Want more Insights from SAS? Subscribe to our Insights newsletter. Or check back often to get more insights on the topics you care about, including analytics, big data, data management, marketing, and risk and fraud.
Stress testing: How to turn a regulatory burden into a competitive advantage
Evaluating stress testing’s potential at midsize banks
In 2012, US regulators unveiled new rules requiring stress testing for the largest American banks – those with assets over $50 billion – to measure their ability to withstand adverse events. Starting in 2014, those Dodd-Frank Act Stress Testing (DFAST) provisions were expanded to include midsize firms – those with $10 billion to $50 billion in assets. (Regulators also recommend stress testing for community banks or other institutions too small to fall under Dodd-Frank Act requirements.)
Large banks were naturally more prepared for DFAST, because they had been expected to perform some level of stress testing since the financial crisis of 2008. However, at the time the rules were expanded, midsize banks varied quite a bit in their readiness. In a 2014 SAS-sponsored survey:
- More than a quarter of respondents (27.5 percent) said their organizations had a basic and largely manual framework for compliance purposes.
- About one-third (34.3 percent) reported having a well-developed framework with some automation in place.
- More mature banks (26.5 percent) had integrated stress testing into the business and were using it for strategic decision making, as well as regulatory reporting.
- The remaining 11.8 percent were still figuring out how to get started.
The industry made much progress in a year, at least by its own estimation. In a 2015 GARP survey sponsored by SAS, a majority of respondents said their organizations had the right people and expertise to handle the data management, risk modeling, risk model management, process management, and reporting requirements of DFAST. But technology gaps remain, especially as requirements continue to evolve, with regulators asking more complex questions that require larger data sets and faster turnarounds.
Before your organization reaches $10 billion in assets, have those conversations with the regulators to understand their expectations.
Fulton Financial Corp., a US regional financial services holding company headquartered in Lancaster, PA, is bringing risk-specific analytics to bear on these challenges. We caught up with Erich Reuter, Fulton’s Director of Risk, Analytics and Financial Strategies, to get his thoughts on the challenges midsize banks are facing, what they should be doing, and how a regulatory requirement can actually become a strategic benefit.
For banks that are new to regulatory stress testing, what is the most pressing area on which to focus?
Erich Reuter: Among banks already in the DFAST space or moving toward that $10 billion mark, the primary concern is data collection. Stress testing is very data- and analytics-driven. The sooner you start collecting data and making sense of that data the better. The regulators want to see that you have enough data to do bank-specific stress testing based on your own customers.
Second, before your organization reaches $10 billion in assets, have those conversations with the regulators to understand their expectations. That will be critical to making sure that once you reach that $10 billion mark, there’s a sound and well-thought-out process in place. Then put your DFAST process through a dry run to identify gaps that may exist in data, software or integration.
How has Fulton Financial addressed technology gaps in the stress testing process?
Reuter: Historically, there have been a lot of manual processes and silo systems involved in stress testing. Everyone owned their own data. People were using Microsoft Access and Excel, which are great tools, but they have a lot of limitations as well. Even when more sophisticated tools were put into play, banks have traditionally set up their information infrastructures to be very siloed. You have marketing, commercial lending, credit risk management, and so on – all siloed across the organization.
We recently licensed capabilities from SAS that will enable us to do things on a much larger scale and for wider use across the organization, not just in a siloed framework. The SAS® Risk Modeling Workbench we’re deploying provides a visual environment where analysts can create and calibrate the models needed for stress testing, and linkages between data sources and models can easily be visualized and explained. For spreadsheet traditionalists, a module within the workbench provides self-service SAS business intelligence from within the familiar Microsoft Office environment.
While we are in the early stages of deploying the solution, we had already been doing a lot of what is now required for stress testing before the Dodd-Frank Act came out. For example, from a budgeting and forecasting perspective, we had incorporated statistical modeling to build the PPNR (pre-provision net revenue) models before DFAST came around. So we were already doing a lot of data and analytics work on the risk side that we could transition over to the DFAST requirement.
What changes come from having an integrated, enterprisewide stress testing framework?
Reuter: The data and analytics capabilities we have been putting into place for stress testing – both for our internal use and for regulatory compliance – are also providing us two related benefits: a single source of the truth and a 360-degree view of the customer. With a holistic perspective, we can understand the customer relationship in full context, reflecting all the customer’s relationships with the bank.
In short, our response to stress testing requirements is also breaking down some of the silos. We’re finding that the analytics developed for one area of the bank can be very effectively used in other areas. For example, we share risk insights with marketing, and marketing provides insights back to the risk analytics area. This cross-pollination enables us to build products and services that meet our customers’ needs and benefit the organization – a positive side effect of managing regulatory requirements.
Here’s a specific example. We’re using SAS to build out our own loan payment studies to look at our customers and their propensity to repay loans – not just their willingness to repay but their ability to repay from a credit perspective. Bringing together multiple facets, such as credit scores and LTV (loan-to-value), these models deliver insights that support better risk management decisions, better credit decisions, development of the right products and services, and the ability to more effectively market those products and services. It’s not just about function-specific data and analytics, but how one area can affect all the different areas of the organization.
Wouldn’t it be a surprise if someone from risk management went to a marketer and said, “We found this in stress testing and think it could be a benefit to your marketing.”
Reuter: Typically, but for my organization it wasn’t. Our marketing director has a background in analytics as well, so he routinely applies those types of analytics to his world. When marketing does its analysis or develops customer-facing campaigns, products and services, that’s a conversation it runs by the risk and analytics department to determine how we think these customers will behave, how many will respond, what will happen when the campaign ends, and how many customers we’ll retain over time. This collaboration enables us to serve customers better while meeting the organization’s risk management needs as well.
How do you get people in vastly different functions to see the potential for cross-functional collaborations?
Reuter: We can talk about these ideals of breaking down silos and looking at the regulatory landscape in an entirely new way, but this is a radical approach compared to what a lot of people who grew up in the banking industry have done. Education is key. It’s going to be critical for management in different functions to understand the idea of data and analytics behind the decision-making process, getting that holistic view of the customer, and really understanding the risk the bank is assuming across the organization, considering interdependencies among areas.
The banks that will benefit the most from this will be the ones that move beyond DFAST as a periodic regulatory exercise. Banks need to remember that the true intent of stress testing is not to produce regulatory reports, but to make sound decisions to ensure the bank’s liquidity and stability under adverse conditions. That means stress testing must move away from a regulatory check-the-box exercise to being integrated into business as usual.
It involves taking the stress testing thought process and translating it into managing your business – incorporating risk insights and analytics into capital planning, budgeting and forecasting, product development, human resources, customer intelligence, and so on. The organization that successfully does this will make better operational decisions and cultivate stronger customer relationships. It will have turned what appeared to be an onerous regulatory burden into competitive advantage.
- To see the 2015 GARP survey about technologies to improve stress testing, download the report The Current State of Banking Stress Testing Technology: Closing the Gaps.
- Download the GARP white paper Stress Testing: A View From the Trenches.