By: Tom Hannagan An autonomic movement describes an action or response that occurs without conscious control. This, I fear, may be occurring at many banks right now related to their risk-based pricing and profit picture for several reasons. First, the credit risk profile of existing customers is subject to continuous change over time. This was always true to some extent. But, as we’ve seen in the latest economic recession, there can be a sizeable risk level migration if enough stress is applied. It is most obvious in the case of delinquencies and defaults, but is also occurring with customers that have performing loans. The question is: how well are we keeping up with the behind-the-scenes changes risk ratings/score ranges? The changes in relative risk levels of our clients are affecting our risk-based profit picture — and required capital allocation — without conscious action on our part. Second, the credit risk profile of collateral categories is also subject to change over time. Again, this is not exactly new news. But, as we’ve seen in the latest real estate meltdown and dynamics affecting the valuation of financial instruments, to name two, there can be huge changes in valuation and loss ratios. And, this occurs without making one new loan.  These changes in relative loss-given-default levels are affecting our risk-based expected loss levels, risk-adjusted profit and capital allocation, in a rather autonomic manner. Third, aside from changes in risk profiles of customers and collateral types, the bank’s credit policy may change. The risk management analysis of expected credit losses is continuously (we presume) under examination and refinement by internal credit risk staff. It is certainly getting unprecedented attention by external regulators and auditors. These policy changes need to be reflected in the foundation logic of risk-based pricing and profit models. And that’s just in the world of credit risk. Fourth, there can also be changes in our operating cost structure, including mitigated operational risks, and product volumes that affect the allocation of risk-based non-interest expense to product groups and eventually to clients. Although it isn’t the fault of our clients that our cost structure is changing, for better or worse, we nonetheless expect them to bear the burden of these expenses based on the services we provide to them. Such changes need to be updated in the risk-based profit calculations. Finally, there is the market risk piece of risk management.  It is possible if not likely that our ALCO policies have changed due to lessons from the liquidity crisis of 2008 or the other macro economic events of the last two years. Deposit funds may be more highly valued, for instance. There may also be some rotation in assets from lending. Or, the level of reliance on equity capital may have materially changed. In any event, we are experiencing historically low levels for the price of risk-free (treasury rate curve) funding, which affects the required spread and return on all other securities, including our fully-at-risk equity capital. These changes are occurring apart from customer transactions, but definitely affect the risk-based profit picture of each existing loan or deposit account and, therefore, every customer relationship. If any, let alone all, of the above changes are not reflected in our risk-based performance analysis and reporting, and any pricing of new or renewed services to our customers, then I believe we are involved in autonomic changes in risk-based profitability.

By:Wendy Greenawalt In my last few blogs, I have discussed how optimizing decisions can be leveraged across an organization while considering the impact those decisions have to organizational profits, costs or other business metrics. In this entry, I would like to discuss how this strategy can be used in optimizing decisions at the point of acquisition, while minimizing costs. Determining the right account terms at inception is increasingly important due to recent regulatory legislation such as the Credit Card Act. These regulations have established guidelines specific to consumer age, verification of income, teaser rates and interest rate increases. Complying with these regulations will require changes to existing processes and creation of new toolsets to ensure organizations adhere to the guidelines. These new regulations will not only increase the costs associated with obtaining new customers, but also the long term revenue and value as changes in account terms will have to be carefully considered. The cost of on-boarding and servicing individual accounts continues to escalate, and internal resources remain flat. Due to this, organizations of all sizes are looking for ways to improve efficiency and decisions while minimizing costs. Optimization is an ideal solution to this problem. Optimized strategy trees can be easily implemented into current processes and ensure lending decisions adhere to organizational revenue, growth or cost objectives as well as regulatory requirements.  Optimized strategy trees enable organizations to create executable strategies that provide on-going decisions based upon optimization conducted at a consumer level. Optimized strategy trees outperform manually created trees as they are created utilizing sophisticated mathematical analysis and ensure organizational objectives are adhered to. In addition, an organization can quantify the expected ROI of a given strategy and provide validation in strategies – before implementation. This type of data is not available without the use of a sophisticated optimization software application.  By implementing optimized strategy trees, organizations can minimize the volume of accounts that must be manually reviewed, which results in lower resource costs. In addition, account terms are determined based on organizational priorities leading to increased revenue, retention and profitability.

There seems to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep. One of the biggest challenges in discussing Knowledge Based Authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time. Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience. The two are as different as night and day.  Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA. KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work.  As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk- based authentication… and risk-based authentication is what it is really all about.