Monday, April 20, 2009

Should Loan Originators be Risk Rated?


For thirty years, a supervisory risk rating has been used by federal regulators to evaluate the overall condition of the country’s banks. The Uniform Financial Institutions Rating System (UFIRS), adopted by the Federal Financial Institutions Examination Council (FFIEC) on November 13, 1979, set forth the rating system that provided a unique and methodical way to determine bank stability.

Under the UFIRS a bank is assigned ratings based on performance in the following five areas: Capital Adequacy, Asset Quality, Management Capability, Earnings, and Liquidity. Given the acronym CAMEL, this system has been used ever since by federal supervisory agencies to evaluate the safety and soundness of a banking institution. In January 1997, the FRB revised the UFIRS by adding a sixth component for Sensitivity to Market Risk. This CAMELS rating system provides a composite of a bank’s condition and overall performance, and it has been adopted by many countries, including, of course, Hong Kong.

However, no similar rating system has ever been devised or federally mandated for entities that originate residential mortgage loans. If such a system were in place, standardizing all findings, the regulatory and state licensing agencies as well as the public would be assured of the kind of oversight that will serve to strengthen the mortgage industry and consumer confidence.

In 2007, we developed a risk rating system to evaluate the safety and soundness of loan originating entities. Called the CORE Compliance Matrix™, our procedures assess four critical components and five composite ratings that must be considered when evaluating the safety and soundness of an entity originating residential mortgage loans. We evaluate a company’s Compliance Program, Organizational Structure, Regulatory Risks, and Enforcement Strategies. Our methodology uses the acronym CORE. The CORE™ review findings are derived through the risk rating protocols of our CORE Compliance Matrix™.

Let us first take a brief look at the CAMELS rating system and its basic components, followed by the new CORE™ system, which takes its inspiration from the CAMELS concept, though it adapts the latter’s conceptual framework to the mortgage banking industry. 

The Last Straw that Breaks the CAMELS’ Back

The CAMELS composite ratings are generated from the ratings derived from the above-mentioned six components constituting the CAMELS acronym. Each component is rated on a scale of 1 to 5, with high performance associated with ratings of 1 or 2 and incrementally lower performance associated with ratings of 3, 4, or 5. The component ratings, therefore, are the building blocks that produce the composite rating.

A CAMELS composite rating is assigned on a scale of 1 to 5, with 1 representing the highest rating (strongest performance or condition) and 5 representing the lowest (weakest performance or condition). A bank that receives a rating of 1 or 2 is believed to have few significant supervisory issues. However, a bank with a composite rating of 3, 4, or 5 presents incrementally greater regulatory risk.

The following Table provides an overview of CAMELS ratings.

CAMELS Composite Ratings

CAMELS Composite Rating # 1 Bank is safe and sound in every respect.
CAMELS Composite Rating # 2 Bank is fundamentally sound and stable, substantial compliance with laws and regulations.
CAMELS Composite Rating # 3 Bank exhibits some degree of supervisory concern in one or more of the component areas, requires additional supervision (i.e., enforcement actions).
CAMELS Composite Rating # 4 Bank generally exhibits unsafe and unsound practices or conditions, poses a risk to the deposit insurance fund.
CAMELS Composite Rating # 5 Bank exhibits extremely unsafe and unsound practices or conditions, poses a significant risk to the deposit insurance fund. Bank failure is highly probable.

It should be noted that a financial institution’s CAMELS composite rating is confidential, only available generally to senior management and the primary regulator’s supervisory staff. CAMELS composite ratings are never made publicly available, and there has been some controversy over the years about the benefits of releasing these ratings to the public. That particular issue is still unresolved; however, generally speaking, the public can gather a good idea of supervisory concern by watching what actions the primary regulator takes with respect to a bank’s performance. Actions taken are reported by the Board of Governors.

And what are those supervisory actions?

A comprehensive, on-site examination is conducted at least once every 12 months (which can be extended if, among other requirements, the institution’s asset threshold is under a specified amount and it has a CAMELS composite rating of 1 or 2). To get any extension up to 18 months a bank must also have no enforcement actions or change in control. It is common, though, for bank examiners to conduct two or more exams a year, when needed. The results of these examinations determine the consequent supervisory actions.

An institution with a CAMELS composite rating of 1 or 2 generally presents no supervisory concerns, though a rating of 2 could have some violations that require an adjustment to the compliance program or perhaps an additional audit procedure.

Institutions with ratings of 3, 4, or 5 pose increasing levels of supervisory concern and these ratings will often bring about various actions. A rating of 3, for example, might indicate that management may have the ability to effectuate compliance, though violations discovered may be an indication that management has not devoted sufficient time and attention to consumer compliance. A typical action would be to require the institution to designate a compliance officer, or develop and implement a more effective compliance program.

