Friday, June 15, 2012

The Rules of Operational Risk

Recently, I spoke with several clients who had attended mortgage industry conferences. Each one of them pointed out the very same fact: operational risk and regulatory compliance are the most prominent subjects being discussed. Thinking of learning more about new loan products and services, they left these conferences wondering about how they would ever be able to implement all the regulatory requirements being placed on them. As an old friend who runs a mid-tier, mortgage banking company said to me, "I came as a mortgage company and left as a compliance company!"
One of them said, "you know, Jonathan, you're sort of in the 'cat-bird seat' now, since you were among the first to predict that mortgage compliance would oneday dominate how we originate loans." I'm not sure if that was a back-handed compliment, but I appreciate the sentiment, nonetheless. At least LCG tries to lift some of the regulatory burden borne by our clients and free up their time to do what they do best: originate loans.
That said, let's acquaint ourselves with operational risk and how to put some structure into risk management.*
Controlling Credit Risk
Four Basic Rules
Six Even More Basic Rules
Articles and Newsletters
First and foremost, compliance decisions should be made not only on the basis of sound policy and regulatory mandates but also on the basis of how compliance procedures are viewed by regulators. Examiners want to see a financial institution enforcing existing regulatory requirements. However, they also are not antagonists on a witch hunt. They honestly want to product the kind of findings - good or bad - that will help a company to thrive. They do not get a thrill out of putting forth adverse findings.
Building a solid framework begins with cataloging the company's people, processes and technology, and continues on into deriving the means by which a stable policy is designed to formalize the way the company tracks operational risk and identifies those risks within the organization's personnel and departments. Tasking, tracking, and managing risk are central features of governance.
Companies large and small should implement operational risk frameworks that formalize their operational risk management. There really is no excuse, in this day and age - especially with ready access to information and guidance - that any size financial institution cannot position operational risk practices into the loan flow process.

Risk can't be managed if there is no framework through which to manage it.
Reviewing and formalizing an operational risk framework does not need to be a complicated exercise. The size, complexity, and risk profile of the financial institution will dictate the ways and means by which risk is managed.
Controlling Credit Risk
At the start of this year, I published an article about Controlling Credit Risk [PDF]. In the article I pointed out that risk is identifiable and measurable - and it can be controlled. To get a sense of how my firm goes about evaluating credit risk and the concurrent role played by risk management, I outlined two features of managing risk: Quantity of Risk and Quality of Risk Management.
And I concluded with a section, entitled Implementing Risk Management, in which I offered some guidance about how to use credit risk information effectively to fortify a financial institution.
I urge you to download and read it. [PDF] In formalizing a framework to manage operational risk, you need to get some idea of how firms like mine work with clients to ensure appropriate risk management strategies.
Four Basic Rules
(1) Analyze Processes. This requires creating a catalogue of the company's operational processes. This is always the first step. It can be presented like a flow chart or nested folders or in any form that makes sense to management, so long as it makes logistical and experiential sense. In effect, the analysis must reflect the way that the company actually conducts its business.
(2) Identify Risks. Now that processes have been analyzed, each process should be considered on the basis of efficiency, data integrity, and potential risks. This is accomplished through an internal audit, external audit, or designating a competent employee to conduct a generic self-assessment. Whatever the choice, be sure to standardize the evaluation method.
(3) Centralize Policies. Bring together all the company's policies and procedures. Take inventory and determine which policy statements are missing, which ones are outdated, and which ones may be redundant. The requirements of disparate policy statements may conflict with one another, so gather them all together and assess them as a group.
(4) Establish a Master Policy. At this point - having analyzed processes, identified risks, and centralized policies - we are able to draft a master policy. Such an approach is reflective of 'best practices' governance. The master policy sets forth the overarching set of policies and rules that govern the company's management of operational risk. It is the "map" that serves as a guide to the operational risk framework. Be sure that the master policy also provides 'track-back' features and identifies the "owners" of each risk area.
Six Even More Basic Rules
I mentioned above that the master policy is the "map" to the operational risk framework. But, as the philosopher Alfred Korzybski noted, the map is not the territory. Working through the four basic rules takes time and resources. Sometimes we can't even get to the Four Basic Rules, because we have not taken into consideration the Six Even More Basic Rules.
Here follows those six rules, without which an operational risk framework is not really attainable.
(1) Assemble the Management Team. Bring together the company's executive and senior management. Start a conversation about operational risk and how to create a top-down approach toward risk management. Do this at least annually.
(2) Make Lists. Before the management meeting, each member of the management team should draft a list - long or short - of not only the known operational risks but the potential or unexpected risks. Assume that "Black Swans" do happen! Managers should offer insights relating to their own operational area as well as any other areas of the company. An unaccounted for risk, actual or potential, could cause massive financial, strategic, legal, and regulatory damage.
(3) Detail the Risk. Specify the risk in as much detail as possible. State the consequences of risk failure. And, where possible, always provide a solution. If a risk is perceived, seek a way to mitigate or remove it. Don't waste time on solutions seeking a risk; concentrate on risks seeking a solution.
(4) Discuss Risk. In an open and conversational way, discuss the lists. Determine if there are coinciding or divergent perceptions of risk. Identify where there are gaps in knowledge or implementation. And encourage a discussion regarding perceived risk, to be sure that there is some general understanding about the levels of risk tolerance.
(5) Draft a Master List. Now build a consensus amongst the assembled management team. Create priorities to the various lists of risks provided by each participant. Determine the mitigation strategies that are acceptable, given the company's risk profile and risk tolerance.
(6) Work the List. Implement the Master List, which may include the Four Basic Rules outlined above, but may just form sufficient guidelines and directives to establish appropriate means to manage operational risk. Appoint a member of the management team to monitor the Master List and update the list for those risks that have been resolved or mitigated.
Articles and Newsletters
Articles - Newsletters
* Jonathan Foxx is the President & Managing Director of Lenders Compliance Group

