by Lynn Woosley, CRCM
(Originally published in ABA Risk and Compliance, May/June 2024)
Sources of Concentration Risk
Banking regulators have long recognized concentrations of credit as a source of risk, with banks expected to maintain robust credit risk management practices. Banks are further expected to maintain levels of capital and allowances for credit losses, commensurate with their levels of exposure. As the Comptroller’s Handbook on Concentrations of Credit notes:
Excessive concentrations of credit have been key factors in banking crises and failures. . . A central lesson learned from past financial crises is that concentrations can accumulate within and across products, business lines, geographic areas, countries, and legal entities within a banking company. Products containing the same types of risks under different names and in different units, such as structured products and off-balance-sheet funding structures, can mask some exposures and risks. . . This booklet focuses on concentrations of credit, but effectively managing other types of concentrations is also important. Examples of non-credit concentrations include elevated interest rate risk due to maturity concentrations; liquidity risk due to funding concentrations; or operational risks associated with concentrations of certain lines of business, such as mortgage servicing.[i]
Safety and soundness regulators have also recognized risks in correspondent concentration. Regulation F identifies minimum standards for selecting correspondents and limits credit exposure to an individual correspondent.[ii] The Interagency Guidance on Correspondent Concentration Risk expands on Regulation F by offering “supervisory expectations on sound practices for managing risks associated with funding and credit concentrations arising from correspondent relationships.”[iii] This guidance includes expectations related to correspondent due diligence, as well as requirements to “identify, monitor, and manage correspondent concentration risk on a standalone and organization-wide basis.”[iv]
Credit Concentrations and Compliance Risks
While identifying and managing credit and counterparty concentrations is crucial for financial institutions, the potential impact on compliance often gets overlooked. Despite the focus on the safety and soundness aspects of concentrations, there has been little examination of the effect of concentration on fair lending risks. A concentration of lending activity in a particular credit type can be a source of additional operational and compliance risks, particularly if the portfolio is growing rapidly. If a bank portfolio is large and rapidly growing, it may be difficult for compliance management systems (CMS) to keep pace with loan volume growth. An inadequate CMS hampers the lender’s ability to maintain appropriate levels of controls, monitoring, and testing to prevent or detect compliance failures related to originating loans in the rapidly growing portfolio segment. Regulatory reporting, such as reporting required under the Home Mortgage Disclosure Act (HMDA) or the Community Reinvestment Act (CRA), may call additional attention to these risks.
A Federal Deposit Insurance Corporation (FDIC) consent order with a fintech-focused state bank provides an example of concentration-related compliance risks.[v] To resolve fair lending and other issues in its extensive fintech lending portfolio, the bank entered into a consent order requiring enhancements in its fair lending monitoring and testing, third-party risk management, internal audit, risk assessment, information systems, and credit underwriting practices. The consent order required the bank to obtain an independent assessment of whether the data and documentation received from third-party originators were sufficient to monitor compliance with fair lending laws and regulations. The consent order also required the lender to provide the FDIC with a detailed list of fintech partners and all products offered through each partner and seek prior approval from the FDIC for any new products or partnerships.
For a broader example, consider the mortgage crisis of 2007 to 2010. Rapid growth in home prices, increases in home ownership, and expansion of mortgage credit availability to subprime and near-prime borrowers contributed to significant growth in mortgage volume,[vi] including the widespread use of higher-risk mortgage products, such as no-doc and interest-only loans.[vii] Some lenders lacked sufficient CMS for the mortgage volume when originating loans in the rapid growth period leading up to the mortgage crisis. Inadequate CMS resulted in insufficient assessments of the ability to repay, failures to sufficiently verify income, employment, assets, source of funds for down payments, and occupancy status, miscalculations of debt-to-income ratios, or deficient quality control functions related to mortgage origination, FHA insurance, appraisals, and securitization.[viii] In some cases, these origination practices resulted in significant monetary settlements under the False Claims Act and requirements to enhance training, compliance, and internal audit capabilities.[ix]
Concentrations and Servicing Compliance
The mortgage crisis also provides examples of concentration-related compliance issues in servicing portfolios. After housing prices peaked, the number of troubled borrowers needing assistance increased sharply.[x] In the aftermath, regulators identified compliance concerns in servicing practices. In one year, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Office of Thrift Supervision (OTS) issued numerous formal enforcement actions against mortgage servicers to resolve “significant and pervasive compliance failures and unsafe and unsound practices” in residential mortgage loan servicing and foreclosure processing.[xi]
Concentrations of systems or service providers may also increase compliance risks, as a compliance failure at a large provider or within an important system will have a more significant consumer impact than a similar failure at a provider with a narrower scope. Indeed, some critical service or systems providers have such broad usage across the banking industry that a compliance failure could impact numerous banks and their customers. Banking regulators have recognized this risk. As early as 2017, the Office of the Inspector General of the Federal Reserve recommended enhancements to the supervision of banks and their service providers to improve oversight of multiregional data processing services.[xii]
Managing Compliance Risks of Concentrations
So, how can banks manage fair lending and other compliance risks associated with concentrations?
