Pitfalls to Avoid When Developing a Fair Lending Assessment-Part Two

Pitfalls to Avoid When Developing a Risk Assessment for Fair Lending - Part Two

In part one of this series, we made the argument that an individual risk assessment should be performed for the area of Fair Lending. When performing the risk assessment there are several pitfalls that must be avoided.

Policies and Procedures

The review of an institution’s policies and, particularly, its procedures is a basic and critical part of any risk assessment in the area of Fair Lending.

Potential Pitfall: Policies and procedures can be fully in compliance with regulatory requirements and still have the potential for Fair Lending issues. Review of the policies and procedures must consider both compliance with the requirements of regulations and the impact on customers!

First, these documents should be reviewed to determine that all of the required information is up to date and correct. In this review, it is important that regulatory requirements such as “grossing up” income[1] in credit decisions, spousal signature rules and Fair Lending principles are included. This review should also include a review of procedures to ensure that they match policies.

The second phase of the review should be completed to ensure that policies and procedures do not present the possibility of disparate impact. In this review, the goal is to review the policies and procedures to determine the level of discretion allowed and how this discretion can be checked against Fair Lending risk. For example, do the procedures require documentation of delays in processing loans? Do policies and procedures emphasize the need for secondary review?

Credit Policies

Credit policies are an area of particular concern in the Fair Lending assessment. The review of credit policies should also be completed in two phases.

Potential Pitfall: Credit policies should reflect the idea that the bank has made a reasoned decision about how it is meeting the credit needs of its community. Policies that are fully compliant can become outdated quickly. Review of credit policies should consider the changes in the assessment area and should reflect the business decisions of the Board.

Credit formulas and guidelines should be reviewed and validated independently to ensure that the data is valid. Though these validations don’t need to be performed annually, it is a best practice to test the guidelines vis-à-vis adverse action trends at the bank. Guidelines that yield an extremely high number of loan declines may need study and possibly adjustment.

In the second phase of the review, a comparison between the credit policies, the strategic plan of the bank and current economic data should be completed. The purpose of this review is to determine that the bank’s credit policies and procedures match the credit needs of the community. It is imperative that the Bank be able to document the business reasons for the list of products being offered. For example, a decision by a Bank not to offer home equity loans when there is a strong need for such loans in an assessment area may be called into question during a Fair Lending examination. A best practice is to have the economic data to demonstrate that these loans are not economically feasible at the bank, or that some other legitimate business reason exists for not making such loans.

Credit Decision Process

The credit decision process, from the time of application to the ultimate credit decision or withdrawal by the applicant, should be assessed with an eye toward eliminating the ability of a single bank employee to thwart the will of the Board by engaging in illegal behavior.

Potential Pitfall: When reviewing adverse actions and withdrawals for timely notices, it is possible to overlook the warning signs of Fair Lending issues.

The review of adverse actions generally includes a check to make sure that notices are given within the timeframes required by Regulation B. In addition, a good review includes a check to determine that the information given is sufficient for the applicant to understand the issues that caused an adverse decision. However, a best practice is also to review for Fair Lending “warning signs”. For example, an extremely low rate of adverse actions is a strong indicator of pre-screening. A high rate of withdrawals among protected groups is a strong indicator of discouragement.

It is a best practice to review the credit decision process to determine the ability of an individual to make credit decisions without oversight. The more autonomy loan officers have, the more the system for secondary review should be empowered.

Lending Decisions

The traditional Fair Lending analysis focuses on a review of the approvals versus declines at the Bank. A common practice is to review “matched pairs”, which compares the low-rated credit approvals with the highly rated declines (loans that were barely declined).

Potential Pitfall: If this is the heart of the analysis, then the bank is not getting the full story! The analysis must look at the applicant’s total experience to ensure that all are getting the same considerations.

The analysis should consider:

  • Application-to-decision time trends for members of protected classes
  • Comparative analysis: close decisions to approve versus decline
  • Pricing analysis
  • Special considerations
      o Insufficient collateral frequently being given as a reason for decline
      o Large number of declines in a certain product area
  • High number of approvals versus a small number of declines

If all of the above is not part of the analysis that is being performed, then your bank may have potential Fair Lending issues that are going undetected.

Vendor Management

Financial institutions are charged with knowing and managing the results obtained from their vendors. The regulatory agencies have made it clear that, in every area from indirect auto lending to appraisals, they expect financial institutions to monitor the results that they are getting from vendors.

Potential Pitfall: If the review of the vendor ends with a background check, your institution may not be getting the full story. Best practice requires that the Bank pay attention to the results of the vendor’s efforts. There has to be a general check that results are reasonable and consistent.

The assessment must consider whether the results being produced are consistent and reliable. For example, are appraisals being reviewed and compared to complaints? Is it possible that certain appraisers consistently yield lower property values in certain income tracts? Are flood insurance determinations being updated to match changes in the flood map? The bank will be held accountable for the misbehavior of its vendors!

UDAAP Review

The risk assessment should include a review of the potential for UDAAP. This is an area that is growing in scope and influence.

