By: Tom Hannagan This post is a feature from my colleague and guest blogger, John Robertson, Senior Process Architect in Advisory Services at Baker Hill, a part of Experian. Years ago, I attended a seminar at which the presenter made a statement that struck me as odd, but has proven to be quite prophetic.  He simply stated, “margins will continue to narrow … forever!” He was spot on. At that time, a variety of loan products (such as mortgage loans) were becoming commoditized and this emerging market acted as an intermediary for needed cash to provide banks the wherewithal to continue to lend in their respective locales. The presenter continued by making a call for a systematic and effective pricing methodology then and “forever”. Pricing loans in a competitive market does not necessarily translate into smaller yields. Nor should banks be willing to accept smaller yields for less than quality loans. There are several viable options to consider when loan pricing in a market where the margins continue to shrink. Cutting operating expenses Generally, a financial institution’s first reaction to narrowing margins is to cut operating expenses. Periodically the chaff does need culling, but most banks run efficient shops by depending heavily on technology to create those efficiencies and for risk management. They continually measure themselves with efficiency ratios which, in part, help to drive their strategic operating decisions. So, when the edict comes from above to cut operating expenses, there aren’t too many options. So, why is a bank’s first reaction usually an all-out call to cut operating expenses? Generally, it’s because these operating expenses are more easily identifiable and banks still lack effective tools to measure the value of their customers and relationships. Couple that with the perception that there is no control over a competitive market with narrowing margins. As a result, banks price accordingly -- just to get the deal. Consequently, their efficiency ratios may look good, but what about the potential impact on yield, service and internal morale? Community banks, in particular, pride themselves on customer service and, in fact, site it as one of their strengths against larger banks. Do you give up that advantage? Relationship management To price effectively in a market where margins have narrowed, the bank has to also consider the relationship’s value. The value of deposits should be measured and included to allow for more competitive pricing. The influence of deposits on the relationship allows the bank to be more aggressive in its loan pricing or can enhance the relationship yield itself. Loan pricing in a competitive market does not have to translate into smaller yields and/or credit quality. The key to staying ahead of competition is measuring the value of the relationship and applying any or all of the outlined effective risk-based pricing methodologies to position the bank to win the deal and still meet the targeted return objectives. While the phrase “margins will continue to narrow … forever” may seem to hold true, banks can counter by using the “power of pricing” to offset the impact to earnings …forever!

At which stage of the application process does the Red Flags Rule apply? The Red Flag Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example: if the application appears to have been altered or forged; or the consumer’s identification appears to be forged or is inconsistent with the information on the application. Is the social security number (SSN) check a requirement? No, but an invalid SSN may be a Red Flag – i.e., an indicator of possible identity theft – and obtaining and verifying a SSN may be a reasonable means of application risk management to detect this Red Flag when opening accounts. You may be able to utilize your existing procedures under your Customer Identification Program under the USA PATRIOT Act.  

After reviewing more details around the "The President's Identity Theft Task Force Report" (September 2008), and some of the activities surrounding it, I find myself again pondering how all of this may be impacting our clients.  Does heightened consumer awareness around both identity theft Red Flags rules and government initiatives (like the task force report) put more pressure on various industries to have buttoned up identity theft prevention programs that are not only effective, but also "marketed" to consumers?  Are consumers now expecting to see more blatant identity theft prevention measures in place each time they transact with a service provider…any service provider?Lots of questions here, so let me know if you are feeling residual pressures from your consumer base as a result of any of the latest initiatives or reports.  I can say that we do have some clients that believe effective identity theft measures matter to their customers and use their protection measures as marketing messages.  For example, the use of knowledge-based authentication questions during an application or transaction approval process is not only effective in preventing fraud, but also leaves customers with a sense of security and an understanding that their financial institutions are working to combat identify theft..

What to do when you see a Red Flag. Your Identity Theft Prevention Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft. If so, your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include contacting your applicant, not opening a new account or even determining that no response is necessary.  

