Friday, April 27, 2012

A New Risk Measurement?

While the Federal Reserve, the FDIC, and the Office of the Comptroller of the Currency all expect a financial institution to have in place a risk management program, commensurate with the size and complexity of the institution, to identify, measure, monitor, and control risk, the categories of risk to be included in a risk management program vary across the agencies. All three agencies include: credit risk; liquidity risk; price/market risk; transactional/operational risk; and compliance/legal risk. The Fed and the OCC include reputation risk; the OCC also incorporates interest rate risk, strategic risk, and foreign exchange risk. In spite of the differences in categories of risk, the primary objective of the program is consistent across the agencies: to measure the institution’s potential risk of loss associated with its activities, given the level of mitigating factors implemented by the institution.

Enter the Consumer Financial Protection Bureau. The CFPB was established as a regulator of financial institutions to supervise banks, credit unions, and other financial companies and to enforce Federal consumer financial laws. However, its mission is to make markets for consumer financial products and services work for Americans; a somewhat different focus from the other regulatory agencies. And the difference is further highlighted in the Risk Assessment process set forth in the CFPB Supervision and Examination Manual published in September 2011. This risk assessment evaluates the “risk to consumers,” defined as “the potential for consumers to suffer economic loss or other legally-cognizable injury as a result of a violation of Federal consumer financial law.”

The two risk assessments use the same methodology, with both evaluating the inherent risk and analyzing the effectiveness of the controls to arrive at a residual risk level or, in the case of the CFPB, an overall consumer risk level. But if one approach is focused on the risk to the financial institution and the other on the risk to the consumer, are the results comparable? In a case where an institution has a high level of residual compliance risk associated with a specific product, is there an equally high level of consumer risk?

Let’s look at a few examples. If an institution makes a significant number of real estate loans in a special flood hazard area, has a history of flood violations, and has weak controls, the residual risk to the institution is high. If a consumer obtains a real estate loan in a special flood hazard area and the institution fails to require flood insurance, the risk that the consumer may suffer a loss if the area floods is also high. In spite of the difference in focus, the residual risks appear comparable – when an institution is facing a high level of compliance risk, there is also a high level of consumer risk.

In our next example, consider an institution with a history of violations relating to transaction limitations for savings accounts under Regulation D. Given the prior violations and assuming weak controls, the residual risk to the institution is high. However, under the CFPB’s definition of consumer risk, does this violation have “the potential for consumers to suffer economic loss or other legally-cognizable injury as a result of a violation of Federal consumer financial law?” Because the institution’s failure to enforce these limitations allows the consumer to continue to maintain the account and continue to exceed the transaction limitations, there is no harm to the consumer.

Clearly these two different risk assessment approaches do not always yield comparable results. How, then, is the institution to identify, measure, monitor, and control consumer risk? Although the CFPB does not require institutions to implement its risk assessment methodology, it appears that institutions will need to add consumer risk and the CFPB’s methodology to their current risk management programs.

Another interesting difference in the CFPB’s risk assessment is the manner in which an institution’s inherent risk to consumers is mitigated or amplified by the strength or weakness of the controls. The CFPB provides a Risk Matrix similar to those developed to represent the traditional method, with inherent risk categorized as high, moderate, or low, and the quality of risk controls defined as strong, adequate, or weak.

However, under this new methodology, a high level of inherent risk cannot be mitigated to less than a moderate risk level – even with strong controls. A low risk area increases to moderate risk if the risk controls are weak. And, across every inherent risk level, implementing adequate controls will not reduce the residual risk below the inherent risk level.

To illustrate, let’s apply a typical point rating system to this risk assessment analysis. Using a one-to-three scale:

• High/Weak = 3 points
• Moderate/Adequate = 2 points
• Low/Strong = 1 point

Based on the total point structure, the Overall risk categories are defined as:

• High Risk = 7 to 9 points
• Moderate Risk = 4 to 6 points
• Low Risk = 1 to 3 points

The resulting risk matrix, using the traditional risk assessment methodology, is:


Whereas, under the CFPB’s new risk assessment methodology, the “amplified by” approach produces a very different matrix:


As you can see from this illustration, implementing strong controls will result in a decreased residual risk; however, adequate controls will never reduce the residual risk level below the inherent level. How long before an examiner tells you that adequate controls are no longer good enough?

Will your Risk Management Program withstand this new focus?

