Friday, June 15, 2012

The Rules of Operational Risk

Recently, I spoke with several clients who had attended mortgage industry conferences. Each one of them pointed out the very same fact: operational risk and regulatory compliance are the most prominent subjects being discussed. Thinking of learning more about new loan products and services, they left these conferences wondering about how they would ever be able to implement all the regulatory requirements being placed on them. As an old friend who runs a mid-tier, mortgage banking company said to me, "I came as a mortgage company and left as a compliance company!"

One of them said, "you know, Jonathan, you're sort of in the 'cat-bird seat' now, since you were among the first to predict that mortgage compliance would oneday dominate how we originate loans." I'm not sure if that was a back-handed compliment, but I appreciate the sentiment, nonetheless. At least LCG tries to lift some of the regulatory burden borne by our clients and free up their time to do what they do best: originate loans.

That said, let's acquaint ourselves with operational risk and how to put some structure into risk management.*
Controlling Credit Risk
Four Basic Rules
Six Even More Basic Rules
Articles and Newsletters


First and foremost, compliance decisions should be made not only on the basis of sound policy and regulatory mandates but also on the basis of how compliance procedures are viewed by regulators. Examiners want to see a financial institution enforcing existing regulatory requirements. However, they also are not antagonists on a witch hunt. They honestly want to product the kind of findings - good or bad - that will help a company to thrive. They do not get a thrill out of putting forth adverse findings.

Building a solid framework begins with cataloging the company's people, processes and technology, and continues on into deriving the means by which a stable policy is designed to formalize the way the company tracks operational risk and identifies those risks within the organization's personnel and departments. Tasking, tracking, and managing risk are central features of governance.

Companies large and small should implement operational risk frameworks that formalize their operational risk management. There really is no excuse, in this day and age - especially with ready access to information and guidance - that any size financial institution cannot position operational risk practices into the loan flow process.

Risk can't be managed if there is no framework through which to manage it.

Reviewing and formalizing an operational risk framework does not need to be a complicated exercise. The size, complexity, and risk profile of the financial institution will dictate the ways and means by which risk is managed.
Controlling Credit Risk

At the start of this year, I published an article about Controlling Credit Risk [PDF]. In the article I pointed out that risk is identifiable and measurable - and it can be controlled. To get a sense of how my firm goes about evaluating credit risk and the concurrent role played by risk management, I outlined two features of managing risk: Quantity of Risk and Quality of Risk Management.

And I concluded with a section, entitled Implementing Risk Management, in which I offered some guidance about how to use credit risk information effectively to fortify a financial institution.

I urge you to download and read it. [PDF] In formalizing a framework to manage operational risk, you need to get some idea of how firms like mine work with clients to ensure appropriate risk management strategies.

Four Basic Rules

(1) Analyze Processes. This requires creating a catalogue of the company's operational processes. This is always the first step. It can be presented like a flow chart or nested folders or in any form that makes sense to management, so long as it makes logistical and experiential sense. In effect, the analysis must reflect the way that the company actually conducts its business. 

(2) Identify Risks. Now that processes have been analyzed, each process should be considered on the basis of efficiency, data integrity, and potential risks. This is accomplished through an internal audit, external audit, or designating a competent employee to conduct a generic self-assessment. Whatever the choice, be sure to standardize the evaluation method. 

(3) Centralize Policies. Bring together all the company's policies and procedures. Take inventory and determine which policy statements are missing, which ones are outdated, and which ones may be redundant. The requirements of disparate policy statements may conflict with one another, so gather them all together and assess them as a group. 

(4) Establish a Master Policy. At this point - having analyzed processes, identified risks, and centralized policies - we are able to draft a master policy. Such an approach is reflective of 'best practices' governance. The master policy sets forth the overarching set of policies and rules that govern the company's management of operational risk. It is the "map" that serves as a guide to the operational risk framework. Be sure that the master policy also provides 'track-back' features and identifies the "owners" of each risk area.

Six Even More Basic Rules

I mentioned above that the master policy is the "map" to the operational risk framework. But, as the philosopher Alfred Korzybski noted, the map is not the territory. Working through the four basic rules takes time and resources. Sometimes we can't even get to the Four Basic Rules, because we have not taken into consideration the Six Even More Basic Rules.

Here follows those six rules, without which an operational risk framework is not really attainable. 

(1) Assemble the Management Team. Bring together the company's executive and senior management. Start a conversation about operational risk and how to create a top-down approach toward risk management. Do this at least annually. 

(2) Make Lists. Before the management meeting, each member of the management team should draft a list - long or short - of not only the known operational risks but the potential or unexpected risks. Assume that "Black Swans" do happen! Managers should offer insights relating to their own operational area as well as any other areas of the company. An unaccounted for risk, actual or potential, could cause massive financial, strategic, legal, and regulatory damage. 

(3) Detail the Risk. Specify the risk in as much detail as possible. State the consequences of risk failure. And, where possible, always provide a solution. If a risk is perceived, seek a way to mitigate or remove it. Don't waste time on solutions seeking a risk; concentrate on risks seeking a solution. 

