FDIC SI_Winter2015 Marketplace Lending

8/20/2019 FDIC SI_Winter2015 Marketplace Lending

1/34

Inside

A Framework for Cybersecurity

Marketplace Lending

Lending Viewpoint: Results from the

FDIC’s Credit and Consumer Products/

Services Survey

Regulatory and Supervisory Roundup

Devoted to Advancing the Practice of Bank Supervision

Vol. 12, Issue 2 Winter 2015


2/34

Supervisory Insights

Supervisory Insights is published by the

Division of Risk Management Supervision

of the Federal Deposit Insurance

Corporation to promote sound principles

and practices for bank supervision.

Martin J. Gruenberg

Chairman, FDIC

Doreen R. Eberley

Director, Division of Risk Management

Supervision

Journal Executive Board

Division of Risk Management

Supervision

George E. French, Deputy Director and

Executive Editor

James C. Watkins, Senior Deputy

Director

Brent D. Hoyer, Deputy Director

Mark S. Moylan, Deputy Director

Melinda West, Deputy Director

Division of Depositor and ConsumerProtection

Sylvia H. Plunkett, Senior Deputy Director

Jonathan N. Miller, Deputy Director

Regional Directors

Michael J. Dean, Atlanta Region

Kristie K. Elmquist, Dallas Region

Stan R. Ivie, San Francisco Region

James D. La Pierre, Kansas City Region

M. Anthony Lowe, Chicago Region

John F. Vogel, New York Region

Journal Staff

Kim E. Lowry

Managing Editor Michael S. Beshara

Financial Writer

Scott M. Jertberg

Financial Writer

Supervisory Insights is available on-line

by visiting the FDIC’s Web site at

www.fdic.gov. To provide comments or

suggestions for future articles, request

permission to reprint individual articles,

or request print copies, send an e-mail to

[email protected].

The views expressed in Supervisory Insights are those of the authors and do not necessarily reflectofficial positions of the Federal Deposit InsuranceCorporation. In particular, articles should not be

construed as definitive regulatory or supervisoryguidance. Some of the information used in thepreparation of this publication was obtained frompublicly available sources that are consideredreliable. However, the use of this information doesnot constitute an endorsement of its accuracy by

the Federal Deposit Insurance Corporation.


3/34

Supervisory Insights Winter 2015

Issue at a Glance

Volume 12, Issue 2 Winter 2015

Letter from the Director ........................................................................................................................................................ 2

Articles

A Framework for Cybersecurity 3

Due to the increase in number and sophistication of cyber threats, cybersecurity has become a critical issue facing the

financial services sector. This article discusses the cyber threat landscape and how financial institutions’ information

security programs can be enhanced to address evolving cybersecurity risks. The article concludes with a discussion of

actions taken by the federal banking agencies in response to the increase in cyber threats.

Marketplace Lending 12

Some banks are finding the small, but growing arena of marketplace lending to be an attractive source of revenue.

This article provides an overview of the marketplace lending model and the associated risks, including those that arise

in third-party arrangements. The article also highlights the importance of a pragmatic business strategy and offers

resources for bank boards of directors and management teams to consider when engaging in marketplace lending

activity.

Lending Viewpoint: Results from the FDIC’s Credit and Consumer Products/Services Survey 19

Prudent loan risk selection and close monitoring of the lending portfolio remain critical components of a well-managed

bank. Therefore, FDIC examiners continue to carefully assess lending and the related risks during the post-crisis

rebound in lending. This article describes recent lending conditions and risks as reported through the Credit andConsumer Products/Services Survey.

Regular Features

Regulatory and Supervisory Roundup 27

This feature provides an overview of recently released regulations and supervisory guidance.


4/34

2Supervisory Insights Winter 2015

Letter from the Director

The banking industry continuesto face challenges in traditionalbusiness lines, new product

offerings, and from cyber attacks on

information security systems. Thearticles in this issue of Supervisory

Insights provide information andresources for bankers and examinersin three areas — the evolving arena ofcybersecurity, marketplace lending,and current lending portfolio condi-tions and risks.

Due to the growing sophisticationand number of cyber attacks, cybersecurity has become a critical issuefacing the financial services sector.

“A Framework for Cybersecurity”provides an overview of the currentcyber threat landscape, and discusseshow banks can enhance and lever-age existing security and governancepractices into effective informa-tion security programs. The articleconcludes with a review of actions thefederal banking agencies have taken inresponse to cyber threats.

Marketplace lending is a small butgrowing component of the financial

services industry that some banks areviewing as an opportunity to increaserevenue. “Marketplace Lending”describes the marketplace lendingmodel and highlights the risks banksmay face in dealing with marketplacelenders, particularly when those asso-ciations are in the form of third-partyarrangements. The article identifiesresources for bank management anddirectors to consider when participat-ing in marketplace lending activity.

Careful monitoring of the loan port-folio and identification of potentialrisks remain characteristics of awell-managed bank. “Lending View-

point: Results from the FDIC’s Credit/ Consumer Products and ServicesSurvey” provides an overview ofcurrent lending conditions as reported

by this survey following FDIC riskmanagement examinations. Data fromthe survey continue to help the FDICassess lending trends at the banks wesupervise and proactively address anyareas of heightened risk.

This issue of Supervisory Insights also includes an overview of recentlyreleased regulatory and supervisoryguidance.

I hope you find the articles in this

issue to be informative and useful. We encourage our readers to providefeedback and suggest topics forfuture issues. Please e-mail yourcomments and suggestions [email protected].

Doreen R. Eberley

Director


Supervision


5/34


During the past decade, cyberse-curity has become one of themost critical challenges facing

the financial services sector due to

the frequency and increasing sophis-tication of cyber attacks. In response,financial institutions and their serviceproviders are continually challengedto assess and strengthen informationsecurity programs and refocus effortsand resources to address cybersecu-rity risks.

This article describes the evolvingcyber threat landscape and the U.S.government’s response to enhance thesecurity and resilience of the nation’s

critical infrastructure sectors. Thearticle discusses how componentsof financial institutions’ informationsecurity programs, including corporategovernance, security awareness train-ing, and patch-management programs,should be enhanced to address cyber-security risks, and concludes withan overview of actions taken by thefederal banking agencies to respond tocyber threats.

The Evolving ThreatLandscape

Historically, a bank’s primary secu-rity concern centered on protectingphysical data assets such as postedledger cards, promissory notes, andcritical documents in the vault aswell as securing the perimeter of thebank premises. In today’s bankingenvironment, business functions andtechnologies are increasingly inter-connected, requiring financial institu-

tions to secure a greater number ofaccess points. Innovation has resultedin greater use of automated coreprocessing, document imaging, distrib-uted computing, automated tellermachines, networking technologies,electronic payments, online banking,mobile banking, and other emerg-

ing technologies. At the same time,physical data assets have been auto-mated and a bank’s sensitive customerinformation stored on computers has

become as valuable as currency—a different kind of asset that needssafeguarding.

Cyber criminals use a variety oftactics. Some more common attackstrategies in recent years include mali-cious software deployment, distributeddenial-of-service (DDoS) attacks, andcompound attacks.

Malware

Malicious software, commonlyreferred to as “malware,” is a broadclass of software generally used to gainaccess to or to damage a computeror system. Malware may infect acomputer from a variety of accesspoints. Perpetrators often includemalware as an attachment to anemail, or it is delivered from websitesreferenced in emails. The perpetratortricks the email recipient into readingthe email and opening the attachment

or clicking on the link by crafting theemail to look as though it came from atrusted source.

These emails that deliver themalware are often referred to as“phishing” emails as they are fishingfor victims. A “spear phishing” emailcampaign is a subset of phishing inwhich the email content is tailoredto the interests of a smaller group ora single recipient. Phishing and spearphishing campaigns mislead targets

into providing sensitive informationsuch as user names, passwords, creditcard details, or personal sensitiveinformation, such as date of birthand Social Security number, thatcan be used to commit identity theftagainst the individual or gain access to

A Framework for Cybersecurity


6/34


1 NIST is a non-regulatory, federal agency within the U.S. Department of Commerce. See: www.nist.gov.

2 The Framework for Improving Critical Infrastructure Cybersecurity can be found at: http://www.nist.gov/cyber-

framework/.

A Framework for Cybersecuritycontinued from pg. 3

bank systems for theft, disruption, ordestruction.

Examples of malware include

ransomware and wiper programs.“Ransomware” generally restricts allaccess to a computer and demandsa ransom be paid for access to berestored. “Wiper” programs destroydata from the infected computer’shard drive and, in some cases, may beused to cover the attacker’s tracks.

