By Jason C. Schemmel
In 1995, the Board of Governors of the Federal Reserve System issued SR 95-51, which instructed examiners to begin assigning a formal supervisory rating to the adequacy of an institution’s risk management processes. Examiners had always emphasized the importance of sound risk management processes, but this guidance heralded an era of heightened awareness in light of new technologies, product innovation and rapidly changing banking markets.
Examiners continue to assess and consider factors such as profitability, asset quality and capital adequacy when assigning supervisory ratings, but these indicators, to a large degree, tell a story about the past. At the heart of risk management is the concept of looking toward the future, as being able to identify, measure, monitor and control risks before they spread is critical to the conduct of safe and sound banking, regardless of the size and complexity of the institution.
Analysis of banking performance during the recession of 2007–2009 indicates that banks with strong forward-looking risk mitigation strategies weathered the recession more successfully than other banks, even those taking identical risks (see “Weathering the Storm: A Case Study of Healthy Fifth District State Member Banks Over the Recent Downturn” in the summer 2012 edition of S&R Perspectives). These successful institutions all possessed the key elements of a risk management framework, including:
To understand the risk management challenges currently facing our state member banks, we asked key members of the Federal Reserve Bank of Richmond’s Community and Regional (C&R) management team to identify areas that are (1) consistently cited in reports of examination as risk management weaknesses or (2) expected to receive heightened attention in the near future. This article reinforces existing supervisory guidance and expectations and discusses the most commonly cited examination issues related to the management of credit, liquidity, market, operational, and legal and reputational risks. Properly addressing these matters will improve the prospects of early risk detection and help to prevent losses.
C&R relationship managers and subject matter experts alike expressed concern over three areas: new product lines, home equity lines of credit (HELOC) and appraisal review.
New Product Lines
Interviews with bankers during examinations over the previous 12–24 months revealed that many management teams and boards of directors intend to reduce future reliance on real estate lending by expanding into commercial lending. The number of bankers who stated this intention is striking and indicates the potential for fierce competition for commercial business. In fact, several banks have reported recent solicitations from third parties attempting to negotiate participation in syndicated commercial loans.
Prior to expanding into commercial lending, or any new product line, it will be critical for banks to properly research the product and ensure it aligns with the bank’s strategic plan and the risk appetite of the board of directors. Banks that venture into commercial lending are expected to have the appropriate expertise on staff to underwrite and monitor the credits. Moreover, the lending staff must be guided by robust policies, procedures and risk limits. As was the case in the late 1990s, intense competition for commercial loan customers often leads to significant easing of both loan terms and front-end financial analysis. Discipline was — and will be — a key success factor. Existing supervisory guidance stresses:
Additionally, exceptions to approved underwriting and pricing policies should be rare, properly approved, aggregated and actively monitored by senior management.
There is considerable concern among C&R credit risk specialists that, unlike many other real estate loans, the losses in HELOC portfolios have yet to fully materialize. Many of the loans originated from 2003 to 2007 are approaching the end of their draw periods and will soon convert from interest-only to amortizing loans or have principal due as a balloon payment. Observations from recent examinations indicate that banks with significant concentrations of HELOCs have not fully identified and measured the potential impact of these events. Institutions with significant exposure to HELOCs should ensure that they are adhering to effective account management practices.2 These include:
Measurement of this data will allow bankers to identify customers who may default when loan terms change and facilitate the creation of effective workout solutions. Data procured from this analysis should also be incorporated into the institution’s allowance for loan and lease losses (ALLL) methodology.3
Examiners continue to observe appraisal review practices that are inconsistent with supervisory guidance.4 Too often, appraisal reviews only consist of checklists used by the reviewer to determine compliance with federal regulations. While determining compliance with regulations is surely critical, it is merely one aspect of the appraisal review process. Just as important is an evaluation of whether the methods, assumptions and data sources in the appraisal (or evaluation) are appropriate and well-supported.
An institution’s policies and procedures for reviewing appraisals and evaluations should address, at a minimum, the following:
All financial institutions, regardless of size and complexity, should have a formal contingency funding plan (CFP) that clearly sets out the strategies for addressing liquidity shortfalls in emergency situations.5 C&R relationship managers indicated that most banks have instituted some form of CFP; however, many banks continue to struggle with the details. In general, the CFPs reviewed during examinations do not adequately address a sufficient range of liquidity stress events. The narrative section of the CFP should contain a thorough description of any liquidity event — or combination of events — that could adversely impact the bank’s liquidity. The events may be institution-specific or arise from external factors. Examples include, but are not limited to, the inability to fund asset growth; the inability to renew or replace a maturing funding source; unexpected deposit runoff; or financial market dislocations.
