Supervisory Insights

Document Sample
Supervisory Insights Powered By Docstoc
					            Supervisory Insights
                            Devoted to Advancing the Practice of Bank Supervision

Vol. 4, Issue 2                                                                     Winter 2007

             Liquidity Analysis:
             Decades of Change

             Managing Commercial
             Real Estate Concentrations

             The Importance of
             Timely and Effective
             Suspicious Activity

             HMDA Data: Identifying
             and Analyzing Outliers

             Authentication in
             Internet Banking

             Community Bank
             Leverage Strategies
Supervisory Insights
Supervisory Insights is published by the
Division of Supervision and Consumer
Protection of the Federal Deposit
Insurance Corporation to promote
sound principles and best practices
for bank supervision.
Sheila C. Bair
Chairman, FDIC
Sandra L. Thompson
Director, Division of Supervision and
Consumer Protection
Journal Executive Board
George French, Deputy Director and
  Executive Editor
Christopher J. Spoth, Senior Deputy
John M. Lane, Deputy Director
Donna J. Gambrell, Deputy Director
William A. Stark, Deputy Director
M. Anthony Lowe, Acting Regional
Doreen R. Eberley, Regional Director
Stan R. Ivie, Regional Director
James D. LaPierre, Regional Director
Sylvia H. Plunkett, Regional Director
Mark S. Schmidt, Regional Director
Journal Staff
Bobbie Jean Norris
Managing Editor
Christy C. Jacobs
Financial Writer
Eloy A. Villafranca
Financial Writer
Supervisory Insights is available
online by visiting the FDIC’s website at To provide comments or
suggestions for future articles, to request
permission to reprint individual articles,
or to request print copies, send an e-mail

The views expressed in Supervisory Insights are
those of the authors and do not necessarily reflect
official positions of the Federal Deposit Insurance
Corporation. In particular, articles should not be
construed as definitive regulatory or supervisory
guidance. Some of the information used in the
preparation of this publication was obtained from
publicly available sources that are considered
reliable. However, the use of this information does
not constitute an endorsement of its accuracy by
theFederal Deposit Insurance Corporation.
 Issue at a Glance
 Volume 4, Issue 2                                                                                                                 Winter 2007

 Letter from the Director......................................................... 2


Liquidity Analysis: Decades of Change                                          4       Authentication in Internet Banking:
Over the past 15 years, there has been a significant shift                             A Lesson in Risk Management         39
from asset-based liquidity management to more complex                                  Federal banking regulators issued guid-
funding strategies that emphasize liability sources and off-                           ance in 2005 instructing financial insti-
balance-sheet funding. Consistent with this migration, meas-                           tutions to actively protect customers’
urements have shifted from more simplistic ratios toward                               online banking access credentials.
more forward-looking measures. This article highlights some                            This article discusses how the guid-
of these changes and discusses the importance of scenario                              ance addresses the risks of Internet
analysis and contingency funding plans.                                                banking and how banks and technol-
                                                                                       ogy service providers have responded
Managing Commercial Real Estate Concentrations                                12       to the guidance.
Rising growth in commercial real estate (CRE) lending and
subsequent concentrations in many banks led to the joint
agency supervisory guidance on managing CRE risk in 2006.
This article discusses the scope of the guidance and elabo-
rates on many of the topics in the guidance. Topics covered                            Regular Features
include market monitoring and analysis, credit underwriting
and administration, portfolio management, credit risk rating
and review, and stress testing. The authors also draw from                             From the Examiner’s Desk . . .
their firsthand observations to share methods banks use to                             Community Bank Leverage
monitor and control CRE concentration risk.
                                                                                       Strategies: Short-term Rewards
                                                                                       and Longer-term Risks                       45
Connecting the Dots . . . The Importance of                                            Community banks are constantly seek-
Timely and Effective Suspicious Activity Reports                              24       ing ways to improve their earnings
There is often a financial connection to crime, and Suspicious                         performance. One strategy community
Activity Reports (SARs) play a critical role in exposing the                           banks use involves leverage transactions
financial links to illicit activities and fighting financial crimes.                   that use wholesale funding to purchase
For the suspicious activity reporting system to be effective,                          investment securities. Using experience
SARs must be complete, accurate, and timely. This article                              from banks in the FDIC’s Dallas Region,
highlights the importance of SARs, provides examples of                                the authors discuss the risks of these
how various agencies use SARs, discusses common defi-                                  transactions and the regulatory risk
ciencies in SAR filings, and provides tips on what makes an                            management expectations both prior to
effective SAR.                                                                         entering into a leverage transaction and
                                                                                       on an ongoing basis when conducting
                                                                                       this business activity.
HMDA Data: Identifying and Analyzing Outliers                                 33
Beginning with the 2004 Home Mortgage Disclosure Act
(HMDA) data, lenders have been required to report data on                              Regulatory and
certain higher-priced home mortgage loans. Effective analysis                          Supervisory Roundup                         53
of these pricing data relies on clear communication and effec-                         This feature provides an overview of
tive information sharing between banks and the FDIC. This                              recently released regulations and
article describes the FDIC’s process of HMDA loan review and                           supervisory guidance.
analysis and offers suggestions to bankers and examiners
gleaned from analyses of two years of HMDA pricing data.

Supervisory Insights                                                                                                          Winter 2007
Letter from the Director

                                 ince the publication of the June        Preventing bank fraud remains a high
                                 2007 issue of Supervisory             priority for both law enforcement and
                                 Insights, it has become increas-      supervisory agencies. One of the primary
                           ingly clear that banks are entering a       means of monitoring potentially illicit
                           more challenging phase of the credit        activities is through Suspicious Activity
                           cycle. Risks that may have seemed           Reports, or SARs. The usefulness of the
                           hypothetical last year have become          information in the SAR is largely depend-
                           more concrete. In this more challenging     ent upon the quality and timeliness of
                           environment, bank supervisors play an       the data itself. “Connecting the Dots….
                           important role in ensuring that banks       The Importance of Timely and Effec-
                           are a source of capital strength and        tive Suspicious Activity Reports”
                           liquidity for the financial system and a    describes the importance of SARs and
                           trusted source of financial services for    explains how banks can make their SARs
                           consumers.                                  more effective.
                             The articles in this issue of Supervi-      Data collected under the Home Mort-
                           sory Insights cover a range of topics of    gage Disclosure Act (HMDA) continue
                           current interest in the bank regulatory     to reveal that certain minorities are
                           arena. As always, the intent is to          more likely to receive high-cost mort-
                           provide concrete information, derived       gages than other racial or ethnic groups.
                           from firsthand experience, that will be     As we begin to analyze the third year
                           useful to bankers, bank examiners, and      of HMDA pricing data, “HMDA Data:
                           practitioners in related disciplines.       Identifying and Analyzing Outliers”
                                                                       shares insights on our analysis process
                             Liquidity has taken center stage in the
                                                                       and lessons learned from our analysis
                           last few months as investors have tried
                                                                       of the 2004 and 2005 pricing data.
                           to limit their exposures to subprime
                           mortgages, certain leveraged loans,           The banking agencies issued guidance
                           and other illiquid or complex assets.       in 2005 aimed at the increasing
                           “Liquidity Analysis: Decades of             instances of identify theft and online
                           Change” describes how banks’ and            banking fraud. “Authentication in
                           examiners’ view of liquidity manage-        Internet Banking: A Lesson in Risk
                           ment has evolved in response to             Management” discusses some of the
                           changes in the financial landscape.         risks inherent in Internet banking, the
                           The article outlines the funding trends     2005 guidance intended to address
                           that have elevated some banks’ liquidity    these risks, and strategies that financial
                           risk profiles and highlights the impor-     institutions and technology service
                           tance of a forward-looking approach to      providers have implemented to
                           liquidity planning.                         strengthen authentication standards for
                                                                       higher-risk online banking activities.
                             Bank supervisors continue to be atten-
                           tive to the risk profiles of institutions    Our feature “From the Examiner’s
                           with significant concentrations in          Desk” uses experience from FDIC-
                           commercial real estate, as evidenced by     supervised institutions in our Dallas
                           the publication of interagency guidance     Region to provide insights related to
                           on this topic in December 2006.             the risks of leverage strategies and
                           “Managing Commercial Real Estate            associated expectations for managing
                           Concentrations” provides additional         those risks. Our other regular feature,
                           context on some of the key risk             “Accounting News,” will return in our
                           management issues and practices that        Summer 2008 issue.
                           the authors have observed at banks
                           both large and small.

    Supervisory Insights                                                                               Winter 2007
  We encourage readers to continue
to provide comments on articles,
to ask follow-up questions, and to
suggest topics for future issues.
All comments, questions, and
suggestions should be sent to

         Sandra L. Thompson
         Division of Supervision and
         Consumer Protection

Supervisory Insights                   Winter 2007
Liquidity Analysis:
Decades of Change
                           FDIC Training Center: 1992                                   availability of abundant liquidity. During
                                                                                        periods of economic downturn, however,

                                  he year is 1992, and the FDIC is
                                                                                        liquidity can quickly be elevated to the
                                  holding one of its first Financial Insti-
                                                                                        most important CAMELS component, as
                                  tution Analysis Schools in the newly
                                                                                        it is critical to the continued solvency of
                           constructed FDIC Seidman Center in
                                                                                        a distressed financial institution. A bank
                           Arlington, Virginia. The instructors have
                                                                                        may have good asset quality, strong earn-
                           covered all other CAMELS component
                                                                                        ings, and adequate capital, but if it is
                           ratings,1 and now a presumably unlucky
                                                                                        unable to maintain sufficient liquidity,
                           instructor must rush through the final
                                                                                        it runs the risk of failure. And the speed
                           topic: liquidity. The instructor opens with
                                                                                        at which liquidity can evaporate makes
                           “Liquidity should really be rated a 1 or a
                                                                                        effective risk analysis particularly rele-
                           5…you either have liquidity or you don’t.”
                                                                                        vant to bank regulators.
                           While this definition perhaps possesses a
                           kernel of truth in the extreme, many of
                           the examiners and other specialists attend-                  Analysis Framework
                           ing this session would come to find this
                           feast-or-famine view of liquidity decidedly                    The level of a bank’s liquidity is analo-
                           unhelpful as they began assessing widely                     gous to the amount of water in a bath-
                           divergent liquidity practices in the field.                  tub. There are multiple faucets that pour
                                                                                        liquidity (cash inflows) into the tub and
                             After his opening statement, the instruc-                  multiple drains where liquidity leaks out
                           tor walked the class through several static                  (cash outflows) of the tub. No bank has
                           balance sheet ratios commonly used by                        enough liquidity if we turn off all faucets
                           bankers and regulators to assess liquidity                   and open all drains for an extended
                           risk—ratios that implicitly assumed loans                    period. In fact, most banks could not
                           were illiquid, securities were liquid, and                   long withstand an extended period when
                           insured deposits were stable. Over the                       the pace of cash outflows rapidly exceeds
                           past 15 years, changes in funding have                       the pace of cash inflows. By contrast, in
                           fundamentally altered these assumptions,                     an increasingly competitive environ-
                           making liquidity analysis and risk assess-                   ment, few banks can be profitable when
                           ment more complex. This article will look                    drowning in liquidity by pursuing a
                           at the most significant liquidity manage-                    liquidity maximization strategy. Liquidity
                           ment advances over the past 15 years,                        management fundamentally involves
                           including forward-looking cash flow                          optimizing the level of liquidity by identi-
                           metrics, more robust scenario analysis,                      fying a variety of faucets to add cash flow
                           and improved contingency funding plan-                       when liquidity gets tight and developing
                           ning. The importance of these tools is                       strategies to reduce the liquidity drains
                           highlighted by recent events, which illus-                   during times of rapid outflow.
                           trate how rapidly liquidity conditions can
                           change.                                                        Bank managers can choose to emphasize
                                                                                        liquidity sources from either the asset or
                                                                                        the liability side of the balance sheet.
                           Regulatory Importance of                                     Fifteen years ago, liquidity at most
                           Liquidity                                                    (nonmoney center) banks was biased
                                                                                        toward asset liquidity, and analysis was
                            During booming economic environ-                            less complex. Most often, large liquid
                           ments it is easy to take for granted the                     investment portfolios provided for
                             There are six regulatory component ratings: capital, asset quality, management, earnings, liquidity, and sensitiv-
                           ity to market risk, collectively known as CAMELS. Each individual component is rated on a scale from 1 to 5, with
                           1 being the best and 5 being the worst rating.

    Supervisory Insights                                                                                                         Winter 2007
contingent liquidity needs and comple-         involve disruptions to the broader capital
mented operating cash flows as primary         markets or the payment system. Events in
sources of liquidity. Over the past decade,    the summer of 2007 highlighted the possi-
liability sources of liquidity have become     bility of a systemic shock wherein an
more centralized and liquidity analysis has    entire class of securities (mortgage-backed
become far more complex. Even the small-       securities containing subprime collateral)
est banks have had to adjust to a decline in   becomes illiquid and an entire class of
core deposits, and most banks have sought      wholesale funding sources (asset-backed
to improve profitability by reducing the       commercial paper) becomes unattractive.
size and liquidity of investment portfolios.   These events have illustrated how complex
Thus, most banks use wholesale funding         and interlinked financial markets have
sources and off-balance-sheet sources of       become: liquidity events affecting one
liquidity regularly.                           sector can be correlated in unexpected
                                               ways to liquidity of other sectors.

Role of Low-Probability Stress                   Events affecting banks’ liquidity are,
Scenarios in Liquidity                         almost by their nature, unexpected. Unex-
                                               pected changes in credit risk, operational
Management                                     disruptions, regulatory or policy changes
  Bank managers must focus on adequate         can all affect the liquidity profile of specific
liquidity during both normal times and         asset classes, individual banks, or the
times of stress. Liquidity managers are        financial system. Market participants expe-
rightly concerned with profitable, effi-       riencing these events tend to view them at
cient operations in normal economic            the time as unprecedented. This percep-
environments. The best managers use            tion is correct in the limited sense that
scenario analysis to balance the inverse       each event is caused by unique circum-
relationship between liquidity and earn-       stances. Nevertheless, a broader view of
ings during good times, but will also          such events over time suggests that unex-
spend time evaluating the impact of            pected and unprecedented events happen
stressful, low-probability liquidity events.   relatively often. This observation suggests
When evaluating liquidity risk and isolat-     a lesson for liquidity risk management:
ing the liquidity component rating,            Expect the unexpected. (See Table 1.)
examiners are primarily concerned with
the risk management information
derived from management’s evaluation           Liquidity Risk Management—
of more extreme liquidity scenarios.           Balance Sheet Trends
  These low-probability scenarios typically
                                               Diversify Liquidity Sources
come in two broad categories: bank-              Against the backdrop of uncertainty
specific and systemic. Bank-specific crisis    around potential liquidity events, bank
scenarios are often the most useful and        managers have restructured their balance
may include scenarios with deteriorating       sheets and sought additional liquidity
asset quality or operational fraud. For        sources. Starting in the 1990s, loan growth
example, as credit quality for a specific      has been outpacing traditional deposit
bank deteriorates, the Federal Home Loan       growth, requiring banks to adjust their
Bank (FHLB) or Federal Reserve Bank            balance sheets to meet borrowers’
might restrict the availability of the fund-   demands. The level of core deposits began
ing that would otherwise be available by       to erode, in part, because bank deposit
imposing larger haircuts, higher rates, or     accounts lost significant ground to higher-
limits on eligible collateral. Most banks      yielding mutual funds and the euphoria of
would benefit from considering the effect      the stock market, particularly during the
of these and other adverse scenarios on        late 1990s. Thus, as shown in Charts 1 and
their operations. Systemic events may          2, financial institutions increasingly have

Supervisory Insights                                                                              Winter 2007
Decades of Change
continued from pg. 5

                           Table 1                                                              past ten years, FHLB borrowings have
                                                                                                increased significantly as legislation2
                           Expect the Unexpectedket crash                                       expanded the role of the FHLB and as
                               1987             U.S. Stock Market Crash                         collateral requirements eased.
                               1990             Collapse of U.S. high-yield                       Brokered deposits have been used since
                                                bond market
                                                                                                the early 1950s and for much of that time
                               1991             Oil price surge                                 have exemplified potential risks associated
                               1992             Britain removes pound from                      with banks’ reliance on volatile funding
                                                the European Exchange                           sources. In 1959, for example, the FHLB
                                                Rate Mechanism
                                                                                                Board limited brokered deposits to five
                               1994             U.S. bond market crash                          percent of total deposits. In 1981, this limit
                               1995             Mexican crisis                                  was repealed, a decision that some
                               1997             Asian crisis                                    observers subsequently viewed as an
                               1998             Russian default, ruble collapse,                important contributor to the savings and
                                                Long-Term Capital Management                    loan crisis of the 1980s. As a result, in
                                                bailout                                         1989, Congress began restricting insured
                               2000             Technology, media, and telecom                  institutions’ access to brokered deposits,
                                                sectors collapse                                and by 1991, only well-capitalized institu-
                               2001             September 11 payment                            tions could accept brokered deposits with-
                                                system disruption                               out restriction.3 Banks’ and thrifts’ overall
                               2002             Argentine crisis                                use of brokered deposits is comparable
                               2002             German banking crisis                           now in dollar volume to their use of FHLB
                               2007             U.S. subprime mortgage turmoil                  advances (compare Tables 2 and 3).
                               Next             ?
                                                                                                  Many interest rate sensitive deposits,
                               Source: Freely adapted from a presentation by Leonard Matz,
                               International Director, BancWare Academy for SunGard BancWare,
                                                                                                such as Internet deposits, may not fall
                               at FFIEC Capital Markets Specialist Conference in June 2007.     within the technical definition of brokered
                                                                                                deposit (see 12 CFR 337.6), but their
                           funded loan growth not only by reducing                              inherent risk characteristics are similar—
                           their level of highly liquid investments, but                        premium rates, no relationship with the
                           also by seeking alternative funding sources.                         bank, and less stable sources of funding.
                           Now, most banks fund a portion of their                              While neither Call nor Thrift Financial
                           balance sheet with wholesale funding such                            Reports gather data on such deposits,
                           as federal funds, FHLB advances, repur-                              there is little doubt that the level of rate-
                           chase agreements, and brokered deposits.                             sensitive deposits held by banks and thrifts
                                                                                                is significantly greater than that shown by
                           Reliance on FHLB Advances and                                        the brokered deposits in Table 3.
                           Brokered Deposits Increases
                                                                                                Liquid Securities Decline
                             Congress established the FHLB system
                           in 1932 to facilitate the extension of                                 Investment securities are often used as
                           mortgage credit to individuals by offer-                             a secondary source of liquidity through
                           ing funding primarily to thrift institu-                             maturing securities, the sale of securities
                           tions that were collateralized by loans                              for cash, or pledging securities as collat-
                           on one- to four-family residential proper-                           eral in a repurchase agreement or other
                           ties. As illustrated in Table 2, over the                            borrowing arrangement. In this manner,

                               Financial Institutions Reform, Recovery and Enforcement Act of 1989 and the Gramm-Leach-Bliley Act of 1999.
                             Institutions that are “adequately capitalized” may apply to the FDIC for a waiver in accordance with FDIC Rules
                           and Regulations, 12 CFR 337—Unsafe and Unsound Banking Practices, section 337.6 Brokered Deposits,
                           ( Capital categories are defined in FDIC Rules and Regula-
                           tions, 12 CFR 325—Capital Maintenance, Subpart B – Prompt Corrective Action (

    Supervisory Insights                                                                                                          Winter 2007
                                  Nondeposit Funding Sources Increase

Chart 1
                                               Insured Institutions’ Funding
                                               as a Percentage of Liabilities
                              0%                       1%     3%


      Deposits (traditional)            Brokered deposits                    FFP & Repos               Trading liabilities
      FHLB advances                     Other borrowings                     Subordinated debt         All other liabilities

Chart 2
                                                Insured Institutions’ Funding
                                                as a Percentage of Liabilities

                                          5%         2%       3%


      Deposits (traditional)            Brokered deposits                    FFP & Repos               Trading liabilities
      FHLB advances                     Other borrowings                     Subordinated debt         All other liabilities

   Note: FPP=Federal Funds Purchased; FHLB=Federal Home Loan Bank Board.
   Source: Call Reports and Thrift Financial Reports.

Table 2
Federal Home Loan Bank Advances Rise
                    Total                         Total Borrowing                 Total Borrowing           Total Advances
                  Membership                     Commercial Banks                      Thrifts
12/31/96            6,146                               2,165                           1,225                  $161 billion
12/31/06            8,125                               4,245                            954                   $641 billion
 Source: Federal Home Loan Banks 1996 and 2006 combined financial reports.

