatory Compliance

Well, in my last blog, I was half right and half wrong.  I said that individual trade associations and advocacy groups would continue to seek relief from Red Flag Rules ‘coverage’ and resultant FTC enforcement.  That was right.  I also said that I thought the June 1 enforcement date would ‘stick’.  That was wrong. Said FTC Chairman Jon Leibowitz, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flag Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift.  As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.” I think the key words here are ‘unintended consequences’.  It seems to me that the unintended consequences of the Red Flag Rules reach far beyond just which industries are covered or not covered (healthcare, legal firms, retailers, etc).  Certainly, the fight was always going to be brought on by non-financial institutions that generally may not have had a robust identity authentication practice in place as a general baseline practice.  What continues to be lost on the FTC is the fact that here we are a few years down the road, and I still hear so much confusion from our clients as to what they have to do when a Red Flag compliance condition is detected.  It’s easy to be critical in hindsight, yes, but I must argue that if a bit more collaboration with large institutions and authentication service providers in all markets had occurred, creating a more detailed and unambiguous Rule, we may have seen the original enforcement date (or at least one of the first or second postponement dates) ‘stick’. At the end of the day, the idea of mandating effective and market defined identity theft protection programs makes a lot of sense.  
A bit more intelligence gathering on the front end of drafting the Rule may, however, have saved time and energy in the long run.  Here’s hoping that December 31st ‘sticks’…I’m done predicting.  

Published: June 3, 2010 by Keir Breitenfeld

By: Kari Michel

The Federal Reserve’s decision to permit card issuers to use income estimation models to meet the Accountability, Responsibility, and Disclosure (CARD) Act requirements to assess a borrower’s ability to repay a loan makes good sense. But are income estimation models useful for anything other than supporting compliance with this new regulation? Yes; in fact these types of models offer many advantages and uses for the financial industry. They provide a range of benefits including better fraud mitigation, stronger risk management, and responsible provision of credit.

Using income estimation models to understand your customers’ complete financial picture is valuable in all phases of the customer lifecycle, including:

• Loan Origination – use as a best practice for determining income capacity
• Prospecting – target customers within a specific income range
• Acquisitions – set line assignments for approved customers
• Account Management – assess repayment ability before approving line increases
• Collections – optimize valuation and recovery efforts

One of the key benefits of income estimation models is they validate consumer income in real time and can be easily integrated into current processes to reduce expensive manual verification procedures and increase your ROI. But not all scoring models are created equal. When considering an income estimation model, it’s important to consider the source of the income data upon which the model was developed. The best models rely on verified income data and cover all income sources, including wages, rent, alimony, and Social Security.

To learn more about how income estimation models can help with risk management strategies, please join the following webinar: Ability to pay: Going beyond the Credit CARD on June 8, 2010. http://www.bulldogsolutions.net/ExperianConsumerInfo/EXC1001/frmRegistration.aspx?bdls=24143

Published: May 25, 2010 by Guest Contributor

By: Kari Michel

What is Basel II?

Basel II is the international convergence of Capital Measurement and Capital Standards. It is a revised framework and is the second iteration of an international standard of laws. The purpose of Basel II is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operations risk banks face. Basel II ultimately implements standards to assist in maintaining a healthy financial system.

The business challenge

The framework for Basel II compels the supervisors to ensure that banks implement credit rating techniques that represent their particular risk profile. Besides the risk inputs (Probability of Default (PD), Loss Given Default (LGD) and Exposure at Default (EAD)) calculation, the final Basel accord includes the “use test” requirement which is the requirement for a firm to use an advanced approach more widely in its business and not merely for calculation of regulatory capital. Therefore many financial institutions are required to make considerable changes in their approach to risk management (i.e. infrastructure, systems, processes, data requirements).

Experian is a leading provider of risk management solutions -- products and services for the new Basel Capital Accord (Basel II). Experian’s approach includes consultancy, software, and analytics tailored to meet the lender’s Basel II requirements.

