Skip to main content

The “New” Science of Credit Risk Management

Federal Reserve Governor Janet Yellen on developments in the financial system.

September 1, 1996


Janet L. Yellen Federal Reserve Governor
The “New” Science of Credit Risk Management

Governor Yellen made these remarks at the conference on Recent Developments in the Financial System, Jerome Levy Economics Institute of Bard College, Annandale-on-Hudson, N.Y., last spring.

Thank you for the opportunity to appear at this year's conference on recent developments in the financial system with emphasis on the area of risk management. I am sure that most of you have been keeping well informed about these developments and, in particular, are aware of the great attention being paid to the subject of derivatives. Terms of art such as "swaps," "options" and "swaptions" are becoming increasingly familiar to every reader of the financial press. But, as interesting as they may be, derivatives are not the subject of my talk this afternoon—at least, derivatives are not the direct subject of my talk. Rather, I wish to discuss the important technological changes that have been taking place in the "old-fashioned" business of lending, the business of taking money from investors and lending it to corporate and household borrowers—the process we call "intermediation." In particular, I will concentrate my remarks on the implications of these technological advances for the management of risk and for the prudential supervision of banks.

In the lexicon of previous decades, "intermediation" occurred when banks and nonbank financial institutions took in funds from depositors or other investors, and then lent the funds to businesses and households, holding such loans on the books of the bank or nonbank until the loans matured, rolled over or went belly up. "Credit risk" was the major risk incurred by the financial institution, since interest rate risk could be managed easily by making sure the contractual interest rate on the loan varied with the cost of funds.

Over the past 15 years, however, traditional intermediation has changed dramatically at many of the nation's largest banks. Also, large nonbanks, including investment banks, captive finance companies and insurance companies, increasingly have become major players in the intermediation process, employing the same technological advances as banks. Chief among the innovations at the major banks has been the invention and use of loan securitization. Bank-sponsored loan securitizations currently involve over $200 billion in outstanding securities, sponsored primarily by the very largest banks, and these securitizations already account for roughly 20 percent of the credit activities of these large institutions. Furthermore, the importance of securitization will almost surely grow as market participants' understanding of the process improves. Today, banks securitize a wide variety of bank loans, including short-term commercial loans, trade and credit card receivables, auto loans, first and second mortgages, commercial mortgages and lease receivables. In addition, there are emerging markets for the securitization by banks of small business loans and middle-market commercial loans.

Securitization holds the potential for completely transforming the traditional paradigm of intermediation. But securitization does not relieve banks of their major, traditional job—which is to measure, assume and manage credit risk. Indeed, we now know that securitization can result in as much or more credit risk being undertaken by banks as when they engage in traditional lending. To see this, let's briefly review the loan securitization process. Typically, a sponsoring bank (or nonbank) forms a special purpose, bankruptcy-remote vehicle, referred to as a securitization conduit. The conduit purchases loans from the sponsor or from others, or may even originate the loans directly. To finance these loan purchases or originations, the conduit issues various classes of asset-backed securities collateralized by the underlying loan pool. Most of the conduit's debt is issued to public investors who require that the senior securities be highly rated (generally double-A and triple-A). In order to achieve these high ratings for the senior securities, the conduit must obtain credit enhancements that insulate the senior securities from the risk of default on the underlying loans. Guess who generally provides the bulk of these credit enhancements? The sponsoring bank, of course. Such credit enhancements can be provided in many forms, including the issuance of a standby letter of credit to the conduit, or by the sponsoring bank buying back the most junior securities issued by the conduit. In return for providing the credit enhancements, as well as the loan origination and servicing functions, the sponsoring bank lays claim to all residual spread between the yields on the underlying loans and the interest and noninterest costs of the conduit, net of any losses on pool assets covered by the credit enhancements.