Supervisory Insights                                                                                                           Winter 2007
Decades of Change
continued from pg. 6

                           Table 3                                                             in 2006, the average volume increased to
                                                                                               50 percent. The median percentage in
                               Brokered Deposits Near FHLB                                     2006 also equaled 50 percent, which
                               Advance Levels                                                  means that half of all banks in the United
                               Wholesale Funding Held by Financial                             States have encumbered more than half
                               Institutions (in millions)                                      of their securities portfolio through pledg-
                                                           Brokered                  FHLB      ing, making those securities unavailable
                                                           Deposits                Advances    as a source of liquidity.5
                               12/31/2006                   $523,014                $640,681     Over time, perhaps due to intense
                               12/31/2005                   $481,870                $598,341   pressure from shareholders to enhance
                               12/31/2004                   $422,626                $541,857   earnings, the composition of banks’
                               12/31/2003                   $329,224                $479,736   investment portfolios has shifted in a way
                               12/31/2002                   $284,613                $450,587   that appears to reflect a preference for
                               12/31/2001                   $261,166                $452,527   yield at the expense of liquidity. For
                               Source: Call Reports and Thrift Financial Reports               example, at year-end 1992, U.S. Treasury
                                                                                               securities comprised 27 percent of
                                                                                               insured banks’ investment portfolios; at
                           the securities portfolio serves as a
                                                                                               year-end 2006, treasuries comprised only
                           reserve to help balance potential funding
                                                                                               2 percent of investment portfolios.
                           mismatches and provides a cushion for
                                                                                               During the same period, investment port-
                           unanticipated funding needs.
                                                                                               folios markedly increased their reliance
                             The level of securities portfolios has                            on a variety of mortgage-related securi-
                           declined slightly as a percentage of total                          ties. Some of these nonagency securities
                           assets—from 18.9 percent in 1996 to                                 have recently seen a marked decline in
                           16.7 percent by 2006.4 While the level of                           liquidity.
                           securities has declined only modestly,
                           the liquidity of investment portfolios has
                           declined more materially as banks have                              Liquidity Risk Management—
                           pledged more of their securities and as                             Moving beyond Traditional
                           the composition of securities portfolios                            Liquidity Ratios
                           has changed.
                                                                                                 The best liquidity managers have
                             Often, banks pledge investment securi-                            moved beyond static balance sheet ratios
                           ties as collateral for borrowing arrange-                           in favor of forward-looking metrics,
                           ments, such as secured FHLB borrowings                              including cash flow projections and
                           and repurchase agreements, or to secure                             multiple scenario modeling. These
                           public deposits. Many times, the best or                            managers also have developed contin-
                           most liquid assets are those pledged. In                            gency funding plans that consider the
                           each of the past five years, approximately                          level and severity of various potential
                           88 percent of FDIC-insured institutions                             liquidity events.
                           reported that at least a portion of their
                                                                                                 Quantifying liquidity risk today is not as
                           securities portfolio was pledged. Further-
                                                                                               straightforward as it has been historically
                           more, a larger volume of securities are
                                                                                               owing to the growth of wholesale borrow-
                           being pledged today than ever before,
                                                                                               ings, asset securitization, and Internet
                           primarily due to the expansion of FHLB
                                                                                               banking. In the past, financial institu-
                           advance funding to commercial banks.
                                                                                               tions often relied on the assumption that
                           For example, the volume of pledged secu-
                                                                                               any needed liquidity would come from
                           rities to total securities for FDIC-insured
                                                                                               the liquidation of their investment portfo-
                           institutions averaged 44 percent in 2001;
                                                                                               lios, preferably from short-term, highly
                               FDIC Statistics on Banking. See
                               FDIC Uniform Bank Performance Reports.

    Supervisory Insights                                                                                                        Winter 2007
marketable securities. It was also fairly                liquidity risk of complex instruments,
safe to assume that most liquidity pres-                 assets, liabilities, and off-balance-sheet
sure would come from deposit runoff.                     positions with uncertain cash flows,
Given these assumptions, one could                       market value, or maturities should be
easily measure liquidity from a handful                  subject to documentation and review.
of static balance sheet ratios. Today,                   Assumptions regarding the stability of
however, these assumptions no longer                     retail deposits, brokered deposits, and
hold true, and banks have several more                   secondary market borrowings should also
liquidity management options available                   be subject to scrutiny. Institutions with
to them, which also complicates                          complex liquidity profiles should perform
how banks monitor—and examiners                          sensitivity tests measuring the effects of
evaluate—liquidity.                                      changes to material assumptions.
  Today, monitoring liquidity in many
institutions requires careful considera-                 Contingency Funding Plans
tion of potential adverse scenarios rather                 Unforeseen liquidity events can nega-
than just the quick calculation of a few                 tively affect all institutions, regardless of
ratios. Generally, banks should estimate                 their size and complexity. Such risks
likely future cash flows, stress those cash              could arise from the inability to fund
flow estimates under various scenarios,                  asset growth, difficulty renewing or
and develop detailed plans for coping                    replacing funding as it matures, the exer-
with potential shortfalls.                               cise of options by customers to withdraw
                                                         deposits or use off-balance-sheet commit-
Pro Forma Cash Flows                                     ments, and other events. Both high-
                                                         probability/low-impact events and low-
  Pro forma cash flow statements are
                                                         probability/high-impact events can cause
often a critical tool for managing liquid-
                                                         liquidity pressure—immediate and short-
ity risk. In the normal course of measur-
                                                         term or longer-term, sustained situa-
ing and managing liquidity risk and
                                                         tions—that may escalate over time.
analyzing an institution’s sources and
uses of funds, effective liquidity man-                    Institutions that rely on liability-based
agers project cash flows under various                   liquidity management benefit from
liquidity scenarios. Cash flow projection                having a contingency funding plan
statements may range from simple                         (CFP) that addresses when it is prudent
spreadsheets to very detailed reports,                   to access alternative funding sources.
depending on the complexity and sophis-                  Incorporating a CFP into an overall
tication of the institution and its liquidity            liquidity policy helps management
risk profile. While many banks are effec-                monitor liquidity risk, ensure that an
tively using asset-liability management                  appropriate amount of liquid assets are
(ALM) software to monitor interest rate                  maintained, measure and project fund-
risk, fewer are using ALM software pack-                 ing requirements during various scenar-
ages to measure liquidity, although much                 ios, and manage access to funding
of the data captured in these models                     sources.6 In a crisis situation, manage-
could be useful to liquidity management.                 ment often has limited time to form a
                                                         strategy, so it is important to have a
  Given the critical importance of
                                                         well-developed contingency liquidity
assumptions in constructing measures of
                                                         plan before a crisis occurs.
liquidity risk and cash flow projections,
institutions should ensure that assump-                    A robust CFP should identify relevant
tions used are reasonable and appropri-                  bank-specific and systemic stress events
ate. Assumptions used in assessing the                   for which an institution should prepare.
 From the FDIC’s Risk Management Manual of Examination Policies, Section 6.1—Liquidity. See

Supervisory Insights                                                                                     Winter 2007
Decades of Change
continued from pg. 9

                            Stress events may include changes in                         agreement lines with securities brokers/
                            credit ratings, deterioration in asset qual-                 dealers. These back-up lines may be a
                            ity, Prompt Corrective Action (PCA)                          viable option under normal business
                            downgrade,7 unplanned asset growth,                          conditions; however, many federal fund
                            operating losses, negative media cover-                      credit agreements contain a material
                            age, or other events that may cause                          adverse change clause, which allows the
                            market participants to question an insti-                    correspondent banks to terminate or
                            tution’s ability to meet its obligations.                    reduce the lines at the first sign of trou-
                                                                                         ble. Similarly, securities brokers/dealers
                              A liquidity stress event often progresses
                                                                                         may require the institution to pledge
                            through various stages and levels of
                                                                                         more collateral on repurchase transac-
                            severity. Institutions can use the different
                                                                                         tions if the institution’s financial condi-
                            stages or levels of severity identified to
                                                                                         tion deteriorates or the market value of
                            design early warning indicators, assess
                                                                                         the securities pledged declines. Manage-
                            potential funding needs at various points
                                                                                         ment should understand the ramifica-
                            in a developing crisis, and specify
                                                                                         tions of having federal funds lines and
                            comprehensive action plans. They should
                                                                                         FHLB advances curtailed if the institu-
                            also conduct periodic testing of borrow-
                                                                                         tion’s financial strength deteriorates, and
                            ing lines to assess the timing and logisti-
                                                                                         the bank’s CFP should identify alternative
                            cal concerns involved with borrowing.
                                                                                         sources of funding.

                            Managing Risks of More                                         Banks that use brokered deposits
                            Complex Funding Strategies                                   should monitor their capital levels
                                                                                         closely, be familiar with the regulation
                              An institution’s financial performance                     governing brokered deposits, and under-
                            and its market perception could have                         stand the requirements for requesting a
                            significant implications for the adequacy                    waiver from the FDIC.8 Deposits
                            of its liquidity and cash flow projections,                  attracted over the Internet, through CD
                            especially in institutions that rely signifi-                listing services, or through special adver-
                            cantly on credit-sensitive funds such as                     tising programs offering premium rates
                            FHLB borrowings and federal funds. The                       (to customers without another banking
                            FHLB scrutinizes an institution’s credit                     relationship) also require special moni-
                            risk profile on an ongoing basis. If asset                   toring. In May 2001, the federal bank
                            quality deteriorates, the FHLB may refuse                    regulatory agencies issued a joint agency
                            to renew advances upon maturity, accel-                      advisory statement on brokered and rate-
                            erate repayment of advances due to a                         sensitive deposits, warning institutions
                            covenant breach, raise collateral require-                   that rely on a significant amount of these
                            ments, or reduce funding lines. Addition-                    deposits to have proper risk management
                            ally, many community banks’ cash flow                        practices in place.9 For example, these
                            projections involve the use of back-up                       institutions should have cash flow projec-
                            correspondent bank federal funds lines                       tions that address the risk that these
                            and securities sold under repurchase
                             Capital categories are defined in FDIC Rules and Regulations, 12 CFR 325, Capital Maintenance, Subpart B—
                            Prompt Corrective Action. See
                              Banks that are considered only “adequately capitalized” under the Prompt Corrective Action (PCA) standard
                            must receive a waiver from the FDIC before they can accept, renew, or roll over any brokered deposit. They also
                            are restricted in the rates they may offer on such deposits. Banks falling below the adequately capitalized range
                            may not accept, renew, or roll over any brokered deposit nor solicit deposits with an effective yield more than 75
                            basis points above the prevailing market rate. These restrictions will reduce the availability of funding alterna-
                            tives as a bank’s condition deteriorates.
                              FDIC PR-37-2001, Joint Agency Advisory on Brokered and Rate-Sensitive Deposits, May 11, 2001, at
                            news/news/press/2001/pr3701.html. The federal banking regulators include FDIC, Federal Reserve Board, Office
                            of the Comptroller of the Currency, and Office of Thrift Supervision.

     Supervisory Insights                                                                                                         Winter 2007
deposits may not roll over and provide a                 alternative cash flow sources and strate-
reasonable alternative funding strategy.                 gies to reduce the magnitude of cash flow
                                                         drains during times of stress. The knowl-
  Banks that engage in asset securitization
                                                         edge gained by funding managers contem-
should be aware of the liquidity challenges
                                                         plating different liquidity situations that
associated with this activity. One signifi-
                                                         could arise through scenario analysis and
cant liquidity danger relates to the early
                                                         planning a response to a liquidity situation
amortization clauses in the contracts/
                                                         further demonstrates the benefits of
agreements. Such clauses are typically
                                                         adequate contingency funding plans and
triggered by an indicator of deterioration
                                                         ongoing scenario analyses.
in the performance of the underlying port-
folio of securitized loans/receivables. The                Recently, investor confidence in the
purpose of the early amortization is to                  subprime loan market and commercial
protect investors from prolonged credit                  paper market has dropped. The
exposure in a pool of receivables by accel-              marketability of subprime loans and
erating the repayment of principal of the                mortgage-backed securities containing
securities. Investors may also lose confi-               subprime collateral changed significantly
dence in the stability of the institution’s              in a short period. Spreads widened on
asset-backed securities, limiting the insti-             higher-quality mortgage-backed securi-
tution’s ability to raise new funds through              ties, and institutions that focused on the
securitization. Moreover, banks may be                   subprime (and alt-A) market have seen a
explicitly or implicitly obligated to repur-             decline in market value.
chase loans previously sold. At the same
                                                           Regardless of the outcome of this
time, the institution is continuing to book
                                                         recent market turmoil, we can be certain
new receivables that need to be funded. In
                                                         there will be other unexpected liquidity
2002, the federal banking agencies issued
                                                         events. For this reason, bankers and
an advisory statement on asset securitiza-
                                                         examiners alike need to consider a range
tion that stated, in part, that “any banking
                                                         of stressful liquidity environments to
organization that uses securitization as a
                                                         ensure adequate liquidity tomorrow.
funding source should have a viable
contingency funding plan in the event it
                                                                    Kyle L. Hadley
can no longer access the securitization
                                                                    Senior Capital Markets
                                                                    Washington, DC
New Liquidity Metrics Provide
Foundation for Next Big                                             Drew Boecher
                                                                    Senior Capital Markets
Stress Event                                                        Specialist
  The banking industry has moved from                               Lexington, MA
asset-based liquidity management to a
                                                         Acknowledgments: The authors would
more complex world of liability and
                                                         like to thank Bonn Phillips, case manager
off-balance-sheet funding. Consistent
                                                         in the FDIC’s San Francisco Region, and
with this movement, liquidity measure-
                                                         Darlene Spears-Reed, senior capital
ments have migrated from simplistic
                                                         markets specialist in the Capital Markets
ratios that give an idea of the static level
                                                         Branch of the Washington Office, for their
of liquidity toward forward-looking
                                                         contributions to this article.
measures. These forward-looking
measures should help bankers identify

 FIL 53-2002, Interagency Advisory on the Unsafe and Unsound Use of Covenants Tied to Supervisory Actions in

Securitization Documents, May 23, 2002, at

Supervisory Insights                                                                                           Winter 2007
Managing Commercial Real
Estate Concentrations
                                    ommercial real estate (CRE) loans
                                    comprise a major portion of many                  Background
                                    banks’ loan portfolios. Demand for                  According to History of the Eighties—
                            CRE lending—a traditional core business                   Lessons for the Future, the high number
                            for many community banks—has been                         of bank and savings institution failures
                            very strong in recent years, and a growing                during the 1980s and early 1990s can be
                            number of banks have CRE concentra-                       attributed primarily to overinvestment in
                            tions that are high by historical standards               CRE loans.2 Weak underwriting stan-
                            and rising. Growth in land acquisition,                   dards and portfolio management tech-
                            development, and construction (ADC)                       niques during this time contributed to a
                            lending has been especially pronounced.                   significant oversupply of CRE properties
                            Many de novo banks in areas with signifi-                 that weakened the entire CRE market,
                            cant job and population growth (predomi-                  leaving borrowers unable to repay their
                            nately in East and West Coast states)                     loans and collateral that provided far less
                            have used ADC loans as the primary asset                  support than originally thought. Other
                            class to drive growth and meet pre-                       factors that contributed to the CRE
                            opening projections. The rapid growth in                  losses included:
                            CRE exposures in recent years presents
                            additional challenges for bank manage-                    s   Lack of market information
                            ment as it monitors and controls risks it                 s   Highly leveraged transactions
                            may not have faced in the past.
                                                                                      s   Relatively low borrowing costs and the
                              In response to rapid growth in CRE loan                     easy availability of credit
                            concentrations and observed weaknesses
                            in risk management practices at some                      s   Government policy, including income
                            institutions, the Federal Deposit Insur-                      tax benefits
                            ance Corporation (FDIC), the Board of                     s   Long gestation periods that allowed
                            Governors of the Federal Reserve System                       supply-and-demand dynamics to
                            (FRB), and the Office of the Comptroller                      change before a project’s completion
                            of the Currency (OCC) (collectively,
                            the federal banking agencies) published                   s   Nonrecourse lending and legal struc-
                            Joint Guidance on Concentrations in                           tures that shielded project sponsors
                            Commercial Real Estate Lending, Sound                         from risk
                            Risk Management Practices (CRE guid-                      s   Out-of-area lending, including the
                            ance) in December 2006.1 This article                         purchase of loan participations from
                            provides additional information and                           out-of-area lenders
                            context to some of the topics discussed
                            in the CRE guidance, drawn from the                       s   An unregulated real estate appraisal
                            authors’ firsthand observation of the risk                    industry that often used inflated
                            management practices of both large and                        assumptions and relied on inexperi-
                            small banks. It covers market monitoring                      enced appraisers
                            and analysis, credit underwriting and                      Today, many lenders, directors, and
                            administration, portfolio management,                     senior officers have not experienced a
                            credit risk rating and review, and stress                 CRE downturn in their careers. They
                            testing.                                                  may never have learned the lessons of

                              Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices, Federal Register,
                            Vol. 71, No. 238, December 12, 2006, pp. 74580–74588 (CRE Guidance). Also see FDIC FIL-104-2005 at
                             See FDIC’s History of the Eighties—Lessons for the Future, December 1997, at

     Supervisory Insights                                                                                                     Winter 2007
the 1980s or may view them as distant                     CRE loans. The guidance “focuses on
history that “can’t happen again.” Indus-                 those CRE loans for which the cash
try and regulatory changes that arose                     flow from the real estate is the primary
from the tumult of the 1980s remain                       source of repayment rather than loans to
intact and are intended to prevent a re-                  a borrower for which real estate collateral
occurrence of the ill-conceived practices                 is taken as a secondary source of repay-
of the past. For example, the appraisal                   ment or through abundance of caution.”6
industry is now regulated, and appraisal                  The target of the guidance, then, gener-
quality is far superior to what it was in                 ally would include development and
the 1980s. Banks and thrifts must now                     construction loans for which repayment
follow federal appraisal regulations, and                 is dependent upon the sale of the prop-
regulators require banks to establish an                  erty as well as properties for which repay-
effective real estate appraisal and evalua-               ment is dependent upon rental income.
tion program to ensure independence
                                                            The CRE guidance also identifies insti-
and improve quality.3 4
                                                          tutions that are potentially exposed to
  In addition to the changes regarding                    significant CRE concentration risk as
appraisals, the federal banking agencies,                 those that have experienced rapid growth
along with the Office of Thrift Supervi-                  in CRE lending, have notable exposures
sion (OTS), have established underwrit-                   to a specific type of CRE, or are
ing and risk management requirements.5                    approaching or exceed the following
A pillar of these requirements is loan-to-                supervisory criteria:
value (LTV) limits for different CRE prop-
                                                          s   Total loans reported on the Report
erty types. Adhering to these regulatory
                                                              of Condition for construction, land
LTV limits should make institutions less
                                                              development, and other land repre-
vulnerable to downturns in CRE markets,
                                                              sent 100 percent or more of the insti-
as borrowers will have more tangible
                                                              tution’s total capital; or
equity in the collateral real estate to
cushion against declining values.                         s   Total CRE loans as defined in the
Conversely, institutions that ignore these                    CRE guidance represent 300 percent
LTV limits and have substantial volumes                       or more of the institution’s total capi-
of high LTV loans are more susceptible                        tal, and the outstanding balance of
to the adverse affects of CRE downturns.                      the institution’s CRE loan portfolio
                                                              has increased by 50 percent or more
  CRE loan growth recently prompted
                                                              during the prior 36 months.
regulators to issue guidance to address
concerns about CRE concentrations and                       These criteria are not limits and are
to provide expectations for managing a                    viewed neither negatively nor as a safe
concentrated portfolio. The CRE guid-                     haven. A bank can have significant
ance recognizes that diversification can                  diversification within its CRE portfolio
be achieved within CRE portfolios and                     or have a concentration within a specific
differentiates risk in different types of                 CRE category. If a bank’s portfolio goes
 The federal bank and thrift regulatory agencies have adopted substantially similar appraisal regulations.
See 12 CFR 323 (FDIC); 12 CFR Part 34, subpart C (OCC); 12 CFR 208.18 and 12 CFR 225, subpart G (FRB); and,
12 CFR 564 (OTS).
  FIL-74-94, Interagency Appraisal and Evaluation Guidelines, November 11, 1994,
 See Interagency Guidelines for Real Estate Lending Policies: 12 CFR 365 and appendix A (FDIC); 12 CFR 34,
subpart D and appendix A (OCC); 12 CFR 208, subpart E and appendix C (FRB); and 12 CFR 545 and 563 (OTS). See
also Interagency Guidelines Establishing Standards for Safety and Soundness: 12 CFR 364, appendix A (FDIC); 12
CFR 30, appendix A (OCC); 12 CFR 208, appendix D-1 (FRB); and 12 CFR 570, appendix A (OTS).
    CRE Guidance, p. 74585.