Distributed Denial-of-Service

A DDoS attack attempts to make a

machine or network connected to theInternet unavailable to its intendedusers by overloading it with excessiveInternet traffic. Given the nature ofthese attacks, DDoS attacks cannot beprevented, but they can be success-fully mitigated. The ability to effec-tively manage a DDoS attack comesfrom the target’s ability to control andrecover from the attack, possibly byredirecting Internet traffic to a differ-ent server or engaging a DDoS mitiga-tion service.

Compound Attacks

Another attack strategy is the use of“compound attacks,” in which morethan one method of attack is deployedsimultaneously. For example, crimi-nals have used DDoS attacks todistract a target organization whileperpetrating another form of attack.Or a phishing email may contain anattachment or link that, if clicked by

the target, downloads a seeminglyharmless file that contains hiddenmalicious software with delayedexecution commands.

As the banking industry necessarilyinnovates to take advantage of newtechnologies and delivery channels,it needs to be alert to any related

new avenues of cyber attacks. Bankscan help mitigate these attacks bydeveloping an effective cybersecurityawareness campaign for employeesand customers, a comprehensivepatching program, and a strong detec-tion program. A sound risk-manage-ment program and correspondingcontrols will help mitigate the threatof cyber attacks.

A Critical Infrastructure

Perspective

On February 12, 2013, the Presi-dent issued Executive Order 13636,“ Improving Critical InfrastructureCybersecurity,” which establishedthat “[i]t is the policy of the UnitedStates to enhance the security andresilience of the Nation’s criticalinfrastructure and to maintain acyber environment that encouragesefficiency, innovation, and economicprosperity while promoting safety,

security, business confidentiality,privacy, and civil liberties.” TheExecutive Order directed the NationalInstitute of Standards and Technology(NIST) to develop a risk-based cyber-security framework to serve as a setof voluntary consensus standards andindustry best practices to help orga-nizations manage cybersecurity risks.The NIST1 defines cybersecurity as“the process of protecting informationby preventing, detecting, and respond-ing to attacks.”

The NIST Framework for ImprovingCritical Infrastructure Cybersecurity2 was created through collaboration

http://www.nist.gov/cyberframework/http://www.nist.gov/cyberframework/http://www.nist.gov/cyberframework/http://www.nist.gov/cyberframework/


7/34


between industry and government andconsists of standards, guidelines, andpractices to promote the protection ofcritical infrastructure. The first version

of the cybersecurity framework wasreleased on February 12, 2014, andconsisted of five core areas: Identify,Protect, Detect, Respond, and Recover.

The cybersecurity definition and thecomponents in the framework are simi-lar to the concepts found in AppendixB to Part 364 of the FDIC’s Rules andRegulations. Appendix B was estab-lished as a result of the enactment ofthe Gramm-Leach-Bliley Act in 1999and required each financial institu-

tion to develop an information secu-rity program. Use of the cybersecurityframework is not intended to replacea bank’s traditional information secu-rity program, but rather modify theprogram to address emerging cyberrisks. A bank’s information securityprogram should evolve as the operatingenvironment and the threat landscapechange. An effective information secu-rity program is not static and should beregularly evaluated and updated.

Bank management must incorporatecybersecurity into the bank’s overallrisk-management framework; designand implement appropriate mitigatingcontrols; update respective policies andprocedures and, ultimately, validate theintended control structure through anaudit program. When designing a cyberrisk control structure, four componentsof traditional information securityprograms are critical: Corporate Gover-nance, Threat Intelligence, Security

Awareness Training, and Patch-Manage-ment Programs.

Corporate Governance ofCybersecurity

An institution’s executive manage-ment and Board of Directors (board)play a key role in overseeing programsto protect data and technology assetsand establishing a corporate cultureconsistent with the bank’s risk toler-ance. A bank should evaluate andmanage cyber risk as it does any otherbusiness risk. It is not simply the obli-gation of those employees in the serverroom, but rather an enterprise-wideinitiative involving all employees. It iscritical the board institute a corporate

culture prioritizing cybersecurity.

Threat Intelligence

The Federal Financial InstitutionsExamination Council (FFIEC) onNovember 3, 2014, issued “Cyberse-

curity Threat and Vulnerability Moni-

toring and Sharing Statement.” Thestatement indicates that, “[f]inancialinstitution management is expectedto monitor and maintain sufficient

awareness of cybersecurity threats andvulnerability information so they mayevaluate risk and respond accordingly.”Essentially, it states that each finan-cial institution should have a programfor gathering, analyzing, understand-ing, and sharing information aboutvulnerabilities and threats to arrive at“actionable intelligence.” Actionableintelligence can be gathered from vari-ous public and private sources.

The FFIEC statement encouraged

financial institutions to participatein the Financial Services InformationSharing and Analysis Center (FS-ISAC)3 as a source of threat intelligence.

3 The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to

facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability informa-

tion. See: www.fsisac.com.


8/34


FS-ISAC is a public-private partner-ship that operates as an information-sharing forum. It was established bya Presidential directive to facilitate

the sharing of threat and vulnerabilityinformation among critical infrastruc-ture sectors. FS-ISAC informationincludes analysis and mitigationstrategies about a multitude of topicsincluding, but not limited to, informa-tion security, physical security, busi-ness continuity and disaster recovery,fraud investigations, and paymentsystem risk. FS-ISAC also providesadditional services and membershipbenefits including participation inwebinars, workshops, threat exercises,and assistance in creating informa-tion filters to ensure an institution isreceiving the threat and intelligenceinformation it needs without expe-riencing information overload. Toobtain this assistance, an institutionneed only call FS-ISAC toll-free at(800) 464-0085. In addition, FS-ISAChas created a community bank work-ing group and sends weekly cyberupdates to community bank execu-tives. These updates use layman’s

language to explain the most perti-nent cyber events of the week andto provide strategies for making theinformation actionable.

Another source of cyber intelligenceis the U.S. Computer EmergencyReadiness Team (US-CERT). US-CERTis part of the Department of HomelandSecurity and is focused on informa-tion regarding current security issues,vulnerabilities, and exploits. In addi-tion to alerts, which an institution can

receive by subscribing at www.us-cert.gov, US-CERT offers publications,educational material, and some assis-tance with cyber threats.

Security Awareness Training

Even the best-designed security

controls cannot fully protect a finan-cial institution from one uninformedemployee, contractor, or customerwho unwittingly visits a malicious Website, opens a malicious email attach-ment, or clicks on a malicious emaillink. Effective cybersecurity awarenessprograms should educate employees,contractors, and customers about thethreat environment and encouragethem to “Think Before You Click.”

Cybersecurity awareness programs

should highlight the importance ofguarding against cyber risks across allbusiness lines and functions. Employ-ees from entry-level staff to the boardshould participate in mandatorycybersecurity awareness training, asone uninformed employee can be thebank’s weakest link.

Security awareness training shouldbe role-specific, as job functionsrequire access to different systemsand types of information with varying

levels of sensitivity. Cyber attacks maybe customized and targeted at employ-ees with greater access to data or theability to modify security settings orinstall new applications, or those withthe ability to initiate or authorizethe transfer of funds. For example,frequent targets include informationsecurity professionals, executives,comptrollers, and cashiers.

Cybersecurity awareness trainingshould be available to bank person-

nel and contractors as well as bankcustomers, merchants, and other thirdparties, as they represent additionalaccess points to a bank’s data systems


http://www.us-cert.gov/http://www.us-cert.gov/http://www.us-cert.gov/http://www.us-cert.gov/


9/34


and can be targets of cyber criminals.For example, corporate account take-overs are typically perpetrated by thetheft of a customer’s login credentials

that are used to transfer money fromcompromised accounts.

Patch-Management Programs

The lack of an effective patch-management program has contributedsignificantly to the increase in thenumber of security incidents. Patchesare software updates designed to fixknown vulnerabilities or securityweaknesses in applications and oper-

ating systems.

An effective patch-managementprogram should include written poli-cies and procedures to identify,prioritize, test, and apply patches ina timely manner. The first step is tocreate an asset inventory catalogingthe systems requiring patch-manage-ment oversight. The asset inventoryshould capture all software and firm-ware, such as routers and firewalloperating systems, which are subject

to periodic patches from vendors.

An effective program also should useinformation received from threat intel-ligence sources that report on identi-fied vulnerabilities. Bank managementshould be aware of products reachingor at the end-of-life or those no longersupported by a vendor. Managementshould also establish strategies tomigrate from unsupported or obsoletesystems and applications and, in theinterim, implement strategies to miti-

gate any risk associated with the useof unsupported or obsolete products.