First, accurately identify areas of concentration within the institution. Optimally, banks will capture risks associated with concentrations of credit, service providers, and third-party originators in their fair lending, compliance, and audit risk assessments. Within areas of concentration, pay extra attention to products and services that are novel or have higher inherent risk. Consider factors like product complexity, geographic distribution, borrower demographics, and historical lending patterns, as well as the strength of controls related to compliance and fair lending risks.
Second, ensure data accuracy and completeness for areas of credit and servicing concentration. Without accurate and complete data, the bank will not have the ability to conduct meaningful compliance and fair lending monitoring and testing. Although banks regularly evaluate the integrity of HMDA data and CRA small loans to businesses and farms, they may have yet to pay similar attention to data integrity for other loan types. Implementing data quality controls as part of a robust data governance framework can help ensure the ability to manage concentration risk meaningfully for both credit and compliance.
Third, ensure adequate coverage of concentrations in compliance and audit work plans. Compliance monitoring and testing must be sufficient to evaluate the risks and controls associated with the areas of concentration. Lenders may need to design targeted monitoring and testing programs specific to the identified risk in each area of concentration. For credit products with sufficient volumes, it is a best practice to include statistical analyses to measure fair lending risks in the work plans. Statistical analyses may include regression analysis of loan underwriting and pricing outcomes. However, it may also consist of regression and non-regression statistical analysis to detect redlining in lending, servicing, and marketing activities, as well as other differences in loan underwriting and servicing outcomes. Remember to benchmark institutional performance to industry performance where peer or aggregate data is available, such as in HMDA-reportable lending and CRA small loans to businesses and farms.
Fourth, ensure the institution has appropriate compliance oversight of third-party relationships, including those creating concentration risks. The 2023 Interagency Guidance on Third-Party Risk Management notes that the use of third parties does not diminish the organization’s responsibility to ensure that operations are conducted in a safe and sound manner and in compliance with all applicable laws and regulations, including “those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.”[xiii] Effective compliance oversight of third parties will require involvement in due diligence, vendor selection, and ongoing oversight. A robust third-party compliance management system will include monitoring and testing, including complaint analysis, information security, privacy, and fair lending, at the portfolio, third party, and product levels. Contingency plans for exiting unsatisfactory third-party relationships should be a part of every vendor risk management system.
Finally, elevate awareness. Board and management reporting is critical to ensure senior leadership understands the potential compliance impacts of concentration risk. Clear reporting lines for escalating issues with potential fair lending and compliance risks are critical where risk layering or concentrations of risk exist.
In summary, concentrations can increase compliance risk as well as credit, counterparty, and funding risks. A robust CMS will include appropriate consideration of concentrations and their impact on compliance, including fair lending and UDAAP risks, in risk assessments, data governance, monitoring and testing, vendor management, and Board and management reporting.
[i] https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/concentrations-of-credit/pub-ch-concentrations.pdf
[ii] https://www.ecfr.gov/current/title-12/chapter-II/subchapter-A/part-206
[iii] Issued as SR 10-10 by the Federal Reserve https://www.federalreserve.gov/boarddocs/srletters/2010/sr1010.pdf, FIL-18-2010 by the FDIC https://www.fdic.gov/news/financial-institution-letters/2010/fil10018.html, and Bulletin 2010-16 by the OCC https://www.occ.gov/news-issuances/bulletins/2010/bulletin-2010-16.html
[iv] https://www.federalreserve.gov/boarddocs/srletters/2010/sr1010.pdf
[v] https://orders.fdic.gov/sfc/servlet.shepherd/document/download/0693d000007xEStAAM?operationContext=S1
[vi] https://www.federalreservehistory.org/essays/subprime-mortgage-crisis
[vii] https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-issues-rule-to-protect-consumers-from-irresponsible-mortgage-lending/
[viii] https://www.justice.gov/opa/file/831121/dl?inline
[ix] https://www.justice.gov/archives/opa/blog/false-claims-act-federal-housing-administration-lending#:~:text=In%20order%20to%20protect%20America’s,lenders%20knew%20were%20not%20eligible.
[x] https://www.federalreservehistory.org/essays/subprime-mortgage-crisis
[xi] https://www.federalreserve.gov/publications/2014-independent-foreclosure-review-executive-summary.htm
[xii] https://oig.federalreserve.gov/reports/board-cybersecurity-supervision-apr2017.pdf
[xiii] https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management#h-26