Monday, April 16, 2012

CFPB's New Service Provider Pronouncement

The CFPB, Obamacare for the financial industry, has reared its ugly head, again, and rattled the “unfair, deceptive or abusive acts or practices” sabre. The Bureau (and I don’t mean the piece of furniture where you keep your socks and underwear and sometimes hide a Christmas gift for your spouse) has announced that covered financial institutions may be held responsible for illegal actions of a service provider. Institutions are expected to be responsible for their service provider’s activities beyond the normal due diligence practices that have served the industry and consumers well for the past several decades. The Bureau’s expectations are summed up in the following bullet points:
• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law; (A nebulous expectation from a nebulous agency. Do we give them a 10 page multiple choice test to document their understanding? Is it a pass/fail grading system? And what about Spring Break?)
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities; (Does the Bureau really believe that the large national or international service provider will turn over all the documentation that an institution needs to properly do this? And if they do, how many institutions have the staff, time, and wherewithal to properly analyze all this information provided? If they do comply, I have Las Vegas odds that the price of the service will increase.)
• Including in the contract clear expectations about compliance as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices; (Unfortunately, it’s the CFPB that determines what is an unfair, deceptive, or abusive act or practice, and only then when it can’t cite a violation of anything else.)
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and (Again, how many large service providers will put up with this nonsense?)
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate. (This is the only sensible part of the expectations, and institutions are already doing this.)

Presumably, the resources that institutions would normally employ to serve their customers are thought, by the Bureau, to be better used in combatting the evils lurking in the service provider realm. Undeterred by the fact that most consumers neither care about the consumer compliance laws designed to protect them nor read the ream after ream of disclosures designed to make them better informed, the Bureau, in its never-ending quest to protect somebody from something, marches on making mountains out of molehills.

You should be concerned about this pronouncement even if your institution isn’t regulated by the CFPB. The tone set by the Bureau will, as do other kinds of…stuff, roll downhill and will be coming soon to a regulator near you.

ABS is ready, willing, and able to assist you with compliance strategies.

Thursday, April 12, 2012

Model Risk Management

In April 2011, the OCC released Bulletin 2011-12, Supervisory Guidance on Model Risk Management, describing the elements of a sound program for effective management of the risks that arise when banks use quantitative models to make decisions. Superseding guidance issued in 2000, which focused primarily on model validation, this guidance significantly expands the elements required to meet the supervisory standards. Consistent with other risk management related supervisory guidance, all banking organizations are expected to implement a process – commensurate with the size, complexity, and risk profile of the institution – to identify, measure, monitor, and control model risk. The guidance articulates three categories of activities that should be included in your program: 1) Model Development, Implementation, and Use; 2) Model Validation; and 3) Governance, Policies, and Controls. Does your program measure up?

Model Development, Implementation, and Use

Model development is not something that most Community Banks undertake; more often, the institution acquires a model from a vendor. Nonetheless, the institution retains accountability for evaluating the model to verify that the model’s purpose, design, theory, and logic are appropriate for the institution’s intended use. The institution should, to the extent possible, obtain documentation from the vendor that sufficiently explains: the methodologies and processing components, including the mathematical operations; the model’s merits and limitations; and the integrity, relevance, and suitability of the data or data proxies used.

During implementation and periodically thereafter, testing of the model should be performed and documented. The type of testing is directly correlated with the type of model; however, testing should confirm the validity and accuracy of the model’s output, re-validate the limitations and assumptions, and confirm the overall functionality and performance of the model. Testing should also include a verification of data flow between, and integration with, other related systems or models. One often overlooked testing process involves the evaluation of feedback and questions from line of business users relating to the reports provided and the model’s output. Finally, the testing should incorporate an evaluation of continued applicability of the model given current business strategy and a re-assessment of the costs and benefits associated with the model. With respect to vendor-supplied models, the vendor should provide the institution with its testing results confirming that the model performs as expected.

Model Validation

The purpose of model validation is to re-affirm that the model is performing as expected. The validation process and activities should: 1) verify that the model is aligned with design objectives and business use; 2) identify the potential impact and validity of limitations and assumptions; and 3) generally assess the overall accuracy and soundness of the model. Validation should be performed, to the extent possible, by individuals independent of the development and use of the model, but with appropriate knowledge, skills, and expertise. The validation framework should encompass three core elements: 1) evaluation of the conceptual soundness, including developmental evidence; 2) ongoing monitoring, including process verification and benchmarking; and 3) outcomes analysis, including back-testing. In addition to reviewing the results of vendor-completed validation, institutions relying on vendor-provided models are expected to perform their own periodic validation of the model. This validation should include a re-evaluation of the appropriateness of any bank-specific customization and of vendor-input data and assumptions, an examination of the extent to which vendor data is representative of the bank’s situation, and an analysis of model performance using the institution’s own outcomes.