The board and senior managementshould require regular, standardreporting (metrics) on the status

of the patch-management program,including reports that monitor theidentification and installation of avail-able patches. Independent audits and

internal reviews should validate theeffectiveness of patch-managementprograms.

Regulatory Response andResources

The FDIC monitors cybersecurityissues on a regular basis throughon-site bank examinations, regulatoryreports, and intelligence reports. TheCorporation continually evaluates its

own supervisory policies for potentialimprovement and encourages prac-tices to protect against threats at thebanks it supervises. The FDIC hastaken a number of steps to increaseindustry awareness of cyber risks andto provide practical tools to help miti-gate the risk of cyber attack.

In the spring of 2014, the FDICissued a press release urging insti-tutions to actively utilize availableresources to identify and help miti-

gate potential cyber-related risks.It is important for financial institu-tions of all sizes to be aware of theconstantly emerging cyber threatsand government-sponsored resourcesavailable to help identify these threatson a real-time basis. The press releasecontained a number of examples offree resources available to institutionsand their website addresses.

In the summer of 2014, the FDICdeveloped and issued the “Cyber

Challenge” exercise, a resource forcommunity banks to use in assessingtheir preparedness for a cyber-relatedincident, through a series of videosand simulation exercises that depictedactual events experienced by institu-


10/34


tions. The Cyber Challenge exercise isavailable free to all institutions on theFDIC website, www.fdic.gov, under theCommunity Banking Initiative link.4

In the summer of 2015, the FDICcreated a cybersecurity awarenesstraining program for FDIC-supervisedinstitutions, as well as FDIC supervi-sion staff and management. Thesesessions were held in each of theFDIC’s regional offices during August2015. One banker stated that duringhis examination after the session, hefound great benefit in discussing whatboth he and his examiner heard atthe cyber awareness training the week

before. The training program wasfollowed by a teleconference in Octo-ber 2015 to provide an overview ofthe program and to share commonlyasked questions and answers.

Lastly, in November 2015, the FDICadded three additional video simula-tion exercises to Cyber Challenge aswell as a Cybersecurity Awarenessvideo that provides an overview ofthe threat environment and stepscommunity financial institutions can

take to be better prepared should acyber-attack occur. These materialsare available free on the FDIC website,www.fdic.gov, under the CommunityBanking Initiative link.

The FDIC has also participatedin a number of other activities asa member of the Federal FinancialInstitutions Examination Commit-tee or FFIEC. In June 2013, theFFIEC created the Cybersecurity and

Critical Infrastructure Working Group(CCIWG). The CCIWG’s first majorundertaking was to work to determinehow well banks, particularly commu-

nity banks, manage cybersecurity andto assess banks’ preparedness to miti-gate cyber risks. The FFIEC membersconducted a pilot cybersecurityassessment during 2014 at more than500 community institutions to evalu-ate preparedness. The results werereflected in the FFIEC document,“Cybersecurity Assessment GeneralObservations,” which providedthemes from the assessment andsuggested questions for chief execu-tive officers and boards of directors toconsider when assessing institutions’cybersecurity preparedness.5

The CCIWG also reviewed alloutstanding regulatory guidance toidentify any gaps and, as a result, theFFIEC IT Examination Handbook andother relevant regulatory guidance arebeing updated to address cybersecu-rity concerns. The CCIWG publishescybersecurity information at http:// www.ffiec.gov/cybersecurity.htm. Thechart below provides an overview ofrecently released supervisory guidanceand other FDIC or FFIEC resourcesthat bank management may finduseful in addressing cybersecurityrisks.

4 https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html.

5 The “FFIEC Cybersecurity Assessment General Observations” presents general observations from the Cyberse-

curity Assessment about the range of inherent risks and the varied risk management practices among financial

institutions. See: http://www.ffiec.gov/press/pr110314.htm.



11/34


Regulatory Action/Resource Summary

Cybersecurity Awareness Technical

Assistance Videos

This video series titled Cybersecurity Awareness is designed to assist bank directors with

understanding cybersecurity risks and related risk management programs and to elevate cyber-

security discussions from the server room to the board room. The first video covers the evolu-

tion of data security, defines cybersecurity, and reviews the current cybersecurit y threat

environment. The second video reviews the components of traditional information security

programs and discusses how elements of the program should be refocused in the current cyber-

security threat environment.

See https://www.fdic.gov/regulations/resources/director/technical/cybersecurity.html

Vendor Management TechnicalAssistance Video

This video titled Outsourcing Technology Services is designed to assist bank directors with

understanding responsibilities for governing their institution’s vendor risk management

program. The components of a program include a risk assessment process, service providerselection, contract negotiation and evaluation, and an ongoing monitoring framework. The video

also discusses business continuity planning and testing and resources to assist with establish-

ing and maintaining a vendor risk management program.

To be released in early 2016.

Cyber Challenge: A CommunityBank Cyber Exercise

The FDIC’s simulation exercise, Cyber Challenge, is designed to encourage community financial

institutions to discuss operational risk issues and the potential impact of information technology

disruptions on common banking functions. Using seven unique scenarios, the Cyber Challenge

helps start an important dialogue among bank management and staff about ways they address

operational risk today and techniques they can use to mitigate this risk in the future. Cyber Chal-

lenge is not a regulatory requirement; it is a technical assistance tool designed to help assessoperational readiness.

See https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html

Corporate Governance TechnicalAssistance Video

This presentation reviews corporate governance principles that are vital to a director’s role in

setting the direction of the bank. It focuses on three areas: (1) the role of a bank director, the

associated responsibilities, and the importance of independent decision making; (2) direction on

the superv ision of bank operat ions; and (3) guidance to help directors s tay informed.

See https://www.fdic.gov/regulations/resources/director/virtual/governance.html

Information Technology (IT)Technical Assistance Video

The IT video is designed to enhance bank directors’ awareness of effective risk management

practices. The video illustrates key IT governance programs, discusses select emerging and

significant IT risks, and provides relevant questions to consider at the directorate level. By

doing so, it provides a reasonable foundation for bank directors to exercise their fiduciary over-

sight over ever-changing and challenging IT risks.

See https://w ww.fdic.gov/regulations/resources/director/virtual/i t.html


12/34


FFIEC Statement on Cyber AttacksInvolving Extortion

This FFIEC statement, dated November 3, 2 015, notified financial institutions of the increasing

frequency and severity of cyber attacks involving extortion. It advised financial institutions to

develop and implement effective programs to ensure the institutions are able to identify, protect,

detect, respond to, and recover from these types of attacks.

See http://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_

Extortion_-_Interactive_Ve%20%20%20.pdf

FFIEC Cybersecurity Assessment Tool On June 30, 2015, the FDIC, in coordination with the other FFIEC member agencies, issued the

FFIEC Cybersecurity Assessment Tool to help institutions identify cybersecurity r isks and deter-

mine their preparedness. Similar to a bank’s information security program risk assessment, this

voluntary tool provides management with a repeatable and measurable process to assess an

institution’s risks and cybersecurity preparedness.

See http://www.ffiec.gov/cyberassessmenttool.htm

FFIEC Webinar: Executive Leadershipof Cybersecurity: What Today's CEOsNeed to Know About the Threats TheyDon't See

On May 7, 2014, the FFIEC’s CCIWG hosted a Webinar entitled, Executive Leadership of Cyberse-

curity: What Today's CEOs Need to Know About the Threats They Don't See. The webinar was

intended to raise awareness about the pervasiveness of cyber threats, discuss the role of exec-

utive leadership in managing these risks, and to share actions being taken by the FFIEC.

See https://www.youtube.com/watch?v=t1ZgWKjynXI&feature=youtu.be

FFIEC Statement on DestructiveMalware

This FFIEC s tatement, dated March 30, 2015, noti fied financial institutions of the increasing

threat of cyber attacks involving destruct ive malware. It warned that financial ins titutions and

technology service providers should enhance information securi ty programs to ensure they are

able to identify, mitigate, and respond to this type of at tack. In addition, the statement recom-mended that business continuity planning and testing activities incorporate response and recov-

ery capabilities and test resilience against cyber attacks involving destructive malware.

See http://www.ffiec.gov/press/PDF/2121759_FINAL_FFIEC%20Malware.pdf

FFIEC Statement on Cyber AttacksCompromising Credentials

This FFIEC s tatement, dated March 30, 2015, noti fied financial institutions of the growing trend

of cyber attacks for the purpose of obtaining online credentials for theft, fraud, or business

disruption and to recommend risk mitigation techniques. It said financial institutions should

address this threat by reviewing their risk management practices and controls over information

technology (IT ) networks and authentication, authorization, f raud detection, and response

management systems and processes.

