10:49 AM
Connect Directly

BB&T's Mike Stevens Shares How the Bank Has Upgraded Credit Risk Models, Strategies

The regional bank has revisited the way it makes consumer loan decisions and has restructured credit models, loan decision policies and credit risk analytics, according to SVP Stevens.

Two years have passed since the subprime mortgage bubble burst, and some banks have taken the time to revisit the way they make consumer loan decisions and restructure their credit models, loan decision policies and credit risk analytics.

Among these is Winston-Salem, N.C.-based BB&T, ($157 billion in assets). Mike Stevens, senior vice president, enterprise risk management (ERM) analytics and business intelligence manager, spoke with us recently about this process.

BB&T mostly avoided the financial crisis. "We made very few subprime and no option ARM loans and we stayed at home in our geography, we didn't make loans in California or Nevada," Stevens notes. The bank did make a lot of mortgage and home equity loans, however, and "even though we didn't intend to make subprime loans or risky mortgage loans, in some parts of the bank, it was possible for people to get a mortgage like product through our direct retail lending channel with lower documentation standards, or get a home equity loan from us to recapture the cash they had in the deal," Stevens acknowledges. An unexpectedly large number of customers got 80% of the value of their home from their first mortgage and 20% from a home equity loan from BB&T, so they had zero invested in the property. "We didn't intend to be the provider of cash out second mortgages but ended up with some because we didn't always have the right filters in place," Stevens shares.

Since the crisis, the bank has made changes at every level, he says. It created an independent Credit Risk Review function within ERM. It expanded its analytics and business intelligence function and placed it in ERM; this group handles data mart management, reporting and analysis, commercial credit analytics, consumer credit analytics, and operations risk analytics.

"We have many more credit scoring screens in place to filter out a much higher percentage of people who don't meet our lending criteria," he says. The bank now finds out details such as first mortgage origination date and down payment amount on that first mortgage. "Now we are better able to provide second lien home equity products for people who will continue to have real cash equity in the deal," Stevens says. The bank is mining loan and transaction data in a well-defined data model, building scorecards, and setting rules for filtering apps that kick out loans that have a high risk profile, he says, using SAS analytics tools.

It uses predictive models (also in SAS) to predict outcomes, to rank order risk, and to provide a reasonably accurate estimate of the frequency of defaults. The bank revisits these frequently. "The typical life of a model is 18-30 months," Stevens says. "They need to be refreshed because things change. We're constantly recalibrating our models."

Some of Stevens' analytics work is intended to solve big problems. "There are many big problems that almost never have a single cause, they usually have multiple causes," he says. "If you want to solve big problems, you have to identify all the things that contributed to the problem. That way you're taking advantage of all the levers you can pull, rather than one single one like credit scores." For instance, BB&T looks at policy exceptions and how policies are enforced among lenders. It also looks at concentrations in its portfolio. "Concentrations are the number one problem in banking because concentrations can kill you," Stevens says. "Some banks simply had more option ARMs and sub-prime loans than they could afford to write off."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.