As published in WesternBanker by Karen Cullen, Issue 3 2019

History has taught us that the regulatory landscape is ever-evolving, and strong compliance programs can adjust to changes when necessary. Sustaining a strong compliance program however, can be a challenge. Consider 2018; between the implementation of expanded HMDA data and mixed messages on heightened fair-lending risks, the path to ensuring fair-lending compliance hasn’t been an easy one.

How do strong compliance programs effectively navigate the challenging environment of fair-lending compliance? The answer is simple. Now is the time for institutions to check on the health of their fair-lending program.

Begin by going back to basics and remembering the purpose of fair lending. Fair-lending compliance is about ensuring that an institution is treating all customers equally and that products and their related processes do not create inequality based on the prohibited bases outlined in fair-lending laws and regulations. That fact hasn’t changed, won’t change, and represents the purpose of fair-lending regulation. Strong fair-lending compliance management programs incorporate this purpose and contain the necessary components to mitigate risk, identify possible failures, and enable effective and sustainable corrective action.

Two major components that help achieve this goal are risk assessment and effective performance analysis. These are already instrumental parts of any fair lending program; however, the key ingredient to success is establishing a connection between them. Risk assessment should drive the priority of performance analysis. In turn, that analysis should factor into determining control effectiveness and overall residual risk. Developing that connection requires a solid understanding of both fair lending risk assessment and performance analysis.

Risk Assessment and Performance Analysis Working Together

Effective fair-lending risk assessments not only identify an institution’s level of risk based on key fair-lending factors and indicators, but will also drive the policies and processes to mitigate risk effectively. Equipped with this knowledge, an institution will then be able to develop effective controls and risk-based performance analysis.

Start the process by identifying the applicable key risk factors that apply to the products and services offered. These factors are highlighted within both the Interagency Fair Lending Examination Procedures and the Consumer Financial Protection Bureau (CFPB) Supervision and Examination Manual. These factors form a road map from which institutions can develop risk statements that are applicable to their business models.

Once factors are identified, processes should be reviewed to assess the level of risk and develop effective controls. In performing compliance risk assessments, the CFPB in its Supervision and Examination Manual considers two broad sets of factors: 1) the inherent risks in a particular line of business or the institution as a whole, and 2) the quality of controls implemented by the institution to manage and mitigate those risks. Stated in risk-management terms, inherent risk is the value of risk based on the impact and likelihood of errors occurring in the absence of risk-mitigating processes and controls. When rating inherent risk, consider impacts based on the severity of the event in terms of market share, customer base, regulatory or legal impacts, and the extensiveness of required corrective action. Product design, systems, number of customers, and prior occurrence should influence the likelihood that the error will recur. Once inherent risk is identified and scored, controls can be developed or revised with the appropriate focus and strength.

Residual risk is what remains after considering the developed controls. It is at this stage that the key-risk indicators can be used as a measurement of control effectiveness and can contribute to the overall residual-risk calculation.

These indicators should be considered not only for the development of performance analysis but also for the relationship of that analysis to the overall level of risk. Performance analysis is often completed in a vacuum with no alignment to other fair-lending program elements. If performance analysis indicates a disparity, then the adequacy of controls should be reviewed, and adjustments to both inherent and residual risk ratings should be made. Solid understanding of what the data is representing is essential to successfully considering the results as a key-risk indicator.

Performance analysis is a valuable tool in creating an awareness of how, where, and to whom an institution is lending; however, when done incorrectly, it can create more risk. Performance analysis utilizes statistical models to provide an understanding of when an actual disparity has occurred, thereby affecting fair lending risk. Regression analysis, which allows examination of the influence of one or more independent variables (credit or loan attributes), should be used if a sufficient number of transactions exist and when it is warranted by statistically significant disparities. The regression should be focused on only those disparities. If the regression analysis suggests areas of concern, a comparative file review would be the next step. The comparative file review will help identify why a difference in outcomes occurred for similarly situated applicants. Each time performance is analyzed, the institution should revisit the risk assessment and adjust the assigned risk ratings based on performance analysis results. Each institution must develop its own risk appetite to determine how and when the performance results will affect both inherent and residual risk measurements. Identified issues requiring corrective action should weigh heavily on both the impact and likelihood of a risk until the issue is resolved.

Additional performance analysis should also be completed on exception data. Institutions should create exception percentages that are within their developed risk tolerance. Timely reviews of this data can make it possible for an institution to ensure exceptions remain within risk tolerance and can also help them to understand exception trends and determine when additional review is necessary.

It is important to remember that performance analysis should be occurring in all aspects of the lending process, including origination and servicing activities. By aligning the process to identified risks, an institution can develop a stronger understanding of performance results, which then enables it to create focused reviews and, when necessary, institute effective corrective action.

A Step by Step Approach

A fully aligned fair-lending risk assessment and performance analysis is essential to a strong fair lending compliance program. Start by analyzing the current relationship between the two and follow a step-by-step approach to either establish or build stronger connections.

The process is illustrated below through review of the pricing process. Pricing is part of any well-developed fair lending risk assessment and performance analysis. In this example, the institution is allowing limited pricing discretion.

Step One: Identify the risk – Fair-lending pricing risk arises with the presence of broad discretion in loan pricing. Discretion may include not only the interest rate but fees, points, and APR. Remember, discretion can be present even with the use of rate sheets if any deviation is allowed not only by lender, but by channel, location, and customer service.

Step Two: Review the process – Review any processes involved in the pricing of a product to determine the level of risk. The levels of risk will increase based on the amount of discretion. Process understanding is key. How applications are being processed needs to be understood to adequately identify where the fair-lending risk lies.

Step Three: Establish procedures and monitor exceptions – Once the risk is identified and the relevant process is understood, the development of controls can occur. Clear and documented procedures for the use of, and monitoring of, discretion should be implemented. It is during this step that indicators of pricing risk, such as disparities in pricing that were quoted or charged to prohibited basis characteristic applicants, should be considered to ensure that the connection to performance analysis occurs.

Step Four: Analyze pricing discretion – Based on the level of risk, pricing performance analysis will be completed to detect whether the discretion policy has a disparate effect on prohibited basis applicants. In cases where performance analysis indicates a potential issue, compliance officers can reference the risk that caused the issue and develop corrective action based on the processes and controls aligned to that risk. Corrective actions could include changing the policy to eliminate discretion in pricing, developing better training for those who have discretion, and decreasing the period of time to the next re-test of the indicator in order to determine the results of corrective actions.

The process becomes sustainable by continuing to align the risk, process, and results of performance analysis, and adjusting procedures, controls, and the risk assessment as necessary. The key to success is establishing and maintaining a strong relationship between fair-lending risk and both the planning and the results of performance analysis.

Successful fair-lending program management can be a challenge for even the most seasoned compliance officers and programs. Programs must be able to predict and react to both the internal and external risk landscape.

Sustainable fair lending compliance programs connect performance to all aspects of fair lending risk. Building an understanding of how risk and performance analysis works together will help create the focus needed for an institution to successfully maintain its success and grow.