Additionally, CFPs frequently are not robust enough with regard to the various stages and levels of stress severity that can occur during a contingent liquidity event. The narrative section should fully describe the stages of each event, its severity and its expected duration. Stress events should be modeled with sufficient severity to provide management and the board of directors with enough information to ascertain the durability of the bank’s liquidity position. Moreover, the duration of the event is a critical factor in accurately measuring potential funding gaps and available funding sources. Some events may be temporary while others may be longer-term. In either case, the event should ultimately be modeled through its conclusion. Designing the CFP in this fashion affords the opportunity to identify early-warning indicators for each stage, assess potential funding needs at various points in a developing crisis and specify action plans.
Proper measurement of market risk requires regularly assessing the reasonableness of assumptions that underlie an institution’s exposure estimates.6 C&R subject matter experts have observed repeated weaknesses in three areas related to model assumptions: documentation, sensitivity testing and corporate governance.
Key model assumptions such as asset prepayments, nonmaturity deposit price sensitivity and deposit decay rates are often unsupported and undocumented. Inputs for these assumptions typically have a material impact on the model’s output; therefore, it is critical to ensure they are accurate. Assumptions should be specific to the bank and based on an appropriate level of empirical evidence. The decisions made and the rationale behind them should then be thoroughly documented.
To aid in determining which assumptions exert the greatest impact on measurement results, banks should periodically perform sensitivity testing. Doing so will provide valuable insight into how to allocate scarce resources, i.e., the most critical assumptions should be given the most attention. When actual experience differs significantly from past assumptions and expectations, institutions should use a range of assumptions to appropriately reflect this uncertainty.
Finally, banks should develop a comprehensive governance system for actively monitoring and regularly updating key underlying assumptions. This system should include oversight by representatives from any major business line that can directly or indirectly influence the bank’s market risk exposure. Deliberations from these meetings and the rationale behind changes to key assumptions should be thoroughly documented in meeting minutes.
C&R operational risk specialists have identified two areas of concern as technology is increasingly integrated into the business of banking: information security and vendor management.
One of the most common operational risk deficiencies cited during examinations over the last 18 months relates to information security. It remains a challenge for all banks, regardless of size, because of the complex interconnectivity between the bank, its customers and its vendors. The proliferation of mobile devices and electronic payment channels has increased the opportunities for hackers to compromise bank systems and steal critical data. Therefore, strong internal controls surrounding access management are essential, including a robust risk assessment process; effective procedures for administering, logging and monitoring critical systems; and independent validation of controls through audits or penetration testing.7
Not surprisingly, the increase in technological banking solutions has led to an increase in outsourcing. The scope of activities outsourced, however, has not been limited to traditional activities such as core processing and now may include interest rate risk modeling, stress testing or loan loss mitigation strategies. Recent examinations indicate that vendor management practices are often not keeping pace with the growing volume and scope of outsourcing activities, particularly in the areas of due diligence and service provider oversight.
Due diligence prior to engagement should fully consider the provider’s ability to meet the institution’s needs. Institutions should consider the provider’s technical and industry expertise, operations and controls, and financial condition. Once a contract has been signed, the institution must implement an oversight program to monitor each service provider’s controls, conditions and performance. The oversight program should be commensurate with the risk of the outsourced relationship and be thoroughly documented for use in future contract negotiations, termination issues and contingency planning.8
Legal and Reputational Risk
Finally, C&R operational risk specialists expressed concern with the proliferation of social networking platforms and their potential effect on banks’ legal and reputational risks. A social networking service is an online service, platform or site that facilitates the building of social relations among people who share common interests, activities or relationships. Use of these services has exploded as companies attempt to reach customers with advertising and to generate business intelligence for future sales or customer service. Social networks pose several risks to banking organizations, including the potential disclosure of nonpublic personal information (NPI), disinformation or derogatory information, and security threats such as viruses or social engineering. Any of these or similar events could result in significant lawsuits or damage to the institution’s reputation. Banks are encouraged to develop sound social connectivity policies that govern the use of social media by employees and to provide adequate training to employees on those policies. The use of social media should also be considered in the institution’s information technology risk assessment.
The current recession has been longer and deeper than any since the Great Depression, and institutions facing severe earnings pressures may be tempted to reduce resources dedicated to risk management. But evidence suggests that strong risk management, not historical financial performance, is the common denominator of successful community banks. Institutions should remain vigilant in order to identify risks that could negatively affect the bank and take appropriate action to measure, monitor and control them.
Jason C. Schemmel is a Community and Regional supervisory examiner with the Federal Reserve Bank of Richmond. He can be reached at email@example.com.
The analyses and conclusions set forth in this publication are those of the authors and do not necessarily indicate concurrence by the Board of Governors, the Federal Reserve Banks, or the members of their staffs. Although we strive to make the information in this publication as accurate as possible, it is made available for educational and informational purposes only. Accordingly, for purposes of determining compliance with any legal requirement, the statements and views expressed in this publication do not constitute an interpretation of any law, rule or regulation by the Board or by the officials or employees of the Federal Reserve System.