News & Commentary

09:49 AM
Kenneth Yu, SunGard
Kenneth Yu, SunGard

Stress Testing: Are Mid-Sized U.S. Banks Joining the Dots?

It has been more than a year since the top tier US banks began running macroeconomic capital stress tests on their balance sheets as a result of Dodd Frank. For the small- to medium-sized banks now facing similar stress test requirements, it is critical that they consider the strategic link between these capital stress tests and their own credit rating models. Many of the smaller banks with under $50 billion in assets have so far relied on portfolio- or segment-level net charge-off approaches to stress their loan portfolios that are quick to implement and answer immediate regulatory concerns. However, more sophisticated and granular approaches will be needed at some point in the future.

This will have major implications on the way that banks risk rate their credit borrowers because one of the best ways to implement a loan level stress testing approach is to leverage the bank’s existing data driven credit rating models. This will not only put the results in the right context, but also appease regulators that want stress tests to be run as an ongoing part of the business rather than just as annual reporting exercises.

But the credit rating models must be suitable for the stress testing task at hand. The banks that still rely on wholly judgmental credit rating processes will find it impossible to automate a loan level stress testing approach, while the banks that have a data-driven credit rating approach will be in a more flexible, strategic position. This is because loan level stress testing requires the identification of borrower-level risk factors and the ability to stress these same factors conditioned on an adverse macroeconomic scenario. Banks with data-driven credit rating models in place will more likely have already identified the underlying credit risk factors to be used for stress tests and have the infrastructure in place for gathering and segmenting borrower-level data.

With the data-driven credit rating models and associated data infrastructure in place, the bank will then be able to analyze the relationship over time between the credit risk factor values against the macroeconomic factors used to define a downturn scenario. Capturing this relationship between borrower financials and the macroeconomic environment forms the basis of bottom-up stress testing.

Banks looking to leverage their credit risk rating models for bottom-up stress testing should also ensure that their rating models are sufficiently sensitive, distributed and calibrated. Additionally, careful attention should be paid to stressing the qualitative risk rating factors, such as management experience and industry standing. The relationship between qualitative factors and the macroeconomic environment is not always obvious, so expert judgment may need to be employed.

Small- and medium-sized banks should start thinking about the strategic link between their risk rating approach and their future stress testing capabilities, as a bottom-up stress testing approach can give management a number of valuable insights:

- Identify the loans most vulnerable to given stresses.

- Highlight the factors that are increasing risks in certain macroeconomic scenarios.

- Allow for more granular ‘what-if’ scenarios.

- Enable prompt risk management actions and contingency planning for deteriorating environments (such as increased collateralization)

To realize these valuable insights, banks must also acknowledge potential challenges in implementing a bottom up approach to stress testing:

- Appropriateness of their risk rating process as it relates to stress testing: whether it is quantitatively-driven, whether it provides significant differentiation capability across the risk grades or whether it is predominantly expert judgment-driven.

- Quality, length, and accessibility of borrower data: bottom-up stress testing requires more loan-level data than most other credit modelling approaches.

- “Over-engineering”: you don’t need bottom-up stress testing for all your portfolios and product types. You can do bottom-up stress testing for your largest portfolio exposures or most risky product types, while taking a lighter approach for your other products/portfolios.

With these in mind, mid-sized firms must also take time to address the specific organizational and technological hurdles they will need to jump through for this approach to truly be a success.

Organizationally, capital stress testing is an enterprise-wide process that touches all functions and business lines. This requires coordination and communication that previously might not have existed. This is where having a goal, developing a roadmap with input from all the different departments, and setting the right tone at the top of the house is very important.

Technologically, data and systems will need to be sufficient and keep pace with stress testing progress. For example, perhaps the bank decides to do a top-down approach for the analytical quick-win in the short term, but concurrently also starts gathering borrower-level data in its data warehouse. Then a few years down the road the bank will be able to build a bottom-up stress testing approach and employ both approaches in a primary-challenger model setup.

[Related Content: Lessons Learned From The Fed Stress Tests]

Ultimately, for mid-sized banks, the key lesson to learn from the stress testing approaches that others have implemented is simple – don’t try everything at once. This is an evolving process that will take some time to perfect. However, don’t go to the other extreme and take a band aid approach either. The best way to find the middle ground is to start off with clearly defined goals – whether they be regulatory-driven or business-driven - with senior management buy-in. You can then work with the end state in mind by identifying the high value benefit components, prioritizing building blocks, and investing in analytical quick-wins. In that way you can get the most bang for your buck up front but also have a roadmap for future enhancements that will build on those initial stress testing components.

The right approach underpinned by the right set of models and infrastructure will not only meet stress testing requirements but pave the way for on-demand risk adjusted information that can act as part of a wider project to improve bank soundness and risk-adjusted profitability.

Kenneth Yu is a senior consultant in risk advisory for SunGard.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Author
4/24/2014 | 1:37:33 AM
re: Stress Testing: Are Mid-Sized U.S. Banks Joining the Dots?
With all of the other regulatory initiatives that mid-size banks are dealing with, implementing a stress testing strategy is going to very difficult for these institutions that don't have the resources of the biggest institutions. These points will definitely be helpful. Thanks for the insight Kenneth.
User Rank: Apprentice
4/28/2014 | 3:58:49 PM
re: Stress Testing: Are Mid-Sized U.S. Banks Joining the Dots?
Thanks for the comment Jonathan. You bring up a good point, and that's exactly why mid-size and small-size banks need to work with the end in mind (i.e. goal-oriented), because each resource/investment made is that much more important. I actually have a follow-up article in the works right now that will be published soon.
User Rank: Author
4/28/2014 | 9:18:29 PM
re: Stress Testing: Are Mid-Sized U.S. Banks Joining the Dots?
We would certainly be interested in publishing that as this seems like it will be a big issue for mid-size banks over the next year. Thanks Kenneth.
User Rank: Apprentice
10/20/2014 | 10:39:34 AM
Pending Review
This comment is waiting for review by our moderators.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.