Wednesday, June 6, 2012

CFPB: Re-Opening "Ability-to-Repay"

On June 5, 2012, the Consumer Financial Protection Bureau (Bureau) announced that it is "reopening the comment period" for the proposed rule, issued on May 11, 2011 by the Federal Reserve Board (Board), addressing the new ability-to-repay requirements that generally will apply to consumer credit transactions secured by a dwelling and the definition of a "qualified mortgage."
The ability-to-repay requirements were set forth in the May 11, 2011 proposal to amend Regulation Z (the implementing regulation of the Truth in Lending Act (TILA) to implement amendments to TILA made by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).
Since then, pursuant to Dodd-Frank, the Board's rulemaking authority for TILA was transferred to the Bureau as of July 21, 2011. The original comment period to the proposed rule closed on July 22, 2011.
The Bureau is reopening the comment period until July 9, 2012 to seek comment specifically on certain new data and information submitted during or obtained after the close of the original comment period.
I have written extensively about the ability-to-repay. And I would urge you to read some of these articles to become familiar with these important requirements:*
Ability-to-Repay: Regulating or Underwriting? Part I
Ability-to-Repay: Regulating or Underwriting? Part II
Ability-to-Repay: The Basics and a Chart
Ability-to-Repay: The Chart
Ability-to-Repay: Additional Analysis
FRB: Proposes Rule - Ability-to-Repay
New Data
Questions and Comments
Litigation and Liability
Litigants and Complaints
Outcomes from Litigation
Factors or Costs
Sections 1411, 1412, and 1414 of the Dodd-Frank created new TILA section 129C, which, among other things, established new ability-to-pay requirements. If a mortgage is a so-called "qualified mortgage," the compliance with the ability-to-repay rule would offer a presumption of compliance.
The word 'presumption' is a dispositive word in this proposal. Please keep the phrase "presumption of compliance" in mind as you read through this brief outline.
On May 11, 2011, the Board published for notice and comment a proposed ability-to-repay rule, amending Regulation Z to implement new TILA section 129C. The comment period for this initial proposal closed on July 22, 2011.
Then, on July 21, 2011 Dodd-Frank transferred the Board's rulemaking authority for TILA, among other consumer financial protection laws, to the Bureau. Accordingly, all comment letters on the proposed rule were also transferred to the Bureau. According to the Bureau, in response to the proposed rule approximately 1800 comment letters were received from numerous commenters, including members of Congress, lenders, consumer groups, trade associations, mortgage and real estate market participants, and individual consumers.
Even after the comment period closed, various interested parties, including industry and consumer group commenters, submitted to the Bureau oral and written ex parte presentations on the proposed rule.
Through various comment letters, ex parte communications, and the Bureau's own collection of data, the Bureau has received additional information and new data pertaining to the proposed rule.
The Bureau is now interested in providing opportunity for additional public comment on these materials. Thus, it is reopening the comment period until July 9, 2012, in order to request comments specifically on certain additional information or new data, but not other aspects of the proposed rule already submitted previously.
So, what are the new data?
New Data
The Bureau now seeks comment on mortgage loan data that the Bureau has received from the Federal Housing Finance Agency (FHFA). To date, the Bureau has received a sample drawn from the FHFA's Historical Loan Performance (HLP) data along with tabulations from the entire file.
The data include a one percent random sample of all mortgage loans in the HLP data from 1997 through 2011. Tabulations of the HLP data by the FHFA show the number of loans and performance of those loans by year and debt-to-income (DTI) range.
The HLP data consists of all mortgage loans purchased or guaranteed by the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (jointly, the GSEs), but does not include loans backing private-label mortgage-backed securities (MBS) bought by the GSEs.
The data contains loan-level information on characteristics and performance of all single-family mortgages purchased or guaranteed by the GSEs. FHFA updates the HLP data quarterly with information from each GSE.
Among other elements, the data includes product type; payment-to-income and debt-to-income (PTI/DTI) ratios at origination; initial loan-to-value (LTV) ratios based on the purchase price or appraised property value and the first-lien balance; and credit scores.
The Bureau proposes to use these data to tabulate volumes and performance of loans with varying characteristics and to perform other statistical analyses that may assist the Bureau in defining loans with characteristics that make it appropriate to presume that the lender complied with the ability-to-pay requirements or assist the Bureau in assessing the benefits and costs to consumers, including access to credit, and covered persons of, as well as the market share covered by, alternative definitions of a "qualified mortgage."