By: Tom Hannagan Part 2 There is one rather interesting clause that appears to represent an open-ended business porfolio risk management decision for the future. It is one small paragraph, named Amendment, in the middle of Article V - Miscellaneous, just ahead of governing law (which is federal law, backed up by the laws of the State of New York). Amendment begins normally enough, requiring the usual signed agreement of each party, but then states: “provided that the Investor may unilaterally amend any provision of this Agreement to the extent required to comply with any changes after the Signing Date in applicable federal statutes.” Wow. My understanding of this is that if Congress in the future, enacts anything that Treasury finds (or Congress requires Treasury to find) applicable to any aspect of the previously signed TARP Agreement, the bank is bound to adhere. Forget about the non-voting aspect of the preferred shares issued to the Treasury. Once the TARP Agreement is executed by the bank, management is not only bound by what’s in the document to begin with, it is in addition, subject to future federal law as long as the TARP shares are held by the government. So, this new major owner does have a voice. The Purchase Agreement covers what the new owner wants now and may decide it wants in the future. This a form of strategic business risk that comes with accepting the capital infusion, along with the various financial implications of the funding.

By: Tom Hannagan Part 1 Beyond the risk management considerations related to a bank’s capital position, which is directly impacted by Troubled Asset Relief Program (TARP) participation, it should be clear that TARP also involves business (or strategic) risk.  We have spoken in the past of several major categories of risk: credit risk, market risk, operational risk and business risk. Business risk includes: A variety of risks associated with the outcomes from strategic decision making; Governance considerations; Executive behavior (for lack of better terminology); Management succession events or other leadership occurrences that may affect the performance and financial viability of the business. Aside from the monetary impact on the bank’s capital position, TARP involves a new capital securities owner being in the mix. And, with a 20% infusion of added tier 1 capital, we are almost always talking about a very large, new owner relative to existing shareholders. The United States Department of the Treasury is the investor or holder of the newly issued preferred stock and warrants. The Treasury Department does not have voting rights like common shareholders, but the Treasury’s Securities Purchase Agreement – Standard Form includes at least 35 pages of terms, plus the required Letter Agreement, Schedules attached to the Letter Agreement and at least five significant Annex’s to the Purchase Agreement. It’s NOT an easy, quick or fun read. In the Recitals section, it states that the bank: “agrees to expand the flow of credit to U.S. consumers and businesses on competitive terms as appropriate to strengthen the health of the U.S. economy” and, later, “agrees to work diligently, under existing programs, to modify the terms of residential mortgages as appropriate to strengthen the health of the U.S. economy.” Fortunately, if you’re a banker, these topics are not (currently) revisited elsewhere in the document, period. However, these are examples of the new shareholder effecting business decision making without the need to be on the Board of Directors, or voting common shares. The Agreement covers a number of other requirements and limitations, such as executive compensation, dividend payments, other capital sourcing and retention of bank holding company status. None of these are particularly onerous, but they must be taken into account by management. Visit my next post to read about the very interesting Amendment clause that may represent an open-ended business portfolio risk management decision for the future.

We have been hearing quite a bit about the ponzi scheme that was created and managed by Bernie Madoff.  Almost $50 billion dollars was taken from those that were considered to be sophisticated and definitely not the typical type to be scammed.  So, what created the environment that allowed such large sums of money to be lost in such a basic con game as a ponzi scheme?  I believe there are a few basic factors that prompted these seemingly sophisticated people to invest in this ill-fated “investment.” A strong desire to generate investment returns when the typical channels were not delivering. The reputation(s) of the existing client list -- If they invested why shouldn’t I? The thought that if it paid off with smaller dollar investments, just think what could be made with larger dollars! Hmmm!  Sounds like how we got ourselves into today’s credit situation.  Basically, we were distracted by the items noted above and ignored the warning signs. Putting the items above into credit industry terms it can be summed up as follows: We have to continue to grow and we are pressured to find more opportunities.  If we go lower in the credit quality spectrum, it can generate immediate volume from the existing application volume. Other financial institutions have gone into this type of lending and they aren’t showing any signs of significant distress in their portfolios.  We need to do the same.  (Everyone in the herd in favor of this action please respond by saying “Moo.”) Our test portfolio has performed acceptably, so let’s increase the volume. Let’s continue the correlation between these two “problems.”  In the Madoff ponzi scheme, there were warning signs that cropped up - some earlier than others. These included: In 2000, the Securities and Exchange Commission received a letter from an outside money manager which warned of a possible scheme. In 2005, the Bostonian submitted an 18-page document to the SEC citing 29 red flags and indicated some level of corruption within Madoff’s investment company. The SEC’s own earlier investigation conducted in 1999, included an acknowledgement that they had received “credible allegations” but these allegations were ignored. So, what were the signs that were in front of us but we simply chose to ignore? Were the portfolios turning over so fast that we could not actually gather statistically valid data to support performance? Since we were selling off the loans, either individually or in bulk, did we ignore the actual risk that was taken by the industry? Were we appropriately monitoring the portfolio growth and performance, utilizing risk reduction and risk avoidance techniques, doing regular rescores and tracking potential behavioral issues? Whether the signs were visible to us or not, the fact remains that they existed in the past and they will likely exist in the future.  As we continue to clean up the mess of our past, we need to consider a few items: What we did in the past will no longer be acceptable going forward. We must change. We must improve. Regulatory pressures will increase and changes will continue to be made. We will not have the luxury of time to respond to these pressures and/or changes. We must act now. What is a financial institution to do?  Well, the worst thing we can do is wait for the regulators to tell us what to do because that is simply too late.  We need to act and act now. Assess the risk management methods that were employed in the past and determine deficiencies. Note the gaps between the historical tools and data sources compared with the updated credit decisioning tools and sources available in the industry. Develop a plan for implementing the new risk reduction methods and tools. Determine the estimated lift and manage/monitor your performance against your estimates. Don’t forget about the new additions to the portfolio. Once you have the existing risk identified, you should make the appropriate adjustments to the product risk parameters and terms and conditions to improve the overall quality of the new portfolio. Overall, the worst thing that we can do is nothing. Remember, “Those who do not remember the past are condemned to repeat it.” George Santayana, a philosopher, essayist, poet, and novelist