See http://www.ffiec.gov/press/PDF/2121758_FINAL_FFIEC%20Credentials.pdf

Appendix J to the Business ContinuityPlanning IT Booklet: Strengthening

the Resilience of OutsourcedTechnology Services

On February 6, 2015, the FFIEC issued an update (Appendix J) to the Business Continuity Plan-

ning IT Booklet entitled “Strengthening the Resilience of Outsourced Technology Services.” This

update stresses the importance of addressing and incorporating cybersecurity elements when

establishing and monitoring third-party relationships.

See http: //ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strength-

ening-the-resilience-of-outsourced-technology-services.aspx


http://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion_-_Interactive_Ve%20%20%20.pdfhttp://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion_-_Interactive_Ve%20%20%20.pdfhttp://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspxhttp://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspxhttp://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspxhttp://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspxhttp://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion_-_Interactive_Ve%20%20%20.pdfhttp://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion_-_Interactive_Ve%20%20%20.pdf


13/34


FFIEC Statement on CybersecurityThreat and Vulnerability Monitoringand Sharing

This statement, dated November 3, 2014, indicated that financial institution management is

expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabil-

ity information so they may evaluate risk and respond accordingly. It stated that each financial

institution should have programs for gathering cyber-related information about vulnerabilities

and threats in a timely manner, analyzing the data, and sharing information to arrive at “action-

able intelligence.”

The statement also encouraged financial institutions to participate in the FS-ISAC as a source of

threat intelligence. FS-ISAC information includes analysis and solut ions about a multitude of

topics including, but not limi ted to, information security, physical securit y, business continui ty

and disaster recovery, fraud investigations, and payment system risk.

See http://www.ffiec.gov/press/pr110314.htm

Conclusion

Cyber risk is a substantial busi-ness risk. A bank’s board and seniormanagement must understand theseriousness of the threat environmentand create a cybersecurity culturethroughout the organization. Theeffective identification and mitigationof cyber risk must be grounded in astrong governance structure with thefull support of the board and senior

management.

Michael B. Benardo

Chief, Cyber Fraud and

Financial Crimes Section


Supervision

[email protected]

Kathryn M. Weatherby

Examination Specialist (Fraud)

Cyber Fraud and Financial

Crimes Section Division of Risk Management

Supervision

[email protected]


14/34


Marketplace lending is a smallbut growing alternative totraditional financial services

for consumers and small businesses.

Attracted by opportunities for earningsgrowth, some banks have entered themarketplace lending business eitheras investors or through third-partyarrangements. As with any new andemerging line of business, marketplacelending can present risks. Finan-cial institutions can manage theserisks through proper risk identifica-tion, appropriate risk-managementpractices, and effective oversight.Conversely, failure to understandand manage these risks may expose afinancial institution to financial loss,regulatory action, and litigation, andmay even compromise an institu-tion’s ability to service new or existingcustomer relationships. Before partici-pating in marketplace lending, finan-cial institution management shouldidentify potential vulnerabilities andimplement an effective risk-manage-ment strategy that protects the bankfrom undue risk.

This article is intended to heightenbankers’ and examiners’ understandingof marketplace lending and potentialassociated risks, including those aris-ing in third-party arrangements. Thearticle also highlights the importanceof a pragmatic business strategy thatconsiders the degree of risk togetherwith the potential revenue stream, andemphasizes the importance of banksexercising the same due diligence theypractice whenever they extend creditto a borrower.

Marketplace Lending Defined

For purposes of this article, market-

place lending is broadly defined toinclude any practice of pairing borrow-ers and lenders through the use of anonline platform without a traditionalbank intermediary. Although themodel, originally started as a “peer-to-peer” concept for individuals to lend toone another, the market has evolvedas more institutional investors havebecome interested in funding the activ-ity. As such, the term “peer-to-peerlending” has become less descriptive ofthe business model and current refer-

ences to the activity generally use theterm “marketplace lending.”

Marketplace lending typically involvesa prospective borrower submittinga loan application online where itis assessed, graded, and assigned aninterest rate using the marketplacelending company’s proprietary creditscoring tool. Credit grades are assignedbased on the marketplace lendingcompany’s unique scoring algorithm,which often gives consideration to a

borrower’s credit score, debt-to-incomeratio, income, and other factors setby the marketplace lender. Once theapplication process is complete, theloan request is advertised for retailinvestors to review and pledge fundsbased on their investment criteria.

A loan will fund from the moniescollected if investors pledge sufficientcapital before the deadline stated inthe loan request ( e.g. 14 days after therequest is posted). As an alternativeto funding loans through such retail

investments, institutional investors canprovide funding through whole loanpurchases or direct securitizations.

When a borrower’s requested loanamount is fully pledged, the market-

Marketplace Lending


15/34


place lending company originates andfunds the loan through one of twoframeworks: 1) the company lends thefunds directly (subsequently referredto as a “ direct marketplace lender”)or 2) the company partners with atraditional bank to facilitate the loantransaction (subsequently referred

to as a “bank-affiliated marketplacecompany”).

A direct marketplace lender typi-cally is required to be registered andlicensed to lend in the respective

state(s) in which it conducts business.Direct marketplace lenders facilitateall elements of the transaction, includ-ing collecting borrower applications,assigning credit ratings, advertising theloan request, pairing borrowers withinterested investors, originating theloan, and servicing any collected loan

payments. As part of the transaction,direct marketplace lenders issue inves-tors either registered or unregisteredsecurity notes (subsequently referredto as “security notes”) in exchangefor the investments used to fund the

Direct Funding Model

BORROWER LENDERS/INVESTORS

Borrower applies for a loan

Loan disbursed to borrower

Loan repayment net service fee

Investor receives security note

Commits funds to a borrower

DirectMarketplace

Lender

Monthly loan payments

Figure 1: Illustration of Direct Funding Model

Figure 2: Illustration of Bank Partnership Model

Bank Partnership Model

Borrower applies for a loan

Monthly loan payments

L o a n i s m a d e t o b o r r o w e r

BORROWER

R e f e r s

l o a n

r e q u e s t

S e l l s l o a n t o m a r k e t p l a c e

l e n d i n g c o m p a n y

Loan repayment net service fee

Investor receives security note

Commits funds to a borrower

LENDERS/INVESTORS

Bank-affiliatedMarketplace

Company

FinancialInstitution


16/34


loan. Consequently, the borrower’srepayment obligation remains withthe direct marketplace lender, thesecurity notes issued to investors

become the obligation of the directmarketplace lender, and the investorsare unsecured creditors of the directmarketplace lender. (See Figure 1 onthe previous page for an illustration ofthis process.)

Some marketplace lending compa-nies operate under the secondframework by working through acooperative arrangement with apartner bank. In these cases, thebank-affiliated marketplace company

collects borrower applications, assignsthe credit grade, and solicits investorinterest. However, from that point thebank-affiliated marketplace companyrefers the completed loan applicationpackages to the partner bank thatmakes the loan to the borrower. Thepartner bank typically holds the loanon its books for 2-3 days before sellingit to the bank-affiliated marketplacecompany. Once the bank-affiliatedmarketplace company purchases theloan from the partner bank, it issuessecurity notes up to the purchaseamount to its retail investors whopledged to fund the loan. By the endof the sequence of transactions, theborrower’s repayment obligationtransfers to the bank-affiliated market-place company, and the securitynoteholder maintains an unsecuredcreditor status to the bank-affiliatedmarketplace company, which mirrorsthe outcomes described under thedirect funding framework (see Figure

2 on the previous page). In certain

circumstances, some institutionalinvestors may invest in whole loantransactions, which are often arrangeddirectly between the interested parties

and outside any cooperative arrange-ment with a partner bank.

Once the process is complete,borrowers begin making fixed monthlypayments to the bank-affiliatedmarketplace company which issues apro rata payment to the investor, lessloan servicing fees.

Common barriers to entry for banksand other traditional financial servicesentities include state licensure laws,

capital requirements, access to financ-ing, regulatory compliance, and secu-rity concerns. Some of these barriersmay not exist for marketplace lendingcompanies. New start-up marketplacelenders may be established quicklyand often with a unique niche tocapture a particular share of themarket. In 2009, industry analystswith IBISWorld identified at leastthree marketplace lending companies;by 2014, the number had grown to 63marketplace lending companies.1 As of

September 2015, the number of estab-lished marketplace lending compa-nies totaled 163 with new entrantscontinuing to join the competitivemarket.2

Concomitant with the increas-ing number of market participants,new or expanded product lines areintroduced as companies attemptto establish a niche position in themarket. Some examples of market-place loan products include unsecured

Marketplace Lendingcontinued from pg. 13

1 Omar Khedr, “Front money: Revenue will rise, but regulations threaten industry profitability,” IBISWorld Industry

Report OD4736 Peer-to-Peer Lending Platforms in the US, December 2014. (A subscription to IBISWorld is needed

to view this report.) http://clients1.ibisworld.com/reports/us/specializedreportsarchive/default.aspx?entid=4736.