Published: February 26, 2010 by Guest Contributor

A recent New York Times (1) article outlined the latest release of credit borrowing by the Federal Reserve, indicating that Americans borrowed less for the ninth-straight month in October. Nested within the statistics released by the Federal Reserve were metrics around reduced revolving credit demand and comments about how “Americans are borrowing less as they try to replenish depleted investments.” While this may be true, I tend to believe that macro-level statements are not fully explaining the differences between consumer experiences that influence relationship management choices in the current economic environment.

To expand on this, I think a closer look at consumers at opposite ends of the credit risk spectrum tells a very interesting story. In fact, recent bank card usage and delinquency data suggests that there are at least a couple of distinct patterns within the overall trend of reducing revolving credit demand:

• First, although it is true that overall revolving credit balances are decreasing, this is a macro-level trend that is not consistent with the detail we see at the consumer level. In fact, despite a reduction of open credit card accounts and overall industry balances, at the consumer-level, individual balances are up – that’s to say that although there are fewer cards out there, those that do have them are carrying higher balances.
• Secondly, there are significant differences between the most and least-risky consumers when it comes to changes in balances. For instance, consumers who fall into the least-risky VantageScore® tiers, Tier A and B, show only 12 percent and 4 percent year-over-year balance increases in Q3 2009, respectively. Contrast that to the increase in average balance for VantageScore F consumers, who are the most risky, whose average balances increased more than 28 percent for the same time period.

So, although the industry-level trend holds true, the challenges facing the “average” consumer in America are not average at all – they are unique and specific to each consumer and continue to illustrate the challenge in assessing consumers’ credit card risk in the current credit environment.

1 http://www.nytimes.com/2009/12/08/business/economy/08econ.html

Published: December 10, 2009 by Kelly Kent

Many compliance regulations such as the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification.

With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling.

Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.

Published: November 16, 2009 by Keir Breitenfeld

As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is managing the number of referrals generated from the detection of Red Flags conditions. The big ticket item in referral generation is the address mismatch condition.

Identity Theft Prevention Program

I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information. What I will suggest, however, is that those institutions who now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them all within the same real-time transaction.

Referral rates

Referral rates stemming from address mismatches (a key component of the Red Flags Rule high risk conditions) can approach or even surpass 30 percent. That is a lot. The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match. The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication and Identity Theft Prevention Program.

Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and distanced from the need to put your customers through the authentication wringer. In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience. Of course, we think ours are pretty good.

Published: November 2, 2009 by Keir Breitenfeld

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis. And meeting today’s regulatory requirements is more complicated than ever. Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including who it applies to and to whom it does not - varies widely. Which types of businesses are subject to the Red Flags Rule? What is a “covered account?” If you’re not sure, you’re not alone - it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues. And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay?

But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program. The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering. Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which cause heartburn for those tasked with compliance…but are there some common themes and requirements across the two? The short answer is Yes. In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.

Published: October 14, 2009 by Matt Ehrlich

There were always questions around the likelihood that the August 1, 2009 deadline would stick.  Well, the FTC has pushed out the Red Flag Rules compliance deadline to November 1, 2009 (from the previously extended August 1, 2009 deadline). This extension is in response to pressures from Congress – and, likely, "lower risk" businesses questioning their being covered under the Red Flag Rule to begin with (businesses such as those related to healthcare, retailers, small businesses, etc). Keep in mind that the FTC extension on enforcement of Red Flag Guidelines does not apply to address discrepancies on credit profiles, and that those discrepancies are expected to be worked TODAY.  Risk management strategies are key to your success. To view the entire press release, visit: http://www.ftc.gov/opa/2009/07/redflag.shtm

Published: July 30, 2009 by Keir Breitenfeld

In recent months, the topics of stress-testing and loss forecasting have been at the forefront of the international media and, more importantly, at the forefront of the minds of American banking executives. The increased involvement of the federal government in managing the balance sheets of the country’s largest banks has mixed implications for financial institutions in this country. On one hand, some banks have been in the practice of building macroeconomic scenarios for years and have tried and tested methods for risk management and loss forecasting. On the other hand, in financial institutions where these practices were conducted in a less methodical manner, if at all, the scrutiny placed on capital adequacy forecasting has left many looking to quickly implement standards that will address regulatory concerns when their number is called.

