Risk is a key consideration in every element of a financial institution’s business model. Actuarial scientists develop financial risk models that shape banks’ products and services, from savings accounts to loans. And then, of course, security risks shape the ways in which banks safeguard their physical and digital assets and resources. Finally, on a slightly less obvious front, FAIR lending risk assessments also play a vital role in ensuring a financial institution’s long-term health.
What’s a FAIR Lending Risk Assessment?
Banks and other types of lenders are required by law to extend credit on equal terms to all potential borrowers. These days, many lenders rely on technology to help them fulfill that mandate.
Fairness depends on how an institution runs its systems and data nearly as much as it depends on the intentions of its people. Lax IT and data-governance practices can lead to "digital redlining" and other harmful lending outcomes.
So, if you want to make sure you're not running afoul of any key fairness rules, you'll need to keep your risk analysis, and the controls behind it, in good shape. To that end, this blog will break down everything you need to know on the subject into two main areas:
- What fair lending means for financial institutions
- How FAIR risk analysis can facilitate compliance
Below, we’ll switch between “fair” and “FAIR” to talk about legal requirements and cybersecurity best practices, respectively. Ultimately, the goal is to help you see what’s FAIR is fair, so to speak.
Fair Lending: What it is and Why it Matters
Fair lending is an essential practice for financial institutions. It requires that lenders issue credit in an equal way to all borrowers, no matter what their background is. Specifically, the term “fair lending” refers to a body of regulations, at all levels of government, ensuring banks follow basic principles of equity.
Per Chase’s breakdown of Fair Lending at their bank, applicable laws and acts include:
- The Civil Rights Act of 1866 – Guaranteeing all US citizens the same rights, including the right to purchase and hold real estate, regardless of race or color.
- The Fair Housing Act (FHA) – Protecting against discrimination with respect to the buying, selling, and financing of real estate, on the basis of:
- Race, color, ethnicity, and religion
- Sex, gender, orientation, and family status
- Visible or invisible disabilities or handicaps
- Home Mortgage Disclosure Act (HMDA) – Requiring financial institutions to report data on the home mortgage applications and loans they handle, including applicant demographics, so that lending patterns can be examined.
- The Equal Credit Opportunity Act (ECOA) – Ensuring access to credit for all applicants, and prohibiting lenders from discouraging applications or discriminating in any aspect of a credit transaction, on the basis of:
- Race, color, religion, national origin, and sex (categories it shares with the FHA)
- Receipt of income from public assistance programs
- The Americans With Disabilities Act (ADA) – Further protecting individuals with disabilities, whether mental or physical, by ensuring their access to financial products and services is the same as anyone else's.
Fair lending exists to do exactly what its name implies — ensure that financial institutions treat all (potential) customers equitably.
What Are Fair Lending Risks?
With respect to fair lending, “risk” has to do with the ways in which the kinds of discrimination codified across these previously mentioned laws may occur. Crucially, discrimination doesn’t always have to come from a malicious lender acting in a conspicuously prejudiced way.
According to a foundational FDIC presentation on Fair Lending Risk Assessments, the key to understanding fair lending risk comes down to three vectors of discrimination:
- Overt discrimination in lender practices or policies
- Neutral policies applied without a business necessity that produce a disproportionate effect on a protected class (disparate impact)
- Lapses in discretion that result in different lending terms, or denial of credit, for similarly situated applicants (disparate treatment)
Fair lending means identifying all potential sources of discrimination, no matter how overt or incidental, and rooting them out. Failure to do so can result not only in immediate harm to those discriminated against, but also consequences for the lender.
Per Chase’s guide to fair lending, the institutions who enforce these regulations include:
- The Consumer Financial Protection Bureau (CFPB)
- The Department of Housing and Urban Development (HUD)
- The Federal Deposit Insurance Corporation (FDIC)
- The Office of the Comptroller of the Currency (OCC)
- The Federal Trade Commission (FTC)
- The Federal Reserve Board (FRB)
- The Department of Justice (DOJ)
The best way to ensure that your business is free from overt, indirect, or discretionary risk with respect to fair lending is to engage in rigorous (ideally quantifiable) risk analysis.
That’s where the FAIR part comes into play.
How FAIR Institute Principles Can Help
What we've been referring to as "FAIR" thus far is actually Factor Analysis of Information Risk, a quantitative model for analyzing information and operational risk. FAIR was developed by Jack Jones, is stewarded by the FAIR Institute, a US-based nonprofit, and has been published by The Open Group as the Open FAIR standard.
At its core, FAIR is a risk-analysis model built on the principle that quantifying risk accurately is the most effective way to understand and mitigate it. FAIR is an explicit model: it names the factors that drive loss and states how they combine, which supports a proactive risk posture. Control-checklist frameworks such as NIST CSF tell you which controls to have, but not how much loss exposure each one removes, so decisions made with them alone tend to be reactive.
The foundation of FAIR’s effective risk management comprises five elements:
- Accurate risk models – Risk is decomposed into factors (frequency and magnitude of loss) that can be estimated and measured, so the analysis is genuinely quantitative rather than a score.
- Meaningful risk measurements – Estimates are expressed as calibrated ranges in real units (events per year, dollars), not simplified ordinal (1-5) categories.
- Effective risk comparisons – Because every scenario is stated in the same units, scenarios and control options can be compared directly and mathematically.
- Risk-informed decisions – Decisions rest on analysis, with the uncertainty in each input made explicit rather than hidden.
- Cost-effective management – Effort goes to the scenarios and controls that remove the most loss exposure, avoiding redundant spending.
These elements feed into one another. Together, they create a risk-analysis practice that scales to any company. But these practices don't only help ward off hackers and cybercrime; they also lay the groundwork for analyzing fair lending risk, as outlined above.
FAIR Lending Risk Assessment 101
The entirety of FAIR's risk management relies upon the accuracy of its models. To that end, the most important element of FAIR is the quantification of risk, also known as "risk assessment." FAIR defines "risk" as the probable frequency and probable magnitude of future loss.
Before applying that definition to fair lending risk, let's look at how it works at a high level. Per the FAIR factor tree, risk breaks down into two major branches:
- Loss event frequency – How often a loss may occur within a given timeframe.
- Loss magnitude – The various dollar-amount costs stemming from a loss event.
The first of these, loss event frequency, then breaks down into two subcategories:
- Threat event frequency – How often, within the timeframe, threat agents are expected to act in a way that could cause a loss, derived from:
- Contact frequency, or how often threat agents come into contact with the asset.
- Probability of action, or the likelihood that a threat agent, once in contact, acts against the asset.
- Vulnerability – The probability that a threat event becomes a loss event, derived from:
- Threat capability, or the level of force a threat agent can bring to bear.
- Resistance strength, or the ability of the asset and its controls to withstand that force.
The second major category, loss magnitude, breaks down into the following:
- Primary loss – Losses the organization itself incurs directly from the event, in the forms of:
- Productivity, response, and replacement costs.
- Secondary loss – Losses arising from the reactions of external parties (regulators, customers, plaintiffs) to the primary event, each with its own loss event frequency and magnitude, in the forms of:
- Competitive advantage and reputational costs.
- Fines, judgments, settlements, and other legal consequences.
At each level of the tree, the analyst supplies calibrated estimates (typically a minimum, most likely, and maximum value) for the leaf factors. The model then rolls them up, usually by Monte Carlo simulation, so that every scenario is expressed in the same units (loss events per year and dollars per event) and can be compared and combined mathematically.
With respect to fair lending risk, a threat event is an occurrence that could produce a fair lending loss: an overtly discriminatory decision, a policy applied in a way that disadvantages a protected class, or an employee exercising discretion without adequate awareness of discrimination issues (such employees being the threat agents in this framing). Vulnerability is the probability that such an event is not caught internally and turns into a regulatory finding, a complaint, or a lawsuit; it can be estimated from publicly available enforcement data combined with your own internal monitoring data.
FAIR is designed to take as much "intangibility" out of the equation as possible. By quantifying your exposure, you can get ahead of discrimination before it happens, preventing both the harm it causes to borrowers and any related blowback to your company.
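As an added example (not code from this page, the FAIR Institute, or The Open Group), the following Python rolls up the factor tree described above for the fair lending scenario just sketched: a regulatory examination of pricing discretion uncovers a disparity the lender cannot explain. Each leaf factor is a calibrated minimum / most likely / maximum estimate sampled from a PERT distribution, vulnerability is derived as the probability that threat capability exceeds resistance strength, loss event frequency is realized as a Poisson count of loss events per year, and secondary loss is drawn with its own frequency and magnitude. The scenario values, the `Estimate` and `Scenario` names, and the 0-100 percentile scale for capability and resistance are assumptions made for illustration; the numbers are constructed placeholders, not data from any institution.

```python
"""FAIR-style Monte Carlo rollup of a hypothetical fair lending loss scenario.

Added illustration; not code from the page, the FAIR Institute, or The Open Group.
Every number below is a constructed placeholder, not data from any institution.
"""
import math
import random
from dataclasses import dataclass


def make_rng(seed=0):
    """Seeded generator so a run is reproducible."""
    return random.Random(seed)


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"need low <= mode <= high, got {self}")

    def sample(self, rng):
        """Draw one value from a PERT (scaled beta) distribution on [low, high]."""
        width = self.high - self.low
        if width == 0:
            return self.low
        alpha = 1 + 4 * (self.mode - self.low) / width
        beta = 1 + 4 * (self.high - self.mode) / width
        return self.low + rng.betavariate(alpha, beta) * width


def vulnerability(tcap, rstrength, rng, draws=10_000):
    """Vulnerability = P(threat capability > resistance strength).
    Both factors are assumed to be percentile ranks on a 0-100 scale."""
    hits = sum(tcap.sample(rng) > rstrength.sample(rng) for _ in range(draws))
    return hits / draws


def poisson(rng, mean):
    """Knuth's method: number of events in one period given the expected count."""
    limit, count, product = math.exp(-mean), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # threat events per year (contact frequency x probability of action)
    tcap: Estimate            # threat capability, percentile rank
    rstrength: Estimate       # resistance strength, percentile rank
    primary_loss: Estimate    # dollars per loss event: response, remediation, restitution
    secondary_prob: Estimate  # probability a loss event also triggers secondary loss
    secondary_loss: Estimate  # dollars of secondary loss: fines, settlements, reputation


def simulate(scenario, trials=10_000, seed=1):
    """Roll the factor tree up into an annualized loss exposure distribution."""
    rng = random.Random(seed)
    vuln = vulnerability(scenario.tcap, scenario.rstrength, rng)
    annual = []
    for _ in range(trials):
        # Loss event frequency = TEF x vulnerability, realized as a discrete
        # count of loss events in the simulated year.
        events = poisson(rng, scenario.tef.sample(rng) * vuln)
        total = 0.0
        for _ in range(events):
            total += scenario.primary_loss.sample(rng)
            # Secondary loss carries its own frequency (probability per primary
            # event) and its own magnitude, as the FAIR tree prescribes.
            if rng.random() < scenario.secondary_prob.sample(rng):
                total += scenario.secondary_loss.sample(rng)
        annual.append(total)
    annual.sort()

    def pct(p):
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {"vulnerability": vuln, "mean": sum(annual) / len(annual),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "max": annual[-1]}


# Constructed, hypothetical scenario: an examination of pricing discretion on
# consumer loans finds a disparity the lender cannot explain (disparate treatment).
EXAMPLE = Scenario(
    tef=Estimate(0.2, 0.5, 1.0),            # exams or complaints probing pricing, per year
    tcap=Estimate(40, 70, 95),              # rigor of the examiner's statistical review
    rstrength=Estimate(30, 55, 80),         # strength of documented, monitored pricing controls
    primary_loss=Estimate(50_000, 250_000, 1_500_000),   # investigation plus restitution
    secondary_prob=Estimate(0.2, 0.4, 0.7), # chance of referral, fine, or public consent order
    secondary_loss=Estimate(100_000, 2_000_000, 20_000_000),
)

if __name__ == "__main__":
    for key, value in simulate(EXAMPLE).items():
        print(f"{key:>13}: {value:,.2f}")
```

Running it prints the derived vulnerability and the mean, 10th, 50th and 90th percentile annualized loss exposure in dollars. The rollup itself is mechanical; the real work is replacing the placeholder estimates with calibrated ones from your compliance, legal and monitoring teams. Comparing the distribution before and after a proposed control (say, a higher resistance strength once second-line review of pricing exceptions is in place) is how FAIR lets you cost-justify that control in the same units as the loss it prevents.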
How to Stay FAIR, Compliant, and Protected
Here at RSI Security, we take a similar approach to risk and cyberdefense as the FAIR Institute. While we’re happy to help your company meet any and all compliance regulations it needs to follow, we also know that just complying is far from the end of cybersecurity.
In fact, compliance is just the start of how to stay fair — and safe.
That's why our talented team of experts has supplied cybersecurity solutions to companies of all sizes for over a decade. Whether you need a quick fix for your firewall, a tune-up for cloud security, or even an overhaul of your entire architecture, we have you covered.
To get your FAIR lending risk assessment underway, or get the ball rolling on any cyber protections you may need to patch, contact RSI Security today!