Enterprise Risk Management - In the Crosshairs

ERM is at the center of regulatory focus for 2013. As you plan out the year, don't forget the risk management theme that should weave through the entire enterprise. While it might not add to your EPS or revenue growth, it is a necessary element to maintaining the license to operate a bank of any size in the US.

The themes you should consider in mapping your ERM activities for this year and beyond are outlined below:

  1. Shift in attention to risk categories. In the past, major risk categories that received heightened regulatory scrutiny included elements such as credit; liquidity; interest rate; and market risk. Regulatory attention is shifting to another set of risks which they deem warrant more attention this year: operations (which includes a major compliance component); compliance; strategic; and reputation.

    Issues such as BSA/AML, mortgage foreclosures, mis-selling (new term!), vendor risk management, information security and business continuity now need to be addressed via rigorous processes, strong talent, dynamic systems and a strong audit and risk management process to review the procedures in place to mitigate these risks

    This shift in regulatory emphasis will be reflected in examinations and banks should be well prepared to demonstrate their ability to effectively control and mitigate these risks.

  2. Concern about strategic challenges and the business model. The regulators are appropriately concerned about pressures to generate revenue growth at all costs. The stretch for yield is already present in many facets of bank operations and lines of business, ranging from pricing to relaxation of credit standards and consideration of new lines of business that have different profitability and risk tradeoffs.

    The regulators are especially sensitive to the fragility of our economy. The system is more vulnerable to shocks such as fiscal cliff, Eurozone quakes etc. This volatility challenge raises concerns of another recession (Japan and the UK have already experienced this development) which, in turn, could have a major negative impact on the housing market.

    Even if fiscal cliff takes place, the expected drag on economy of $580B from higher taxes and lower government spending will likely reduce employment and create pressure leases and other real estate interests.

  3. Key risk management expectations. The bank's ERM function should provide a framework and guidance to the enterprise to achieve the following important risk management aspects:

    • Talent planning and succession planning of the management of risk and compliance functions.
    • Development of a risk appetite framework which outlines the bank's willingness to take risk across the enterprise and the mitigation factors put in place to ensure that that risk appetite is effectively implemented
    • Give compliance and BSA officer stature within the bank to ensure that they are heard and are empowered to make permanent changes. Develop detailed succession planning and talent management programs for the compliance, BSA and risk management functions of the bank to ensure you have qualified staff in place. Don't do this on the cheap.
    • Establishment of strong audit and risk management programs including dynamic systems that update customer risk ratings based upon current behaviors
    • Protection of the sanctity of the depository institution charter by ensuring that only appropriate activities are undertaken by the bank and the holding company
    • Risks during the crisis emanated from underwriting; growth pressure; leverage; and concentrations (major emphasis on the last item).

  4. New Product Introduction. The pressure on the Net Interest margin is causing banks to explore forays into new (and old) lines of business, ranging from indirect auto lending to Asset-based lending. The regulators will examine more thoroughly these new products and any high growth areas. ERM should ensure that the growth is controlled and that appropriate expertise is recruited to enter a new LOB, including strong risk management infrastructure and vetting.

    As you consider new products ask the following questions through a formal process:

    • Is this a fair product? Does it add value to the customer?
    • Would I put my mother in that product?
    • Will customers consider the product unfair? The new standard for customer complaint validity is whether they think so

  5. BSA/AML. This topic has been at the forefront of regulatory attention for years now, but, thanks to HSBC, is subject to even greater scrutiny. Among the new areas of emphasis are:

    • Staffing the BSA/AML area with experienced people. Don't do this on the cheap. Find qualified people and don't skimp on the headcount.
    • Implement controls before new products are introduced to ensure compliance with consumer regulations.
    • Focus on customer complaints. Define what a complaint is, collect all complaints from all channels (branch, phone, website etc.), respond in a timely fashion and ensure appropriate attention is given to any patterns emerging from complaints.
    • SAR files are the first line of defense. Make sure they are properly filed.
    • The OCC implemented two changes to its BSA supervision:
      • BSA exam results will now be scored as part of the management rating for the CAMEL rating and not as a part of the compliance rating.
      • Early warning on BSA violations will be given even if a single one of the four "pillars" is violated.
    • A highly qualified BSA officer is essential. That executive can't do double-duty as compliance officer.
    • Install strong monitoring systems that keep pace with new products and have thorough customer due diligence (including customer risk classifications and updates). This is an extension of "know your customer". Vendor selection is key here.
    • Offer strong training program for the staff and integrate BSA compliance into bank activities.

  6. CFPB. The Consumer Financial Protection Bureau is relevant to every bank in America, since its rule-making authority impacts all banks, not just the larger ones. This is especially true since it appears that the Bureau's focus has shifted from individual institutions to specific products. Current areas of focus include overdraft and deposit advances; mortgage servicing; and add-on products (especially by third party vendors). Many banks offer add-ons, such as debt cancellation, payment protection, credit monitoring, identity theft etc. This is now an area of high scrutiny. Banks must make sure the customer actually uses the service and that if they attempt to cancel the service they are not hampered in any way .

    Prudent vendor management is a major area of emphasis by the regulators. It is a major effort, and involves detailed monitoring including call monitoring of both the bank's call center and the vendor's calling efforts. Any example of pressuring customers not to cancel or to buy the product will not be tolerated. Areas of sensitivity include:

    • Clear, accurate marketing about product terms, fees, and conditions
    • Ensuring that the customer is actually receiving the service they are being charged for
    • Unencumbered cancellation
    • Service and customer contact by vendor consistent with bank's own policies and expectations
    • Sufficient third party monitoring takes place, including financial strength

    The theme here is that good compliance takes the customer's perspective into account. It is the bank's responsibility to ensure that the customer is treated fairly.

  7. Dodd Frank. It's been over two years since Dodd Frank became law and yet much of it is still unwritten. The Volcker Rule alone received over 14,000 comments. One upcoming clarification is the risk retention rule and its application to residential mortgages. It is anticipated to be completed by CFPB in January.

    I'm told that it will take 26,000 additional FTEs to keep up with the regulations that have been written out so far.

  8. Interest only home equity loans. A bulk of IO home equity loans will start repricing to include principal reductions in 2013-2014. Risk Management should conduct sensitivity analysis to ascertain the borrowers' ability to repay interest and principal as this change occurs and prepare for appropriate loss mitigation activities.

  9. Mortgage servicing. Concerns about mortgages are less related to quality and much more focused on operational risks associated with mortgage servicing, maintenance, loss reserves and foreclosure activities, and the reputation risk incurred by them. In addition, compliance with Service-member Civil Relief Act is a hot topic, especially when foreclosures are concerned. Compliance with the Act is targeted for the next exam cycle.

  10. Cyber-security. The exponential growth of cyber-attacks must receive CRO attention. In addition to establishing a strong communication culture, banks are expected to:

    • Implement strong layered security using current tools
    • Maintain sound online and offline payment authorization requirements
    • Monitor and updates systems as new threats emerge
    • Educate customers but don't rely on customer controls
    • Plan and test for attacks

In summary, Risk Management should be considered in its totality across each bank, and interaction among risks is part and parcel of the expectations for CROs. Tone from the top is important to effectively execute risk management throughout the organization and is considered essential by the regulators.