2 Omar Khedr, “Street credit: New industry’s explosive growth may meet regulatory hurdles,” IBISWorld Indus-

try Report OD4736 Peer-to-Peer Lending Platforms in the US, September 2015. (A subscription to IBISWorld is

needed to view this report.) http://clients1.ibisworld.com/reports/us/industry/default.aspx?entid=4736.


17/34


consumer loans, debt consolidationloans, auto loans, purchase financing,education financing, real estate lend-ing, merchant cash advance, medical

patient financing, and small businessloans.

The Importance of EffectiveRisk Identification

The marketplace lending businessmodel depends largely on the willing-ness of investors to take on the creditrisk of an unsecured consumer, smallbusiness owner, or other borrower.Given the market’s infancy and that

it has primarily existed in an envi-ronment of low and steady interestrates, current credit loss reports orloss-adjusted rates of return may notprovide an accurate picture of therisks associated with each market-place lending product.

Further, each marketplace lendingcompany’s risk level and composi-tion varies depending on the businessmodel or credit offering, with poten-tially significant variations across

credit products. Given the creditmodel variations that exist, using anonspecific approach to risk identi-fication could lead to an incompleterisk analysis in the bank’s market-place investments or critical gaps inbank management’s planning andoversight of third-party arrangements.

As such, banks should perform a thor-ough pre-analysis and risk assessmenton each marketplace lending companywith which it transacts business,whether acting as an institutional

investor or as a strategic partner.3

A comprehensive list of risks associ-ated with marketplace lending is notpossible without an understandingof the arranged lending activity and

the products offered. Although nota complete list, some risks includethird-party, credit, compliance,liquidity, transaction, servicing, andbankruptcy risks. Before engaging inmarketplace activity, banks shouldcomplete appropriate due diligenceand ensure effective risk identificationpractices are in place as part of therisk assessment process.

Third-party risk can vary greatlydepending on each third-party

arrangement, elevating the importancefor banks to conduct effective duediligence. Banks are encouraged toreview the FDIC’s Financial InstitutionLetter 44-2008 titled Guidance for

Managing Third-Party Risk,4 whichdiscusses the critical elements to aneffective third-party risk managementprocess: (1) risk assessment, (2) duediligence in selecting a third party, (3)contract structuring and review, and(4) oversight.

Before engaging in any third-partyarrangement, a financial institutionshould consider whether the proposedactivities are consistent with the insti-tution’s overall business strategy andrisk tolerances. Bank management isencouraged to develop a strong under-standing of the marketplace lendingcompany’s business model, establishcontractual agreements that protectthe bank from risk, regularly moni-tor the marketplace service provider,and require the marketplace lendingcompany to take corrective action

3 See FIL-49-2015 “Advisory on Effective Risk Management Practices for Purchased Loans and Purchased Loan

Participations”, November 6, 2015 at https://www.fdic.gov/news/news/financial/2015/fil15049.html.

4 See FIL-44-2008“Guidance for Managing Third-Party Risk,” June 6, 2008 athttps://www.fdic.gov/news/news/

financial/2008/fil08044.html.

https://www.fdic.gov/news/news/financial/2008/fil08044.htmlhttps://www.fdic.gov/news/news/financial/2008/fil08044.htmlhttps://www.fdic.gov/news/news/financial/2008/fil08044.htmlhttps://www.fdic.gov/news/news/financial/2008/fil08044.html


18/34


when gaps or deficiencies occur. This

due diligence may result in banksrequiring policies and procedures fromthe marketplace lending companywith respect to legal and regula-tory compliance prior to the bank’sinvestment or before any services areoffered.

Some considerations include, butare not limited to, compliance withapplicable federal laws such as lendinglaws, consumer protection require-ments, anti-money laundering rules,

and fair credit responsibilities alongwith adherence to any applicable

state laws, licensing, or requiredregistrations. As with any third-partyarrangement, banks should monitormarketplace activities and expect

marketplace servicers to undergoindependent audits and take correc-tive action on audit exceptions aswarranted. Failure to do so couldexpose a bank to substantial financialloss and an unacceptable level of risk.

For banks contemplating a fundingrelationship with a marketplace lend-ing company, management shouldconsider several issues that couldaffect the bank’s risk profile. (See DueDiligence sidebar.) Banks also should

consider validating the marketplacelending company’s compliance withany applicable state or federal laws.Negotiated contracts should considerprovisions allowing the financialinstitution the ability to control andmonitor third-party activities ( e.g.,underwriting guidelines, outsideaudits) and discontinue relationshipsif contractual obligations are not met.

Compliance risk is inherent in anymarketplace lending activity. Banks

are accountable for complying withall relevant consumer protectionand fair lending laws and regulatoryrequirements and cannot assign thisresponsibility to a marketplace lend-ing company. Although marketplacelending companies are required tocomply with many of these require-ments, well-run bank programs shouldinclude appropriate due diligence andongoing monitoring to validate thatthe marketplace lending companydemonstrates adherence to theserequirements. Relevant laws may


Due Diligence

What duties does the bank rely on the marketplace

lending company to perform?

What are the direct and indirect costs associated with the program?

Is the bank exposed to possible loss, and are there anyprotections provided to the bank by the marketplace

lending company?

What are the bank’s rights to deny credit or limit loan

sales to the marketplace lending company?

How long will the bank hold the loan before sale?

Who bears primary responsibility for consumer compli-

ance requirements, and how are efforts coordinated?

Is all appropriate and required product-related infor-mation effectively and accurately communicated to

consumers?

What procedures are in place to prevent identity theft

and satisfy other customer identification requirements?

What other risks is the bank exposed to through themarketplace arrangement?


19/34


include the Truth in Lending Act5 (TILA) that, among other things,requires the disclosure of standard-ized loan terms and conditions at

point of sale and in advertisements,and Section 5 of the Federal TradeCommission Act,6 which prohibitsunfair and deceptive acts or practices.

Consistent with the third-party riskguidance,7 banks also should evaluatewhether a bank-affiliated marketplacelending company complies with fairlending and other related laws includ-ing the Equal Credit Opportunity

Act8 (ECOA), which prohibits lend-ers from taking action related to any

aspect of a credit transaction on thebasis of race, color, religion, and otherprohibited factors. Banks that partnerwith marketplace lending compa-nies should exercise due diligence toensure the marketplace loan under-writing and pricing policies and proce-dures are consistent with fair lendingrequirements.

Transaction risk is present giventhe potential for customer serviceproblems or a marketplace lending

company’s failure to fulfill its dutiesas expected by the financial institu-tion or its customers. Marketplaceloans may be subject to high levelsof transaction risk given the largevolume of loans, handling of docu-ments, and movement of loan fundsbetween institutions or third-partyoriginators. Banks should anticipaterisks that could arise from problemswith customer service, product deliv-ery, technology failures, inadequatebusiness continuity, and data securitybreaches.

Servicing risk exists given the pass-through nature of marketplace notes.The investor becomes a creditor tothe marketplace lending company

and has no access to the borrower.Therefore, if a marketplace lend-ing company that services the loansbecomes insolvent, investors maybecome exposed not only to bank-ruptcy risk but also servicing risk ifthe loan servicing process is disrupted.In bankruptcy, a marketplace lendingcompany may be unable to fulfill itsnote servicing obligations to inves-tors even if the borrowers continue tomake timely payments.

Notwithstanding the fact that theloans in which they invested arefully performing, investors also maybe exposed to losses if other credi-tors seek rights to these borrowerpayments in the bankruptcy proceed-ing. In the event a marketplace lend-ing company becomes insolvent,investors line up in bankruptcy courtto collect on monies owed on a prorata basis, with no investor having anysuperior claim to a stream of paymentthan any other, and often times withinterest halted once the bankruptcyproceedings commence.

At a minimum, banks that invest inmarketplace loans should determinewhether back-up servicing agree-ments are in place with an unaffiliatedcompany before investment. Banks, asinvestors, committing significant capi-tal to marketplace loans should assessthe marketplace lending company’screditworthiness with considerationgiven to the business’s solvency priorto investing the capital. Although this

5 See the Truth in Lending Act at https://www.fdic.gov/regulations/laws/rules/6500-3200.html#fdic65001026.1.

6 See Section 5 of the Federal Trade Commission Act at https://www.fdic.gov/regulations/laws/rules/8000-3000.

html.