Governance, Policies, and Controls

Institutions are expected to develop and maintain strong governance, policies, and controls over model risk management. The board and senior management are expected to establish a framework for model risk management, based on a solid understanding of model risk in the aggregate, and addressing the development, implementation, use, and validation of models. Senior management is charged with responsibility for establishing adequate policies and procedures, assigning competent staff, and providing oversight with respect to the development, implementation, use, and validation of models and the corrective action associated with identified model deficiencies. Senior management is also accountable for apprising the board of the level of model risk and compliance with policy. The board ensures that risk levels are within tolerance and directs changes where required.

Internal audit, acting at the direction of the board, should assess the overall effectiveness of the model risk management framework. This includes an assessment and evaluation of: 1) the framework’s ability to address risk at the individual model and the aggregate model levels; 2) the related policies, procedures, and internal controls; and 3) the sufficiency of documentation to support the model risk management framework. Audit will also ensure that adequate validation is performed and appropriately documented, and that identified deficiencies are resolved.

Policies and procedures, consistent with the guidance, define responsibilities, include model and risk definitions, and provide for the development, implementation, use, testing, and validation of models. Policies should require maintenance of an inventory of models across the institution; incorporate standards for utilizing external resources, model accuracy, and acceptable levels of discrepancies; and define procedures for resolving unacceptable discrepancies. The board will, at least annually, review and, when necessary, revise the policies and procedures to adjust for changes in market conditions, bank products and strategies, bank exposure and activities, and industry practices.

While many of the activities included in the guidance are common industry practice, regulators expect each institution to confirm that its practices conform to the principles contained therein. But it is vital to remember that programs will vary from institution to institution; each institution’s program will be evaluated in the context of its own size, complexity, and risk profile.

Tuesday, April 3, 2012

We Told You So...Did You Listen? CompliancePro is STILL the ANSWER!


_________________________________________________

Thursday, June 23, 2011


From the OTS to the OCC - Are You Ready?

With CompliancePro® from American Bank Systems Your Answer is YES!

As a result of the Dodd-Frank Act, which became law in 2010, all OTS thrift institutions will come under the oversight of the OCC on July 21, 2011. You may be unclear as to some of the differences between these two regulators. Below are some of the questions you should be asking yourself to assess your state of preparedness for this change, along with answers that we believe you should consider.


Should we expect a higher level of scrutiny according to OCC examination philosophy?

Maintaining satisfactory or better compliance examination ratings is essential to financial institution stability, especially in our current and expanding regulatory culture. The OCC has a reputation of being more assertive and intense than the OTS. It places a lot of weight on the institution’s internal compliance audits, with emphasis also on written policies and procedures, and training. Comparatively, the OCC performs very little transactional testing, especially if it has confidence in the institution’s compliance risk management system and controls. Whereas the OTS may look at thirty loans during an examination, the OCC may look at as few as five. However, if deficiencies are discovered, the OCC will typically assign lower examination ratings. CompliancePro® is a time-tested and proven tool to strengthen regulatory compliance programs and prepare financial institutions for examination.


Are we prepared to meet the OCC’s supervisory expectations for compliance risk management?

The OCC employs a risk-based supervisory philosophy focused on evaluating risk, identifying material and emerging problems, and ensuring that individual institutions take corrective action before problems compromise their safety and soundness. Institutions are expected to have a compliance risk management system which assesses risk by the products and services offered and which monitors and manages compliance risk by performing regular monitoring between examinations. CompliancePro® can help you meet these expectations with its risk assessment, monitoring, and issue management capabilities, which provide for regular and consistent review and testing of all consumer-regulated activity across lines of business, bank products, and regulations.


Will our risk assessment process meet the standards of the OCC?

Simply speaking, the OCC’s focus on risk management is huge. This is its starting point for examinations. Whatever policies, procedures, training, or controls you have in place, they have to follow from the risk assessment. While regulatory consumer compliance risk processes in large institutions are relatively well established, some small and medium-sized institutions may need to improve upon their risk assessments to satisfy the OCC. If your current risk process is informal, rudimentary, and undocumented, the CompliancePro® Risk Module is what you need to prepare a sound risk assessment process, with our Inherent Risk and Risk Mitigation Analysis functionality, reporting, and dashboard capabilities.