A rating of 4 might indicate that a pattern or practice results in repeated violations, or perhaps management may show a lack of interest in administering an effective compliance program. Typically, supervisory actions will include a comprehensive overhaul of the compliance program, including various enforcement actions. And, finally, a CAMELS composite rating of 5 indicates substantial non-compliance with consumer statutes and regulations and could very well point to a management that is either unwilling or unable to implement the changes needed to attain compliance. Supervisory actions in such instances may include placing the subject bank into receivership or finding another bank to take it over.

The Core™ is the Cure

In developing our CORE™ review, we eliminated certain components that are already monitored by federal and state agencies for compliance. Therefore, we do not review a loan originator’s capital adequacy, asset quality, earnings, liquidity, or sensitivity to market risk. We conduct a separate review to determine the condition and performance of a loan originator’s mortgage loan portfolio, if applicable. The CORE™ concentrates on components that are unique to residential mortgage loan originators. Based on our review, a CORE™ rating is derived that demonstrates the current performance and condition of the loan originating entity.

Like CAMELS components, the CORE™ also has components that are building blocks. These are the above-mentioned four components constituting the CORE™ acronym: the Compliance Program, Organizational Structure, Regulatory Risk, and Enforcement Strategies. And, just as is the case in the CAMELS system, each CORE™ component is rated on a scale of 1 to 5, with high performance associated with ratings of 1 or 2 and incrementally lower performance associated with ratings of 3, 4, or 5. The findings are situated in the CORE Compliance Matrix™ (CCM) and then extrapolated into the CORE Compliance Rating™ (CCR).

The following Table provides an overview of the CORE™ ratings.

CORE Compliance Rating™

CORE Compliance Rating # 1 Strong performance and risk management practices relative to institution's size, complexity, and risk profile. Substantial compliance with laws and regulations. No regulatory concerns. Any weaknesses are minor and can be handled in a routine manner by management. CCM components are rated either 1 or 2.
CORE Compliance Rating # 2 Overall risk management practices are satisfactory relative to institution's size, complexity, and risk profile. No material regulatory concerns. Only moderate weaknesses are present and well within management's capabilities and willingness to correct. No CCM component is given a risk rating more severe than 3.
CORE Compliance Rating # 3 Risk management practices are less than satisfactory relative to institution's size, complexity, and risk profile. Some degree of regulatory concern in one or more areas of the Core Compliance Matrix™. Significant noncompliance with laws and regulations. Failure appears unlikely, but institution exhibits weaknesses that may range from moderate to severe. No CCM component is rated more severely than 4.
CORE Compliance Rating # 4 Risk management practices are generally unacceptable relative to institution's size, complexity, and risk profile. Unsafe and unsound practices or conditions. Matrix deficiencies result in unsatisfactory performance and significant noncompliance with laws and regulations. Failure is a distinct possibility if problems and weaknesses are not satisfactorily resolved.
CORE Compliance Rating # 5 Inadequate risk management practices relative to institution's size, complexity, and risk profile. Extremely unsafe and unsound practices or conditions. Matrix findings indicate critically deficient performance. Volume and severity of problems are beyond management's ability or willingness to correct. Immediate assistance is needed to avoid failure.

Our CORE™ reviews are given exclusively to senior management and those individuals or entities that management so designates. Where needed, we recommend corrective actions and provide all the legal and regulatory compliance guidance necessary to improve the CORE™ rating. In due course, we follow up with visits to evaluate management response and assess the effectiveness of enforcing the appropriate regulatory requirements.

Should Loan Originators be Risk Rated?

Without a standardized methodology to determine the overall compliance of a loan originating entity, there is no independent way for such entities to fully anticipate, control, and coordinate the implementation of regulatory requirements.

Needless to say, waiting for a banking department examiner to point out compliance deficiencies is an example of reactive management, often leading to very strong supervisory actions, such as mandating the disgorging of fees, requiring reimbursements for violations, substantial fines, and even pursuing license suspension or forfeiture. In their role as consumer advocates, banking departments and regulators will do whatever is necessary to promote adherence to all federal and state regulations. Will the loan originating entity also do whatever it takes to pursue these same ends?

Market, strategic, and certainly capital formation risks are elevated, and often adversely impacted, due to belatedly effectuating appropriate compliance initiatives. Legal risk is mitigated by a review program, such as the CORE™ review, which looks at and risk rates all aspects of compliance affecting loan originations.

It is said that preventive medicine is the best medicine. The CORE Compliance Matrix™ is that medicine. It is always better for management to be able to independently evaluate compliance conditions and performance in advance than to find out about deficiencies from a regulator or plaintiff’s counsel.

Yes, loan originators should be risk rated!

The sooner the better: for the preservation of the residential mortgage banking industry and the continuing protection of the public.

Jonathan Foxx, a former Chief Compliance Officer of two publicly traded financial institutions, is the President and Managing Director of Lenders Compliance Group.