At the Federal Reserve, we call these credit enhancements, in all their various forms, "direct credit substitutes" or DCSs. In fact, a direct credit substitute is a credit derivative in the classic sense: The instrument's value derives from — is a derivative of—the value of the underlying loan pool. At times, the risk of these derivative instruments is far greater, per dollar of book value, than the risk of the underlying whole loans. For example, suppose that a bank securitizes $100 million in loans by having the bank-sponsored conduit issue $80 million in senior securities to the investing public and $20 million in junior securities to the sponsoring bank. In effect, the bank's $20 million position provides credit protection for the $80 million of senior securities. Losses on the underlying loans would have to exceed 20 percent before the holders of the senior securities would suffer any loss whatsoever. Losses of this magnitude are such a remote possibility—as evidenced by the triple-A rating of the senior securities —that the bank can be said to incur essentially all of the credit risk of the underlying loans. Now if the prudent bank would have held, say, $10 million in capital against the $100 million of whole loans, then the same prudent bank should hold almost the same $10 million of capital against the $20 million junior security that embodies almost all of the risk of the underlying loans. In other words, prudential capital requirements should rise from 10 percent to almost 50 percent of the book value of the bank's risk position. This is what we mean when we say that securitization can result in credit risk that is highly "concentrated" within relatively small positions on, or off, the books of the sponsoring institution.

As the larger, sophisticated banks—and their large, sophisticated nonbank competitors—have become involved in ever more complicated securitizations, a need has arisen to develop commensurately sophisticated procedures for measuring and managing the credit risks flowing from these transactions. Some of these procedures have been adapted for use in ordinary on-balance-sheet lending, and vice versa. For example, statistical credit scoring is in widespread use for many of the bank loans that are being securitized, including credit card receivables, auto loans and mortgage loans. Credit scoring—which is a statistical procedure that provides an estimate of default probability for each potential loan—increasingly is being used for small business lending and middle-market commercial lending.

Why is the use of statistical credit scoring becoming so popular and, in particular, why is credit scoring becoming so intimately tied to loan securitization? One reason is that credit scoring contributes to consistency in loan underwriting standards which, in turn, permits the estimation of a loss probability distribution for the pool of loans being securitized. Reasonably scientific estimates of these probability distributions are desirable if the rating agencies are to determine how much credit enhancement is necessary to achieve, say, triple-A ratings on the senior securities backed by the loan pools. Furthermore, in order for the credit scoring models to be developed, the bank must work with historical loss data on a large number of homogeneous loan contracts. Securitization relies on the development of good data regarding loss probabilities, and these data, in turn, rely on the use of standardized loan documents so that the statistician is comparing apples to apples.

It is easy to see why securitization has become popular with those institutions capable of measuring and managing credit risk well. To the extent loan documents are standardized and credit scoring models are used in the loan origination process, the noninterest expenses associated with lending are reduced. According to one estimate, for example, the upfront noninterest costs of the traditional underwriting process for small business lending can range to a full percentage point, or much higher, depending on the size of the loan. By using credit scoring and loan standardization, a bank can eliminate a substantial portion of this underwriting cost. This can represent a significant cost advantage when competing for new business.

A byproduct of the standardization and credit scoring process is that there is less uncertainty associated with estimates of the loss probability distributions associated with various loan pools. More precision in estimating risk is tantamount to a reduction in risk. Also, securitization, to the extent it provides the originator with greater funding sources, may allow the institution to create larger loan pools than on-balance-sheet lending through self-funding would permit. Larger, more diversified, loan pools may result in overall risk reduction. Also, securitization permits the pool sponsor to "slice and dice" the securitization tranches in order to match more closely the risk characteristics of each tranche with the desires of each class of investor. For these reasons, and because of the potential for a reduction in noninterest expenses, the net risk-adjusted return to the securitizer should be above that of holding the whole loans on its books. Indeed such a condition must exist for the large institutions to have found securitization so attractive.

The generally competitive nature of financial markets, furthermore, will result in these improvements in risk-adjusted returns being passed through, at least partially, to the loan customer. That is, securitization should result in lower loan rates for those borrowers that qualify for, and wish to partake of, the standardized loan contracts.

As markets for securitized loan products evolve, so will markets for nonstandardized loan products. As we have seen in the market for mortgage loans, borrowers who don't qualify for, or don't want, the standardized product will always have access to nonstandardized loans. But, even assuming the nonstandard loan is no more risky than the standardized product, customers for the nonstandard loan will have to pay higher rates for the customized loan product relative to the standardized loan. In some cases—for example, middle-market commercial lending—securitization will be slowed because of the traditional importance of the customer relation and the entrenchment of individualized service.