For those clients to whom this process is new, or for those who do not possess a methodology that would withstand the examination of federal inspectors, the question seems to be – where do we begin? I think that before you can understand where you’re going, you must first understand where you are and where you have been. In this case, it means having a detailed understanding of key industry and peer benchmarks and your relative position to those benchmarks. Even simple benchmarking exercises provide answers to some very important questions.

• What is my risk profile versus that of the industry?
• How does the composition of my portfolio differ from that of my peers?
• How do my delinquencies compare to those of my peers? How has this position been changing?

By having a thorough understanding of one’s position in these challenging circumstances, it allows for a more educated foundation upon which to build assessments of the future.

Published: June 30, 2009 by Kelly Kent

We at Experian have been conducting a survey of visitors to our Red Flag guidelines microsite (www.experian.com/redflags). Some initial findings show that approximately 40 percent of those surveyed were "ready" by the original November 1, 2008 deadline.  However, nearly 50 percent of the respondents found the Identity Theft Red Flag deadline extension(s) helpful. For those of you that have not taken the survey, please do so.  We welcome your feedback.  

Published: June 10, 2009 by Keir Breitenfeld

One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315. Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. A couple of common questions and answers to get us started:

1. How do the credit reporting agencies display an address discrepancy?
Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2. How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?
Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance. Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report. Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program. There are many tools available that can detect Red Flag conditions. The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions. Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores. Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center. Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.

Published: May 29, 2009 by Keir Breitenfeld

What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline? Was your institution ready to meet Red Flag guidelines? 

Published: May 22, 2009 by Keir Breitenfeld

Does the rule list the Red Flags?

The Identity Theft Red Flags Rule provides several examples of Red Flags in four separate categories:

1. alerts and notifications received from credit reporting agencies and third-party service providers;
2. the presentation of suspicious documents or suspicious identifying information;
3. unusual or suspicious account usage patterns; and
4. notices from a customer, identity theft victim or law enforcement.

Published: May 15, 2009 by Keir Breitenfeld

Optimization is a very broad and commonly used term today and the exact interpretation is typically driven by one's industry experience and exposure to modern analytical tools. Webster defines optimize as: "to make as perfect, effective or functional as possible". In the risk/collections world, when we want to optimize our strategies as perfect as technology will allow us, we need to turn to advanced mathematical engineering. More than just scoring and behavioral trending, the most powerful optimization tools leverage all available data and consider business constraints in addition to behavioral propensities for collections efficiency and collections management.

A good example of how this can be leveraged in collections is with letter strategies. The cost of mailing letters is often a significant portion of the collections operational budget. After the initial letter required by the Fair Debt Collection Practice Act (FDCPA) has been sent, the question immediately becomes: “What is the best use of lettering dollars to maximize return?” With optimization technology we can leverage historical response data while also considering factors such as the cost of each letter, performance of each letter variation and departmental budget constraints, while weighing the alternatives to determine the best possible action to take for each individual customer.

In short, cutting edge mathematical optimization technology answers the question: "Where is the point of diminishing return between collections treatment effectiveness and efficiency / cost?"

Published: May 14, 2009 by Guest Contributor

I was recently asked in a comment, "What do we have to do to become compliant?" Great question. There is not a single path to compliance when it comes to Red Flags compliance. Effectively, an institution that has covered accounts under the Rule must implement both a written and operational Identity Theft Prevention Program.

The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics.

A compliant Program must contain reasonable policies and procedures to address four mandatory elements:

• Identifying Red Flags applicable to covered accounts and incorporating them into the Program
• Detecting and evaluating the Red Flags included in the Program
• Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose and
• Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft

The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program. While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk.

The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include:

• Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated
• Confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor is doing business
• Reviewing address discrepancies

Published: April 24, 2009 by Keir Breitenfeld
