1 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting July 2014 kpmg.com
3 Introduction Dear Colleagues: Credit reports play an important role in the lives of consumers. As the range and frequency of decisions that rely on credit reports have increased, so has the importance of assuring the accuracy of the reported consumer data. The Credit Reporting Agencies (CRAs) and the data furnishers who report information about borrowers both play roles that affect the accuracy of the information reported. For purposes of this survey, data furnishers will more specifically be referred to as financial institutions. Ultimately, inaccurate information may lead to incorrect actions that may impact both decision makers and consumers. The Fair Credit Reporting Act (FCRA), and its implementing regulations, impose legal duties on CRAs and on financial institutions for the accuracy and integrity of credit report information. The Consumer Financial Protection Bureau (CFPB) in its oversight role and consumer advocacy lens, has also driven increased scrutiny and examination of the processes that support data accuracy and integrity. To help with these challenges, the KPMG LLP (KPMG) Credit Risk Management practice commissioned a survey of financial institutions to provide insight into current industry practices and issues associated with credit bureau reporting, results of which are summarized in this white paper. The survey was initiated in January 2014 and ended to responders in April The following are the key considerations highlighted by responder feedback: Overall survey feedback confirms credit bureau reporting changes currently underway across people, process, and technology at all responder financial institutions. A key area of focus is the identification and appointment of accountable executives across the horizontal organization linking to line of business accountable executives. The majority of organizations have made changes in data reporting to the CRAs within the past three months. institutions made changes in reporting practices related to four themes 1) change in business process, 2) introductions of new reporting data elements, 3) regulatory or compliance concerns, and 4) result of credit bureau process audits. In contrast, small-to-medium institutions have made changes predominantly for regulatory or compliance concerns. 6 of the institutions do not have a formal annual audit in place of third parties contracted to report consumer credit data on their behalf to help ensure compliance with all federal and state laws that govern consumer bureau reporting. Not all institutions have a remediation process for rejected credit bureau data. The institutions that have a remediation process in place evaluate reasons for rejects on a monthly basis. Institutions that have MIS related to record counts, data quality, and successful data transmission have established controls such as alerts and notifications across the entire reporting process. Mike Cwiok Managing Director Risk Consulting T: E: Hoan Wagner Director Risk Consulting T: E:
4 d KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting
5 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting e CONTENTS Section A Profile of respondents...1 Section B Governance & Oversight... 5 Section C Credit bureau reporting practices...9 Section D Data quality...15 The information contained herein is of general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The views and opinions from the survey findings are those of the survey respondents and do not necessarily represent the views and opinions of KPMG LLP KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.
6 1 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Section A Profile of respondents
7 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 2 Profile of respondents To accomplish the goal of providing anonymous and representative insights, we reached out to 39 financial institutions ranging from $50 billion to over $300 billion in total consumer balance sheet assets. We had nine financial institutions respond for a response rate of nearly 25%. Additionally, the nine institutions represented appoximately 5 of the total reported portfolio ($) across the universe of 39 institutions. In recognition that financial institution practices often vary by the size and complexity, we separated respondents into three categories based on asset size: = >$300 billion = Between $100 billion to $300 billion = Between $50 billion to $100 billion. Additionally, we noted the following responder attributes: Of the nine financial institutions that responded, over half were large institutions with greater than $300 billion in assets. Majority of the survey responses were provided by a senior manager with less than one year of tenure in role, which suggests resource changes across institutions is occurring regardless of size. (Refer to Section B Governance & Oversight where observation may be driving resource decisions) Overall survey feedback across all sections suggest credit bureau reporting programmatic change is currently occurring across people, process, and technology. While the answers to individual questions are informative, the survey results should be considered based on the context of your organization s portfolio mix, organization infrastructure, and technology. Size of Financial Institution Responding 22% 56% 22% Balance Sheet Composition of Respondents % 35% % 43% 15% Commercial/Wholesale Consumer/Retail Traded Products
8 3 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Profile of respondents Continued... Average Portfolio Distribution of Respondents 3 26% 25% 2 21% 15% 14% 14% 1 9% 5% 5% 5% 3% 2% 1% Credit Card Mortgage Auto Charge Home Equity Respondents reported the composition of their portfolio that is reported to the credit reporting agencies. Other LOC Education Business Commercial Credit and charge card, Mortgage, and Auto comprise 76% of data furnished. In an effort to increase consistency, current practices indicate financial institutions are reviewing their reporting policies and determining what information should be reported across loan types. Examples include the following: Reporting foreclosures and short sales for mortgages Repossessions for auto loans Payment programs for credit cards.