While securitization may be revolutionizing the "intermediation" process, we should still continue to characterize the sponsoring banks themselves as "intermediaries." After all, in the typical bank-sponsored securitization it is bank personnel who underwrite and originate the loan pool, service the loans and work out the loans in the pool that go bad. And it is the bank-sponsor—through the use of credit enhancements—that assumes the bulk of the credit risk on the loan pool. Therefore, as prudential supervisors of banks, the policy issues facing us with regard to securitization are similar in scope to, although often more complicated than, the questions we face regarding traditional lending. The important questions include:

  1. How should we measure the credit risk associated with the lending and securitization activities of a bank?
  2. How much capital should be required of the bank for a portfolio of given riskiness?

Regarding the capital treatment of banks, I must say that we do not have a very good handle on either how to measure credit risk in a scientific manner, or how to allocate capital to credit risk in specific circumstances. The Basle Accord on international capital standards for banks is, paradoxically, both very complex—as in the case of capital for market risk—and quite simplistic when it comes to credit risk. For example, the vast majority of nonmortgage loans are all assigned the same, rather arbitrary, capital requirement of 8 percent. Within the formal "risk-based" capital requirements, there is no distinction between a secured loan to a triple-A rated company vs. an unsecured loan to a junk-rated company. Nor do our formal regulatory capital requirements currently take into account the bank manager's success, or lack thereof, in hedging or mitigating credit risk through the use of credit derivative transactions or effective portfolio diversification.

This relatively simplistic approach to capital requirements for credit risk was a good compromise when the Basle Accord was reached in the mid-1980s. Back then, the technology of credit risk measurement was not sufficiently developed to permit more finely tuned capital requirements; and there was an overarching need to set minimum capital requirements in the face of the long decline in bank capital levels. Also, securitization and other complex credit activities were not prevalent as they are now. Today, however, the "one size fits all" approach to capital requirements for credit risk is becoming increasingly problematic as banks themselves, in their own internal capital allocation procedures, take into account the widely varying risk characteristics of their many different credit instruments.

At the most forward looking of the large institutions, bankers are trying to do the two things one must do in order to truly determine capital adequacy for credit risk. First, bankers are statistically measuring risk and, second, they are trying to follow consistent "decision rules" in allocating enough capital to cover the measured risk. In middle-market and large commercial loan activities, for example, the process of capital allocation at these large banks often begins by assigning a credit rating or score to each of the bank's business loans. Often a 1 to 10 rating system is used, with a 1-rated loan being the equivalent of a triple-A credit and a 10-rated loan being written off as a loss. Some of the more sophisticated banks then go further by using historical loss data to estimate the mean and variance of losses on each grade of loan. In effect, the risk manager attempts to estimate the loss probability distribution for each grade of commercial loan. From there it is a simple matter to "allocate" capital to the loan by following a consistent decision rule. For example, the banker might wish to allocate enough capital to a category, or subportfolio, of loans so that the probability of losses on the subportfolio exceeding the allocated capital is only, say, one-half of one percent. This "soundness" target is chosen because, say, the banker wishes to maintain a double-A rating on his own corporate debt and, over the relevant time horizon, the default probability for double-A corporate bonds has been observed to be one-half of one percent.

The process I have just described, in its many variations, is often referred to as RAROC analysis, or analysis of Risk-Adjusted Return on Capital. Techniques have evolved rapidly, so that the RAROC analysis of the mid-1990s is not the same as the RAROC analysis at its beginnings in the early 1980s. Bankers make these complex calculations for several internal business reasons. By knowing how much of the bank's capital should be internally allocated to any particular business activity, the banker can calculate the rate of return on that allocated capital. If that rate of return is too low, the bank should seek to cut noninterest expenses, or fewer resources should be devoted to the activity, or its business-line manager should be rewarded less than the managers of higher-yielding activities. To the extent that the bank can alter prices of its credit products, RAROC calculations also help in the pricing process: If capital is being allocated properly by management, and the resulting return on capital is too low, then spreads being charged on the credit products are too low.

This is not to say the large banks uniformly follow their own internal RAROC models when pricing their loan products. Often, when competitors' pricing in a particular risk category is "too low," a bank is forced to choose between, on the one hand, making a loan with a low risk-adjusted return on capital in order to preserve the bank's market share or, on the other hand, refusing to meet the low price of its competitor and therefore risk losing market share. Often, market share wins and the models-based pricing process loses.