7 Ibid.

8 See the Equal Credit Opportunity Act at https://www.fdic.gov/regulations/laws/rules/6500-200.html.

https://www.fdic.gov/regulations/laws/rules/8000-3000.htmlhttps://www.fdic.gov/regulations/laws/rules/8000-3000.htmlhttps://www.fdic.gov/regulations/laws/rules/8000-3000.htmlhttps://www.fdic.gov/regulations/laws/rules/8000-3000.html


20/34


condition may not afford completeprotection, it may mitigate some riskof loss.

Liquidity risk is present given thelimited secondary market opportuni-ties available for marketplace loans.

Although there are a few knownaftermarket providers, the secondarymarket for marketplace loans gener-ally is limited with resale opportunitiesavailable only to a select few market-place lending companies. Partnerbanks with loans in their marketplacepipeline may also experience liquid-ity risk for those pipeline loans thatrequire funding.

Other considerations include compli-ance with other state and federalrequirements, including anti-moneylaundering laws. The partner bankshould evaluate the bank-affiliatedmarketplace company as it wouldany other customer or activity, andfinancial institutions investing inmarketplace loans should exercise duediligence in evaluating appropriatecompliance for any loan purchase.

A Supervisory Perspective

Before engaging in any marketplacelending third-party arrangement orbalance sheet investment, a financialinstitution should ensure the proposedactivities are consistent with the insti-tution’s overall business strategy andrisk tolerances. FDIC examiners assesshow financial institutions managethird-party relationships and otherinvestments with marketplace lenders

through review of bank management’srecord of and process for assessing,measuring, monitoring, and controllingthe associated relationship and creditrisks. The depth of the examinationreview depends on the scope of theactivity and the degree of risk associ-ated with the activity and the relation-ship. The FDIC considers the results ofthe review in its overall evaluation of

management, including management’sability to effectively control risk.

FDIC examiners address findings

and recommendations relating to aninstitution’s third-party marketplacelender relationships and marketplaceloan investments in the Report ofExamination and within the ongo-ing supervisory process. Appropriatecorrective actions, including formalor informal enforcement actions, maybe pursued for deficiencies identifiedthat pose significant safety and sound-ness concerns or result in violationsof applicable federal or state laws orregulations.

Conclusion

Some banks are finding participa-tion in the small but growing arena ofmarketplace lending to be an attractivesource of revenue. With the market’sinfancy and its lack of performancehistory through a complete economiccycle, bank management should lookbeyond the revenue stream and deter-mine whether the related risks align

with the institution’s business strategy. As noted earlier, financial institutionscan manage the risks through properrisk identification, appropriate risk-management practices, and effectiveoversight. With the rapidly evolv-ing landscape in marketplace lend-ing, institutions should ascertain thedegree of risk involved, rememberingthey cannot abrogate responsibility forcomplying with applicable rules andregulations.

Angela M. Herrboldt Senior Examination Specialist


Supervision

[email protected]



21/34


The lending landscape for banks

continues to evolve. Whathasn’t changed is that the qual-

ity of a bank’s loan portfolio continuesto be of paramount importance to itslong-term financial health. Thus, theassessment of lending and its relatedrisks continues to be a key focus ofthe FDIC. This article describes theassessments of lending conditions andrisks by FDIC risk-management exam-iners, based on Credit and ConsumerProducts/Services Surveys (CreditSurveys) submitted for examinations

completed through the first half of2015.

Lending Conditions

As measured by bank loan growth,recovery from the financial crisis and“great recession” continues to gathermomentum. Total loans and leasesheld by FDIC-insured institutionsrose to $8.5 trillion as of June 30,2015, up 5.4 percent compared to one

year prior.1 This post-crisis reboundin lending volume is likely attribut-able, in part, to the low interest rateenvironment and a fair economicoutlook encouraging individuals andbusinesses to tap into available credit.Not only is loan volume growing, butthe proportion of institutions thatare growing their loan portfolios isincreasing. During the second quarterof 2015, 78 percent of banks grewtheir lending portfolios. This is upfrom about 74 percent the year prior.

Further, the rise in loan volume isbroad-based. Acquisition, develop-ment, and construction (ADC) loansstood at $256 billion at mid-year

2015, an increase of nearly 15 percent

from a year earlier. Commercial andindustrial (C&I) loans were $1.8trillion, an 8 percent increase froma year earlier. Consumer lendingincreased 4 percent to $1.4 trillion.Nonfarm, nonresidential commercialreal estate loans increased 4 percentto about $1.2 trillion. In addition, 1-4family residential mortgage loans heldon balance sheet grew about 2 percentto a little less than $1.9 trillion.Unused loan commitments are nearly$6.7 trillion and are up 6 percent from

a year earlier, indicating continuedloan growth.

Loan performance continues toimprove, reflecting the ongoing recov-ery in the nation’s economy and bank-ers working through and/or selling offmany of the problem legacy credits.The past due and nonaccrual (PDNA)ratio as of June 30, 2015, is 2.38percent, a 67 basis point improve-ment from the year prior. During the12-month period, the PDNA ratio

improved for nearly all loan categoriesexcept the “All other loans and leases(including farm)” category, whichonly increased six basis points to 0.45percent.

Given that borrowers generally donot immediately default after theyhave received a loan, metrics such asthe PDNA ratio tend to be a laggingindicator of loan quality, especiallyin periods of rapid loan growth, andmay not effectively provide banks and

their regulators the lead time neces-sary to properly identify and addressemerging credit risk. Accordingly, tofacilitate earlier identification and

Lending Viewpoint:Results from the FDIC’s Credit and Consumer Products/ Services Survey

1 Financial data and banking statistics for this article obtained fromQuarterly Banking Profile for second quarters

2015, 2014, and 2013.


22/34


stronger tracking of lending condi-tions and risks, the FDIC reviewsand analyzes examiners’ responsesto the Credit Surveys.2

Credit Survey Results

The observations reported byexaminers in the Credit Surveyreflect continuing improvement inthe financial condition and overallrisk profile of the banking industry.

At the same time, Credit Surveyresults suggest that just as loangrowth is returning, so to someextent are riskier lending practices.

This development is not unusual ina banking cycle’s upswing phase.

Moreover, while selected indica-tors suggest the direction of riskis increasing, examiners are stilltypically reporting these indicatorsin the context of low to moderatelevels of overall risk.

Overall loan portfolio risk

Credit Survey respondentscontinue to label the degree of riskin most lending portfolios as “low”to “moderate.”3 Reports of “high”risk portfolios declined substan-tially, from 23 percent of responsesfor the first half of 2013 to 14percent of responses for the firsthalf of 2015. For the first half of2015, roughly 67 percent of CreditSurveys reported “moderate”risk in the loan portfolio, and 18

percent considered the risk level“low.” Comparatively, for the firsthalf of 2013, responses were 62percent for “moderate” risk and 15

percent for “low” risk, respectively.The migration from the “high” risklevel in the past few years maybe due to the working throughor selling-off of many problemcredits and improvements in theeconomy, but perhaps also to tight-ening of underwriting standards inthe aftermath of the recent finan-cial crisis that was noted in priorCredit Survey results.4

When assessing the level of risk

on a portfolio-type basis, an overallimproving trend is noted for nearlyall portfolios. Regardless, someportfolios are reporting a slightuptick in the proportion of “high”risk designations in the first halfof 2015 (although the frequencyof such designations remains wellbelow those experienced with therecent crisis), suggesting that lend-ing risk may be in the very earlystages of increasing.

The Credit Survey results showthe level of risk in the Agricul-tural loan portfolio has increasedslightly during the past two years.Since the Credit Survey wasimplemented, the Agriculturalloan portfolio generally had one ofthe highest percentages of “low”risk responses. During the pasttwo years, there has been a slight

2 Past SIJ articles summarizing Credit Survey results include: Jeffrey A. Forbes, Margaret M. Hanrahan,

and Larry R. VonArb, “Lending Trends: Results from the FDIC’s Credit and Consumer Products/Services

Survey,” Winter 2013; Jeffrey A. Forbes, Margaret M. Hanrahan, Andrea N. Plante, and Paul S. Vigil,

“Results from the FDIC’s Credit and Consumer Products/Services Survey: Focus on Lending Trends,”

Summer 2012; and Jeffrey A. Forbes, David P. Lafleur, Paul S. Vigil, and Kenneth A. Weber, “Insights from

the FDIC’s Credit and Consumer Products/Services Survey,” Winter 2010.