How do I know which Red Flags apply to me? The Red Flag guidelines that will apply to you depend on a number of factors including: The types of covered accounts you offer and how those accounts may be opened and accessed Your previous experiences with identity theft In order to determine the applicable Red Flags, you must consider these factors as well as various sources and categories of Red Flags identified in the Guidelines. There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information including a white paper, webinar, data sheet and more.  

There seems to be some ground-laying for follow-on Red Flag compliance guidelines to emerge either pre- or post- May 1, 2009.  Whether they arrive in the form of clarifying statements by the Red Flags Rule drafting agencies, or separate guidelines beyond the current Rule, the ambiguity associated with the current set of parameters leads me to believe that:The door is open for many entities, not clearly called out in the Red Flags Rule as 'covered' to be more formally placed under that umbrella, andA new series of mandates may be on the horizon as the focus on identity theft prevention and, of critical note, consumer protection continues to sharpen.I look at "The President's Identity Theft Task Force Report" (September 2008) as a potential catalyst for the publication of more formal directives around consumer identity theft prevention programs.  While the report currently sits in the form of recommendations, it is likely that some of these recommendations may evolve into more definitive enactments.  Additionally, it's clear that even commercial entities that are potentially not covered by the Red Flag Rule today are called out as still in need of stringent and diligent identity theft prevention measures.  More to follow next time on this report.

The difference between market risk and credit risk By: Tom Hannagan Market risk is different than credit risk. The bank’s assets are mostly invested in loans and securities (about 90% of average assets). These loans and securities have differing interest rate structures – some are fixed and some are floating. They also have differing maturities. Meanwhile, the bank’s liabilities, deposits and borrowings also have differing maturities and interest rate characteristics. If the bank’s (asset-based) interest income structure is not properly aligned with the (liability-based) interest expense structure, the result is interest rate risk. As market rates change (up or down), the bank’s earning are impacted (positively or negatively) based on the mismatch in its balance sheet structure. The bank can offset market risk by purchasing interest rate swaps or other interest rate derivatives. The impact of insufficient attention to interest rate risk can damage earnings and may, again, negatively affect the bank’s capital position. So, ultimately, the bank’s risk-based capital acts as the last line of defense against the negative impact from, you guessed it, unpredictable variability – or “risk.” That is why equity is considered risk-based capital. Good risk management, predicting and risk-based pricing leads to safer earnings performance and equity position.

By: Tom Hannagan In my past postings, we’ve discussed financial risk management, the role of risk-based capital, measuring profitability based on risk characteristics and the need for risk-based loan pricing (credit risk modeling). I thought it might be worthwhile to take one step back and explain what we mean by the term “risk.” “Risk” means unpredictable variability. Reliable predictions of an outcome tend to reduce the risk associated with that outcome. Similarly, low levels of variability also tend to reduce risk. People who are “set in their ways” tend to lead less risky lives than the more adventuresome types. Insurance companies love the former and charge additional premiums to the latter. This is a terrific example of risk-based pricing. Financial services involve risk. Banks have many of the same operational risks as other non-financial businesses. They additionally have a lot of credit risk associated with lending money to individuals and businesses. Further, banks are highly leveraged, borrowing funds from depositors and other sources to support their lending activities. Because banks are both collecting interest income and incurring interest expense, they are subject to market, or interest rate, risk. Banks create credit policies and processes to help them manage credit risk. They try to limit the level of risk and predict how much they are incurring so they can reserve some funds to offset losses. To the extent that banks don’t do this well, they are acting like insurance companies without good actuarial support. It results in a practice called “adverse selection” – incorrectly pricing risk and gathering many of the worst (riskiest) customers. Sufficiently good credit risk management practices control and predict most of the bad outcomes most of the time, at least at portfolio levels. Bad outcomes (losses) that are not well-predicted, and therefore mitigated with sufficient loan-loss reserves, will negatively impact the bank’s earnings and capital position. If the losses are large enough, they can wipe out capital and result in the bank’s failure.