It is important to note that, in contrast to the "one size fits all" standard of our regulatory capital rules, the internal RAROC procedures of banks often result in a very wide range of internal capital allocations, even within a particular category of credit instrument. For example, according to a 1995 industry study, approximately 60 percent of the top 50 banks internally allocate capital by risk grade of commercial loan. In a small sampling of these large institutions, Federal Reserve staff found that internal capital allocations ranged from less than 1 percent of asset value for the best rated, least risky loans, to 20 percent or more for the most risky loans.

This great diversity in internal capital allocations leads to at least two types of potential difficulty. In cases where the internal capital allocation is significantly below the 8 percent regulatory standard, a bank may have to engage in costly "regulatory arbitrage" to evade the regulatory standard. Often, this may be easily accomplished, because the regulatory minimum 8 percent capital requirement is applied against the whole portfolio of nonmortgage loans. Therefore, the bank often can simply "average" the low-risk loan (for which the 8 percent standard is too high) with other, higher-risk assets (for which the 8 percent standard is too low). However, in cases when regulatory arbitrage is not possible or too costly, the bank may actually have to alter its overall investment and funding practices, perhaps in a way that upsets the socially desirable allocation of resources. Another type of problem emerges when a bank has a nominally high regulatory capital ratio which generates a false sense of security by masking greater-than-normal risk exposures.

Internal capital allocation procedures have evolved as the credit products offered by banks have evolved. Complex credit derivatives and tranches of loan securitizations raise difficult issues of properly measuring the risk of certain instruments and therefore properly allocating capital to those risks. We know that a very wide range of capital allocations is possible, even for seemingly similar credit instruments, and that this range of possible capital allocations is widened by the use of direct credit substitutes and other credit derivatives. The problem we face increasingly as bank supervisors is that our evolving regulatory capital requirements, no matter how complex they become, are not likely to capture the complexity of risk positions that bankers are actually undertaking. I fear we may be reaching the point that, for our largest, most complicated institutions, a bank's formal, regulatory "risk-based" capital ratio, let alone its simple equity-to-asset ratio, is not as useful a signal of financial soundness as we would like it to be.

In a recent issue of the American Banker various observers of the banking scene complained that bank capital levels were now "too high" to sustain a reasonable rate of return. These observers argued that, because of the "excessive" capital, banking activities were going to have to decline or bankers were going to have to further accelerate dividend payouts and stock buybacks. But when is bank capital "too high?" If banks have such outrageously high capital ratios why does no major U.S. bank holding company have its parent corporate debt rated triple-A? In fact, 70 percent of the top 50 U.S. banking companies have their parent debt rated single-A or lower. Yet, the capital ratios of these institutions are near recent historical highs, and most are well above the regulatory minimums.

I have tried to give you a taste for the complexity of modem credit activities. This complexity, and the diverse manner in which our most sophisticated banks measure and deal with credit risk, means that the rote application of rigid capital rules is becoming less and less appropriate. Indeed, a long held view of the Federal Reserve is that the supervision of risk-taking on a bank-by-bank basis—as opposed to the writing of regulations applying to all banks—is the preferred way to assure that credit risk in our banking system is being managed in a prudential manner. Our emphasis on bank-by-bank supervision has traditionally been carried out by an examination process that focuses on the specifics of the credit portfolio. Major credits are reviewed one by one, and other elements of the portfolio are sampled, to determine which assets may fall into one of the "classified" buckets such as "substandard" or "doubtful" loans. But, while examination of individual credits and groups of credits may remain the mainstay of the examination process, supervisors are not stopping there. In late 1995, the Federal Reserve and the Comptroller of the Currency separately announced major efforts to examine the risk management capabilities of each of the institutions under their respective purviews. The other banking agencies are expected to announce similar efforts. In the case of the Federal Reserve, we intend to conduct risk examinations that will result in a specific "grade" attached to the institution's risk management performance. This "risk management grade" will help determine the bank's CAMEL rating (which as you know is the supervisory equivalent of a report card and the basis on which most supervisory actions are taken).