Supervisory Insights                                                                                             Winter 2007
Commercial Real Estate
continued from pg. 13

                            outside of these general guidelines, as        obtain market data for CRE other than
                            many do, the bank will not automatically       single-family residential properties from
                            be criticized, but heightened risk             national providers such as Property &
                            management practices may be needed.            Portfolio Research, Real Estate Invest-
                            Different CRE types may have different         ment Services, and Torto-Wheaton
                            risk characteristics. Risk management          Research. Residential market information
                            practices should be commensurate with          is also available from a number of national
                            the complexity of the bank and its port-       and regional providers. Outside of large
                            folio. The guidance states, “in evaluating     MSAs, vendor data are often unavail-
                            CRE concentrations, the Agencies will          able. In these areas, in-house knowledge
                            consider the institution’s own analysis of     and communication with local builders,
                            its CRE portfolio, including considera-        developers, real estate agents, and civic
                            tion of factors such as:                       leaders may be the primary tools for
                                                                           gathering information on market activity
                            s    Portfolio diversification across prop-
                                                                           and gauging market conditions.
                                 erty types.
                                                                             The level of CRE monitoring required
                            s    Geographic dispersion of CRE loans.
                                                                           can differ among institutions depending
                            s    Underwriting standards.                   on exposure level or perceived risk in a
                                                                           product type or geographic area. Institu-
                            s    Level of pre-sold units or other types
                                                                           tions involved in construction and devel-
                                 of take-out commitments on construc-
                                                                           opment lending have a greater need to
                                 tion loans.
                                                                           monitor CRE markets, as conditions can
                            s    Portfolio liquidity (ability to sell or   change dramatically between the time an
                                 securitize exposures on the secondary     institution makes a loan commitment and
                                 market).”7                                the time a project is completed. Moni-
                                                                           toring speculative single-family housing
                            These factors could mitigate the risk
                                                                           development can be especially challeng-
                            posed by the concentration. Additionally,
                                                                           ing. Institutions must have a clear under-
                            banks that have experienced recent,
                                                                           standing of the demand for housing
                            significant growth in CRE lending will
                                                                           within geographic areas, submarkets, or
                            receive closer regulatory review than
                                                                           specific projects, as well as price points
                            those that have demonstrated a success-
                                                                           within markets or projects. Institutions
                            ful track record of managing the risks
                                                                           should track available inventory and their
                            of CRE concentrations.
                                                                           own levels of exposure at a level of granu-
                             The remainder of this article provides        larity sufficient to allow management to
                            context and additional information for         determine if the institution should curtail
                            some of the topics addressed in the CRE        lending for specific products or in loca-
                            guidance.                                      tions of concern, even if other products or
                                                                           locations continue to perform well. The
                                                                           granularity warranted may be product-by-
                            Market Monitoring and                          product, location-by-location or some
                            Analysis                                       other degree (e.g., price point, specula-
                              A bank’s ability to monitor develop-         tive versus presold), depending upon the
                            ments in its CRE market area is a critical     institution’s markets and product types.
                            element of successful CRE lending. Vari-        Markets may be monitored by staff or
                            ous tools may be available to monitor          management, but ultimately both must
                            CRE markets, depending on the size of          understand what is being monitored and
                            the market. In many larger metropolitan        why. The monitoring function can be
                            statistical areas (MSAs), institutions can     organized in a variety of ways. For exam-
                                CRE Guidance, p. 74587.

     Supervisory Insights                                                                                  Winter 2007
ple, the institution may create a CRE risk                             reference to identify whether the strategy
management function that is responsible                                for a particular market or product type is
for establishing CRE concentration risk                                to grow, maintain, or reduce exposure. In
limits (approved by the institution’s                                  markets where demand is very strong,
board) and overseeing compliance with                                  management may instruct lending staff
those limits. To ensure that risk manage-                              to pursue additional opportunities and
ment and lending are working in concert,                               adjust pricing and other terms to attract
the two functions must communicate. The                                additional business. In areas where
lending staff must pass along market infor-                            management deems risks to be higher,
mation to the risk management function.                                lenders may be instructed to curtail or
Once risk management has compiled the                                  discontinue lending activities altogether.
information, it must deliver its market
                                                                         No matter the form of the market
analysis back to the lending staff. (See
                                                                       analysis, management must convey its
Figure 1.) This mechanism ensures that
                                                                       strategy to lending staff in a timely
both risk management and the lending
                                                                       manner and maintain sufficient over-
staff are in agreement about the market-
                                                                       sight of lending activity to ensure that
place conditions and the lending strategy.
                                                                       the loans being originated are consistent
  Risk management staff should provide                                 with management’s strategy. Reporting
its analysis of market data to senior                                  systems should be sufficiently detailed
management in a manner they can use to                                 to identify situations where the strategy
develop a comprehensive lending and risk                               is not being followed.
mitigation strategy. A common delivery
method is to provide lenders with a “heat
map” that details management’s view of                                 Credit Underwriting
the demand for product types in each                                   Standards and Administration
geographic market and directs lenders’                                  A CRE concentration increases the
degree of aggressiveness for those prod-                               importance of sound lending policies.
ucts. A heat map can serve as a quick                                  An institution’s lending policies should

 Figure 1. Communication must occur between lending and risk management functions.

                                        Credit Risk
         External                                                                                        External
         Market                        Management                                                        Market
                                          Group                                                        Information

                                     Evaluated Data                        Heat Map
                                                      Market Information

                              tion                                                        ar
                          rma                                                                  tI
                      nfo                                                                           or
                   tI                                                                                   ma
                 ke                                                                                       tio
              ar                                                                                             n

             Lenders                             Lenders                                       Lenders

             Lenders                             Lenders                                       Lenders

Supervisory Insights                                                                                                 Winter 2007
Commercial Real Estate
continued from pg. 15

                            communicate the level of risk acceptable       An institution’s lending policies should
                            to its board of directors. The policies       permit only limited exceptions to under-
                            should provide clear and measurable           writing standards. When an institution
                            underwriting standards that enable lend-      permits an exception, it should docu-
                            ing staff to evaluate all relevant credit     ment how the transaction does not
                            and market factors. The CRE guidance          conform to the institution’s policy or
                            provides several internal and external        underwriting standards and why the
                            factors that should be considered when        exception is in the best interest of the
                            establishing policies, such as market         bank. The institution should also ensure
                            position, historical experience, present      that appropriate management approvals
                            and prospective trade area, probable          are obtained. Robust risk management
                            future loan and funding trends, staff         systems can also track the number of
                            capabilities, and technology resources.       exceptions by type and amount to help
                                                                          point out areas of policy that may need
                              Institutions should also consider the
                                                                          permanent amendment or that need to
                            following items with regard to managing
                                                                          be reinforced by the institution’s board
                            construction loans:
                                                                          of directors.
                            s   Independent property inspections—
                                There should be initial site visits and
                                ongoing inspections during the            Portfolio Management
                                construction phase.                         The bank should have a management
                            s   Loan disbursement practices—They          information system (MIS) that provides
                                should be based on engineering or         sufficient information to measure, moni-
                                inspection reports, requirements for      tor, and control CRE concentration risk.
                                lien waivers from subcontractors, etc.    This includes meaningful information on
                                                                          CRE portfolio characteristics relevant to
                            s   Sponsor/developer experience level—       the institution’s lending strategy, under-
                                Institutions should establish standards   writing standards, and risk tolerances.
                                to ensure that the sponsor/developer      Many institutions will want to expand the
                                as well as the underlying contractor      level of information captured to specifi-
                                has a proven track record and suffi-      cally include underwriting characteris-
                                cient experience in the market and in     tics, such as LTVs, debt service coverage
                                the property type being developed to      levels, speculative versus presold units,
                                complete the proposed project.            etc., to allow for more enhanced report-
                            s   Loan agreements, collateral documen-      ing and analysis. Information can be
                                tation, and appraisal practices—Robust    captured on mainframe systems or other
                                loan agreements and collateral docu-      systems—including the use of simple
                                mentation are expected. Plans and         spreadsheets—but should be retained in
                                budgets are also needed to establish      a form that can be readily accessed for
                                disbursement/draw schedules. Loan         analysis purposes.
                                agreements should clearly communi-         MIS reports may include:
                                cate draw schedules, release provi-
                                sions, and repayment requirements.        s   CRE loan segmentations (to deter-
                                                                              mine diversification within a portfolio)
                            s   Debt service coverage analysis—Debt
                                service coverage thresholds as well as    s   Established concentration limits (for
                                presold or preleased standards are            CRE in aggregate as well as by
                                useful tools to control the risks in a        subcategory)
                                CRE transaction.                          s   Concentration reports by property
                            s   Sponsor or guarantor financial analy-         type
                                sis, if applicable.

     Supervisory Insights                                                                                  Winter 2007
    • Presold (considered lowest risk, but                   CRE markets are typically cyclical.
      purchaser deposit amounts should                     Strong markets promote additional build-
      be considered)                                       ing, which can result in oversupply
    • Speculative (no sales contract or                    followed by weakened market fundamen-
      prelease agreement exists)                           tals. Consequently, the real benefit of
    • Portfolio or borrower aging (age of                  implementing systems to identify and
      CRE inventory by portfolio or                        control CRE concentrations lies in limit-
      borrower)                                            ing the level of risk brought on by those
                                                           concentrations when markets begin to
    • Aggregate by market (CRE inven-
                                                           falter. While it may be easy to manage a
      tory broken down by market or
                                                           concentration during the good times,
                                                           managing one once market demand has
    • Aggregate by price range (CRE                        slowed is much more challenging.
      inventory broken down by price
      range)                                                 Good risk management starts with
                                                           setting reasonable concentration limits
s   Borrower concentration reports,                        for different products and markets.
    including guidance line (informal,                     Adjusting those limits when market
    uncommitted) limits                                    fundamentals change is also a prudent
s   Loan underwriting exception reports                    risk management tool. After all, how
    (CRE loans requiring loan policy                       beneficial can market monitoring and
    exception approvals)                                   analysis be if concentration limits and
    • Number and volume of exceptions                      exposures are not adjusted when that
       by nature, justification, and trends                market information indicates a change
                                                           in market conditions? Listed below are
    • Performance of exception loans
                                                           some examples of possible indicators
       compared with loans underwritten
                                                           that particular markets are at or near a
       within guidelines
                                                           peak. The specific numerical examples
s   Supervisory LTV exception reports8                     are not intended to represent triggers we
                                                           believe bankers should use, but merely to
s   Typical loan production and perfor-                    illustrate that management may wish to
    mance reports by type, region, officer,                consider a number of concrete numeri-
    etc.                                                   cal indicators in forming a judgment
  Many banks fail to collect the data                      about the risks in a particular market:
necessary to produce the reports listed                    s   Loan pricing becomes too thin for the
above. They may have separate legacy                           underlying risk (e.g., construction
systems that do not aggregate data effi-                       loan pricing has fallen almost 150
ciently, if at all. In addition, many banks                    basis points in recent years owing to
do not have the resources to search                            competition).
hard copy files and backfill data into
their systems. Management first needs                      s   Underwriting weakens to unreason-
to identify the drivers that will affect                       able levels or to levels banks previ-
segmentation at origination and then                           ously would not have approved (e.g.,
capture those data fields on the system.                       deposits for qualifying presold
These drivers could be LTV, rate type                          condominium units are reduced by
(fixed versus floating), debt coverage                         half to entice enough preconstruc-
ratios, or large tenants that could create                     tion buyers to demonstrate demand
concentrations when aggregated.                                for a project).

  Appendix A to 12 CFR 365—Interagency Guidelines for Real Estate Lending Policies—states that loans exceed-
ing the supervisory LTV guidelines should be recorded in the institution’s records and reported to the board at
least quarterly. See section titled “Loans in Excess of the Supervisory Loan-to-Value Limits.”

Supervisory Insights                                                                                              Winter 2007
Commercial Real Estate
continued from pg. 17

                            s   Inventory and planned production are        and early 1990s, developers walked away
                                excessive relative to market dynamics       from partially finished properties, and
                                (e.g., office space in the pipeline         some lenders were forced to complete
                                exceeds several years’ absorption rate      projects to salvage their investment. In
                                without any significant increase in         many of these instances, costs escalated
                                employment expectations; condo-             dramatically as lenders were forced to
                                minium units in the pipeline exceed         restart projects and remediate shoddy
                                the level of several prior years’ sales).   workmanship, adopt engineering and
                                                                            architectural changes to make the proj-
                            s   Speculators drive prices to unwar-
                                                                            ect viable, pay off subcontractor liens,
                                ranted levels (e.g., home prices
                                                                            and pursue zoning or other legal issues.
                                increase by 30 percent year-over-year
                                for an extended period, while inven-          Another major expense often overlooked
                                tory is expected to grow to unprece-        is the opportunity cost of holding a large
                                dented levels).                             volume of nonearning assets. Lenders
                                                                            often severely underestimate the length of
                            s   The regional or national economy
                                                                            time necessary for the sale of foreclosed
                                shows signs of stress.
                                                                            assets in a distressed market. Additional
                              If CRE lending is a substantial source        costs accrue during the holding period,
                            of revenue, the decision to reduce expo-        including property taxes and the cost of
                            sure levels will likely be met with signifi-    sales, maintenance, and security. Many
                            cant resistance from managers and loan          lenders found during the CRE downturn
                            officers concerned about short-term             of the 1980s and early 1990s that the
                            earnings performance. If CRE lending is         “first loss is the best loss,” meaning that it
                            the primary earnings driver, the institu-       would have been cheaper in the long run
                            tion should be prepared to diversify into       to have disposed of distressed CRE assets
                            other areas of lending or wait for CRE          earlier rather than later.
                            markets to return. The failure to control
                            exposure levels when warning signs are
                            evident can result in excessive loan            Credit Risk Rating and Review
                            losses. The level of losses will generally        Risk rating systems can vary greatly
                            depend on the quality of loan underwrit-        between community and large banks.
                            ing and the breadth and depth of the            One solution does not and should not
                            CRE market downturn.                            fit all banks—the risk rating and review
                              Unfortunately, the importance of CRE          process should be commensurate with
                            portfolio management and appropriate            the bank’s size and complexity. A small,
                            concentration limits becomes most               noncomplex bank may need only a one-
                            apparent only when the bank’s market            dimensional rating system with a small
                            enters a downturn. As loan quality deteri-      number of rating grades, while a large
                            orates, banks must expend significant           or complex organization may require
                            resources, both human and monetary,             a rating system with more grades to
                            for collection and, in some cases, foreclo-     measure risk levels adequately. Larger
                            sure on the underlying collateral. While        banks often use rating systems that
                            the direct costs of these actions are           assign separate ratings for default risk
                            apparent, there are often other costs that      and loss severity. This type of system
                            bear mention. If market conditions dete-        has the added benefit of delineating
                            riorate severely, sponsors or developers        credit risk, which should aid lenders
                            may simply abandon a project, especially        in mitigating those risks.
                            if they have insufficient capital invested       In addition to being used to determine
                            and there is no recourse to the princi-         capital levels, adequacy of the allowance
                            pals. In many instances during the 1980s

     Supervisory Insights                                                                                     Winter 2007
for loan and lease losses, and loan pric-     eliminated if a CRE downturn appears
ing strategy, risk ratings can be used as     to be on the horizon.
a parameter for setting concentration
                                                Independence in the validation process
limits and sublimits. Risk ratings should
                                              is the third leg to any successful rating
be accurate and uniformly applied
                                              system. Individuals outside the lending
across product lines and geographic
                                              process should evaluate and validate the
areas. Banks identified as having CRE
                                              entire process. Banks with limited staffing
concentrations possess an additional
                                              resources can use external audit staff or
level of risk and complexity that should
                                              consulting firms to conduct the validation.
be considered when evaluating the risk
                                              As banks grow, this process is typically
rating and review system. Risk rating
                                              brought in-house. The review and valida-
and review processes should have the
                                              tion personnel will generally be the best
following characteristics:
                                              resource for identifying problems in the
s   Transparency                              rating system. Credit review personnel
                                              should provide the board and senior
s   Granularity
                                              management with periodic feedback
s   Independence                              regarding the effectiveness of the rating
                                              system and any recommended changes for
  Transparency is critical for any risk
                                              improving transparency and granularity.
rating system. Account officers, loan
review personnel, and regulatory exami-
nation staff should be able to review         Portfolio Stress Testing and
rating guidelines and reach the same          Sensitivity Analysis
conclusion on the rating grade assigned
to individual credits. This becomes             Most geographic locations in the United
increasingly important as the bank grows      States have not experienced serious
and more people are involved in the risk      declines in CRE markets for a number
rating process. Specific, objective rating    of years. Much has changed in CRE
criteria rather than broad, subjective        lending since the last downturn. Some
criteria promote consistency in the           analysts suggest that a major sea change
rating process. Transparency is generally     has occurred in the form of greater
evaluated by reading the bank’s rating        transparency and liquidity that acts as
policy guidelines and conducting transac-     a cushion against the deep losses of the
tion testing. The key is to have someone      1980s and 1990s. Banks may tend to
other than the original credit analyst        believe that the losses during that time
attempt to come to the same conclusion        were much more severe than they would
using the tools provided by policy. If        ever again encounter. Yet, while the CRE
agreement with a high percentage of           credit market has been influenced by
assigned credit ratings cannot be             excess liquidity for a number of years,
achieved, the rating guidelines may           recent events in the credit markets for
need further clarification.                   housing and leveraged finance demon-
                                              strate that liquidity can evaporate quickly
  Granularity is also necessary to            if lenders’ and investors’ perceptions of
provide an accurate assessment of port-       the level of risk inherent in those loan
folio risk. At a minimum, the risk rating     products change.
system should rank order risk in the
portfolio and provide enough grades so          In light of the possibility of significant
that the vast majority of loans do not fall   losses in CRE portfolios, banks with
into just one grade. A granular rating        concentrations in CRE can use stress
system that effectively rank orders risk      testing to assess the extent of their
should aid management in identifying          exposure to a downturn in CRE
the exposures that should be reduced or       markets. Stress testing can also inform

Supervisory Insights                                                                         Winter 2007
Commercial Real Estate
continued from pg. 19

                            management of the institution’s specific        writing criteria and lending standards.
                            vulnerabilities to CRE markets and indi-        Along with project assumptions, loan-
                            cate where actions should be taken to           specific variables, such as interest rates
                            mitigate those risks.                           and LTV ratios inferred from capitaliza-
                                                                            tion rates, are commonly analyzed.
                              The CRE guidance includes a general
                            expectation that an institution with CRE          While loan-level sensitivity analysis is
                            concentrations will conduct portfolio stress    a valuable tool for all banks originating
                            testing consistent with the size, complex-      CRE loans, this type of analysis could
                            ity, and risk characteristics of its CRE loan   be performed on a portfolio-wide basis.
                            portfolio. However, the guidance does not       Such an analysis would measure the
                            provide specific minimum expectations.          depth and breadth of the portfolio’s
                            Following are examples of the types of          vulnerability to changes in real estate
                            stress tests commonly used in banks.            markets and interest rates. These analy-
                                                                            ses can be conducted on a scheduled
                            Transactional Sensitivity Analysis              basis or when market fundamentals
                                                                            dictate. Systematically aggregating the
                              Most institutions that specialize in CRE      results of individual transactional stress
                            lending, and especially ADC lending,            tests could involve:
                            are accustomed to running analyses to
                            determine loan and project exposure as          s   Determining market fundamentals for
                            part of the underwriting process. Before            each product type and geographic
                            making a commitment for financing,                  market where the bank has funds
                            an institution will analyze sponsor and             committed. (For practical purposes,
                            lender assumptions to determine the                 it may be necessary to establish a
                            degree to which a project can withstand             materiality threshold.)
                            market fluctuations and still repay the         s   Developing sensitivity analysis fore-
                            loan. Analysis covers testing the                   casts, such as increased vacancy rates
                            common assumptions and combinations                 in the market by product type, slower
                            of assumptions shown in Table 1.                    absorption rates, reduced sales prices,
                                                                                higher capitalization rates, or higher
                            Table 1
                                                                                interest rates.
                             Assumptions to be tested for                   s   Testing each credit in the portfolio,
                             CRE lending                                        considering the current status of each
                             Properties       Properties     Loan               project against the impact of the sensi-
                              for Sale        for Lease    Variables            tivity analysis forecasts.
                             Absorption       Absorption Interest rates
                                rates            rates                      s   Aggregating the impact of each tested
                            Sales prices      Rent rates   LTV ratios           credit to determine the vulnerability
                            Contingency     Vacancy rates Amortization
                                                                                within the portfolio.
                              reserves                        term            For income-producing properties with
                                             Rollover risk                  long-term, fixed-rate loans and long-term
                                             Reserves for                   tenants, the analysis may reveal little or
                                           maintenance and                  no additional exposure unless capitaliza-
                                            improvements                    tion rates are expected to increase on
                                                                            the specific property type. However, the
                                                                            analysis of loans granted for speculative
                              Given that some of the assumptions            lot development projects with slower
                            interact with other assumptions, a range        absorption rates could reveal substantial
                            of outcomes may be used to determine if         additional exposure, suggesting that the
                            the loan meets the institution’s under-         bank should consider limiting its expo-