(4) Discuss Risk. In an open and conversational way, discuss the lists. Determine if there are coinciding or divergent perceptions of risk. Identify where there are gaps in knowledge or implementation. And encourage a discussion regarding perceived risk, to be sure that there is some general understanding about the levels of risk tolerance. 

(5) Draft a Master List. Now build a consensus amongst the assembled management team. Create priorities to the various lists of risks provided by each participant. Determine the mitigation strategies that are acceptable, given the company's risk profile and risk tolerance. 

(6) Work the List. Implement the Master List, which may include the Four Basic Rules outlined above, but may just form sufficient guidelines and directives to establish appropriate means to manage operational risk. Appoint a member of the management team to monitor the Master List and update the list for those risks that have been resolved or mitigated.

Articles and Newsletters

Articles - Newsletters
* Jonathan Foxx is the President & Managing Director of Lenders Compliance Group

Friday, March 9, 2012

Action Plans to Correct Deficiencies

On March 8, 2012, the Federal Reserve Board (FRB) released the action plans for three supervised financial institutions to correct deficiencies in residential mortgage loan servicing and foreclosure processing. The three institutions are HSBC North America Holdings, Ally Financial, and IMB.

This is the second set of Action Plans that the FRB has made public.

On February 27, 2012, the FRB released the Action Plans of Bank of America, Citigroup, EverBank, JPMorgan Chase, MetLife, PNC, SunTrust, US Bancorp, and Wells Fargo.
The FRB will release additional Action Plans soon.

We have been monitoring and reporting on this matter for some time in newsletters and articles.

The Action Plans are required by formal enforcement actions issued by the FRB last year. Release of the Action Plans follows reviews conducted from November 2010 to January 2011, in which examiners found unsafe and unsound processes and practices in residential mortgage loan servicing and foreclosure processing at a number of supervised institutions.
  • The enforcement actions required Action Plans that describe, among other things, the strengthening of compliance programs.
  • Of instructional interest in learning about the adverse findings is the opportunity to review some of the ways and means adopted by the aforementioned institutions to resolve such deficiencies.
Particularly interesting are the consistent features of the mortgage compliance programs, and the training needed to effectuate corrective actions.

I hope you will take the time to consider how best to improve your own institution's compliance program.

Best wishes,
Jonathan Foxx *
Mortgage Compliance Program
Training Methods

A consistent feature of the Mortgage Compliance Programs (MCPs) is the emphasis on the institution's culture. One respondent stated that its MCP includes a commitment to determining how compliance risks are considered at planning meetings, identifying the applicable resources, compliance issues, risk reporting, and employee accountability, and instituting processes to identify compliance gaps and potential risks early in the new business or product development cycle.

The following outline sums up a broad and robust approach to readiness taken by respondents. This list combines features from various Action Plans that proved acceptable to the FRB.

Controls and Supervision
An institution should have processes to determine if appropriate controls are in place when enhancements are required, and how risks and issues are tracked and escalated within the organization.

Policies and Procedures
A description of the inventory, development, maintenance, approval and communication of policies and procedures.

Monitoring, Testing, and Reporting
Processes for mapping the laws, rules and regulations to system controls, evaluating the effectiveness of monitoring activities, determining the effectiveness of the compliance mandates and adherence to such guidelines, maintaining plans for activities to be monitored, and reporting monitoring and testing results to the management.

Implement processes to ensure the qualifications of current management and supervisory personnel responsible for mortgage operations and mortgage compliance, including collections, loss mitigation and loan modification, are appropriate, and a determine whether any staffing changes or additions are needed.

Loan Reviews
Establish an independent Loan Review and Quality Control function to provide continuous transactional testing.

Comprehensive risk assessment and remediation of any identified gaps should be performed to evaluate processes, controls and compliance with these requirements.

Procedures for integrating compliance competencies into the mortgage processes, how training is tracked and measured, identifying new compliance training, and determining when employees have sufficient awareness of laws, rules and regulations.

Management Reporting and Analysis
Inventory of management reports that address compliance, processes to determine accuracy of management reports, and how compliance risks and issues are reported

Regulatory Oversight
Procedures for maintaining and updating federal, state, and local laws, rules and regulations, and processes for management to respond to requests from regulators.

Thursday, March 8, 2012

The Cost of Consumer Financial Protection

Recently, I met with several accomplished compliance professionals for lunch. There was considerable discussion about the continuing growth of the regulatory frameworks, the bureaucracies to maintain them, and economic burden on financial institutions. *

One individual expressed the importance of financial protection of the consumer, while recognizing that such protection causes incremental compliance requirements; another individual agreed that such protection was needed, but worried that the costs to provide that protection would ultimately be borne by the consumer through increased pricing. 

In a way, these views reflect an ethical dilemma, and I would like to explore this seeming conundrum and offer a resolution.

