After initially running out of money, the Paycheck Protection Program has received a fresh round of funding. Banks and credit unions that are able to participate in it will receive much-needed fee-based income to offset their drop in income as a result of the Federal Reserve cutting interest rates to nearly zero. Unfortunately, there are several risks that lenders will take on when participating in this program.
Credit Risk Is One Exposure Among Many
The federal government has taken on the credit risk of these loans with its guarantees, but credit risk is only one of many risks financial institutions face. Operational and fraud detection risk management practices are also a critical part of all lending processes. Existing customers of banks and credit unions have already gone through a “know your customer” process designed to mitigate the risk of fraud, criminal activity and other operational risks, giving those relationships an advantage as part of a streamlined approval process.
Lenders will need to create a new operational risk management process without a credit risk component. That may sound easy. However, financial institutions have traditionally used credit management tools as the primary risk management practice and backbone of the lending approval process. Operational risk management practices have not been as well developed.
Lenders with inadequate enterprise risk management practices and infrastructure likely feel they are navigating a maze of many vague, uncertain and still unfolding government requirements. They may spend their time trying to shift their liability from performing due diligence on companies to the government. What they don’t realize is that the real problem is the risk within their own internal processes.
They may be driven by revenue pressure or pressure to contribute to the public good — approving loans quickly and without the necessary due diligence. Financial institutions with robust enterprise risk management programs, on the other hand, will have a competitive advantage allowing them to secure potential long-term customers in the process. Acquiring a new customer, especially getting them to designate your firm as their primary relationship, is very time-consuming and expensive.
How to Screen Out the Risks that PPP Represents
Here are four key steps financial institutions can take to strengthen their operational risk and fraud detection programs while making and holding PPP loans and potentially other coronavirus-oriented loans:
1. Risk Identification: Engage your risk managers in the design of loan approval processes and give them the authority to perform a robust risk assessment to identify the risks presented by the PPP program.
Do not outsource this authority to consultants or other third parties. You can outsource the activity but you cannot outsource the risk.
The industry learned this lesson, or should have, during the recession of 2007. Institutions relied on third-party rating agencies but those firms had started giving favorable ratings in the quest to build fees.
2. Risk Assessment: Mobilize a cross-functional expert team through a common loan application and evaluation framework to assess potential borrowers. Make these corporate resources available to front-line lending staff.
After the operational risks have been identified, empower your risk teams to engage with internal security professionals, process experts, legal experts, compliance, and auditors to score the risks using repeatable, standardized and objective evaluation criteria. Not using this approach may leave an institution susceptible to the pressure to perform quickly. It’s quite possible institutions will inadvertently accept risks their experts knew about but were not able to surface to higher levels of management.
3. Mitigation Transparency: The PPP rules and guidance have already changed several times and adjustments are expected to be ongoing, meaning new risks will appear. Policy changes that take place on an ad hoc basis can be traced back to a date, but financial institutions may struggle to trace a loan back to a policy change.
Tracking up front would shorten investigations and provide compliance evidence that spans multiple levels, business areas and third-party technologies. This can also demonstrate that the institution was using best efforts to enforce all the requirements that were in place at that time to mitigate liabilities.
For the risk-based incident recounted in point 4, below, tracking IP addresses helped identify which loans were originating under different stolen identities, a way to move quickly from reactive to proactive.
4. Risk-based Incident Management: A priority should be providing a channel, dedicated to the PPP program, through which customers, employees and partners can submit anonymous fraud tips.
One fraud report, submitted by a customer through a bank’s web form, revealed that the customer had received a statement for a loan they hadn’t applied for. This wound up showing the bank that its background checks were screening for fake identities, whereas a fraud ring was using actual but stolen identities, which had passed the bank’s screening. This kind of risk-based mechanism not only flags problems but helps to evaluate the effectiveness of mitigation and policy activities.
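The tracking described in points 3 and 4 can be sketched in code. This is an added example, not something from the original article or any lender's system: it stamps each application with the policy version in effect when it was submitted and flags source IP addresses used by several distinct identities. The policy labels, dates, loan IDs, identity keys, IP addresses and the threshold of three identities are all constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed policy history: (effective date, internal version label).
POLICY_VERSIONS = [
    (datetime(2020, 4, 3), "ppp-policy-v1"),
    (datetime(2020, 4, 15), "ppp-policy-v2"),
    (datetime(2020, 4, 27), "ppp-policy-v3"),
]

# Constructed applications: (loan id, identity key, source IP, submitted at).
APPLICATIONS = [
    ("L-1001", "id-aaa", "198.51.100.7", datetime(2020, 4, 6, 9, 30)),
    ("L-1002", "id-bbb", "198.51.100.7", datetime(2020, 4, 16, 14, 5)),
    ("L-1003", "id-ccc", "198.51.100.7", datetime(2020, 4, 28, 11, 0)),
    ("L-1004", "id-ddd", "203.0.113.20", datetime(2020, 4, 10, 8, 0)),
    ("L-1005", "id-ddd", "203.0.113.20", datetime(2020, 4, 20, 8, 0)),
    ("L-1006", "id-eee", "192.0.2.44", datetime(2020, 4, 1, 16, 45)),
]


def policy_in_effect(submitted_at, versions=POLICY_VERSIONS):
    """Return the policy version active at submission, or None if none was."""
    dates = [effective for effective, _ in versions]
    idx = bisect_right(dates, submitted_at) - 1
    return versions[idx][1] if idx >= 0 else None


def shared_ip_clusters(applications, min_identities=3):
    """Map each IP used by >= min_identities distinct identities to its loans.

    Each loan is paired with the policy version it was approved under, so an
    investigator can see which controls applied to every loan in the cluster.
    """
    by_ip = defaultdict(list)
    for loan_id, identity, ip, submitted_at in applications:
        by_ip[ip].append((loan_id, identity, submitted_at))

    clusters = {}
    for ip, rows in by_ip.items():
        # Repeat applications by one identity do not raise the count.
        identities = {identity for _, identity, _ in rows}
        if len(identities) >= min_identities:
            clusters[ip] = sorted(
                (loan_id, policy_in_effect(ts)) for loan_id, _, ts in rows
            )
    return clusters


if __name__ == "__main__":
    for ip, loans in shared_ip_clusters(APPLICATIONS).items():
        print(ip, loans)
```

Shared addresses such as office networks or mobile carriers can produce benign clusters, so the output is a review queue rather than a fraud verdict.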