9 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 4
10 5 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Section B Governance & Oversight
11 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 6 Governance & Oversight Financial institutions are first and foremost addressing their existing governance structure to clarify accountability and expand breadth of coverage. Historically, individual lines of business managed policies and procedures as well as made decisions on practices. This model may have lead to inconsistent reporting practices. financial institutions are working to start up programs that span horizontally across all lines of business. As part of this effort, these institutions have implemented or begun to implement Centers Of Excellences (COE) and executive governance structures to oversee broad institutional policy over credit bureau reporting, as well as monitor and address priorities and initiatives to improve legacy programs. Survey results reinforced some of these governance observations. Several financial institutions indicate they are evaluating their organization s structures and resources needed to manage a proactive compliance program: Program Governance Financial institutions have begun to formulate a horizontal governance body within a line of business or risk department (with cross-functional representation) that is accountable for evaluating the performance of credit bureau reporting. This includes the vetting and syndicating of policies, procedures, and practices where there has been determination that consistency is required across the organization. institutions tend to have a centralized governance structure (2nd Line of Defense) lying in Corporate Risk Management with oversight functions residing in the line of business or operations (1st Line of Defense) to address transmission and transaction activities as they arise. Oversight is accomplished through reporting to a Steering Committee or Risk Management. This structure is generally driven by organizational independence and asset size of the product. to medium institutions tend to provide oversight through Risk Management, which is responsible for developing programs and monitoring reporting compliance. Although institutions have made significant efforts to improve their reporting in this important area, certain practical applications remain with the financial institutions regardless of size: Expanding efforts to identify, assess, and improve reporting consistent information Monitoring and tracking exceptions to identify and correct the root causes of inaccurate reporting Improve training and other processes Improve CFPB regulation preparedness. Credit Bureau Reporting Oversight Key areas being address: Risk Management Operations Multilple Groups Identifying and appointing accountable executives across horizontal organization linking to line of business accountable executives Resourcing to support disputes and reject remediation Resourcing to engage in target operating model design and execution Overall governance resources to support policy disclosure setting and calibration of procedures.
12 7 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Governance & Oversight Continued... Resourcing More than 75% of the responders to the survey hold the role of a senior vice president, vice president, or senior manager for their financial institution. A majority expressed interest in a deeper discussion around credit bureau reporting programs and CFPB preparedness. Approximately 56% of the responders are in their current role for less than one year, which suggests conscious evaluation of organization structure and identification of accountable executives for credit bureau reporting. When asked how many people are dedicated to supporting the credit bureau reporting program, the majority of the organizations have less than five people with at least 5 of their job function and role assigned to credit bureau reporting. In addition, a considerable number of organizations have less than 10 people with at least 5 of their job functions related to credit bureau dispute handling. Based upon industry observations, the credit bureau disputes handling process is fairly mature within organizations with the exception of addressing block notifications, new e-oscar functionality, and managing direct disputes inventory. We have observed both highly centralized disputes handling functions as well as decentralized approaches that rely on respective lines of business to handle disputes. Survey results for the responder population show that dispute handling team sizes varied from 3 to 70 people. Policy and Procedures Most of the participants have centralized reporting policies (e.g., FCRA and FACTA). In addition, almost all of the institutions have either centralized or somewhat centralized procedures that align with those policies such as Disputes Handling or CBR operating procedures. institutions tend to have more centralized policies in order to provide enterprise wide guidance and standards on credit bureau reporting throughout the rest of the organization. -to-medium-sized institutions tend to be more decentralized with specific policies residing within the organization itself rather than administered top down. Although we have observed that many institutions have documented policies and procedures, there appears to be limited detail in what we have observed with regard to what should be reported, what should not be reported (exclusions), and standards for scenario-driven