     Supervisory Insights                                                                                    Winter 2007
sure in certain geographic markets or                                 granularity. For example, the ADC
product types.                                                        loss history on the reference port-
                                                                      folio is for a geographically diverse
Stressed Loss Rates                                                   group of loans, but the current
                                                                      portfolio is largely concentrated
  Stressed loss rate testing entails deter-                           in one location. In this case, an
mining loss rates at levels that could be                             upward adjustment in loss rates
expected during CRE market downturns                                  would seem necessary to address
and forecasting the ultimate effect of                                the additional concentration risk.
these losses on capital. The stressed loss
rates would be developed through an                            s   Calculate the losses that would be
analysis akin to the following:                                    expected in a market downturn by
                                                                   applying the adjusted historical loss
s     Obtain historical loss rates on CRE
                                                                   rates to the current portfolio.
      loans (the “reference portfolio”) at
      the most granular level available.                         If the bank has not previously experi-
      (Available data will often be fairly                     enced significant CRE downturns, using
      general in nature—losses on hotels,                      external data may be more appropriate
      retail buildings, office buildings, etc.—                than using internal data. The FDIC has
      rather than for more specific product                    historical CRE data that could be used
      types—suburban hotels versus down-                       to construct loss rates, although the
      town hotels, multitenant office build-                   FDIC data lacks much granularity.9
      ings versus owner-occupied office
                                                                 Like an aggregate transactional sensitiv-
      buildings, etc.) In banks with more
                                                               ity analysis, stressed loss rate testing can
      limited CRE lending experience, the
                                                               provide useful input to a bank’s capital,
      data may be at higher levels, such as
                                                               earnings, and liquidity planning. While
      all types of ADC loans or even all
                                                               not providing specific information for
      CRE loans. Generally, the longer a
                                                               managing CRE concentrations, it should
      bank has been a CRE lender, the
                                                               inform management of the possible level
      more granular the loss data.
                                                               of the bank’s exposure if a CRE down-
s     Identify loss rates that occurred as a                   turn were to occur. The usefulness of this
      result of previous market downturns,                     type of test relies heavily on the reference
      generally the highest loss rates experi-                 portfolio selected to conduct the test. In
      enced in the reference portfolio. Loss                   institutions with limited or only recent
      rates may lag the downturn by a                          experience in CRE lending, the historical
      number of months or years.                               perspective required to conduct this sort
                                                               of stress analysis would be based on
s     Identify the similarities or differences
                                                               external data that may or may not be
      between the bank’s current portfolio
                                                               applicable. In these institutions, the type
      and the historical reference portfolio,
                                                               and level of adjustments to historical loan
      and adjust the loss rates appropriately.
                                                               loss rates are critical elements to develop-
      • In general, the loss rates from the
                                                               ing a useful outcome.
         reference portfolio will be a good
         starting point. The historical loss
         rates are applied at the same gran-                   Scenario Analysis
         ular level as the reference portfolio.                  Thus far, the examples cited have not
      • Adjustments to the historical loss                     necessarily been related to a particular,
         rates may be necessary to account                     perhaps local, event. For risk management
         for differences in the current port-                  purposes, a bank may develop stress
         folio. This is especially true if the                 scenarios customized to its circumstances
         data for the reference portfolio lack                 to make assumptions about how its CRE
    See Statistics on Depository Institutions at

Supervisory Insights                                                                                          Winter 2007
Commercial Real Estate
continued from pg. 19

                            portfolio would react. For example, a                  cated internal data is to stress ratings
                            community bank might assume layoffs at                 migrations. This process requires a
                            a major employer and measure the antic-                review of prior years’ migrations to deter-
                            ipated results on new housing demand                   mine the typical migration experience.
                            and other CRE property performance.                    Each year a percentage of credits (oblig-
                            The trickle-down effect of the layoffs could           ors in cases of banks with two-dimen-
                            spread across CRE property types if local              sional rating systems) improves, remains
                            businesses’ revenues slowed and tenants                the same, or declines. If sufficient data
                            were unable to make their lease payments.              exist to capture a CRE downturn, the
                                                                                   bank could select the year with the high-
                              The results of the scenario might affect
                                                                                   est percentage of downgrades as the
                            the bank’s other credit portfolios and
                                                                                   stress year. Alternatively, the bank could
                            lines of business, in addition to CRE
                                                                                   develop a relationship between economic
                            loans. Although most banks do not
                                                                                   variables and ratings migrations. If these
                            perform bankwide scenario stress test-
                                                                                   data are not available, a bank might
                            ing, the process of developing such
                                                                                   choose to apply conservative estimates
                            stress tests may be useful for planning
                                                                                   of migrations to establish a stress year.
                            purposes and to identify potential vulner-
                            abilities. (See, for example, the discus-                The bank would use the results of
                            sion of planning for contingencies in                  the stress year migration to move the
                            “Liquidity Analysis: Decades of Change”                appropriate volume of exposures in
                            in this issue of Supervisory Insights.)                each current rating grade to the grades
                                                                                   reflected in the stress year ratings matrix.
                            Ratings Migration Analysis                             The new volumes in each grade would
                                                                                   then be processed through the bank’s
                             Another technique used by some banks                  allowance for loan and lease loss model
                            with larger portfolios and more sophisti-              to determine what provisions might be
                                                                                   needed to value the CRE portfolio and the
                            Table 2
                            Effects of a market downturn           Total               Total Borrowing      Total Borrowing
                            Average Annual Migration Rate
                                           1         2          3            4          5         6          7         8
                                1        92.08      7.09      0.63         0.15       0.06      0.00       0.00      0.00
                                2         0.62     90.83      7.76         0.59       0.06      0.10       0.02      0.01
                                3         0.05      2.09      91.37        5.79       0.44      0.16       0.04      0.05
                                4         0.03      0.21      4.10         89.38      4.82      0.86       0.24      0.37
                                5         0.03      0.08      0.40         5.53       83.25     8.15       1.11      1.45
                                6         0.00      0.08      0.27         0.34       5.39      82.41     4.92      6.59
                                7         0.10      0.00      0.29         0.58       1.55      10.54     52.80     34.14

                            Stress Scenario—Annual Migration Rate is Double the Average Rate
                                             1      2         3          4         5        6                7         8
                                 1         84.14  14.18      1.26      0.30      0.12     0.00             0.00      0.00
                                 2         0.31   82.61     15.52      1.18      0.12     0.20             0.04      0.02
                                 3         0.03    1.05     85.97     11.58      0.88     0.32             0.08      0.10
                                 4         0.02    0.11      2.05     85.25      9.64     1.72             0.48      0.74
                                 5         0.02    0.04      0.20      2.77     75.76     16.30           2.22      2.90
                                 6         0.00    0.04      0.14      0.17      2.70     73.94           9.84      13.18
                                 7         0.05    0.00      0.15      0.29      0.78     5.27            25.19     68.2

     Supervisory Insights                                                                                           Winter 2007
effect of these provisions on earnings and           taken. The CRE guidance provides a
capital. When compared to the current                good framework to assist banks in
ratings, the effect of a market downturn             addressing the concentration risk and
could be measured (see Table 2).                     also helps establish the federal banking
                                                     agencies’ expectations during subse-
                                                     quent risk management examinations.
                                                       Regulators and bank management must
  History has clearly demonstrated that              not become complacent or static in their
CRE can experience cyclical changes in               approach to risk management; they must
which supply and demand get out of                   continually evolve and change as the envi-
balance, resulting in significant losses for         ronment changes and new risks appear.
financial institutions. To reduce potential          With the risk management tools listed in
losses in the future, banks must have                the CRE guidance and further supported
strong board and management oversight                by other regulatory guidance, there is
as well as robust risk management                    no reason CRE loans cannot continue
processes for their CRE loan portfolios              to be a favored asset class for banks.
to recognize and control risk through
all phases of the economic cycle. Bank                         Steven G. Johnson
management should also be willing to                           Senior Examination Specialist
forego potential CRE income when the                           Atlanta, GA
risk exceeds the reward.
  A well-diversified bank is, in general,                      Mark D. Sheely
better insulated against market down-                          Examination Specialist
turns. However, investing in assets that                       Columbia, MO
management does not understand
can also carry significant risks. When                         Tracy E. Fitzgerald
prudent diversification across a variety                       Examination Specialist
of asset classes is difficult to achieve,                      Tulsa, OK
it becomes even more important for
management to deploy tools and imple-                          Charles M. Foster
ment strategies similar to those outlined                      Supervisory Examiner
here to recognize and control the risk                         Tulsa, OK

                       CRE Regulations and Guidance Applicable to FDIC-Supervised Institutions
    To assist and encourage banks to recognize and control CRE lending risks, bank regulators have developed a significant body of regula-
  tory guidance for CRE transactions. Much of this guidance is based on lessons learned in downturns of the past, especially the banking
  crisis of the late 1980s and the early 1990s.

  • FIL-104-2005, Joint Guidance on Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices

  • 12 CFR 365, Real Estate Lending Standards and Interagency Guidelines for Real Estate Lending Policies

  • 12 CFR 323, Appraisals (

  • Interagency Appraisal and Evaluation Guidelines (

  • FIL-90-2005, Residential Tract Development Lending (
  • FIL-94-1999, Interagency Guidance on High Loan-to-Value Residential Real Estate Lending

Supervisory Insights                                                                                                           Winter 2007
Connecting the Dots . . .
The Importance of Timely and Effective Suspicious
Activity Reports

                                    o you ever wonder what happens                        Examiners play a significant role in
                                    to all the Suspicious Activity                      ensuring SAR data integrity, and Bank
                                    Reports (SARs) financial institu-                   Secrecy Act/Anti-Money Laundering
                            tions file? Do you think that SARs just                     (BSA/AML) examinations nationwide
                            disappear into a black hole and are never                   continue to reveal common issues with
                            reviewed? While these are common                            SAR filings. This article will highlight the
                            notions voiced throughout the banking                       importance of SARs, provide examples of
                            industry, they cannot be further from                       how various agencies use them, discuss
                            the truth. The significance of the SAR                      common SAR filing issues and their
                            process in the fight against terrorism,                     potential negative impact on SAR utility,
                            drug trafficking, money laundering, bank                    and offer tips and guidance on what
                            fraud, and other financial crimes cannot                    makes an effective SAR. By better under-
                            be overstated.                                              standing how SARs are used and focusing
                                                                                        on SAR quality, examiners and bankers
                              History clearly shows that there is
                                                                                        can help to improve the reliability and
                            often a financial connection to crime.
                                                                                        integrity of the information and thereby
                            Connecting the dots between criminal
                                                                                        help ensure that SAR users have this crit-
                            activity and the financial transactions
                                                                                        ical information to fight financial crimes.
                            that facilitate such activity is invaluable,
                            not only in identifying, investigating, and
                            ultimately prosecuting criminals, but also                  SAR Filings Exceed 1 Million
                            in preventing and deterring crime. SARs                     in 2006
                            play a critical role in exposing the finan-
                            cial links to illicit activities, on both a                   Since the late 1980s, depository insti-
                            case-by-case and industrywide basis.                        tutions have been required to report
                            The U.S. Department of the Treasury’s                       known or suspected criminal violations
                            Financial Crimes Enforcement Network                        to FinCEN. In April 1996, the SAR
                            (FinCEN), bank supervisory agencies,                        replaced the Criminal Referral Form as
                            and law enforcement depend on SARs to                       the standard form to report suspicious
                            identify, investigate, and analyze criminal                 activity.1 At that point, depository institu-
                            activity. Overall, the banking industry                     tions (i.e., insured banks, credit unions,
                            has been diligent in detecting and report-                  and thrifts) were the primary filers of
                            ing suspicious activity; however, merely                    SARs. However, following the terrorist
                            filing a SAR may not be enough. The                         events of September 11, 2001, the USA
                            agencies depend on complete, accurate,                      PATRIOT Act2 expanded SAR require-
                            and timely reports to use SAR informa-                      ments to other types of financial institu-
                            tion effectively and efficiently.                           tions, including certain money services
                                                                                        businesses (MSBs),3 casinos and card

                                SAR forms are available at
                              The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
                            Terrorism Act of 2001 (USA PATRIOT Act) is arguably the single most significant AML law Congress has enacted
                            since the BSA itself. Among other things, Title III of the USA PATRIOT Act (International Money Laundering
                            Abatement and Anti-Terrorist Financing Act of 2001) criminalized the financing of terrorism and augmented the
                            existing BSA framework by strengthening customer identification procedures; prohibiting financial institutions
                            from engaging in business with foreign shell banks; requiring financial institutions to have due diligence proce-
                            dures and, in some cases, enhanced due diligence procedures for foreign correspondent and private banking
                            accounts; and improving information sharing between financial institutions and the U.S. government. See

     Supervisory Insights                                                                                                        Winter 2007
Chart 1: SAR Filings Skyrocket







                1996     1997     1998     1999     2000     2001        2002   2003     2004   2005     2006

                                 Depository Institutions        Other Financial Institutions

    Source: The SAR Activity Review-—By the Numbers Issue 8, June 2007

clubs, and certain segments of the secu-
rities and futures industries. As a result,                  SARs Serve Many Purposes
the number of SARs filed annually has                          With limited exceptions, SARs are used
increased dramatically. As shown in                          to report all types of suspicious activity
Chart 1, all financial institutions subject                  affecting depository institutions, includ-
to SAR requirements filed more than                          ing but not limited to cash transaction
1 million SARs in 2006—five times more                       structuring,4 money laundering, check
than were filed in 2001. While other                         fraud and kiting, computer intrusion,
financial institutions have contributed                      wire transfer fraud, mortgage and
significantly to the escalation in SAR                       consumer loan fraud, embezzlement,
filings, depository institutions continue                    misuse of position or self-dealing, iden-
to file the majority of SARs—more than                       tity theft, and terrorist financing. All
565,000 reports, or approximately 53                         SARs filed are centralized in a secure
percent of the reports filed in 2006.                        database that can be accessed by author-
As the number of SARs filed annually                         ized users, including representatives
continues to rise, ensuring that deposi-                     from FinCEN, bank supervisory agen-
tory institutions file quality SARs in a                     cies, and law enforcement. These agen-
timely manner becomes increasingly                           cies rely on SARs for a number of
important. (See text box, “SAR Report-                       different purposes; yet, whether FinCEN
ing Requirements” on page 31.)                               is analyzing the entire SAR database to

 Generally, MSBs include the U.S. Postal Service and five distinct types of financial services providers: (1)
currency dealers or exchangers; (2) check cashers; (3) issuers of traveler’s checks, money orders, or stored
value; (4) sellers or redeemers of traveler’s checks, money orders, or stored value; and (5) money transmitters.
However, a business in one of the first four categories is considered an MSB only if it engages in such trans-
actions in an amount greater than $1,000 for any person on any day in one or more transactions. Refer to and 31 CFR 103.11(uu).
 Structuring is defined in 31 CFR 103.11(gg) as the act of conducting or attempting to conduct one or more trans-
actions in currency in any amount, at one or more financial institutions, on one or more days, in any manner, for
the purpose of evading the currency transaction reporting requirements. See Federal Financial Institutions
Examination Council (FFIEC) BSA/AML Examination Manual, August 24, 2007, Appendix G, “Structuring,” at

Supervisory Insights                                                                                                Winter 2007
Connecting the Dots
continued from pg. 25

                            identify trends or a law enforcement                        tic shell companies in financial crime
                            agent is following up on a single SAR,                      and money laundering, and financial
                            the integrity of the data is critical to the                activity along the U.S. southwest border
                            government’s efforts to fight criminal                      to identify potential money laundering
                            activity.                                                   hot spots so that law enforcement can
                                                                                        better direct resources.9
                            Use by FinCEN
                                                                                        Use by Bank Supervisory
                              FinCEN makes SAR and other BSA-
                            related data available to authorized agen-                  Agencies
                            cies and also plays a key role in analyzing                   Public confidence in the banking
                            the data to identify emerging trends and                    system can be undermined when an
                            patterns associated with financial                          institution insured by the Federal Deposit
                            crimes.5 FinCEN analyzes SAR data to                        Insurance Corporation (FDIC) is a victim
                            identify institutions with filing problems,                 of internal or external fraud.10 Deposi-
                            such as missing information or incom-                       tory institutions incur millions of dollars
                            plete SAR narratives,6 and uses sophisti-                   in fraud losses annually, and, in extreme
                            cated trend analysis and data-mining                        cases, fraud can contribute to a bank’s
                            techniques to pinpoint emerging indus-                      failure and result in significant losses to
                            try vulnerabilities, such as the recent rise                the Deposit Insurance Fund.11 Prompt
                            in consumer and mortgage loan fraud.7                       identification and follow-up regarding
                            FinCEN also performs key word searches                      suspected fraud is vital to the strength
                            within SAR narratives to identify poten-                    of the banking system and the Deposit
                            tial indicators or specific geographic                      Insurance Fund. SARs alert bank super-
                            areas linked to terrorist financing or                      visory agencies such as the FDIC to
                            drug trafficking.8 In testimony before the                  fraud so that they can initiate an appro-
                            U.S. House of Representatives Financial                     priate and timely response.
                            Services Subcommittee on Oversight and
                            Investigations in May 2007, FinCEN’s                          Bank fraud allegations or suspicions
                            deputy director, William Baity, noted                       of wrongdoing may come to the FDIC’s
                            that FinCEN produced 176 complex                            attention through the on-site examina-
                            analytical products in fiscal year 2006,                    tion process, an anonymous tip, or a
                            including reports concerning trends in                      referral from an outside law enforcement
                            mortgage loan fraud, the role of domes-                     agency. More commonly, fraud against

                             In addition to SARs, BSA-related data include Currency Transaction Reports (CTRs), Reports of International
                            Transportation of Currency or Monetary Instruments (CMIRs), Designations of Exempt Person (DOEPs), Reports
                            of Foreign Bank and Financial Accounts (FBARs), and Reports of Cash Payments Over $10,000 Received in a
                            Trade or Business (8300s). See
                             The SAR narrative refers to Part V of the Suspicious Activity Report by Depository Institutions (Form TD F 90-
                            22.47), titled Suspicious Activity Information Explanation/Description. This mandatory section is to be used to
                            provide a complete chronological account of the suspected violation of law or suspicious activity.
                             “Staying Alert to Mortgage Fraud,” Supervisory Insights, Vol. 4, Issue 1, Summer 2007, discusses the housing
                            boom of the early 2000s and how the resultant demand led to increased mortgage fraud activity. See
                              BSA Advisory Group, “Section 5—Issues and Guidance,” The SAR Activity Review—Trends, Tips & Issues,
                            Issue 11, May 2007, pages 39–42, at
                                See FinCEN Deputy Director Baity’s testimony at
                               FDIC, Risk Management Manual of Examination Policies, Section 10.1, Suspicious Activity and Criminal Viola-
                             “Enforcement Actions Against Individuals 2005: A Year in Review,” Supervisory Insights, Vol. 3, Issue 1,

                            Summer 2006, highlights a calendar year of FDIC-issued enforcement actions against individuals for insider fraud,
                            with a focus on the resultant losses to institutions. See

     Supervisory Insights                                                                                                        Winter 2007
state nonmember banks is identified by                       Often these investigations result in paral-
bank management and brought to the                           lel criminal and civil enforcement action
FDIC’s attention by a SAR filing. Each                       proceedings. Cooperation between the
FDIC region has a SAR review process to                      OIG-OI and other law enforcement agen-
follow up on depository institution SARs                     cies can be instrumental in bank fraud
filed within its supervisory territory. This                 investigations and prosecutions. In fact, a
process identifies and responds to prior-                    number of successful cases in recent
ity SAR filings, which generally include                     years have highlighted the collective work
SARs involving institution-affiliated                        of several agencies.13 As of September 30,
parties (IAPs)12 and those having a mate-                    2007, the OIG-OI had 106 open bank
rial impact on the financial soundness of                    investigations under way, involving an
the institution.                                             estimated $1.7 billion in potential fraud.
                                                             Seventy-seven percent of these cases were
  The FDIC is particularly interested in
                                                             being pursued jointly with the Federal
SARs that name IAPs as suspects. Fraud
                                                             Bureau of Investigation (FBI).14
perpetrated by employees, officers, or
directors can be especially damaging and
may require an immediate regulatory                          Use by Law Enforcement
response. If warranted, the FDIC can                             “Whether motivated by criminal greed or a
pursue civil enforcement actions against                       radical ideology, the activity underlying both
IAPs, including Removal and Prohibition                        criminal and counterterrorism investigations
Orders under section 8(e) of the Federal                       is best prevented by access to financial
Deposit Insurance Act (Act) and Civil                          information by law enforcement and the
Money Penalties under section 8(i) of                          intelligence community. The FBI considers
the Act. Many FDIC enforcement action                          this information to be of great value in carry-
cases against IAPs originate from SARs.                        ing out its mission to protect the citizens of
  The FDIC’s Office of Inspector General,                      this country, and over the past few years, we
Office of Investigations (OIG-OI)                              have made significant advances in utilizing
conducts criminal investigations based on                      this information to carry out our mission.”
allegations of fraud at FDIC-supervised                       • Testimony of Salvador Hernandez, deputy
institutions, working either independently                      assistant director, Criminal Investigative
or jointly with other law enforcement                           Division, National Crimes Branch, FBI, before
agencies. Many of the OIG-OI’s investiga-                       the Financial Services Subcommittee on
tions originate from SARs filed by FDIC-                        Oversight and Investigations, May 10, 200715
supervised institutions and involve IAPs.