3 These descriptors apply only to banks with lending portfolios representing more than two percent of total

assets (“de minimis portfolio rule”).

4 See articles in the Summer 2012 and Winter 2013 issues referenced in footnote 2.

Lending Viewpointcontinued from pg. 19

Credit Survey History

The FDIC implemented the current

Credit Survey in the fall of 2009.The Credit Survey is required to

be completed by examiners at theconclusion of all risk management

examinations. It solicits examinerassessments about the level of risk

and quality of underwriting for loanportfolios and gathers information on

new and evolving bank activities andproducts, among other items, witha focus on changes since the last

examination.

Combining Credit Survey resultswith financial, economic, and

examination data helps supervi-sory staff to better identify trends,perform forward-looking analyses,

and prioritize the use of supervisoryresources. In addition, the results

are summarized for the bankingindustry in articles such as this one.

Similar articles were published in the Winter 2010, Summer 2012, andWinter 2013 issues of SupervisoryInsights (SIJ).


23/34


but noticeable shift from “low” to“moderate” and “high” risk. Such ashift is to be expected as farm incomehas declined after several years of

extraordinarily high levels. Althoughfarm income has declined, farm debtlevels remain manageable. That said,the level of risk within the Agricul-tural loan portfolio is dependent onhow borrowers and bankers adjust tothe lower levels of farm income. Asa reminder, financial institutions areencouraged to work with borrowersexperiencing financial difficulties. TheFDIC will continue to closely moni-tor the agricultural economy and thequality and performance of the Agri-cultural loan portfolio.

Regulators are also keeping a closeeye on other portfolios, including

ADC and commercial real estate(CRE) in general, which experiencedsignificant loan losses in the recentfinancial crisis. Out-of-area lendingand concentrations also remain onthe regulatory radar and are discussedlater in this article.

Underwriting

Prudent loan risk selection remainsvital to a bank’s financial health, anda bank’s first line of defense againstbooking excessive credit risk is theinitial underwriting process. For thefirst half of 2015, about 9 percent ofCredit Surveys reported “generallyliberal” underwriting in one or moreportfolios.5 This is a slight uptick fromthe 8 percent reported in the secondhalf of 2014, but is still a lower inci-

dence of “generally liberal” underwrit-ing practices than reported in all other

prior six-month periods. The portfoliomost often cited as having “generallyliberal” underwriting is the consumerportfolio (6 percent for the first half of

2015), with the C&I portfolio rankingsecond (6 percent), and the ADC port-folio ranking third (5 percent).

The Credit Surveys indicate thatexaminers are typically observing nomaterial changes in underwriting.This has remained the case during thepast five years (see Chart 1). Whenexaminers have observed a materialchange in loan underwriting practices,they more often report tighteningthan easing, again a trend that has

persisted during this period. Anotherconsistent trend is that the propor-tion of banks where examiners havereported tighter standards has gener-ally declined since 2011, leading toan increase in “no material change”observations. Whether tightening orrelaxing, the preponderance of thematerial underwriting changes contin-ues to be characterized by Credit

5 De minimis portfolio rule (see footnote 3).

0%

5%

10%

15%

20%

25%

30%

Tighter

Looser

Source: Credit Surveys of Satisfactorily Rated Institutions withAnnual Loan Growth

% Surveys

Chart 1: Changes in Underwriting Standards


24/34


Survey respondents as “moderate”versus “substantial.”

On an aggregate portfolio basis,

changes in economic conditionsand responses to regulatory obser-vations and recommendations aregenerally the most common factorsreported to be influencing changesin underwriting practices. Lesser,but still important, reported factorsinclude competitive forces, changes inmanagement, and growth goals.

The Credit Survey results describedthus far have indicated that in broadterms, the banking industry continues

to exhibit a lower risk profile than itdid coming out of the financial crisis,and that examiners generally aredescribing the overall level of lendingrisks as moderate. However, as notedearlier, Credit Survey responses alsoindicate that risks related to selectedportfolios or lending practices maybe starting to increase. Some of theseissues are described below.

About 10 percent of the applicablesurveys for satisfactorily rated banks

during the past 18 months reportedthose banks loosening at least one ofthe specified types of underwritingstandards for C&I and permanent CREloans. Reducing the spread betweenthe loan rate and cost of funds is themost frequently reported area of loos-ening for this portfolio, followed byincreasing the maximum maturity ofloans.

As mentioned previously, ADC lend-ing is on the rise, albeit from a lower

base following a post-crisis retrench-ment of this sector. Examiners notedhigher-risk ADC lending activities inabout 22 percent of applicable CreditSurveys for satisfactorily rated banksduring the past 18 months. This

remains elevated compared to otherloan portfolio types. Speculative lend-ing is the most frequently reportedhigher-risk activity. It is followed by

repayment source themes: fundingof ADC loans without considerationof repayment sources other than thesale of collateral and failing to verifythe quality of alternative repaymentsources.

The agricultural economy has beenstrong; however, real net farm incomehas been declining since the 2013peak. The increases in the overalllevel of risk in agricultural loan port-folios noted earlier is probably more

attributable to these economic devel-opments rather than to weak lendingpractices, since for most banks theCredit Survey results do not show anincrease in higher-risk agriculturallending practices. For some banks,however, riskier practices are beingreported. One sign of a weaker agri-cultural economy is an increase inCredit Surveys reporting institutionsthat are extending or renewing unpaidproduction/operating loans structuredto be paid in full at maturity and notsecured by marketable collateral, e.g.carryover debt. Other agriculturallending practices reported to be onthe rise at some banks, although lessfrequently reported than carryoverdebt, are making livestock loans with-out documenting livestock inspec-tions and lending to borrowers wholack documented financial strength tosupport the loan.

Lending Products and

Strategies

As the banking industry contin-ues its rebound from the crisis andbanks look to combat compressed netinterest margins, banks are growing



25/34


loans, sometimes by way of offeringnew products or expanding existinglending strategies. Credit Surveysreporting new or evolving products,

activities, or strategies that couldpose risks to the institution increasedfrom about 10 percent between 2010and 2011 to roughly 13 percent in2014 and 2015. Examples of the mostfrequently cited new and empha-sized lending products in the CreditSurveys include purchasing loans(including out-of-area, participa-tions, and Shared National Credits);

ADC and CRE lending; C&I lending;and Small Business Administrationlending.

Along with the uptick in new andemphasized lending products, CreditSurvey results show that examinersview the risks associated with loangrowth as somewhat greater thanin past Credit Surveys. Specifically,for the first half of 2015, 47 percentof Credit Surveys reported the riskassociated with loan growth and/ or changes in lending activities as“moderate” or “high.” This is up from43 percent two years prior and from45 percent one year ago.

A variety of reasons for “high” riskdesignations was observed. For satis-factorily rated institutions, manycomments focused on the rate ofgrowth, with CRE/ADC and residentialreal estate being the most frequentlycited. Credit administration, merger/ acquisition activity, and participationor brokered loans were also repeat-edly cited as risk factors.

Out-of-Area Lending

Many banks, such as some inmarkets with sluggish loan demand,

consider out-of-area lending as a wayto grow loans. Over time, advancesin technology and partnerships withthird parties have made out-of-area

loans more readily available to banks. As discussed in the Winter 2013SIJ article, out-of-area lending grewdramatically in the years before thecrisis, and those loans often werepurchased whole or in participationsunderwritten by other financial insti-tutions. Many failed banks had rela-tively large portfolios of out-of-arealoans that deteriorated quickly, andthe deterioration was exacerbated byweak due diligence at origination, lackof knowledge about the area wherethe loan was made, and reliance on athird party that poorly managed thecredit. The Winter 2013 SIJ articlealso suggested that institutions wereimplementing lessons learned fromthe crisis as fewer banks were makingout-of-area loans at that time.

More recently, Credit Survey resultsshow that trend may be revers-ing. Reports of out-of-area lendingincreased in the first half of 2015 (seeChart 2). About 19 percent of CreditSurveys for this period6 report out-of-area lending as a standard practiceor a practice engaged in frequentlyenough to warrant notice. This is upfrom 15 percent for the first half of2014 and from 14 percent for thefirst half of 2013. Although out-of-area lending is trending up, it has notreached the levels reported for 2009

to 2012.

In January 2015, the Credit Survey

question for out-of-area lending wasrevised, in part, to separate the lend-ing categories into direct and indirectlending.7 Commercial lending (includ-ing CRE/ADC) is the loan portfolio

6 Ibid.

7 Indirect lending includes purchased out-of-area participations and whole loans and all loans purchased from non-

FDIC-insured entities regardless of the location.