reporting events (e.g., bankruptcy, deceased, etc.). Additionally, it is not uncommon to see policies merged with procedures, which make it difficult for institutions to evaluate policy specifically, particularly if regulatory guidance changes requiring policy adjustment. Dedicated FTE by Respondent Credit Bureau Reporting % 25% > Organizations with assets >$300 billion have a larger number of dedicated FTE involved in credit bureau reporting because reporting responsibilities tend to lie in the line of business rather then in one centralized organization although there may be a centralized steering committee or governance structure. Organizations with assets <$300 billion tend to centralize oversight activities and support multiple stakeholders with less FTE, which may be commensurate with program scope and size. Dedicated FTE by Respondent Dispute Handling >10
13 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 8 Centralization of Policies by Respondent Highly Centralized Mostly Decentralized Mostly Centralized Somewhat Decentralized Leading industry practice for institutions with highly centralized policy seeks consistency in reporting and has established common definitions, calculations and data attribute used across lines of businesses. Centralization of Procedures by Respondent Highly Centralized Mostly Centralized Somewhat Centralized
14 9 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Section C Credit bureau reporting practices
15 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 10 Credit bureau reporting practices Many institutions have identified the need for further transparency and evaluation of legacy credit bureau reporting rules and practices within their programs. Leading institutions are establishing formal feedback loops to learn from rejects, credit bureau disputes, and complaints. Responders do not generally report to all credit bureau reporting agencies (CRAs) PII Reported by Respondents % Reporting to all the CRAs is not universally 10. institutions may not report to some of the agencies as result of geographic concentrations and footprint % Our survey respondents indicate 67% of institutions report consumer data to all four bureaus (Equifax, Experian, Innovis, and TransUnion). The majority of the large institutions report to all four bureaus. Full name, generational suffix, address, and social security number are the most commonly reported elements to the credit bureaus, which are required for use in accurate matching of reported data to the consumer file at the CRA. Reporting by Bureau Full name including middle name or initial Generational suffix Full address Social Security Number Full date of birth including month, day, year Month and year of birth Metro 2 Reported by financial institution and/or Third Party Provider All respondents indicated the use of third parties in reporting to the credit agencies. This is largely driven by the use of large portfolio servicers such as First Data Resources (FDR) and Total Systems (TSYS). Most of the institutions (78%) contribute their outbound data to the credit bureaus by using a combination of reporting, where some data is reported to the bureaus directly and some data is being reported through a third party. The most commonly used third parties are FDR and Lender Processing Services (LPS). 2 Data Submission by Respondents D&B Equifax Experian Innovis TransUnion My organization submits data directly to the Bureaus My organization uses a combination, some data is reported to the Bureaus directly and some data is being reported through a third party
16 11 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Credit bureau reporting practices Continued... Monitoring and Compliance While all institutions report a formal audit program, large institutions place greater reliance on the service level agreements with third parties in order to comply with federal and state laws. 4 of the institutions have a formal audit in place with all third parties contracted to report consumer credit data on their behalf. These audits are completed at least annually to help ensure the institutions are in compliance with all federal and state laws that govern consumer bureau reporting. 6 of the institutions placed equal reliance on service level agreements with third parties regarding FCRA/FACTA compliance and periodic reviews of compliance for accuracy. We have observed that institutions with robust third party management policies that encompass practices for evaluating regulatory compliance, service levels, and disputes/complaints are in an ideal position to understand and manage how their data is being reported to the CRAs. Reporting Program Change All respondents indicated the use of third parties in reporting to the credit agencies. This is largely driven by servicers of large consumer receivables such as FDR and TSYS. Compliance monitoring by Respondents % 43% 14% 5 5 Formal audit process Third party agreements Other Less than half of the large and small financial institution responders have a formal process to evaluate their credit bureau reporting program. Frequency of Review by Respondent Third-Party Submission % Quarterly Annually Other % 1 First Data Resources Total System Services LPS FIS 87% of all respondents indicate that some form of Review is conducted annually Where the practice and operational aspects of reporting are managed by third parties, industry leading practices of responders emphasize taking accountability for policy and auditing of third-party practices.