  Institution-affiliated party is defined in section 3(u) of the Federal Deposit Insurance Act (12 U.S.C. 1813(u))
as—(1) any director, officer, employee, or controlling stockholder (other than a bank holding company) of, or
agent for, an insured depository institution; (2) any other person who has filed or is required to file a change-in-
control notice with the appropriate Federal banking agency under section 7(j) of the FDI Act; (3) any shareholder
(other than a bank holding company), consultant, joint venture partner, and any other person as determined by
the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the
affairs of an insured depository institution; and (4) any independent contractor (including any attorney, appraiser,
or accountant) who knowingly or recklessly participates in—(A) any violation of any law or regulation; (B) any
breach of fiduciary duty; or (C) any unsafe or unsound practice, which caused or is likely to cause more than a
minimal financial loss to, or a significant adverse affect on, the insured depository institution. See
  The FDIC OIG’s Semiannual Report to Congress for October 1, 2006, to March 31, 2007, details a number of
successful internal and external bank fraud investigations that highlight the cooperative efforts of OIG investiga-
tors, FDIC divisions and offices, U.S. Attorney’s Offices, and others in the law enforcement community. See pages
18–30 at
     Source: FDIC OIG-OI.
     See complete testimony at

Supervisory Insights                                                                                                   Winter 2007
Connecting the Dots
continued from pg. 27

                              Law enforcement agencies use SARs to                      teams, while varying by location, gener-
                            identify financial links to illicit activity.               ally includes representatives from law
                            These agencies supplement ongoing                           enforcement and various regulatory
                            investigations by querying FinCEN’s                         agencies, with the U.S. Attorney’s Office
                            database for name matches to existing                       and the Internal Revenue Service’s Crim-
                            suspects and their known associates. For                    inal Investigations Division (IRS-CID)
                            example, if the U.S. Drug Enforcement                       typically in a lead role. Other partici-
                            Administration (DEA) is investigating a                     pants may include representatives from
                            specific individual in a narcotics case,                    the FBI; the DEA; the Bureau of Immi-
                            agents would likely query the FinCEN                        gration and Customs Enforcement; the
                            database by name to identify additional                     Bureau of Alcohol, Tobacco, Firearms,
                            leads, such as bank accounts, individual                    and Explosives; the U.S. Secret Service;
                            and business associates, geographic loca-                   and state and local law enforcement. A
                            tions, or aliases. The search would likely                  number of SAR Review Teams also have
                            include both SAR data and other BSA-                        representation from bank supervisory
                            related data such as Currency Transac-                      agencies, including the FDIC.16 Coordi-
                            tion Reports, which could identify                          nation among the respective agencies
                            additional information about the suspect.                   results in improved communication and
                                                                                        more efficient resource allocation.
                              In recent years, law enforcement agen-
                            cies increasingly have used SARs to
                            generate new leads and determine                            Common SAR Mistakes and
                            whether to open new cases. For example,                     Weaknesses
                            an agency may identify and pursue a
                            structuring case on its own merits based                      Banks must file complete, accurate, and
                            on a SAR filing, and in the course of                       timely SARs in order for FinCEN, bank
                            such an investigation might further                         supervisory agencies, and law enforce-
                            determine that structuring took place                       ment to gain maximum benefit from the
                            to cover up other illicit activities, such                  information.17 Preparation errors and
                            as drug trafficking or tax evasion. This                    filing weaknesses, including late submis-
                            proactive approach to using SARs is best                    sions, can reduce SAR effectiveness.
                            exemplified by the development of joint
                            agency SAR Review Teams.                                    Incomplete or Inaccurate
                              Today, SAR Review Teams, coordinated                      Data Fields
                            by the U.S. Department of Justice                             Parts I through IV of the SAR are essen-
                            through the U.S. Attorney’s Offices, exist                  tially objective data fields that call for
                            in 80 of the 94 federal judicial districts                  specific information about the filing insti-
                            nationwide. The primary purpose of a                        tution, the suspect(s), the nature of the
                            SAR Review Team is to systematically                        suspicious activity, any regulatory or
                            review all SARs that affect a specific                      law enforcement contacts made before
                            geographic jurisdiction, identify individu-                 the SAR was filed, and the contact
                            als who may be engaged in criminal                          person for additional information. Each
                            activities, and coordinate and dissemi-                     numbered reporting field can be used to
                            nate leads to appropriate agencies for                      query the information in the database;
                            follow-up. The composition of these                         therefore, omissions and inaccuracies in

                             As of September 30, 2007, the FDIC participated in SAR Review Teams in California, Connecticut, Illinois, Iowa,

                            Kansas, Maine, Massachusetts, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Dakota,
                            Puerto Rico, Rhode Island, South Dakota, and Vermont.
                               There are four types of SAR forms filed by the different industries: SAR by Depository Institutions (SAR-DI/TD F
                            90-22.47); SAR by MSBs (SAR-MSB/TD F 90-22.56); SAR by Casinos and Card Clubs (SAR-C/FinCEN Form 102); and
                            SAR by the Securities and Futures Industries (SAR-SF/FinCEN Form 101). SAR references in this section pertain
                            to the SAR by Depository Institutions. See

     Supervisory Insights                                                                                                        Winter 2007
any of the data fields can reduce the           further. Incomplete, incorrect, illogical, or
overall utility of the data. For example:       disorganized narratives can make analysis
                                                difficult and adversely affect users’ deci-
s   Not identifying the bank’s primary
                                                sions. For example:
    federal regulator in Part I–Reporting
    Financial Institution Information, or       s   Incomplete narratives that do not
    not denoting an IAP relationship in             describe suspect relationships or do
    Part II–Suspect Information, can                not explain the nature of ongoing
    prevent the appropriate regulator               suspicious activity can reduce the
    from promptly detecting and respond-            effectiveness of FinCEN’s key word
    ing to a priority SAR.                          searches, lead to decisions not to
                                                    pursue suspicious activity, or delay
s   Not listing all suspects individually in
                                                    investigations while additional facts
    separate Part II sections can prevent
                                                    are gathered.
    law enforcement from linking suspects
    to existing investigations or from gener-   s   Narratives that do not clearly explain
    ating new leads for suspects reported           why an activity is suspicious can
    by multiple financial institutions.             hinder a user’s ability to understand
                                                    the possible criminal action and to
s   Not specifying occupation or type of
                                                    make an informed, appropriate, and
    business in Part II can hinder users’
                                                    timely decision whether to pursue an
    ability to understand why the reported
    activity is suspicious for a particular
    customer.                                   s   Narratives that refer to attachments
                                                    are particularly problematic because
s   Not appropriately characterizing the
                                                    information contained in tables,
    suspicious activity in Part III–Suspi-
                                                    spreadsheets, and similar attachments
    cious Activity Information, can skew
                                                    is not keypunched into the FinCEN
    FinCEN’s semiannual analysis of indus-
                                                    database. Worse yet, submitting an
    try trends, as published in The SAR
                                                    entire narrative as an attachment
    Activity Review–By the Numbers.
                                                    results in no description of the suspi-
s   Not aggregating the suspicious activity         cious activity.
    dates and dollar amounts in Part III
    when filing a SAR for continuing suspi-     Untimely SARs
    cious activity can cause law enforce-
    ment to overlook the severity of a            Timely filings enable SAR users to iden-
    situation and delay an investigation.       tify and respond promptly to potential
                                                criminal activities. Nonetheless, exami-
s   Not indicating in Part III that a partic-   nations continue to find late SARs, as
    ular law enforcement agency has been        well as SARs that are not filed every
    contacted can result in duplicative         90 days for ongoing suspicious activity.
    investigative efforts by multiple agen-     Untimely SARs can be particularly detri-
    cies and waste valuable resources.          mental when terrorist financing is
                                                suspected, in criminal cases where asset
Insufficient SAR Narratives                     seizures are possible, or when significant
                                                fraud threatens the viability of a deposi-
  Part V–Suspicious Activity Information
                                                tory institution. In such situations, time
Explanation/Description, commonly
                                                is of the essence; therefore, not only is
referred to as the SAR narrative, provides
                                                it important to file a SAR within the
the only free-flow text area to summarize
                                                prescribed period, but bank manage-
the suspicious activity. The SAR narrative
                                                ment is encouraged to contact law
is often the basis for sophisticated data
                                                enforcement directly to ensure immedi-
mining, as well as crucial decisions regard-
                                                ate attention to the matter.
ing whether to investigate a suspect

Supervisory Insights                                                                            Winter 2007
Connecting the Dots
continued from pg. 29

                            Submitting an Effective SAR                                    An effective SAR narrative should
                              SAR filing deficiencies often result                         clearly detail:
                            from internal control weaknesses. On a
                            macro level, it is important for financial                     s Who conducted the suspicious activity
                            institutions to establish strong overall                       s What instruments or mechanisms were
                            risk management practices with respect                           used to facilitate the suspect
                            to suspicious activity monitoring and                            transaction(s)
                            reporting, including effective policies
                            and procedures, strong management                              s When the suspicious activity took place
                            information systems, appropriate                               s Where the suspicious activity took place
                            staffing and senior management over-
                            sight, comprehensive training, and peri-                       s Why you (the filer) think the activity was
                            odic independent testing.18 On a micro                            suspicious
                            level, it is beneficial for financial institu-                 s How or by what method of operation the
                            tions to establish comprehensive proce-                           suspicious activity took place
                            dures for SAR preparation, review, and
                            approval. The following steps can help
                            to ensure that complete and appropriate                         All SARs are potentially useful, but a
                            SAR information is collected, organized,                      SAR containing complete factual data
                            and maintained.                                               and an effective narrative can determine
                                                                                          whether FinCEN gleans useful statistical
                              Conduct thorough research and                               data, the FDIC takes appropriate and
                            analysis to gather as much information                        timely action with respect to bank fraud,
                            as possible about the potentially suspi-                      or law enforcement opens a criminal
                            cious activity. FinCEN’s Guidance on                          investigation. For example, a SAR clearly
                            Preparing a Complete and Sufficient                           evidencing a deposit structuring pattern
                            Suspicious Activity Report Narrative                          extending over a lengthy period and
                            provides extensive tips on what informa-                      involving a large dollar amount, or a SAR
                            tion to collect and how to organize it                        specifically detailing statements by a
                            effectively.19 Generally, the guidance                        suspect to a bank employee regarding
                            indicates that the filing institution                         intent to evade financial reporting
                            should consider all pertinent informa-                        requirements, is more likely to get law
                            tion it has available through the account                     enforcement’s attention than a SAR that
                            opening process and due diligence                             understates the severity of the activity or
                            efforts.                                                      omits potentially incriminating suspect
                              Accurately complete all objective                           statements. FinCEN’s Guidance on
                            data fields and write a clear and                             Preparing a Complete and Sufficient
                            comprehensive SAR narrative. The                              Suspicious Activity Report Narrative
                            SAR should be completed as fully as                           includes several examples of both useful
                            possible. Although information called for                     and ineffective SAR narratives, with a
                            in Parts I through IV occasionally may be                     discussion of the strengths or weak-
                            unknown or unavailable and should be                          nesses of each.
                            left blank, Part V—the SAR narrative—                          Maintain comprehensive SAR
                            should always include a detailed                              supporting documentation, since it
                            description of the suspicious activity.                       provides the critical evidence associated

                               See FFIEC BSA/AML Examination Manual, August 24, 2007, “Suspicious Activity Reporting – Overview,”
                            “Suspicious Activity Reporting – Examination Procedures,” and Appendix L, “SAR Quality Guidance” at

     Supervisory Insights                                                                                                      Winter 2007
with the suspected activity. SAR                                  cards and corporate filings identifying
supporting documentation should be                                officers and directors
described in the SAR narrative and
                                                              s   Account statements for all affected
refer to all documents or records that
                                                                  product types
assisted a financial institution in making
the determination that certain activity                       s   Photocopies (front and back) of all
required a SAR filing. Documentation                              applicable financial instruments asso-
may include transaction records, new                              ciated with the suspicious movement
account information, tape recordings,                             of funds, including monetary instru-
e-mail messages, and correspondence.20                            ments and deposit tickets
One IRS-CID special agent indicated
                                                              s   Complete wire transfer records,
that the following types of documenta-
                                                                  including wire request forms identify-
tion can be particularly useful:
                                                                  ing the individual initiating the wire
s   Account opening information for all                           transfer, who may not be the named
    suspects, such as account signature                           originator

                                                              SAR Reporting Requirements
      The U.S. Department of the Treasury’s financial recordkeeping                financial institutions have the discretion to file a SAR and are
    regulations (31 CFR 103.18) require federally supervised                       protected by the safe harbor provided for in the statute.2
    banking organizations to file a SAR when they detect a known
                                                                                     Filing Timelines – Banks are required to file a SAR within 30 calen-
    or suspected violation of federal law meeting applicable report-
                                                                                   dar days after the date of initial detection of facts constituting a basis
    ing criteria. FDIC Rules and Regulations (12 CFR 353) detail the
                                                                                   for filing.3 This deadline may be extended an additional 30 days up to
    SAR filing requirements that apply to state-chartered nonmem-
                                                                                   a total of 60 calendar days if no suspect is identified. FinCEN guid-
    ber banks, including dollar amount thresholds, filing timelines,
                                                                                   ance recommends that banks file an updated SAR at least every 90
    and record retention.1
                                                                                   days in situations where the suspicious activity is ongoing.4
      Dollar Amount Thresholds – Banks are required to file a SAR
                                                                                      Record Retention – Banks are required to maintain copies of any
    in the following circumstances: insider abuse involving any
                                                                                   SAR filed and the original or business record equivalent of any
    amount; transactions aggregating $5,000 or more where a
                                                                                   SAR supporting documentation for five years from the date of
    suspect can be identified; transactions aggregating $25,000 or
                                                                                   filing. Supporting documentation, though not submitted to FinCEN
    more regardless of potential suspects; and transactions aggre-
                                                                                   with the original SAR, is considered part of the SAR and must be
    gating $5,000 or more that involve potential money laundering
                                                                                   retained and made available to authorized agencies upon request.
    or violations of the BSA. It is recognized, however, that with
    respect to instances of possible terrorism, identity theft, and
    computer intrusions, the dollar thresholds for filing may not                    BSA Advisory Group, “Section 4 – Tips on SAR Form Preparation and
                                                                                   Filing,” The SAR Activity Review—Trends, Tips, & Issues, Issue 6, Novem-
    always be met. Financial institutions are encouraged to file
                                                                                   ber 2003, page 55, at
    nonetheless in appropriate situations involving these matters,                 3
                                                                                     Initial detection is discussed in the BSA Advisory Group’s “Section 5—
    based on the potential harm that such crimes can produce.
                                                                                   Issues and Guidance,” The SAR Activity Review—Trends, Tips & Issues,
    Even when the dollar thresholds of the regulations are not met,                Issue 10, May 2006, pages 44–46, at
                                                                                   pdf#page=47. According to the guidance, “The 30-day (or 60-day) period
      Similar regulations are applicable to other federally supervised banking     does not begin until an appropriate review is conducted and a determina-
    organizations by their respective primary regulator. See 12 CFR 208.62,        tion is made that the transaction under review is ‘suspicious’ within the
    211.5(k), 211.24(f), and 225.4(f) (Board of Governors of the Federal Reserve   meaning of the SAR regulations.”
    System); 12 CFR 748 (National Credit Union Administration); 12 CFR 21.11       4
                                                                                     BSA Advisory Group, “Section 5—Issues and Guidance,” The SAR
    (Office of the Comptroller of the Currency); and 12 CFR 563.180 (Office of     Activity Review, Issue 1, October 2000, page 27, at
    Thrift Supervision).                                                           sarreviewforweb.pdf#page=30.

   FinCEN Advisory, FIN-2007-G003, Suspicious Activity Report Supporting Documentation, June 13, 2007,

Supervisory Insights                                                                                                                          Winter 2007
Connecting the Dots
continued from pg. 31

                                             s    All pertinent loan documents                      as in the issuance of civil enforcement
                                                                                                    actions by bank supervisory agencies
                                               See the text box titled “Important SAR
                                                                                                    and in the identification of financial
                                             Preparation Guidance” for a list of
                                                                                                    crime patterns and trends by FinCEN.
                                             resources on completing SARs.
                                                                                                    Examiners and bankers share an impor-
                                                                                                    tant responsibility in ensuring that
                                              Making the Connection                                 SARs are complete, accurate, timely,
                                                                                                    and effective so that users can readily
                                               The quality of SAR data is crucial to                connect the dots to identify, analyze,
                                             the effective implementation of the                    and investigate financial crime.
                                             suspicious activity reporting system,
                                             which not only forms the cornerstone                              Lori Kohlenberg
                                             of the overall BSA reporting system but                           Examiner
                                             is critical to the United States’ ability                         Rocky Hill, CT
                                             to use financial information to combat
                                             terrorism, terrorist financing, money                             Rebecca Williams
                                             laundering, and other financial                                   Case Manager (Special
                                             crimes.21 SARs play a vital role in the                           Activities)
                                             investigation and prosecution of crimi-                           Braintree, MA
                                             nal cases by law enforcement, as well

                                                   Important SAR Preparation Guidance

     FinCEN Resources:                                                       s Index to Topics for “The SAR Activity Review” Volumes 1–11
                                                                                 categorizes all prior issues by topic and provides a direct link to
     s Preparation Guidelines for Suspicious Activity Report Form
                                                                                 the information. See
        (SAR), revised November 28, 2006, provides line-by-line guidance
        to assist financial institutions in preparing SARs. See              s The SAR Activity Review – By the Numbers provides semiannual                                      SAR statistics by type of financial institution, type of suspicious
                                                                                 activity, and geographic location. See
     s Guidance on Preparing a Complete and Sufficient Suspicious
        Activity Report Narrative provides a recommended process to
        organize and write SAR narratives and also includes sanitized
                                                                             Other Resources:
        examples of sufficient and insufficient SAR narratives. See                   s FDIC Risk Management Manual of Examination Policies, Manage-
                                                                                 ment, Section 9.1 – “Fraud,” and Section 10.1 –“Suspicious Activity
     s Suggestions for Addressing Common Errors Noted in Suspicious
                                                                                 and Criminal Violations.” See
        Activity Reporting lists ten common SAR filing errors and                safety/manual.
        includes suggestions to reduce incomplete and incorrect SARs.
        See                s Federal Financial Institutions Examination Council Bank Secrecy
                                                                                 Act/Anti-Money Laundering Examination Manual, August 24,
     s The SAR Activity Review—Trends, Tips & Issues, published
                                                                                 2007, pages 60–76, 356–357. See
        approximately semiannually under the auspices of the BSA
        Advisory Group, includes a section titled “Tips on SAR Form
        Preparation and Filing.” See

                                              See FFIEC BSA/AML Examination Manual, August 24, 2007, Suspicious Activity Reporting—Overview at


     Supervisory Insights                                                                                                                  Winter 2007
                                                                                 HMDA Data:
                                                            Identifying and Analyzing Outliers

        ata collected under the Home                            we supervise. Information collected
        Mortgage Disclosure Act                                 under HMDA, including pricing data,5
        (HMDA)1 continue to reveal that                         serves as a useful tool to identify poten-
certain minorities are more likely to                           tial discrimination and to support imple-
receive high-cost mortgages than other                          mentation of the fair lending laws. As
racial or ethnic groups. A 2006 Federal                         discussed in a Supervisory Insights arti-
Reserve study relying on HMDA data                              cle in summer 2006,6 FDIC examiners
from 2005 found that 55 percent of                              conduct a fair lending examination in
African-Americans and 46 percent of                             conjunction with each scheduled compli-
Hispanics, compared to only 17 percent                          ance examination—following Interagency
of non-Hispanic whites, received                                Fair Lending Examination Procedures.7
“higher-priced” conventional home                                 While the HMDA pricing data do not
purchase loans. The study indicated                             include underwriting criteria (such as
that borrower-related factors, such as                          loan-to-value ratios, debt-to-income
income, loan amount, and gender,                                ratios, or credit scores) necessary to
accounted for only one-fifth of this                            reach conclusions about discriminatory
disparity.2 The troubling trends                                lending, the data can be used to identify
continue, as the Federal Reserve’s                              situations that indicate a need for further
analysis of 2006 HMDA data again                                review. To detect illegal discrimination
found that African-American and                                 using HMDA data, a series of careful
Hispanic borrowers were more likely                             steps are required. This article describes
than non-Hispanic white borrowers to                            the process the FDIC uses for loan
obtain higher-priced loans.3                                    review and analysis at institutions that,
  The FDIC is strongly committed to                             based on an initial screening of HMDA
protecting consumers and ensuring                               data, have pricing practices that may be
adherence to the letter and spirit of the                       discriminatory—outlier institutions. The
fair lending laws, including the Equal                          article offers suggestions to bankers and
Credit Opportunity Act (ECOA) and the                           examiners gleaned from analyses of two
Fair Housing Act (FHA),4 by the banks                           years of HMDA pricing data.