An Unfettered Market
Protecting the Consumer
"Remember that credit is money."
Ethical Dilemma
Discussion Forum

An Unfettered Market

There is no political economy that we know of, since the dawn of recorded history, in which an unfettered market has existed.

Theories abound about how such a market might function. Whether we term such markets as "unfettered" or use the more emotionally appealing word "free," these markets are nonetheless only theories, howsoever popular in the public mind, and have virtually no extrapolation into economic reality. Better to call such theoretical legerdemain "utopian markets" and leave them to their rightful place in speculative philosophy and treatises on metaphysics.

Of course, utopias are attractive and always will be, even if we instinctively know that their viability is inherently unsupported by human experience and their imagined structure is ultimately dissolved in the unsentimental crucible of human history.


All markets are a remunerative way of exchanging information, which we call goods and services. Pricing is that information means by which markets communicate value relative to goods and services. And pricing is communicated through the conveyance of planning.

Markets contain an element of planning - some in extreme, others much less so. The plan, or the framework, is often in control of market participants by virtue of the very act of pricing. It is not possible to remove pricing from a market. Even a market predicated on bartering utilizes the "quid pro quo" as its informational pricing signal.


In the absence of a framework there is no market. It is not the framework that encourages commerce; rather, it is the commerce itself that encourages the formation of the framework. Innovative commerce often bleeds through and beyond an old framework, thus creating the need for a new framework.

And there is often reactionary resistance to the new framework. Those market participants who are paying attention to the informational signals of a new market are already finding ways and means to act in the new framework, while those whose commerce has not kept pace with innovation tend to resist the change mightily, hopelessly trying to preserve what they have by "fighting the tape."


Over the years I have found that the word "regulations" has become a euphemism for all manner of mischief perpetrated by politicians and market participants. Notice I differentiate the two: while some politicians may be market participants, most market participants are not politicians. Yet politicians spend quite a bit of their time crafting regulations! The mischief takes the form of viewing regulations as not only coercive (which they are) but also capricious (which they are not).

Both the politicians and the market participants rail on and on between and amongst each other about the coercion and the capriciousness of regulations, yet none of them ever really defines what actually is an efficient regulation. That is because, often, neither side has any idea how best to define such a thing.

But I'll define an "efficient regulation" right here and now:

An efficient regulation is the means by which the framework is preserved. Nothing more.

An inefficient regulation is the means by which the framework is destroyed. QED.

Protecting the Consumer

The consumer and the provider of goods and services in a market are economic equals. These actors are not two sides of the same coin. They comprise the market itself! The consumer's impact on regulation is what economists call "endogenous;" that is, acting in the aggregate, consumers influence a regulatory framework by accentuating certain preferences, such as encouraging diversity and innovation.

And providers of goods and services influence regulations by discouraging monopoly, reducing inefficiencies, constraining the inappropriate acquisition of ownership and irreversible wealth accumulation, and so forth.

Protecting the consumer is really just another way of protecting the provider.

But it comes at a cost to both of them.

Friday, January 13, 2012

Protecting Tenants at Foreclosure

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

The Protecting Tenants at Foreclosure Act (PTFA) went into effect in May 2009. The PTFA provides protections to tenants in foreclosed properties.

The PTFA is found in the Helping Families Save Their Homes Act of 2009 (a document of 1632 pages). Originally set to expire (or "sunset") on December 31, 2012, Dodd-Frank extended the expiration date of the PTFA to December 31, 2014.

Under this legislation, the immediate successor of interest (generally the purchaser) of a foreclosed property must provide all tenants with at least 90 days notice prior to eviction because of foreclosure.

Additionally, tenants must be permitted to stay in the residence until the end of the lease, with two exceptions:
  • The property is sold after foreclosure to a purchaser who will occupy the property as a primary residence, or
  • There is no lease or the lease is terminable at will under state law.
Even if these exceptions apply, the tenant must be given at least 90 days notice prior to eviction. The rights of Section 8 tenants are also protected under the PTFA.

In this newsletter, we should like to direct you to further information on the PTFA.

In This Newsletter-1
  • Protecting Tenants at Foreclosure Act
  • Dodd-Frank extends the PTFA
  • National Housing Law Project
  • Library
The Protecting Tenants at Foreclosure Act (PTFA) is Title VII of the Helping Families Save Their Homes Act of 2009.

We have extracted the relevant section and placed it in our Library.
The PTFA was extended and clarified by the Dodd-Frank Wall Street Reform and Consumer Protection Act.

We have extracted the relevant section and placed it in our Library.
The National Housing Law Project (NHLP) has materials that can help housing counseling agencies understand the PTFA's provisions and help tenants exercise their rights under the law.

NHLP's materials include sample letters that tenants can use to inform their landlords, as well as sample letters that advocates can use to inform the courts and public housing authorities.

These materials are available on the National Low Income Housing Coalition website.


Protecting Tenants at Foreclosure Act (PTFA)
Title VII of the Helping Families Save Their Homes Act of 2009

PTFA Extension and Clarification -
Dodd-Frank Wall Street Reform and Consumer Protection Act