17 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 12 Review Participants by Respondent % 71% 99% Internal parties responsible for outbound consumer credit bureau reporting Internal parties responsible for outbound consumer reporting along with representation from at least one Consumer Credit Bureau Internal parties responsible for outbound consumer reporting and representation from all Consumer Credit Bureau that my organization reports to Internal parties with no connection or responsibility for credit bureau reporting Organizations with assets <$100B tend to self-assess their own processes while organizations >$100B tend towards a more independent review. Organizations with assets <$100 billion tend to self-assess their own processes while organizations >$100 billion tend towards a more independent review. Recent Data Changes Within the past 3-months Within the past 6-months Within the past year Unknown Drivers of Change The majority of institutions have made changes in the data reported to the CRAs within the past three months. institutions made changes in reporting practices related to four themes change in business process, introduction of new reporting data elements, regulatory or compliance concerns, and result of bureau audit. In contrast, small-tomedium institutions have made changes predominantly for regulatory or compliance concerns. In addition, approximately 67% of the institutions have a formal change management review process in place to evaluate and approve these data changes Change in business process Internal enhancement to data quality for a data element(s) that had not previously been reported Mitigation of downstream disputes as a result from lack of reporting Regulatory or Compliance concern due to reporting Result of Bureau audit 5 5
18 13 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Credit bureau reporting practices Continued... MIS and Reporting The majority of institutions have MIS related to data quantity, data quality, and successful data transmission. institutions appear more proactive in identifying controls such as alerts and notifications across the entire reporting process. Leading industry practice for reporting encompasses both summarized executive-level reporting and detailed field-level reporting for all lines of business. institutions have capabilities to report data waterfalls (e.g., source system record volumes, number of eligible records, number related to policy exclusions, and outputs to Metro 2). Additionally, MIS encompasses disputes with both e-oscar and direct as well as rejects and credit bureau reporting complaints. Implementation of Data Changes Formal review process No formal process Monitoring Reports by Respondents Monitoring is in place to validate the quantity of records contained within a file does not deviate from established ranges Successful Data Transmission Monitoring is in place that validates the transmission to the data file to the Bureaus is successful Data Quality Monitoring is in place that interrogates data elements to validate the data being reported to the Bureau do not deviate Data Population Monitoring is in place that validates data elements reported to the Bureau are populated within historical percentages 5 6 Other Survey response of Unknown was removed from the results and is not graphically represented.