    Home Mortgage Disclosure Act, 12 U.S.C. § 2801, et seq.
 Robert B. Avery, Kenneth P. Brevoort, and Glenn B. Canner, “Higher-Priced Home Lending and the 2005 HMDA
Data,” Federal Reserve Bulletin, September 2006, at A159.
 Robert B. Avery, Kenneth P. Brevoort, and Glenn B. Canner, “The 2006 HMDA Data,” Federal Reserve Bulletin,
September 12, 2007, p. 38.
    Equal Credit Opportunity Act, 15 U.S.C. § 1691et seq., and Fair Housing Act, 42 U.S.C. § 3605 et seq.
  Beginning with the 2004 HMDA data, institutions have been required to report data on certain higher-priced
loans. For the purposes of HMDA, a higher-priced first lien loan has an interest rate of 3 percentage points or
more above the yield for a Treasury security of comparable term. A higher-priced junior lien has an interest rate
5 percentage points or more above the Treasury yield. Lenders are also required to report whether loans are
covered by the Home Ownership and Equity Protection Act (HOEPA). Under HOEPA, special restrictions and
disclosures are required for first lien refinance loans that have an interest rate of 8 percentage points or more
above the yield for comparable Treasury securities, as well as junior liens that have an interest rate of 10
percentage points or more above the Treasury yield.
 The summer 2006 issue of Supervisory Insights contains a discussion of how the HMDA data are used in the
fair lending examination process, as well as a description of the new reporting requirements under the HMDA,
which were effective with the 2004 data. See “From the Examiner’s Desk . . . Two Years After: Assessing the
Impact of the New HMDA Reporting Requirements,” Supervisory Insights, Vol. 3, Issue 1,
 Incorporated in the FDIC Compliance Examination Handbook. See

Supervisory Insights                                                                                                Winter 2007
continued from pg. 33

                                                                                        indicate a specific rate or rate spread
                            Using the HMDA Data to                                      based on borrower credit scores or loan
                            Evaluate Fair Lending                                       amount. In this case, an examiner will
                            Concerns                                                    review a sample of loan files to deter-
                                                                                        mine if pricing is indeed based on the
                            Initial Screening and Statistical                           criteria provided. If the review confirms
                            Analysis                                                    that this is the case, the matter is closed.
                                                                                        If the file review shows that the bank
                              Once the Federal Reserve Board                            does not use rate sheets, or examiners
                            releases HMDA data for a particular year,                   find discrepancies between rates charged
                            FDIC examiners, economists, fair lend-                      to borrowers and the rate sheets, a more
                            ing specialists, and policy analysts work                   intensive fair lending review is generally
                            together to identify institutions that                      required.
                            exhibit a greater risk of fair lending viola-
                            tions.8 As part of this work, the FDIC
                                                                                        Criteria Interviews
                            uses the HMDA pricing data to identify
                            specific institutions that demonstrate any                    If a more in-depth review of an outlier
                            of the following characteristics:                           bank is needed, fair lending specialists
                                                                                        and examiners conduct “criteria inter-
                            s   A disparity between the average
                                                                                        views” with bank management. The
                                annual percentage rate for protected
                                                                                        primary purpose of the criteria interviews
                                classes (minorities and women) and
                                                                                        is to gain an understanding of the param-
                                nonprotected classes;
                                                                                        eters loan officers use to make pricing
                            s   A high incidence of higher-priced                       decisions. Such criteria might include
                                mortgages for protected classes; and                    credit score, loan-to-value (LTV) ratio,
                                                                                        debt-to-income ratio, loan amount, collat-
                            s   A high incidence of HOEPA loans for
                                                                                        eral, and market competition. The crite-
                                protected classes.
                                                                                        ria interviews help examiners and fair
                              FDIC staff conducts statistical analyses                  lending specialists determine how banks
                            of the data to identify institutions that                   put their written policies into practice.
                            have unusually high pricing disparities
                                                                                          The information gathered in the crite-
                            between majority and minority groups.
                                                                                        ria interviews must be comprehensive
                            Each outlier institution is then notified
                                                                                        and accurate, because it drives our
                            that a review of HMDA data has raised
                                                                                        statistical analysis and leads to our
                            questions about its pricing of home mort-
                                                                                        conclusions about whether pricing
                            gage loans and is asked to provide infor-
                                                                                        discrimination exists. Accordingly, it
                            mation about its loan pricing policies and
                                                                                        is critical that the interviewed bank
                            procedures, such as rate sheets and a
                                                                                        personnel have in-depth operational
                            description of any discretionary pricing
                                                                                        knowledge of the loan products being
                                                                                        discussed and can explain who makes
                              The FDIC uses this additional informa-                    pricing decisions and how they are
                            tion to help determine whether a fair                       made. The FDIC uses the information
                            lending review of any of the outlier banks                  the bank provides during the criteria
                            will be required. For example, some                         interviews to determine which factors
                            banks submit documentation showing                          and variables to use in the statistical
                            that they price loans based on nondiscre-                   analysis that we develop for the bank—
                            tionary factors, such as rate sheets that                   each statistical analysis is customized

                             Because of the time necessary to report and compile the data, it takes approximately eight months before the
                            federal financial institution regulators have all the HMDA data for the previous calendar year. The 2004 aggre-
                            gate data were made available to the regulators in September 2005. The 2005 and 2006 aggregated data were
                            released in August 2006 and August 2007, respectively.

     Supervisory Insights                                                                                                       Winter 2007
on the basis of pricing criteria the indi-                   discrimination. The bank is given an
vidual bank provides. As a result, the                       opportunity to respond and submit any
questions we ask in the criteria inter-                      additional information it would like the
views are specific to each bank.                             FDIC to consider in determining
                                                             whether the laws that prohibit lending
File Reviews and Follow-up                                   discrimination have been violated.
Statistical Analysis                                         Through this process bank management
                                                             sometimes realizes that not all of the
  After the criteria interviews are                          pricing criteria actually used by the
completed—and the analysis framework is                      bank were provided to the FDIC during
developed in consultation with Washington                    the criteria interview and will cite new
office specialists and economists—examin-                    criteria that should be included in a
ers gather data from each loan file relevant                 statistical analysis.
to the bank’s pricing criteria. A statistical
analysis is then performed that incorporates                  To decide whether to consider any
the pricing criteria the bank supplied in the                additional pricing criteria, the FDIC
interviews and data gathered through the                     must assess the credibility of the bank’s
file review. To address the pricing criteria a               response. Among other things, the
bank uses, each statistical analysis is devel-               FDIC reviews the bank’s written policies
oped individually for the bank in question.                  and guidance to determine if they
Our analysis may show that once we control                   support management’s assertion that
for various nondiscretionary pricing factors                 additional pricing criteria should be
that are not included in HMDA data, there                    considered in our statistical analysis.
is no longer evidence that discrimination in
pricing exists.                                              Referral to the Department of
Notification to Bank of “Reason                                If the FDIC finds that the information
to Believe”                                                  the bank submits does not convincingly
  If the analysis indicates that the differ-                 refute the preliminary finding of
ence in pricing cannot be explained by                       discrimination, we finalize the examina-
nondiscretionary pricing policies, the                       tion and refer the case to the Depart-
FDIC formally notifies the bank that we                      ment of Justice (DOJ). (See text box,
have reason to believe that discrimina-                      “Department of Justice Referrals.”) The
tion in loan pricing exists.9 The bank is                    DOJ may conduct its own investigation
advised of the type of loans for which                       and go forward with a case, or it may
the FDIC has identified potential pric-                      defer to the FDIC’s supervisory and
ing discrimination and the racial,                           enforcement process.10
ethnic, or gender group affected by the

  The analysis identifies statistically significant disparities between prices charged to target and control group
borrowers. “Statistically significant” is defined as a significance level of 5 percent or better. This significance
level means that there is a 5 percent or lower probability that an observed disparity would occur if there were
no underlying systematic difference in treatment (that is, differences were truly random). Economists and statis-
ticians consider statistical significance levels of 5 percent or better to be a strong indicator that the observed
disparity is not likely to be due to random chance. Many courts also accept a statistical significance level of
5 percent as sufficient to rule out chance. See Waisome v. Port Auth., 948 F.2d 1370, 1376 (2d Cir. 1991).
  The DOJ’s independent investigation may be broader in scope than that of the FDIC. The FDIC’s evidentiary
threshold for referral is lower than the evidentiary standard for the DOJ to proceed with an action. The “reason
to believe” standard required for an FDIC referral does not require that the FDIC have sufficient evidence to
prove a violation with certainty. Instead, a “regulatory agency has reason to believe that an ECOA violation has
occurred when a reasonable person would conclude from an examination of all credible information available
that discrimination has occurred.” See Policy Statement on Discrimination in Lending, April 15, 1994, 59 FR 18266-
01, p. 18271.

Supervisory Insights                                                                                                  Winter 2007
continued from pg. 33

                                                                             may report during criteria interviews
                             Department of Justice Referrals                 that its loan officers rely on the
                                                                             borrower’s credit score to make a pric-
                              Pursuant to the ECOA statute, agencies         ing determination, but the file review
                              “shall refer the matter to the Attorney        finds no credit reports in many of the
                              General whenever the agency has reason         loan files.
                              to believe that one or more creditors has
                                                                               Similarly, the bank may report that if
                              engaged in a pattern or practice of discour-
                                                                             a customer has frequently been more
                              aging or denying applications for credit in
                                                                             than 60 days late on any credit line with
                              violation of section 1691(a) of this title.”
                                                                             the bank, it will require a higher rate on
                              [Emphasis added] 15 U.S.C. § 1691e(g).
                                                                             a subsequent mortgage. This bank’s
                                                                             loan files should contain information
                                                                             that documents the delinquencies, such
                            Lessons Learned                                  as a copy of the customer’s file printed
                                                                             from a loan officer’s computer screen
                              The FDIC’s review of the pricing data          at the time the bank was underwriting
                            reported for 2004 and 2005 has not only          the loan. If such verification does not
                            enabled us to resolve discriminatory pric-       appear in the loan file, it is extremely
                            ing practices; it has also helped us refine      difficult to re-create that information
                            the process we use to obtain and analyze         during the file review. In these situa-
                            pricing data. We have identified several         tions, the FDIC must assess the bank’s
                            practices by banks that make the review          credibility, as well as the adequacy of
                            and analysis of pricing data more effi-          management controls and oversight.
                            cient for both banks and the FDIC.
                                                                               Comprehensive information enables
                              Removing discretion in pricing deci-           accurate analyses. Obtaining clear
                            sions reduces risk of discrimination.            information about a bank’s practices is
                            When a bank provides clear guidance to           key to the FDIC’s ability to conduct fair
                            loan officers on its pricing policies, the       lending reviews. The FDIC’s goal in loan
                            risk that loan officers will treat borrow-       reviews is to understand how loans are
                            ers differently for inappropriate reasons        priced, whether loan officers or other
                            is reduced. When a bank uses rate                staff members have discretion in assign-
                            sheets and loan officers are not allowed         ing an interest rate, and exactly where
                            discretion in pricing, the pricing poli-         discretion lies. To understand the bank’s
                            cies of the bank are transparent and the         lending process, examiners need to have
                            risks of discriminatory pricing are              access to any pricing guidance the bank
                            further reduced. Allowing discretion in          provides to its loan officers and to be
                            pricing decisions introduces more risk           informed of any other factors that loan
                            that illegal discrimination will occur,          officers incorporate in making pricing
                            although it does not signify conclusively        decisions.
                            that pricing discrimination exists.
                                                                               Examiners must understand the crite-
                              Documentation minimizes ques-                  ria that are used to make pricing deci-
                            tions. Beyond providing clear pricing            sions and how those criteria work in
                            guidance, banks that clearly document            practice. For example, if a bank prices
                            how pricing decisions are made gener-            loans differently in different markets,
                            ally will have expedited file reviews.           examiners will need to know how the
                            Examiners sometimes find that although           markets are delineated, why they were
                            the bank may have stated clear pricing           chosen, and how prices differ across
                            policies in the criteria interview, the          markets. Obtaining this information is
                            loan files lack evidence of consistent           necessary because we sometimes must
                            use of the policies. For example, a bank         run a separate analysis for each market

     Supervisory Insights                                                                                   Winter 2007
to incorporate the different pricing crite-    management program. One bank’s
ria a bank uses in different markets.          guidelines outlined pricing policies that
                                               eliminated discretion, but when the
  We often have to ask bank staff for addi-
                                               bank analyzed its own data it found that
tional details in order to ensure that we
                                               interest rates given to similarly qualified
have complete information. For example,
                                               borrowers varied tremendously. Going
a bank may state that it uses both the
                                               forward, the bank directed its compli-
borrower and co-borrower credit scores
                                               ance officer to review all loans for
in establishing a loan rate. To incorporate
                                               compliance with the applicable rate
these criteria into a statistical analysis,
                                               sheet before the loans would be funded.
the FDIC needs to know how much
                                               The bank coupled this monitoring with
weight is given to the scores and how
                                               loan officer training on pricing guide-
each of the scores is used (e.g., higher
                                               lines. Another bank, which allows
score only, average of the two scores).
                                               discretion in pricing, has its compliance
Similarly, if a bank states that it uses a
                                               officer flag all higher-priced loans and
credit score and LTV ratio to determine a
                                               discuss the reasons for the pricing deci-
rate, we need to know what credit score
                                               sion with the appropriate loan officer.
range and what LTV range lead to what
rates. It is very important to obtain this
type of information early in the process       Conclusion
so that we have access to all the criteria a
bank uses before performing the file             Analysis of HMDA data for fair lending
review and any statistical analysis. If we     purposes can be time-consuming for
must revise our approach to accommo-           both an institution and the FDIC. We
date new information obtained later in         often find that only an in-depth analysis
the process, both the FDIC and the bank        can determine whether pricing differen-
will have to expend additional resources.      tials are due to discriminatory practices
                                               or other variables. The FDIC is commit-
  Bank management should be very               ted to a process that is fair and applied
clear during criteria interviews about         consistently across lenders. To work
the factors used in pricing decisions—         toward these goals, our review of 2006
including a comprehensive description          HMDA data will direct the majority of
of all the factors used in pricing loans.      resources to institutions that show the
Some banks have hired third parties to         greatest risk of discriminatory practices
perform statistical analysis of their loan     while incorporating the lessons learned
data after being notified of FDIC’s            from previous reviews.
preliminary findings of discrimination.
If a bank chooses to do this, it is imper-       It is our responsibility as a financial
ative that the bank provide consistent         regulator to ensure that the unfairness
information to the FDIC and the third          resulting from discriminatory pricing is
party. Problems can arise when third           addressed. When discriminatory pricing
parties are provided different data sets       practices exist, they are usually caused
than were provided to the FDIC or are          by ineffective compliance management
told of different criteria that went into      at the bank. In the absence of clear
pricing decisions than were communi-           pricing criteria, pricing may be driven
cated to the FDIC.                             in part by lenders’ biases, resulting in
                                               illegal discrimination. The banks where
  Monitoring of pricing decisions is           we have seen the most problems allow
essential. Regardless of whether banks         discretion in pricing and fail to monitor
allow pricing discretion, periodic moni-       the pricing process.
toring of pricing decisions is a key
component of an effective compliance            The FDIC is continually assessing our
                                               supervisory practices for identifying fair

Supervisory Insights                                                                         Winter 2007
continued from pg. 37

                            lending violations. One of our goals is to           Samuel Frumkin
                            maximize the value of the HMDA data to               Senior Policy Analyst
                            ensure effective examinations and                    Washington, DC
                            enforcement. We encourage the institu-
                            tions we supervise to continue to provide
                            us with feedback and ideas on how to         Acknowledgement: The author gives
                            make our fair lending reviews as efficient   special thanks to Kristie Elmquist,
                            as possible, while ensuring that HMDA        assistant regional director in FDIC’s
                            data continue to help root out any           Dallas Region, for her thoughtful
                            discriminatory credit practices.             consultation on the fair lending exami-
                                                                         nation process.

     Supervisory Insights                                                                                Winter 2007
                                           Authentication in Internet Banking:
                                               A Lesson in Risk Management

       he business model that banks use         access through dial-up connections and
       to offer products and services to        software provided by the financial institu-
       their customers has evolved signifi-     tion. The online connection was made
cantly. Most banks have supplemented            only to the bank, and opportunities to
tellers, drive-ups, and other facilities with   compromise the connection or steal
electronic capabilities, many of which are      access credentials were very limited.
facilitated by the Internet. This shift to      Although PC banking proved to be a
Internet-based banking and e-commerce           viable product, problems such as slow
in general is accompanied by new risks          dial-up connections and the expense of
as well as an increase in existing risks.       distributing and updating customer soft-
Security weaknesses in Internet-based           ware prompted financial institutions to
processes create opportunities for savvy        search for alternatives.
hackers to compromise systems and steal           The Internet seemed to be the perfect
data. The Internet provides an effective        answer. Rather than relying on banks to
and anonymous medium for thieves to             support and distribute online banking
advertise and sell the stolen data. In          software, customers can simply access
response, the bank regulatory agencies          their financial information using their
and the banking industry have sought            bank’s Web site. Faster telecommunica-
ways to mitigate these vulnerabilities.         tions offerings, such as digital subscriber
  Authentication—the validation of a            line (DSL) and cable modems, provide
customer’s identity—is a critical element       the speed that dial-up connections
of an effective information security            lacked. But while the Internet offers a
program. This article defines authentica-       cheaper and faster product, it also
tion and describes instances when               contains serious new security vulnerabili-
stronger authentication is needed, the          ties. Internet connections establish a
authentication strategies some banks are        pathway for hackers and thieves to
using, and the roles and responsibilities       access and steal sensitive personal infor-
of both bankers and regulators.                 mation, including the banking records
                                                that many customers store on their
                                                home computers. Phishing, pharming,
What Has Changed, and Why                       spyware, malware, worms, nimdas,
did the Old Processes Fail?                     viruses, buffer overflows, and spam—all
                                                relatively recent entries to our vocabu-
  For years, financial institutions relied
                                                lary—have raised electronic/Internet
on user identification (IDs) and secret
                                                banking risk levels to new highs, and
passwords to authenticate electronic
                                                financial institutions have had to
banking customers. Because customers
                                                increase security measures to address
transacting business over telephone lines
                                                those risks.
or through their computers could not
show an ID card in person, user IDs and           Financial institutions offering Internet
passwords served the same purpose—              banking products have generally done a
authenticating the customer to the finan-       good job of providing security-related
cial institution. Using passwords as            information on their Web sites to both
access credentials proved to be effective       educate customers about the threats and
as long as the risks of compromise              instruct them on how to report
remained low.                                   suspected fraud. Providing educational
                                                materials to customers that explain how
 When online banking (PC banking)
                                                to recognize phishing e-mails and
emerged some years ago, passwords
                                                describe how to secure personal comput-
continued to provide reliable and secure
                                                ers against viruses and Internet schemes

Supervisory Insights                                                                          Winter 2007
continued from pg. 39

                            continues to be an important bank activ-                    Identity Theft.2 The study concluded
                            ity. Customer education adds value to                       that passwords alone were no longer an
                            banks’ information security efforts, but                    adequate authentication strategy when
                            banks still must address the risks of                       assets and personal information were
                            compromised access credentials.                             at risk.
                                                                                          On October 12, 2005, the FFIEC
                            The Regulatory Response                                     issued further guidance titled Authenti-
                                                                                        cation in an Internet Banking Environ-
                              While numbers published in various                        ment.3 The new guidance, which
                            periodicals and by consulting organiza-                     replaced the 2001 guidance, required
                            tions place Internet fraud losses in the                    financial institutions to perform risk
                            billions of dollars, it is very difficult to                assessments of their electronic banking
                            know just how large bank-specific losses                    products and services. Institutions were
                            are. One reason for this lack of informa-                   expected to implement stronger authen-
                            tion is that financial institutions are                     tication procedures for high-risk trans-
                            generally reluctant to discuss these                        actions, but they had considerable
                            issues publicly. Most financial institu-                    leeway regarding the authentication
                            tions have borne these losses and not                       methods they chose to implement. They
                            passed them on to the customers whose                       were expected to comply with the guid-
                            accounts were compromised. Financial                        ance by year-end 2006.
                            institutions may simply cover these
                            losses to avoid both the negative public-                     A common misinterpretation of the
                            ity and the legal requirements related to                   guidance made by both bankers and
                            Internet fraud losses.                                      industry affiliates is that the banking
                                                                                        agencies require multifactor authentica-
                              These losses often result from fraud                      tion for high-risk transactions. In fact,
                            committed using compromised access                          what the guidance requires is stronger
                            credentials. In response, in 2001 the                       authentication to mitigate high risk.
                            Federal Financial Institution Examination                   Traditional single-factor authentication
                            Council (FFIEC) issued guidance titled                      should be augmented to create a level of
                            Authentication in an Electronic Banking                     security capable of coping with the risks
                            Environment.1 This guidance explained                       of the transactions.
                            the nature of a variety of threats and
                            how banking customer access creden-                              Where risk assessments indicate
                            tials could be compromised (stolen) and                          that the use of single-factor authenti-
                            fraud perpetrated. However, the guid-                            cation is inadequate, financial insti-
                            ance lacked formal mandates and did                              tutions should implement
                            not require action, so it did not prompt                         multifactor authentication, layered
                            most financial institutions to act.                              security, or other controls reason-
                                                                                             ably calculated to mitigate those
                              To draw attention to the issues associ-                        risks. The agencies consider single-
                            ated with Internet banking fraud, in                             factor authentication, as the only
                            December 2004 the FDIC published a                               control mechanism, to be inade-
                            study focused on Internet ID theft—                              quate in the case of high-risk trans-
                            Putting an End to Account-Hijacking                              actions involving access to customer

                              FIL-69-2001, Authentication in an Electronic Banking Environment, August 24, 2001,
                              FIL-132-2004, Identity Theft: Study on ‘Account Hijacking’ Identity Theft and Suggestions for Reducing Online
                            Fraud, December 14, 2004,
                             FIL-103-2005, Authentication in an Internet Banking Environment, October 12, 2005,

     Supervisory Insights                                                                                                        Winter 2007
       information or the movement of          s   Banking customers are generally not
       funds to other parties.4                    receptive to paying security-related
                                                   fees or enrolling in and installing
  After careful study, the FFIEC agencies
                                                   security software and hardware on
concluded that stronger authentication,
                                                   their home computers.
including multifactor authentication,
should be considered an industry best            The difficulty and expense of imple-
practice. They also concluded that multi-      menting authentication standards typi-
factor authentication, layered security,       cally increase proportionately with the
and compensating controls could all miti-      strength and reliability of the solution.
gate different levels of risk. The authen-     For instance, passwords present fewer
tication guidance provides a framework         challenges than fingerprint scanning.
for improving online banking security          Authentication methodologies generally
by using stronger authentication.              rely on one or more of the following
                                               three factors:

