Third-party vendor management; lending portfolio concentrations and out-of-market lending; and environmental risk management are just three of the exam areas currently top of mind for bank regulators. During the 2014 ABA Real Estate Lending Conference in March, experts representing FDIC, the Federal Reserve, and the Comptroller’s Office offered strategies for community banks to toe the line in each of these areas.
Third-party risk management
Much like any type of risk management, third-party vendor risk management requires that banks focus the most attention on the most critical areas, explained Beverlea (Suzy) Gardner, senior examination specialist, FDIC. For example, risk management for the outsourcing of core banking requires more governance and oversight than for an ancillary system. The other factor that determines how much oversight is required is whether or not the vendor has access to sensitive customer information.
Technology often falls into both categories: It’s mission critical and impacts customer privacy. “IT requires your time, attention, and expertise,” said Gardner. One of the regulators’ biggest concerns is when banks fail to assign staff with the appropriate levels of experience, authority, and accountability to oversee and monitor third-party technology systems.
Community banks, especially, outsource more and more functions, and regulators stressed that they are not anti-outsourcing. But they do want to see a culture of oversight and accountability for third-party relationships at all levels of the bank. They also want to see written contracts. Not only do written contracts satisfy regulators, they also serve as the first line of defense for the bank in case of a problem, said Gardner.
Lending regulatory issues
Loan concentrations represent another area of concern for regulators. Managing these should be part of a bank’s overall risk management program, said Carmen Holly, supervisory financial analyst, Federal Reserve. Bank staff must be able to stratify the loan portfolio by segment and describe how they arrived at the segmentations.
Common segmentation criteria include loan-to-value ratios (LTV), debt service coverage ratios (DSC), geography, rate structure (variable-rate or fixed-rate), and property type.
“Regulators want to see that banks have assessed the risk in their overall lending portfolio and have a method for ongoing concentration monitoring,” explained Holly. She added that there is no hard and fast definition of concentration risk; what’s most important is that the bank can provide a rationale for the concentrations.
For example, longstanding interagency guidance stating that total construction loans be less than 100% and total commercial real estate (CRE) loans be less than 300% of total capital serves only as an indication that a bank may have an issue, noted Holly.
“These are not limits. They are triggers for more robust risk management,” she said.
Regulators are also examining out-of-market lending, but once again, there are no hard and fast rules for what is an acceptable out-of-market risk. While regulators recognize that each bank is unique, a bank that engages in lending outside of its core portfolio should demonstrate a well-thought-out process for testing different scenarios, such as the impact of a change in interest rates or vacancy rates.
Although banks with less than $10 billion in assets are not required to submit to formalized stress testing, every bank should be able to illustrate an understanding of capital requirements in a worst-case scenario. For more information on supervisory expectations for community banks, Holly recommended the interagency Statement to Clarify Supervisory Expectations for Stress Testing by Community Banks issued May 14, 2012.
Environmental risk management
The Comprehensive Environmental Response, Compensation, and Liability Act of 1980 (CERCLA), also known as the “Superfund Law,” provides secured lenders with liability protection in the event of environmental contamination.
However, that protection may disappear if the lender participates in “management” of the facility or has not taken “reasonable steps” to divest itself of properties acquired in foreclosure.
Meeting CERCLA conditions is not enough to give banks ironclad protection. Banks remain at risk of a loss in value due to contamination or borrower inability to pay, said Jim Stiel, risk specialist, Office of the Comptroller of the Currency. And, in addition to federal rules, states have their own environmental liability laws.
An effective environmental risk management program includes an initial property risk analysis and ongoing monitoring by the lending staff for potential environmental concerns. The lending staff must demonstrate relevant knowledge, skill, and competence to evaluate environmental risk, said Stiel.
No hard and fast rules
The consensus from all three speakers was that regulatory guidance surrounding third-party arrangements, lending concentrations and out-of-market lending, and environmental risk management truly is guidance rather than hard-and-fast rules.
What’s most important is that banks have a good handle on what their risks are and have dedicated staff to manage these risks. Regulators are looking for a culture of risk management at the bank, from the board of directors on down. Risk management needs to be taken seriously and banks need to document why decisions are made.
Finally, Gardner offered this advice: “Document, document, document.”