Our risk management examinations will focus not only on the risk models used by an institution, but also on its risk management process, including its internal controls. As recent highly publicized events have shown, it does a bank no good to have a state-of-the-art risk model if the bank doesn't conduct a simple background check on the person asking for the loan, or if the bank doesn't monitor and control the activities of individual officials, especially traders. This caveat notwithstanding, risk management has at its core the effective measurement of risk. So, when we conduct our risk management examinations, we will look closely at the specific techniques the banking institutions use to measure credit risk. And, as has always been the case in the past—before securitization, before concerns over credit risk associated with derivative counterparties and certainly before the advent of credit derivatives—supervisors will use examinations to keep up with practices at the frontiers of credit risk measurement.

As supervisors, not practitioners, we can never hope to be truly on the frontiers of credit risk practice. Indeed, the science and art of risk measurement is evolving so rapidly that only a handful of institutions can properly be said to be engaging in "best practice" risk measurement at any one time. And "best practice" for a large, money-center institution may be totally inappropriate for a regional or community bank. Also, there will always be disagreement over what truly constitutes "best practice." But one of the supervisors' tasks is to try not to fall too far behind. In particular, it is important that we can discern between "adequate practice" and "unacceptable practice" when it comes to risk measurement and risk management. This we intend to continue doing.

There are other, even more complex issues that are being brought to the fore with the advent of the new risk measurement and management technologies. As the years go by, the technologies for quantifying bankwide credit risk certainly will continue to evolve well beyond what was possible when our risk-based capital regulations were first devised in the mid-1980s. A decade ago, risk managers at the major institutions rarely talked about "probability distributions" in the way that market risk managers—and, increasingly, credit risk managers—now talk about such matters. It is easy to imagine that in another decade the typical chief risk officer at a major institution will have at his or her disposal, at any moment in time, one or more models for estimating the institutionwide credit-loss probability distribution facing the bank. In fact, several of the major banking institutions are actively developing such models, and it is likely to be only a matter of when, not whether, such technologies become commonplace.

Risk, of course, can never be measured in absolutely precise terms: There are, after all, specification and estimation errors, as well as the possibility that future behavior will differ from past behavior. Nevertheless, at some point, the technology for measuring credit risk will become sufficiently robust to warrant a major rethinking of our prudential capital regulations for credit risk. As regulators develop increasing confidence in the ability of banks to quantify and manage credit risk, the natural course will be to find ways to reflect these competencies in our regulatory and supervisory capital standards. We are attempting to do this now with respect to capital requirements for market risk. Under the "models-based" procedures that will go into effect within two years for the largest, internationally active banks, the bank trading account manager estimates a loss probability distribution for the entire trading account over a two-week time horizon. Then, the manager estimates the amount of losses that would occur with 1 percent or less probability, if the portfolio were left unchanged over the two-week horizon. Regulatory capital is set at a multiple of this loss amount, which is commonly called the Value-at-Risk, or VaR. For example, depending on the specifics, regulatory capital might be set at three times the two-week VaR. The adoption of this internal models-based approach to capital requirements became possible only because of the technological advances over the past decade or so that now permit managers to measure market risk over short time horizons with acceptable accuracy.

The measurement of credit risk has a long way to go before it reaches the current level of sophistication with which market risk is measured. Market risk measurement is expedited by the ability of risk managers to view daily or intraday changes in asset prices on instruments traded in well developed secondary markets. However, except for the larger loans, secondary markets are not well developed for, say, commercial loans, and therefore loss distributions cannot easily be estimated by directly observing changes in asset prices. Nevertheless, the measurement of credit risk eventually may evolve to the point where an "internal models" approach to capital for credit risk will become a practical possibility.

Despite the complexities I have attempted to describe today—indeed, partly because of these complexities—I remain highly optimistic that both our system of financial intermediation and our system of financial regulation will remain strong and resilient. We know much more about risk measurement and management than we did a decade ago—and a decade from now we will know still more. Just as I cannot imagine that our present system of regulation will remain unchanged forever, I cannot imagine that we will ever reach a "perfect" system of regulation and supervision. However, we can, and I believe will, make the system better as we strive to adapt to changing realities. Perhaps a future Federal Reserve governor will appear before you a decade hence to discuss the continuing evolution of our financial system.