Potential Pitfall: UDAAP is far reaching and can be easily overlooked.

The assessment should consider whether there is consistency between advertising and actual disclosures. The risk assessment must look at the Bank’s products and operations from the point of view of the consumer.

Customer complaints are an area of focus for regulators. Make sure that complaints are getting categorized and reported to the Board. If no complaints have been received, there should at least be a policy and procedures in place to handle them once they do appear.


Many community banks use testimonials as part of their marketing. The relationship with the community is, after all, one of the strengths of being a community bank.

Potential Pitfall: A risk assessment that exclusively covers direct compliance with Reg. Z and Reg. DD may overlook Fair Lending concerns in advertising.

The risk assessment should cover the reasons for the advertising and the markets that you are attempting to reach. Has the bank considered expanding advertising to nontraditional communities? Are there communities within the Bank’s assessment area that are left out of the advertising and marketing?

Strategic Plan

Examiners expect that the Bank has direct knowledge of the credit needs of the assessment area. This should be considered as part of the risk assessment.

Potential Pitfall: Without considering the overall strategy of the Bank, it is difficult to get the full picture of how the bank is addressing Fair Lending within its community.

The strategic plan is most often not considered as part of the Fair Lending assessment. However, in many cases, examiners will start considering an institution’s strategy in offering products to its community as a factor in Fair Lending effectiveness.

A Fair Lending risk assessment is a critical component of effective compliance management.

[1] See Regulation B at 202.6(b)(5).

Strengthening Your Compliance Program - Getting to the Root of the Problem

Getting to the Root of the Problem - An Important Step to Strong Compliance

The compliance examiners are coming! It is time to get everything together to prepare for the onslaught, right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The compliance examination is really an evaluation of your compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program. There are, however, basic components that all compliance management systems need. These components are often called the pillars of the CMP. The pillars are:

  • Policies and procedures
  • Internal controls
  • Management information systems
  • Training

The relative importance of each of these pillars depends on the risk levels at individual financial institutions. The compliance examination is a test of how well the institution has identified these risks and deployed resources. For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at an institution where new products are being offered regularly, the need for training can be critical. The central question is whether or not risks have been properly identified at your institution. Once risks have been identified, have effective steps been taken to mitigate them?

Making the CMP Fit Your Bank

Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts its consumer business. Are risk assessments conducted when a product is going to be added or terminated? Both decisions can create risks. For example, the decision to cease offering HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution. The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions. The CMP has to be flexible enough to absorb changes while remaining effective and strong.

The Test of the CMP

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audit and examinations, as well as quality control checks. When reviewing these findings, what is most important is getting to the root of the problem. Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor, “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review may not quite catch the problem. These are generally not the types of findings that should keep you up at night.

The findings that should cause concern are the ones that result from a lack of knowledge or a lack of information about the requirements of a regulation. These findings are systemic and tend to raise the antennae of auditors and examiners. Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it. Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dike to avoid a flood.

Addressing Findings

We suggest a five-step process to truly address findings and strengthen the CMP:

  1. Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure that the concern being expressed is understood by staff.
  2. Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding of why this finding occurred in order to address it most effectively.
  3. Assign a person responsible, along with an action plan and benchmark due dates. Developing the plan of action and setting dates creates accountability for ensuring that the matter is addressed.
  4. Assign an individual to monitor progress in addressing findings. We also recommend that this person report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.
  5. Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue, the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient and feedback from staff members taking the training. In addition, a quality control check should be performed.

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. For example, it may be easy to see that an institution has a problem with providing right of rescission disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.

Does Your Outsourced Audit Meet Regulatory Standards? Part Two

Does Your Internal Audit Scope Meet Regulatory Standards?

A Two-Part Series - Part Two - Setting the Scope

As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. In particular, regulators have focused on whether or not the scope of internal audits meets regulatory standards and is appropriate in light of the overall risk profile of a financial institution. It is the second of these two considerations that has most recently caused findings and created concerns. It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.

Using Risk Assessments Effectively

The Federal Financial Institutions Examination Council (“FFIEC”) issued a comprehensive policy statement on the audit process in 2003. This statement is still the definitive regulatory guidance on the proper development and maintenance of the internal audit function for financial institutions. The guidance states that risk assessments are a key component of internal audits. A risk assessment is defined as follows:

A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]

At smaller institutions, there generally is not a full-time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:

Past Examination and Audit Results

It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication of a lack of effectiveness of internal controls. It is important that the root cause of findings or recommendations from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.

Changes in Staff and Management

Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit, as it presents a risk.

Changes in Products, Customers or Branches

It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.

Changes in Regulations

Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.

Monitoring Systems in Place

The information systems being employed to monitor the effectiveness of internal controls should be considered. For many institutions, this system consists of word of mouth and the results of audits and examinations. Information used by senior management and reported to the Board should be sufficient to allow credible challenge by the Board.[2]

Using the Risk Assessment to Set Audit Scopes

Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:

An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]

The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.

The criticism that is often raised about outsourced audit is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.

In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.

Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.

[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing.

[2] See, for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations.

[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing.