26/34


most often associated with out-of-arealending, on both direct and indirectbases. In 13 percent of Credit Surveysfor the first half of 2015, institutions

were identified as being engaged indirect or indirect out-of-area lend-ing for their commercial portfoliosas a standard practice or frequentlyenough to warrant notice. Thepercentages reported for residentialand consumer portfolios were muchlower (see Chart 3). Depending on theportfolio type, approximately 26 to 29percent of the institutions identifiedas engaged in out-of-area lending arereported to be engaged in both directand indirect out-of-area lending.

In early November 2015, the FDICissued FIL-49-2015 to update informa-tion contained in the FDIC Advisoryon Effective Credit Risk ManagementPractices for Purchased Loan Partici-pations (FIL-38-2012). The updatedadvisory addresses purchased loansand loan participations and remindsFDIC-supervised institutions of theimportance of underwriting and

administering purchased credits asif the loans were originated by thepurchasing institution. The updatedadvisory also reminds institutions thatthird-party arrangements to facilitateloan and loan participation purchasesshould be managed by an effectivethird-party risk management process.

Concentrations

Loan growth has the potential tocreate or exacerbate concentrations

of credit and/or funding. The FDICrecognizes that concentration risk isa reality for many institutions, andis often a reflection of local econo-


0%

5%

10%

15%

Direct

Commercial

Direct

Residential

Direct

Consumer

Indirect

Commercial

Indirect

Residential

Indirect

Consumer

Standard Practice

Warrant Notice

% Surveys

Source: Credit Surveys (First Half 2015)

Chart 3: Out-of-Area Lending Type

0%

10%

20%

30%

40%

Standard Practice Warrant Notice

% Surveys

Source: Credit Surveys

Chart 2: Out-of-Area Lending Trended Up in 2015


27/34


mies, borrowing needs, and marketconditions. Concentrations are notinherently problematic, but the asso-ciated risks need to be well-managed.

As discussed in the Winter 2013 SIJarticle, ineffective risk managementof growing concentrated portfolios hasbeen a key contributor to asset prob-lems in many banking crises. As such,the FDIC continues to closely tracktrends in concentrations.

About 55 percent of Credit Surveysfor the first half of 2015 reportedat least one credit and/or fundingconcentration. Moreover, many insti-tutions that have concentrated loan

portfolios are growing those portfolios.Based on June 30, 2015, Call Reportdata, about 49 percent of institutionswith one or more loan portfolios thatexceed 300 percent of total capital8 grew such a portfolio over 10 percent.9

In the fourth quarter of 2013, theCredit Survey question for credit andfunding concentrations was revisedto provide more granular data onconcentrations including, amongother items, type. Chart 4 summa-

rizes concentration types on a broadcategory basis as reported through theCredit Survey. More specifically, themost frequently cited credit concen-trations in the Credit Survey resultsare CRE/ADC, individual borrower,agriculture, residential/multi-familyreal estate, hospitality, and out-of-area/participations. On the fund-ing side, the most frequently citedconcentrations are brokered deposits,borrowings/wholesale funds, largedeposits, public funds, and internet/ listing service deposits. As indicatedin the Chart, survey responses char-acterized a subset of these concentra-

tions as displaying material growth orvulnerability to economic stress.

Chart 4: Credit and Funding Concentrations

0%

10%

20%

30%

40%

Individual, Project,Single Repayment

Industry, Product,Collateral

Single FundingSource

Volatile FundingSource

Concentrations

Material Growth

Vulnerable to Economic Stress

% Surveys

Source: Credit Surveys (First Half 2014 through First Half 2015)

Outlook and Viewpoint

The lending environment willcontinue to change. Banks are grow-ing loan portfolios, and there maybe early signs of emerging risk. Inthe current environment, banks arefacing strong competition, earningspressure, and increasing deposits.How well banks manage loan growth,concentrations, funding, and newproducts or services will be criticalto their successful operation goingforward. As banks revisit risk toler-ances and market strategies to remaincompetitive, management shouldremember that prudent risk selectionand careful monitoring of the lend-ing portfolio are integral componentsof a well-managed institution. Whenassessing proposed and new productsand activities, considerations shouldinclude matters such as whether thebank understands the risks associ-

ated with the market or product,whether pricing is appropriate forany increased risk, and whether the

8 For ADC lending, 100 percent of total capital is used.

9 For institutions with more than one portfolio exceeding the threshold, the highest growth rate is used.


28/34


proper resources, including technol-ogy and staffing, are available.

The data obtained from the Credit

Surveys are valuable to the supervi-sory process. The FDIC will continueto evaluate the Credit Survey dataalong with other sources of infor-mation to proactively identify andaddress the continued evolution oflending practices and risks at thebanks we supervise.

Lisa A. Garcia

Senior Examination Specialist


Supervision

[email protected]

Kenneth A. Weber

Senior Quantitative

Risk Analyst


Supervision

[email protected]



29/34


Overview of Selected Regulationsand Supervisory Guidance

This section provides an overview of recently released regulations and supervisory guidance, arranged inreverse chronological order. Press Release (PR) and Financial Institution Letter (FIL) designations are

included so the reader can obtain more information.

ACRONYMS and DEFINITIONS

CFPB Consumer Financial Protection Bureau

FDIC Federal Deposit Insurance Corporation

FFIEC Federal Financial Institutions Examination Council

FRB Federal Reserve Board

NCUA National Credit Union Administration

OCC Office of the Comptroller of the Currency

Federal bank regulatory agencies FDIC, FRB, and OCC

Federal financial institution regulatory agencies CFPB, FDIC, FRB, NCUA, and OCC

Subject Summary

FDIC Issues Additional

Cybersecurity Awareness

Resources (FIL-55-2015,

November 23, 2015)

The FDIC is adding to its cybersecurity awareness resources for financial institutions. The

new resources include a Cybersecurity Awareness video and three vignettes for the Cyber

Challenge, which consist of exercises that encourage discussions of operational risk issues

and the potential impact of information technology (IT) disruptions on common banking

functions.

See https://www.fdic.gov/news/news/financial/2015/fil15055.html

FFIEC Issues Updated Management

Booklet as Part of IT Examination

Handbook Series (FIL-54-2015,

November 20, 2015)

The FFIEC has issued a revised “Management” booklet that provides guidance to assist exam-

iners in evaluating the IT governance at financial institutions and service providers. The book-

let is part of the IT Examination Handbook series.


FDIC Board Approves Proposed Rule

to Increase Deposit Insurance Fund

To Statutorily Required Level (FIL-

53-2015, November 17, 2015)

On October 22, 2015, the FDIC Board of Directors adopted a proposal to increase the Deposit

Insurance Fund to the statutorily required minimum level of 1.35 percent. The proposed rule

would impose on banks with at least $10 billion in assets a surcharge of 4.5 cents per $100 of

their assessment base, af ter making cer tain adjustments. The FDIC expects the reserve ratio

would likely reach 1.35 percent after approximately two years of payments of the proposedsurcharges. Comments on the proposed rule are due January 5, 2016.



30/34


Subject Summary

FDIC Clarifies its Approach to Banks

Offering Certain Products and

Services to Non-Bank Payday

Lenders (FIL-52-2015, November 16,

2015)

The FDIC is reissuing its 2005 Payday Lending Guidance (FIL-14-2005) to ensure bankers and

others are aware that it does not apply to banks offering products and services, such as

deposit accounts and extensions of credit, to non-bank payday lenders. Financial institutions

that can properly manage customer relationships and effect ively mi tigate r isks are neither

prohibited nor discouraged from providing services to any category of business customers or

individual customers operating in compliance with applicable state and federal laws.


FDIC Seeking Comment on

Frequently Asked Questions

Regarding Identifying, Accepting,

and Reporting Brokered Deposits

(FIL-51-2015, November 13, 2015)

The FDIC is seeking comment on a proposed update to a series of frequently asked questions

and an accompanying introductory letter regarding identifying, accepting and reporting

brokered deposits that were issued in January 2015 through FIL-2-2015. Comments on the

proposed update are due December 28, 2015.


Agencies Announce Final EGRPRA

Outreach Meeting (PR-90-2015,

November 13, 2015)

The federal banking agencies will hold the final outreach meeting on Wednesday, December 2,

2015, at the FDIC in Arlington, VA, as part of their regulatory review under the Economic

Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA) . The meeting will feature

panel presentations by

FDIC SI_Winter2015 Marketplace Lending

Documents

Transcript of FDIC SI_Winter2015 Marketplace Lending