What Is Authentication?                        s   Something you know (e.g., password)

  Successful authentication occurs when        s   Something you have (e.g., ATM card)
an individual presents evidence or proof       s   Something you are (e.g., fingerprint)
that confirms a previously established
identity. For example, if you moved to           Requiring one of these factors to
a new country, to establish residency          authenticate an individual is an example
you might have to present a number             of single-factor authentication. Passwords
of documents that identify you. Once           are perhaps the most commonly used
these documents have been scrutinized          single-factor authentication methodol-
and found to be in order—part of a             ogy. Multifactor authentication consists
process called enrollment—you might            of using two or more factors together.
then be issued an official government          Using an ATM card is a common exam-
ID card for future use. This process of        ple of multifactor authentication—the
producing documents to prove an iden-          card is something you have, and the
tity is commonly referred to as identifi-      personal identification number (PIN) is
cation. Authentication occurs when you         something you know. Both are required
are later asked to produce the official        to complete a transaction. The use of two
ID card, such as when cashing a check—         authentication factors in ATM transac-
the ID card authenticates you as having        tions is considered strong authentication.
been previously identified.
  Bankers can accomplish and manage            When Are Stronger Controls
authentication easily with face-to-face        Necessary?
customer interaction; however, authenti-
cating a disparate customer base                 Banks traditionally have acknowledged
remotely connecting to Internet banking        the risks inherent in large dollar transac-
platforms using traditional physical secu-     tions, such as those initiated in commer-
rity tools presents certain challenges:        cial accounts and by customers who
                                               have high balances and corresponding
s     The distribution of software, hard-      activity. Stronger authentication, includ-
      ware, cards, and other authentication-   ing multifactor authentication, has been
      enabling technologies to a large         an integral part of many financial institu-
      Internet banking customer base is        tions’ risk management strategies for
      generally expensive to implement         these higher-risk customers. But before
      and administer.                          the guidance was issued, most banks


Supervisory Insights                                                                         Winter 2007
continued from pg. 41

                            had not implemented stronger authenti-
                            cation for all customers. The guidance,                   Responding to the Challenges
                            while addressing both commercial and                      of Authentication
                            consumer accounts, is clearly directed                      There are a variety of authentication
                            at protecting the more vulnerable                         products and services on the market,
                            consumer account access credentials                       each with varying degrees of strength
                            used in Internet banking. The                             and reliability. Most FDIC-supervised
                            mandated stronger authentication                          institutions are customers of technology
                            provides improved protection for all                      service providers (TSPs). Major TSPs
                            Internet banking customers.                               have implemented authentication prod-
                              The 2005 guidance instructed finan-                     ucts from known vendors who use meth-
                            cial institutions to conduct and docu-                    odologies that the banking industry
                            ment the results of an Internet banking                   generally considers to be effective. Regu-
                            risk assessment. In the assessments,                      lators, including the FDIC, have closely
                            banks were required to identify high-                     scrutinized and vetted TSP authentica-
                            risk transactions and, if they existed,                   tion product offerings. While many are
                            strengthen Internet authentication stan-                  not examples of true multifactor authen-
                            dards if only passwords were used. The                    tication, they can offer strong protection
                            guidance defines high-risk transactions                   (especially when combined) and meet
                            as those that allow the transfer of funds                 the provisions of the guidance. These
                            to third parties or provide access to                     products represent affordable and effec-
                            nonpublic personal information. For                       tive solutions for community banks.
                            example, bill pay, a common Internet                        FDIC-supervised banks should be in a
                            banking product, allows funds to be                       good position to select an authentication
                            transferred to third party payees. This                   product that mitigates the risks inherent
                            is considered a high-risk transaction.                    in their Internet banking environments.
                              Today, the vast majority of banks that                  While all the large TSPs have created and
                            offer Internet banking are subject to the                 offer authentication products, it is up to
                            provisions of the guidance.5 Telephone                    the banks to install and properly imple-
                            banking operations are also subject to                    ment them. As with any automation and
                            the guidance when high-risk transac-                      security product, improper installation
                            tions can be conducted over the phone.                    can render a solution ineffective.
                            It is important that financial institutions                 Some TSPs offer tiers of authentica-
                            identify the banking systems and prod-                    tion, with each tier relying on others to
                            ucts that require stronger authentica-                    provide an effective overall solution.
                            tion and the degree of risk inherent in                   Since each tier must often be purchased
                            each. Internet banking transactions                       separately, an institution may pick and
                            range from paying a small water bill to                   choose pieces of a TSP’s authentication
                            authorizing a large wire transfer. Obvi-                  product offering. Such a strategy can
                            ously these two transactions are very                     help minimize cost, but institutions
                            different, and creating the wire transfer                 may sometimes select pieces that do
                            would carry much more risk than                           not work together effectively. Another
                            paying a water bill. The level of risk                    common problem is weak authentica-
                            depends on the potential harm if the                      tion enrollment processes. For example,
                            risk is left unmitigated.                                 relying only on a weak password (such
                                                                                      as a mother’s maiden name) during the
                                                                                      initial identification phase is a weak

                             FIL-77-2006, Frequently Asked Questions on Authentication in an Internet Banking Environment, August 21, 2006,

     Supervisory Insights                                                                                                     Winter 2007
enrollment procedure. A better enroll-                    Combining several processes greatly
ment process might involve mailing a                      increases the strength of the security and
unique password to the customer. The                      is an effective risk management strategy.
customer uses the unique password for
                                                            For consumer accounts, most banks
the initial sign-on but then must change
                                                          are using combinations of geo-location,
the password for future use.
                                                          device identification, shared information,
  Some banks have implemented controls                    and IP intelligence, with challenge ques-
that involve identifying the device used to               tions as the primary fallback. Challenge
establish the Internet banking connec-                    questions, generally set up at enrollment,
tion. For example, the device (such as a                  involve the customer answering several
computer, personal digital assistant, or                  questions. If a customer cannot be
cell phone) the customer uses to connect                  authenticated using normal routines, a
to the bank can be uniquely identified by                 challenge question is posed. A customer
the bank as belonging to the customer.                    who answers correctly is authenticated
This method of authenticating the                         and provided with access. The most
customer—referred to as device authenti-                  effective challenge questions rotate from
cation—is considered a compensating                       session to session; otherwise, they are
control that strengthens authentication.                  little more than another password.
 Financial institutions often select two                    The agencies expect financial institutions
or three authentication solutions that                    to implement strategies that address the
can be implemented together to achieve                    risks in their particular environment when
acceptable levels of risk mitigation:                     considering how to authenticate Internet
                                                          banking customers. Moreover, authentica-
s   Shared information—Secret informa-
                                                          tion processes should be implemented
    tion or images that are shared between
                                                          using logical and prudent risk manage-
    the customer and the bank
                                                          ment principles such as those described in
s   Device identification—A profile of the                the FFIEC Information Technology Exam-
    connecting device that can be used                    ination Handbook, including:
    to authenticate the user in future
                                                          s   Classifying and ranking sensitive data,
                                                              systems, and applications
s   Geo-location—Establishing the
                                                          s   Assessing threats and vulnerabilities
    geographic location from which the
    customer is connecting                                s   Evaluating control effectiveness6
s   Internet Protocol (IP) intelligence—
    Using the customer’s unique IP                        Risk Management Procedures
    address                                               and Examiner Review
s   Encrypted cookies—Special bits of                       One of the primary factors that the
    data that the bank places on the                      agencies consider in reviewing banks’
    customer’s computer to assist in                      efforts to comply with the guidance is
    authenticating the customer                           the risks and how the bank’s authentica-
s   Out-of-band communication—Cell                        tion strategy mitigates those risks. When
    phone call or e-mail message provid-                  selecting authentication products and
    ing verification                                      services, vetting the products offered by
                                                          the TSP and performing vendor due dili-
  Each of these processes alone adds                      gence are critical for both financial insti-
strength to the authentication process.                   tutions and service providers.

 FFIEC, Information Technology Examination Handbook, Information Security Booklet, Information Security, July,
2006, at

Supervisory Insights                                                                                             Winter 2007
continued from pg. 43

                              Due diligence should include acquiring a     procedures to include a formal review of
                            sound working knowledge of the technol-        banks’ authentication strategies.
                            ogy and being able to both explain and
                            defend the solution during regulatory
                            scrutiny. Using a one-time password-           Authentication—One Part of
                            generating token along with a user pass-       Enterprise Risk Assessment
                            word is generally accepted as strong             A common criticism of security
                            authentication, as is the two-factor authen-   processes in general is that they do not
                            tication for ATM use discussed previously.     provide guarantees. In the real world,
                            Thus, examiner review and assessment of        there are no guaranteed solutions to
                            these technologies is fairly straightfor-      protect systems and data. Implementing
                            ward. On the other hand, evaluating tech-      strong authentication is only part of an
                            nologies purchased from less well-known        effective enterprise-wide risk manage-
                            sources can be more difficult. If the bank     ment program. Managing information
                            has purchased a solution from a vendor         technology risks is a dynamic proposi-
                            whose claims are not easily understood or      tion that should be proactive rather than
                            are filled with technical jargon, examiners    reactive. Effectively managing authenti-
                            may need to review the solution more           cation risks today may limit vulnerabili-
                            closely. In some cases, information tech-      ties in the future. Managing access
                            nology examination specialists may need        credentials, whether for remote banking
                            to evaluate the solution.                      customers or bank employees accessing
                              Feedback from bankers indicates that         confidential systems, is an important
                            the level of online banking fraud is down      element in a bank’s information security
                            and that the guidance may have had a           plan and risk assessment. The authenti-
                            positive effect. During on-site examina-       cation guidance provides the impetus for
                            tions and telephone contacts earlier in        performing and managing periodic evalu-
                            the year, examiners began noting the           ations of the threats and vulnerabilities
                            progress banks have made in implement-         of Internet banking products and serv-
                            ing authentication solutions. Although         ices as part of the bank’s comprehensive
                            the effort is not yet complete, of more        risk management program.
                            than 500 institutions assessed, 92               Strong authentication practices coupled
                            percent have complied with the guidance        with other security policies such as back-
                            and implemented stronger authentica-           end fraud detection are elements of an
                            tion for their high-risk transactions.         effective information security plan. And
                            While a few institutions may have              like any good plan that assesses risk, the
                            procrastinated thinking there would be         plan must be revisited and revised regu-
                            relief through extended compliance             larly as the threat and vulnerability land-
                            dates, or otherwise may not have acted,        scape changes. Technology changes daily,
                            most banks that have not yet complied          and the best way to maintain a proper
                            with the guidance have plans in place          defense is to keep a constant vigil. Inter-
                            and are making progress. Many of these         net banking risk assessments and evalua-
                            banks are serviced by small, regional-         tions should have a permanent place in
                            based TSPs and may either be waiting for       every bank’s enterprise risk assessment
                            their turn to have a product installed or      strategy.
                            waiting for one to be tested and available
                            for installation. The FDIC continues to                 Robert D. Lee
                            monitor banks’ compliance efforts and                   Senior Technology Specialist
                            risk assessment efforts, and, if necessary,             Washington, DC
                            will consider enhancing examination

     Supervisory Insights                                                                                   Winter 2007
                                            From the
       Examiner’s Desk … Community Bank Leverage
Strategies: Short-term Rewards and Longer-term Risks
       ommunity banks are constantly                       being added to the balance sheet with a
       seeking ways to improve their                       corresponding decrease in regulatory
       earnings performance. Starting                      capital ratios.
in 2000, net interest margins (NIMs) in
                                                             A financial institution’s primary goal
many banks supervised by the FDIC’s
                                                           in entering into a leverage transaction
Dallas Region showed a declining trend,
                                                           is to increase the level of earnings and
and bankers explored a number of
                                                           to improve return on equity (ROE).
different methods to improve noninter-
                                                           Institutions that initiate leverage trans-
est income as well as their net interest
                                                           actions typically have high levels of
margins.1 This article discusses one of
                                                           regulatory capital and below-average
these solutions—using leverage through
                                                           ROE. These banks generally have been
wholesale funding. Though leverage
                                                           unable to increase their loan base in
strategies could be implemented in any
                                                           their delineated lending area because of
geographic area, we will use FDIC-
                                                           their locale or competitive conditions
supervised community banks in the
                                                           and, accordingly, increased their level
Dallas Region to illustrate this strategy.
                                                           of earning assets through these leverage
We will offer insights for bankers and
                                                           transactions. The participants view
examiners concerning the risks of
                                                           these transactions as having a low level
entering into leverage transactions and
                                                           of risk (interest rate or credit) and
the expectations of risk management
                                                           requiring only minimal overhead, espe-
when conducting this business activity.
                                                           cially in relation to the significant
  Leverage strategies are often said to                    increase in assets. Because of changes
be sold and not bought. More precisely,                    in market conditions, however, these
these strategies are usually suggested                     expectations are not always fulfilled.
by an outside party such as a securities
sales representative, rather than initi-
ated within the bank. Sales pitches                        Profile of a Leverage
usually focus on the potential rewards of                  Candidate
the transactions, without an adequate                        The most common identifying feature
disclosure and analysis of the potential                   of a new participant in a leverage pro-
risks. As indicated in this article, these                 gram is rapid asset growth funded with
risks can be considerable.                                 wholesale borrowings. Generally, the
                                                           asset growth will be centered entirely in
Overview of a Leverage                                     the investment portfolio. The most
                                                           common characteristics of a potential
Transaction                                                leverage candidate are:
  Leverage strategies involve single or
                                                           s   Small asset size
multiple transactions in which a finan-
cial institution purchases assets, typi-                   s   Located outside a metropolitan area
cally investment securities, and funds
                                                           s   Relatively high leverage capital ratio
the transaction(s) with wholesale fund-
ing. The strategy generally is a depar-                    s   Mediocre earnings
ture from the institution’s core business
                                                           s   Low loan demand
activities and usually results in a signifi-
cant volume of assets and liabilities                      s   Few prospects for asset growth

  The FDIC’s Dallas Region supervises insured state-chartered institutions that are not members of the Federal
Reserve located in Colorado, New Mexico, Oklahoma, Arkansas, Louisiana, Mississippi, Tennessee, and Texas.

Supervisory Insights                                                                                             Winter 2007
Examiner’s Desk …
Leverage Strategies
continued from pg. 45
                            Chart 1: Short-term U.S. Treasury Rates Have Increased from Historic Lows

                                                                                            U.S. Treasury Yield Curve


                                Interest Rate, %   5



                                                                                                                                             Dec 00

                                                                                                                                             Dec 02

                                                                                                                                             June 07

                                                              3 mo              6 mo               2 yr               5 yr           10 yr             30 yr

                                                       Source: Daily Treasury Yield Curve Rates, Federal Reserve Bank of St. Louis

                                                                                                               can change over time and can even
                            Investment and Funding                                                             become negative.
                            Options in Leverage
                                                                                                                 Banks employing leverage strategies
                            Transactions                                                                       have used four principal types of fund-
                              Real estate mortgage investment                                                  ing sources—federal funds purchased,
                            conduits (REMICs) have been the                                                    Federal Home Loan Bank advances,
                            primary type of investment securities                                              brokered deposits,2 and securities sold
                            used by Dallas Region banks in leverage                                            under agreement to repurchase. Most
                            transactions. REMICs’ cash flow char-                                              of the transactions involve a combina-
                            acteristics, which are more structured                                             tion of these borrowings.
                            than mortgage pass-through securities,
                            allow institutions entering into a lever-
                            age transaction to target the degree of                                            Financial Environment
                            interest rate risk based on the risk                                                 To understand more fully what precipi-
                            characteristics of the particular REMIC                                            tated the use of leverage strategies in
                            selected. Other securities used in these                                           some Dallas Region community banks
                            strategies include U.S. agency securi-                                             and the risks that emerged, it is neces-
                            ties, mortgage pass-through securities,                                            sary to review the interest rate environ-
                            and bond mutual funds. The initial                                                 ment starting in 2001 as well as these
                            spread on the leverage transaction                                                 banks’ financial positions and operating
                            (the difference between the cost of                                                results. Chart 1 illustrates three points
                            funds and the yield on the securities)                                             in time on the Treasury yield curve:
                            is a function of the risk the institution                                          December 2000, December 2002, and
                            is willing to take; however, the spread                                            June 2007.

                             Brokered deposits are subject to regulatory limitations and potential restrictions as defined in 12 CFR 337.6.
                            See FDIC Rules and Regulations,

     Supervisory Insights                                                                                                                                  Winter 2007
Chart 2: NIMs at Dallas Banks Declined from 2000 to 2004, Then Recovered

                                         4.70%                             Dallas Banks                                  8.00%
                                                                      NIM vs. One Month LIBOR
                                                                      (September 2000–December 2006)

   Net Interest Margin





                                         4.20%                                                                           0.00%
                                               Sep-00             Sep-02                    Sep-04              Sep-06
                                                   Net Interest Margin (median %)            One Month LIBOR

                   LIBOR: London Interbank Offered Rate.
                   Source: Consolidated Reports of Income and Condition

Chart 3: Previous Wide Spreads Have Narrowed Significantly

                                                          Ten-Year CMT Less 3-Month Treasury Bill
                                                                  (October 2000 through March 2007)



       Interest Rate Differential, %



                                        1.50                        30 Year Median = 166 Basis Point





                                          Mar-01        Mar-02      Mar-03          Mar-04             Mar-05   Mar-06     Mar-07
       Source: Economic Research—Federal Reserve Bank of St. Louis-—Interest Rates

  Starting in 2001 and over the next two                                                  market rates, it did not improve net
years, the Federal Reserve lowered short-                                                 interest margins. Some financial institu-
term interest rates to historically low                                                   tions started to pursue other business
levels. While this trend resulted in a                                                    strategies to improve their earnings.
lower cost of funding for most financial                                                  Chart 2 shows this declining trend in
institutions with relatively short-term                                                   NIMs in institutions supervised by the
funding bases indirectly tied to money                                                    Dallas Region from 2000 to 2004.

Supervisory Insights                                                                                                                     Winter 2007
Examiner’s Desk …
Leverage Strategies
continued from pg. 47

                              While the Federal Reserve was decreas-              During 2003, the Federal Reserve
                            ing short-term interest rates, longer-term          started raising short-term interest rates,
                            rates changed little—fluctuating within a           and in late 2005, the yield curve became
                            100-basis-point range. As shown in Chart            inverted (short-term rates were higher
                            3, the Treasury yield curve steepened               than longer-term rates), as noted in both
                            significantly, and for about three years,           Chart 1 and Chart 3. Eventually, some of
                            the spread between the yield on the                 the institutions participating in leverage
                            three-month Treasury bill and the ten-              strategies that invested in longer-term
                            year constant maturity Treasury (CMT)               securities experienced nominal to nega-
                            yield moved well above historical norms.            tive spreads between the cost of their
                            (Over a 30-year period, the median                  funding and yields on their securities
                            spread of the ten-year CMT over the                 used in the leverage transaction.
                            three-month Treasury bill was 166 basis
                            points.) This environment of a steepening
                            yield curve facilitated institutions enter-         Hypothetical Example
                            ing into leverage strategies. Investing in            To further illustrate the risk-reward
                            debt securities with extended maturities            profile of a leverage strategy, we can
                            and embedded options in a steep-yield-              look at an example of two hypothetical
                            curve environment will widen this spread            banks (Opportunity Bank and Fortuity
                            and improve earnings, at least for a time.          Bank) that engage in a leverage activity.
                            Table 1
                            Leverage Bank Example—Agency Bullet vs. Mortgage-Backed Security
                                                                        Opportunity Bank             Fortuity Bank
                            Prior to Leverage
                            Total Assets                                   $100,000,000               $100,000,000
                            Tier 1 Leverage Ratio                              12%                        12%
                            Return on Assets (ROA)                            1.00%                      1.00%
                            Return on Equity (ROE)                            8.33%                      8.33%

                            Leverage Transaction
                            Purchase                                   $40MM U.S. agency          $40MM Fannie Mae
                                                                         security, no call,     current coupon 30-year
                                                                         2-year maturity          fixed-rate mortgage
                                                                                                 pass-through security
                            Funding                                 FHLB fixed-rate advance,       LIBOR floating-rate
                                                                       18-month maturity                 advance
                            Spread*                                     40 basis points              500 basis points

                            One Year Subsequent to Leverage
                            Total Assets                                   $140,000,000               $140,000,000
                            Tier 1 Leverage Ratio                             9.29%                     10.06%
                            Increase in Earnings (Net of Tax)                $105,600                  $1,320,000
                            ROA                                               0.79%                      1.63%
                            ROE                                               8.81%                     17.63%

                             *Federal Home Loan Bank of Dallas—Rates History, Federal Reserve Bank of St. Louis Interest Rates,
                             FannieMae Benchmark Securities—Constant Maturity Debt Index Series History
                            Source: Authors’ calculations

     Supervisory Insights                                                                                            Winter 2007
In this hypothetical example, the                 These examples illustrate the risk and
market rates used for the purchased             reward spectrum for an institution engag-
funding and investment yields are typi-         ing in leveraging. However, they need to
cal of actual spreads in effect during a        be viewed in conjunction with the under-
steeper yield curve environment. Table          lying risk and risk management prac-
1 details the results of these leverage         tices, both of which are discussed in the
strategies one year after consumma-             following sections.
tion, assuming no change in interest
rates or in the asset/liability mix of
the two institutions.                           Risks Inherent in Leverage
  One year after they initiated the trans-
actions, the Tier 1 capital ratios of both        Implementing a leverage strategy can
institutions have declined but still remain     introduce several new risks to a financial
well above regulatory minimums. Oppor-          institution’s balance sheet.
tunity Bank’s ROA actually decreased,             Interest rate risk, or the exposure
which would be expected, since the              of a bank’s current or future earnings
spread on the transaction of 40 basis           and capital to adverse interest rate
points was smaller than the net interest        changes, is the primary risk in most
margin before consummation of the               leverage strategies. The interest rate
transaction. Opportunity Bank’s ROE             risk arising from leverage includes
increase appears relatively small               several components:
compared to that of Fortuity Bank.
Fortuity Bank’s ROA and ROE show                s   Repricing risk, sometimes referred
significant increases, but with a corre-            to as gap risk, results when the matu-
sponding significant degree of risk,                rity or repricing date of the asset
since it is investing in securities with            differs substantially from the repricing
an estimated life in excess of five years           date of the funding source. Leverage
that could extend, and the transaction              strategies often consist of longer-term
is funded with short-term repriceable               assets funded with short-term liabili-
funds.                                              ties. While this will maximize the
                                                    initial spread in the transaction, it will
  For banks that engage in extreme                  also create future repricing risk.
levels of leverage, the risk can be
substantial. As interest rates rose rapidly     s   Option risk is the risk from volatile
in 2004–2006 and the yield curve flat-              cash flows resulting from options
tened, the performance of some lever-               embedded in a bond. A common
age programs sharply deteriorated.                  example is the call feature on many
ROAs of some banks adopting these                   bonds. Mortgage securities contain
strategies have dropped by as much as               option risk, which is the underlying
80 percent from 2004 to mid-2007.                   borrower’s inherent ability to prepay
Table 2 illustrates the effect of a flat-           the loan. Option risk is present in
tened yield curve on the two banks in               many leverage structures but is often
our hypothetical example.                           overlooked or inadequately assessed.
                                                    Changes in market interest rates will
Table 2
Leverage Bank Example: Year 2—Flat Yield Curve
                                         Opportunity Bank            Fortuity Bank
ROA                                           0.56%                      0.84%
Change in Earnings                           –29.11%                   –48.47%
Source: Authors’ calculations

Supervisory Insights                                                                             Winter 2007
Examiner’s Desk …
Leverage Strategies
continued from pg. 49

                                change the effective maturity of          of these funding sources could become
                                these assets. This cash flow volatility   constrained should the institution’s
                                complicates the funding strategy and      financial condition deteriorate. Because
                                also necessitates risk measurement        of these unique liquidity characteristics,
                                systems capable of adequately             traditional static measures of assessing
                                capturing option risk.                    liquidity are not very effective and can
                                                                          often be misleading.
                            s   Yield curve risk is the risk from
                                changes in the shape of the yield           Market risk is the potential change in
                                curve. It occurs when the asset and       value of a bank’s assets and liabilities
                                the funding source are priced from        caused by changes in interest rates. Market
                                two different points on the yield         risk should be viewed on both macro and
                                curve. Recent history is a good exam-     micro bases, affecting the change in value
                                ple of yield curve risk as illustrated    of specific assets as well as the change in
                                in Charts 1 and 3. High spreads           value of the entire balance sheet. Because
                                resulting from strategies originating     of the potential duration mismatch
                                during periods with a steep yield         between the assets and funding, there
                                curve will usually evaporate when         may be significant risk to economic value
                                the yield curve flattens.                 of equity (EVE) from leverage. From the
                                                                          micro perspective, the potential market
                              Basis risk is the risk arising from
                                                                          risk of the leveraged assets can create
                            assets and liabilities that are priced to
                                                                          liquidity problems. As mentioned previ-
                            different rate indices. Basis risk is pres-
                                                                          ously, much of the wholesale funding
                            ent in all financial institutions to some
                                                                          used for leverage is secured by the same
                            degree and generally exists with the
                                                                          assets acquired in the strategy. If these
                            leverage strategies described in this
                                                                          assets have a high level of market volatil-
                            article. Basis risk usually is not as
                                                                          ity, then adverse interest rate changes
                            pronounced as the other interest rate
                                                                          will not only affect earnings but also will
                            risks, but it can be a significant factor
                                                                          reduce collateral available for continued
                            because of the small margins usually
                                                                          funding and potential margin calls.
                            associated with leverage programs.
                                                                            Operational risk in leverage strategies
                              Liquidity risk resulting from leverage
                                                                          is the risk arising from inadequate inter-
                            strategies can be significant. Because
                                                                          nal controls, poor strategic decisions, or
                            wholesale sources of funding are gener-
                                                                          inadequate management information
                            ally more sensitive to the value of collat-
                                                                          systems. Perhaps the most common
                            eral pledged to secure funding as well as
                                                                          operational risk noted with leverage is
                            the bank’s financial condition, liquidity
                                                                          failure to understand all the risks inher-
                            risk for banks employing leverage strate-
                                                                          ent in these strategies.
                            gies is often more complex and some-
                            times less obvious than the liquidity risk      Another significant operational risk is
                            in a typical community bank. For exam-        model risk, which arises from inade-
                            ple, funding sources such as Federal          quate risk quantification methods. Small
                            Home Loan Bank advances or repur-             community banks without sophisticated
                            chase agreements have margin require-         asset/liability systems often undertake
                            ments. Additional collateral may be           leverage strategies. Unless the risk meas-
                            required if the market value of the           urement systems are upgraded to assess
                            assets serving as collateral declines         the unique risks properly, management
                            substantially. Also, wholesale funding        will be unable to manage the strategy
                            sources are more credit sensitive than        properly and may be unable to avoid
                            core deposits. Therefore, the availability    adverse consequences.

     Supervisory Insights                                                                                 Winter 2007
  Regulatory risk is the risk that poorly                    these programs generally look for the
structured or badly managed leverage                         following risk management practices:
strategies will result in regulatory criti-
                                                             s   Management expertise and sound
cism. If the leverage results in unsatisfac-
                                                                 strategies—Effective management will
tory levels of market and liquidity risk,
                                                                 understand all of the risks involved in
then the financial institution’s primary
                                                                 leverage strategies and the potential
regulator may pursue corrective action
                                                                 financial effects from adverse scenar-
(including formal enforcement action).
                                                                 ios. Sound strategies will be developed
Since many wholesale funding sources are
                                                                 that do not rely excessively on optimal
credit sensitive, the implementation of a
                                                                 market conditions such as a steep
formal enforcement action may constrain
                                                                 yield curve. Potential worst-case
the institution’s ability to secure future
                                                                 scenarios will be identified and quan-
funding, including brokered deposits.
                                                                 tified. Properly designed strategies
Regulatory restrictions include a prohi-
                                                                 may also include exit strategies if risk
bition against acceptance of brokered
                                                                 analysis identifies potential market
deposits by any bank failing to meet at
                                                                 scenarios that could be detrimental
least an “adequately capitalized” stan-
                                                                 to the bank’s financial performance.
dard, and a requirement to obtain FDIC
permission to accept brokered deposits                       s   Adequate policies and procedures—
if the bank is not “well capitalized.”3                          A well-managed program will include
                                                                 formal policies and procedures that
  Credit risk. Most leverage strategies
                                                                 specifically address leverage and will
employed by the banks considered for
                                                                 provide proper guidance for manage-
this article added little credit risk to the
                                                                 ment. Policies will include appropriate
balance sheet. For these banks, invest-
                                                                 limits for all risks identified in the
ments generally consisted of bonds with
                                                                 program, including limits for interest
explicit government guarantees and
                                                                 rate risk, liquidity, funding concentra-
agency securities. Whole loans, corpo-
                                                                 tions, and collateral availability.
rate bonds, or private-label asset-backed
securities could be used in leverage                         s   Risk measurement systems—Lever-
strategies, but they seldom are. However,                        age portfolios often contain embedded
the credit quality of the financial institu-                     options and require robust interest
tion itself is a significant type of credit                      rate risk measurement systems. In
risk. As long as the institution remains                         addition, assumptions and interest
financially strong and profitable, access                        rate scenarios should be appropriate
to wholesale funding should remain plen-                         to capture all material risks.
tiful and reasonably priced. However, if
                                                             s   Contingency funding plan—
an adverse interest rate environment
                                                                 Because of the unique liquidity risks
results in a weakening financial condi-
                                                                 and the fact that current funding
tion, funding sources, especially unse-
                                                                 sources may evaporate during certain
cured funding, may become more
                                                                 adverse events, a well-managed lever-
limited and more expensive.
                                                                 age program will include a formal
                                                                 contingency funding plan. Such plans
Risk Management Practices                                        will identify plausible stress events of
                                                                 differing levels of severity and evalu-
 Leverage strategies can add risks and                           ate potential funding needs. Alterna-
complexity to a financial institution’s                          tive funding sources that will be
balance sheet. Examiners encountering

  Section 38 of the Federal Deposit Insurance Act, Prompt Corrective Action (12 USC § 38) defines “adequately
capitalized” and “well capitalized” institutions. See

Supervisory Insights                                                                                                   Winter 2007
Examiner’s Desk …
Leverage Strategies
continued from pg. 51

                                available during stress events should                  contain excessive risk, or are imple-
                                be identified.4                                        mented without a sound risk manage-
                                                                                       ment program will likely result in
                            s   Audit processes and controls—A
                                                                                       criticism and possible corrective action.
                                well-structured leverage program will
                                                                                       Leverage strategies should not be under-
                                have strong internal controls as well
                                                                                       taken without a complete prepurchase
                                as formal audit and internal review
                                                                                       risk analysis. Acceptable policies and
                                                                                       procedures must be put in place to
                                                                                       measure, monitor, and control the risks
                            Conclusion                                                 inherent in such programs.

                              A small number of institutions super-                               Darrell L. Couch, CFA
                            vised by the Dallas Region have engaged                               Senior Capital Markets and
                            in leveraging strategies, and a number of                             Securities Specialist
                            other institutions have expressed an inter-                           Dallas, TX
                            est in pursuing this business activity.
                            Although financial institutions imple-                                Timothy P. Neeck, CFA, CPA
                            menting leverage strategies are not                                   Senior Capital Markets and
                            subject to automatic regulatory criticism,                            Securities Specialist
                            these strategies can introduce significant                            Memphis, TN
                            risk. Strategies that are poorly structured,

                              For an expanded discussion of contingency funding plans, see “Liquidity Analysis: Decades of Change” in this
                            issue of Supervisory Insights.

     Supervisory Insights                                                                                                      Winter 2007
                                               Overview of
            Selected Regulations and Supervisory Guidance
This section provides an overview of recently released regulations and supervisory guidance, arranged in
reverse chronological order. Press Release (PR) or Financial Institution Letter (FIL) designations are
included so the reader may obtain more information.

  Subject                                      Summary

  Final Rule Implementing Exceptions           The FDIC distributed Regulation R, a joint rule of the Federal Reserve Board (FRB) and
  and Exemptions for Banks from the            the Securities and Exchange Commission. The rule implements provisions of the Gramm-
  Definition of Broker (FIL-92-2007,           Leach-Bliley Act that provide exceptions for banks from the definition of broker under
  October 25, 2007; Federal Register, Vol.     the Securities Exchange Act of 1934 when they conduct certain securities transactions.
  72. No. 191, p. 56514, October 3, 2007)      Financial institutions have until the first day of their first fiscal year that commences after
                                               September 30, 2008, to comply with the requirements in Regulation R. See

  Final Rules on Expanded Examination          The FDIC, FRB, Office of the Comptroller of the Currency (OCC), and Office of Thrift Super-
  Cycle for Certain Institutions (FIL-90-      vision (OTS) (collectively, the federal bank and thrift regulatory agencies) issued final
  2007, October 24, 2007; Federal              rules on expanding the range of small institutions eligible for an extended 18-month on-
  Register, Vol. 72, No. 185, p. 54347,        site examination cycle. The final rules allow well-capitalized and well-managed banks and
  September 25, 2007)                          savings associations with up to $500 million in total assets and a composite CAMELS
                                               rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination
                                               cycle. See

  Proposed Statement of Best Practices         The FDIC, FRB, OCC, OTS, and National Credit Union Administration (collectively, the
  on Garnishment Orders of Exempt              federal financial institution regulatory agencies) sought public comment on a proposed
  Federal Benefit Funds (FIL-87-2007,          statement encouraging federally regulated financial institutions to minimize the hardships
  October 9, 2007; Federal Register, Vol.      on federal benefit recipients and to do so while remaining in compliance with applicable
  72, No. 188, p. 55273, September 28, 2007)   law. See

  Comments Sought on Alternative               The FDIC issued an Advance Notice of Proposed Rulemaking seeking comments on alter-
  Methods for Allocating Dividends (FIL-       native methods for allocating dividends as part of a final rule to implement the dividend
  85-2007, September 26, 2007; Federal         requirements of the Federal Deposit Insurance Reform Act of 2005 and the Federal Deposit
  Register, Vol. 72, No. 180, p. 53181,        Insurance Reform Conforming Amendments Act of 2005. Comments were due by November
  September 18, 2007)                          29, 2007. See

  Final Rule Implementing Section 670          The FDIC distributed the Department of Defense’s final rule regulating the terms of certain
  of the John Warner National Defense          credit extensions to active duty service members and their dependents. The law and rules
  Authorization Act for Fiscal Year 2007       took effect October 1, 2007. See
  (FIL-87-29-2007, September 24, 2007)

  Proposed Revisions to the Reports of         The FDIC, FRB, and OCC (collectively, the banking agencies) sought comments on a
  Condition and Income for 2008 (FIL-82-       number of proposed reporting changes related to one-to-four family residential mortgage
  2007, September 18, 2007)                    loans, including reporting interest and fee income on and the quarterly average for such
                                               mortgages separately from income on and the quarterly average for other real estate
                                               loans. Comments were due November 13, 2007. See

Supervisory Insights                                                                                                                Winter 2007
Regulatory and Supervisory
continued from pg. 53

     Statement on Loss Mitigation                The federal financial institution regulatory agencies and the Conference of State Banking
     Strategies for Services of Residential      Supervisors issued a statement and supplement encouraging institutions and their
     Mortgages (FIL-76-2007, September 4,        subsidiaries that service mortgage loans to pursue strategies to mitigate losses while
     2007; FIL-77-2007, September 4, 2007)       preserving affordable, sustainable mortgage obligations. See
                                                 financial/2007/fil07076.html and

     Interagency Statement on                    The federal financial institution regulatory agencies issued an interagency statement
     Enforcement of Bank Secrecy                 setting forth their policy on the circumstances in which an agency will issue a cease and
     Act/Anti-Money Laundering                   desist order to address noncompliance with certain Bank Secrecy Act/Anti-Money Laun-
     Requirements (FIL-71-2007,                  dering (BSA/AML) requirements, particularly in light of the specific BSA/AML compliance
     August 23, 2007)                            provisions of section 8(s) of the Federal Deposit Insurance Act and section 206(q) of the
                                                 Federal Credit Union Act. See

     Applicability of Market Risk Capital        The FDIC issued a statement reminding banks that reporting a significant amount of trading
     Rules (FIL-64-2007, July 18, 2007)          assets on the balance sheet, or increasing the percentage of assets reported as trading
                                                 assets, may subject a bank to the market risk capital requirements (12 CFR 325, Appendix
                                                 C). See

     Proposed Interagency Questions and          The federal bank and thrift regulatory agencies published proposed revisions to the Intera-
     Answers Regarding the Community             gency Questions and Answers Regarding Community Reinvestment (Interagency Q&As).
     Reinvestment Act (FIL-63-2007, July 11,     The proposed Q&As contain revisions intended to encourage institutions to work with
     2007; Federal Register, Vol. 72, No. 132,   homeowners who are unable to make mortgage payments and clarify that institutions of
     p. 37922, July 11, 2007)                    all sizes should receive favorable consideration for providing credit in a manner that is
                                                 responsible to the needs of their communities. There are also nine new Interagency Q&As,
                                                 as well as substantive and technical revisions to existing ones. Comments were due
                                                 September 10, 2007. See

     Interagency Statement on Subprime           The federal financial institution regulatory agencies issued a final Statement on Subprime
     Mortgage Lending (FIL-62-2007, July         Mortgage Lending to address issues relating to certain adjustable rate mortgage products
     10, 2007; Federal Register, Vol. 72, No.    that can cause payment shock. The statement describes the prudent safety and soundness
     131, p. 37569, July 10, 2007) and           and consumer protection standards institutions should follow to ensure that borrowers obtain
     Proposed Illustrations of Consumer          loans they can afford to repay. See
     Information for Subprime Mortgage           The agencies subsequently published for comment proposed Illustrations of Consumer
     Lending (FIL-67-2007, August 14, 2007,      Information for Subprime Mortgage Lending, intended to assist institutions as they imple-
     Federal Register, Vol. 72, No. 156, p.      ment the Consumer Protection Principles portion of the Interagency Statement on
     45495, August 14, 2007)                     Subprime Mortgage Lending. Comments were due October 15, 2007. See

     Guidance on Bank Secrecy Act                The FDIC distributed guidance from the Financial Crimes Enforcement Network (FinCEN)
     Suspicious Activity Report                  reminding financial institutions to provide all documentation supporting the filing of a
     Supporting Documentation                    Suspicious Activity Report upon request by FinCEN, appropriate law enforcement, or a
     (FIL-55-2007, June 26, 2007)                supervisory agency. See

     Supervisory Insights                                                                                                           Winter 2007
  Guidelines on Affordable Small-Dollar      The FDIC issued “Affordable Small-Dollar Loan Guidelines” that encourage financial institu-
  Loan Products (FIL-50-2007,                tions to offer small-dollar credit products and to promote these products to their customers.
  June 19, 2007)                             The products should be affordable, yet safe and sound, and consistent with all applicable
                                             federal and state laws. See

  Illustrations of Consumer Information      The federal financial institution regulatory agencies published final illustrations of consumer
  for Nontraditional Mortgage Products       information intended to assist institutions as they implement the consumer protection
  (FIL-51-2007, June 20, 2007; Federal       portion of the Interagency Guidance on Nontraditional Mortgage Product Risks. The
  Register, Vol. 72, No. 110, p. 31825,      consumer protection section of the guidance sets forth recommended practices to ensure
  June 8, 2007)                              that consumers have clear and balanced information about nontraditional mortgages before
                                             choosing a mortgage product or selecting a payment option for an existing mortgage. Use
                                             of the illustrations is optional. See

  Final Rule on Deposit Insurance Late       The FDIC issued the final rule to implement provisions of the Federal Deposit Insurance
  Assessment Penalties (FIL-43-2007,         Reform Act of 2005 that provide penalties for failure to timely pay assessments (12 CFR §
  June 4, 2007)                              308.132(c)(3)(v)). The FDIC applied these provisions beginning with the assessment collec-
                                             tion made on the June 29, 2007, payment date. See

  List of Distressed or Underserved          The federal bank and thrift regulatory agencies announced the availability of the 2007 list of
  Nonmetropolitan Middle-Income              distressed or underserved nonmetropolitan middle-income geographies in which bank revi-
  Geographies (PR-45-2007,                   talization or stabilization activities will receive Community Reinvestment Act consideration
  June 1, 2007)                              as community development. See

  Deposit Insurance Assessment Rate          The FDIC issued guidelines for determining how adjustments of up to 0.50 basis points will
  Adjustment Guidelines for Large            be made to the quarterly assessment rates of insured institutions defined as large (gener-
  Institutions and Insured Foreign           ally, over $10 billion in assets), Risk Category I institutions, and insured foreign branches in
  Branches in Risk Category I (FIL-40-       Risk Category I. These guidelines provide further clarification of the analytical processes,
  2007, May 16, 2007; Federal Register,      and the controls that will be applied to these processes, in determining assessment rate
  Vol. 72, No. 92, p. 27122, May 14, 2007)   adjustments. See

Supervisory Insights                                                                                                             Winter 2007
                                                          Subscription Form
    To obtain a subscription to Supervisory Insights, please print or type the following information:

    Institution Name                   __________________________________________________________________________________

    Contact Person                     __________________________________________________________________________________

    Telephone                          __________________________________________________________________________________

    Street Address                     __________________________________________________________________________________

    City, State, Zip Code              __________________________________________________________________________________

    Please fax or mail this order form to:                      FDIC Public Information Center
                                                                3501 North Fairfax Drive, Room E-1022
                                                                Arlington, VA 22226
                                                                Fax Number (703) 562-2296

    Subscription requests also may be placed by calling 1-877-ASK-FDIC or 1-877-275-3342.

Federal Deposit Insurance Corporation                                                                                 MAIL
Washington, DC 20429-9990                                                                                          Postage &
OFFICIAL BUSINESS                                                                                                   Fees Paid
PENALTY FOR PRIVATE USE, $300                                                                                         FDIC
                                                                                                                 Permit No. G-36