Regulatory Compliance

One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected.  These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction.  For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction.  In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.  Detection of Red Flag conditions is literally only half the battle.  In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions.  A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship.  Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies).  A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft. Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.

By: Tom Hannagan In my last post, I addressed the need for banks to advance their management of risk to include the relationship between capital and risk in their internal decisions and actions. While it is difficult for me to make this topic very exciting, it can’t be ignored. It very nearly resulted in bankrupting the global financial system. Beyond profitability, bank executives must measure and monitor their risk-based capital because: 1) equity capital represents the ownership interest in a bank; 2) equity capital is by far the most expensive source of funding; and 3) the risk associated with capital sufficiency and continued solvency is important. As Colonel Jessup might confirm, “Yes, we’re talking about mortal danger”. Many are scrambling to apply for the TARP (Troubled Asset Relief Program) capital infusion – and most are getting approved for these windfall funds. (Today’s investment advice from the experts: don’t buy common shares in any bank that applied and was turned down.) Let’s take a look at the impact of these funds. If we were, for example, a $10 billion total asset bank, with say $800 million in equity capital prior to TARP and had roughly $700 million in risk-weighted assets, we might get approved for $200 million in TARP-related preferred shares at a cost of 5 percent (after tax) for the next five years. If, our make believe $10 billion bank was earning an average pre-2008 economic-and-credit-crisis return on assets of 1 percent, or $100 million per annum, what are the implications of the added $200 million in capital on future earnings? That $100 million in “pre-crisis” earnings represented a return on equity of 12.5 percent on our original capital of $800 million. (Stay with me, now…)   Since we need to pay the Feds (our new shareholders) $10 million in preferred dividends per annum in after-tax money, we need to earn an added $16 million in pre-tax operating income just to break even on the deal. That would mean, in our otherwise static model, that earnings need to move from $100 million to $110 million. More importantly, pre-tax income needs to move from say $150 million to $166 million, assuming about a 33 percent effective tax rate. We’ve got the fresh $200 million to work with, assuming we don’t need part of it to cover credit charge-offs or other asset write-downs. To earn $16 million from that $200 million investment, we would need an 8  percent pre-tax operating income (that’s after expenses, folks). I’m open to suggestions at this point...And you thought banking was easy. You do that the old fashion way -- with leverage. You use the $200 million to get someone (depositors, the Federal Home Loan Bank, a Federal Reserve Bank, or anyone else) to give you more money to invest (at a critically important tax-deductible cost) along with your fresh $200 million in preferred equity. Remember, our bank is already operating with leverage, supporting $7 billion in risk-weighted assets, and $10 billion in total assets, with the pre-existing $800 million in capital. Unfortunately, leverage involves at least liquidity risk, and probably market risk -- on top of whatever direct (credit, market, operational) risks are associated with whatever end investment you choose (…and the Feds hope you choose loans). Obviously, the fastest way to get the added leverage, along with a quick addition to earnings assets, is to go buy another bank (and absorb them more successfully than the two of you ran separately). Thus, a new round of consolidation has begun. Regardless of the method used to grow into the TARP money, any bank that doesn’t take into account the risks associated with these decisions/actions is merely kidding itself. TARP funding will not make any real headway in improving risk-adjusted earnings going forward. There is (and always has been) a direct relationship between actual risk and risk-adjusted return.  It is now more important than ever for bank management to monitor and measure their organization’s activities (loan pricing and profitability, investing, deposit taking, investment management, credit risk modeling, buying other banks...and anything else they do) based on the relative risk of those activities and based on the equity capital realistically required to support those risks. This means using return on equity measurement internally as well as at the entity level. I look forward to your comments.

For those of us that have been following the Red Flag Rules adoption for more than a year now, the recent arrival and passing of the November 1 compliance deadline allows us to pause to assess where we are -- and where we are heading.  One question seems to surface regularly these days: How ready or compliant is the market today? Well, I think it’s safe to say that the market is certainly not 100% home when it comes to compliance readiness.  Experian surveys registrants on our Red Flags online resource site.  As of October 31 -- a.k.a. ‘Compliance Eve’ -- nearly half of the registrants (48%) fell into the category of ‘just starting to review the rules and determine a compliance plan’.  Other industry surveys, interviews, and analyst reports suggest an even lower rate of compliance (closer to only one-third of covered institutions) in the market.  The Federal Trade Commission seemed to sense this market condition, and granted a six-month reprieve from Red Flags compliance enforcement – to May 1, 2009.  While this extension is welcome news for those institutions falling under the FTC’s jurisdictional umbrella, other institutions are arguably out of compliance today, and face pending examinations in the coming months.  So, is the market ready today?  The broad answer is a resounding ‘no.’  Much of the market’s effort has gone into the creation of written Identity Theft Prevention Programs as part of the Red Flag Rule requirements.  How well will these written procedures be received by the examining agencies?  How will these written programs translate into effective and (as importantly) manageable operational processes?  The first wave of examinations will help answer some of these questions and concerns….and ongoing cost analysis (associated with: referral volumes; application acceptance rates; manual or automated processes; and, of course, fraud losses) will help paint a clearer picture in the months to come.