Part 2 Reason one Unfortunately, there is a management issue regarding their transparency with the investment community and/or client base.  Regrettably for the managers and leaders choosing this approach, if this problem persists too long, the organization may choose to rectify with a change in the management and leadership Reason two The solution is both simple and complex.  In simplistic terms, the financial institution must evolve its portfolio risk management reduction techniques and take a more proactive stance.  Both internal and external data exists that can provide significant insight to the portfolio, its trends and potential future loss. Such data sources include: Internal behavioral characteristics (negative changes outside of just delinquencies) High line usage Non sufficient funds frequency & severity (for those borrowers who also have a deposit account with the institution) Deposit account closuresExternal data Regular rescore of the borrowers (both small business and consumer) Derogatory payment trends with other creditors (the borrower may be current with you but for how long?) Judgments or liens Such data can be used to create models for portfolio performance calculating: Delinquency trends by score (as the portfolio trends up or down in the score ranges we can adjust the expected loss rates, delinquency rates, etc.) Within score ranges and based upon other behavioral characteristics, what is the likelihood for charge-off or recovery. The biggest takeaway is that these portfolio management techniques are not new and untested.  Your data provider (such as Experian), has used these techniques and has the data to support the effectiveness.  While we are in trouble, we may find ourselves wanting to keep the “dirty secrets” to ourselves.  Too often such an approach leads to one’s demise.  Seek information, seek help, get control and truly start to move in a positive direction.

“Unprecedented times”, “financial crisis”, “credit crisis” and many other terms continue to be buzzwords that we hear every day.  We are almost becoming desensitized to the terms, yet we feel the impact on a daily basis.  Everyone is waiting for some positive news in the financial services industry and more bad news keeps coming. Each quarter we continue to read about financial institutions claiming that the worst is over. They have recognized the risk in their portfolios through risk assessment, set aside adequate reserves or loan loss allowances and are now ready to turn the corner.  Yet we continue to read about these same institutions coming back with more bad news, more credit losses and a restatement of the assurance that the problems have been recognized. As a result, this financial risk management has brought to light all of the high-risk accounts and the trend will begin to change. Why does this story keep repeating itself? Reason one  Management assesses to what extent the market (both stock market and the client base) will tolerate the level or degree of bad news, recognize losses to that extent and will then work hard to try to correct any known issues before we actually have to report the next quarter.  Unfortunately, this approach simply delays the inevitable and brings into question the risk management practices of the particular institution.  Like the boy who cried wolf, the more times you make a statement and it proves to be false, the less likely you will be believed the next time. Reason two The financial institutions are actually surprised each quarter with a new batch of credit losses.  The institution, its credit management team and workout areas are diligently trying to address the current problem. But, just when they start to see the light at the end of the tunnel, a new batch of credit problems arise.  For the most part, the credit issues still persist in the high-volume, low-dollar credits such as residential mortgages, home equity loans, automobiles, credit cards and small business loans.  Due to the sheer volume of clients/loans, it becomes more difficult to assess what issues may be brewing in the portfolio.  For the large volume, small dollar portfolios, the notion of a pending credit issue comes when the delinquency starts to rise to a delinquency of 60 or 90 days. The real issue is identifying those accounts that are likely to go 60 or 90 days past due and then assess the likelihood that they will go into charge-off. Regardless of the reason, we have a “credibility” problem in addition to a “credit” problem.

It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place.  Yikes!  My guess is that this will not be fully resolved by May 1, 2009.  I see too many disparate opinions out there to think otherwise.  I certainly see both sides.  On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule.  On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009?  Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge.    There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule, I just have to wonder how comprehensive and enforceable compliance will be.  Let me know your thoughts!

During a recent real-time survey of 850 representatives of the financial services industry: only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline. 60 percent said that they had just started to determine their approach to Red Flag compliance.