19 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 14 Data Elements Reviewed by Respondents Percentage of records that return reject errors from the Bureaus Business practices regarding reporting eligibility or exclusion from reporting Review of the data elements presently reported to the Bureaus Review of underlying source data that is utilized in any derived field How my organization's reporting trends compare to past review Review of computations used to calculate any derived field 5 8 Credit bureau disputes relative to the data being reported 5 6 How my organization's reporting trends compare to that of my peers Other
20 15 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Section D Data quality
21 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 16 Data quality Leading institutions are implementing policies and procedures to evaluate source data quality prior to transmission of the Metro 2 file to the CRAs. Additionally, institutions are leveraging feedback loops from rejects, credit bureau disputes, and complaints to inform how the reporting program is running. Particularly in an environment where the same information is sent to each CRA, there is potential that the same consumer may see different results from each CRA. The survey provided the following insights to key areas of focus in managing and addressing data quality: Reject and Data Evaluation The survey showed that 5 of the large institutions have a formal remediation process in place for records that have been rejected. The other 5 of the large institutions and 67% of medium institutions do not have a formal consumer remediation process in place or are developing a remediation process. Remaining responders, including small institutions as a whole, do not have a process in place. Through industry observations, leading institutions are making investments in people, process, and technology to address rejects. The institutions that have a remediation process in place evaluate reasons for rejects on a monthly basis. We see that remediation is completed within certain lines of business (e.g., mortgage, but not credit cards). This may be a by-product of a decentralized process for evaluating rejects that is dependent on individual line of business priorities. Commentary by Responders: One of the lessons learned through evaluation of a surveyed institution is that the CRAs will reject records in upfront processing without identifying them officially as rejects. Another lesson learned through the evaluation of rejects for a surveyed institution is that the number of rejects is too large to handle manually. This institution is in the process of developing a systematic approach for handling these volumes. Evaluation by CRA of reject reason data can be requested once per 12-month period. Data is used to identify root cause, which in turn allows for continuous improvement in data reported. Notification of Reporting Anomalies by Respondents % 11% 11% 22% Real time 11% Not real time 22% Not aware of timing Transmission will be stopped Data outside of tolerance is reviewed Not aware if transfer is stopped Other Organizations with assets >$300 billion appear more proactive in identifying transmission errors. Frequency of Reject Analysis Monthly My organization does not have an evaluation process in place to evaluate records that receive an error return from the Bureaus Other Reject Remediation Broad formal remediation process My organization remediates all records that receive reject error codes from all Bureaus reported to Limited formal remediation process based on Reject Error Type Remediation is done for a limited number of reject error code types Non Existent My organization does not have a formal remediation process in place Other, please specify Survey response of Unknown was removed from the results and is not graphically represented.
22 17 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting Evaluating Your Credit Bureau Reporting Process With heightened awareness of consumer protection and recent regulatory guideline updates, all data furnishers must be vigilant of the following regulations concerning the accuracy and integrity of consumer information reported to credit reporting agencies: Fair Credit Reporting Act (FCRA) Fair and Accurate Credit Transactions Act (FACTA) Consumer Data Industry Association (CDIA) Consumer Finance Protection Bureau (CFPB). Common Challenges Across the industry we have observed areas of opportunity that often require immediate attention and investment. Incorrect account coding, definition writing, and designations during the implementation phase of a system change. Credit bureau analysts and data furnishers do not know who to reach out to if an issue arises with reported data. At a minimum, a documented trail of file delivery and receipt is paramount for compliance and audit purposes. Inaccurate reporting to CRAs has adverse risk-based pricing implications on customers. Unsatisfactory credit terms and pricing can result in unhappy customers and potentially a loss of customer base. CFPB oversight of CRAs and heightened awareness of consumer protection create potential for regulatory action and remediation requirements. The operational costs, litigation complaints, and regulatory fines due to credit bureau reporting weaknesses and credit bureau disputes are on the rise. Recent court decisions regarding provisions in FCRA and FACTA indicate the allowance of customer-driven class action suits against data furnishers for a number of violations. A proactive approach to credit bureau reporting will certainly outweigh the cons of being reactive in the marketplace. Why KPMG? KPMG has an established methodology and approach for performing a thorough credit bureau reporting assessment with a CRA perspective across business operations, regulatory compliance, and IT functions. Each stage is designed to build upon the next stage leading ultimately to remediation and a sustainable future operating model. KPMG s Credit Risk professionals provide clients with a full range of credit risk management and operational improvement services. KPMG has the largest Financial Services practice of any of the Big 4 firms. We believe our impressive client base speaks for itself and clearly demonstrates our leadership position in the financial services industry. We assist organizations with the alignment of their credit risk processes with leading risk practices. We also assist clients in achieving alignment of credit risk management practices with regulatory guidance. KPMG is appreciative of the respondents support of this survey. For more information, please contact one of the KPMG professionals listed below. Mike Cwiok Managing Director Risk Consulting T: E: Hoan Wagner Director Risk Consulting T: E:
23 KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting 18
24 kpmg.com 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS